Release Notes 30.x - 39.x
39.1
2025-06-16
39.1 is an incremental release focusing on performance and stability fixes.
39.0
2025-03-31
39.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 39.x, 38.x, and 37.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 36.x, 37.x, 38.x
- Zero-downtime upgrade: 38.x
The latest PrivX LTS version is v36, which can be obtained here.
Important Notes for This Release
Switch to discoverable passkeys
From PrivX v39 and later, any passkeys added to PrivX will be discoverable. When choosing to log in using a passkey, you may select from any credentials you've registered.
Note that any passkeys added in v38 and earlier are undiscoverable, and support for undiscoverable passkeys will be discontinued in a future release: If you have added passkeys in v38 or earlier, re-add those in v39 to ensure continued functioning.
For more information about setting up passkey login, see Passkey Login.
Changes to sshexec and exec router control commands (since v38)
From v38 and later, network-access manager now sends an extra {session parameters} argument to the control commands of sshexec routers and exec routers.
- For sshexec routers, network-access manager now executes the fixed commands:
    /opt/privx/privx-router/sshexec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/sshexec/del {network parameters} {router parameters} {session parameters} [{static config}]
- For exec routers, network-access manager now executes the fixed commands:
    /opt/privx/privx-router/exec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/exec/del {network parameters} {router parameters} {session parameters} [{static config}]
The {session parameters} argument contains the session parameters in JSON format, for example:
    {
      "session_id": "f5d747f6-af79-412b-4471-b6f5043c90ce",
      "target_id": "07bee1e7-7061-4a90-4831-f501bcbc778e",
      "target_name": "ot-sshexec-target"
    }
This change may break existing sshexec/exec routers that can't accommodate the extra argument. Such scripts/binaries will need to be changed to support the additional argument.
For more information about sshexec/exec routers, see PrivX Router Configuration.
Retaining SID extensions in RDP-certificate authentication (since v37)
In PrivX 36, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases in customer environments break because of missing or mismatching SID values. From PrivX 37 and later, PrivX supports a setting that controls whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep your existing RDP-certificate defaults, you need to perform additional configuration. You can do this either before or after the upgrade:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
- Gain root terminal access to any PrivX Server and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
    [AUTHORIZER.ca_settings]
    rdp_x509_include_sid = true
- Apply the new settings with:
    sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configurations are done.
- After upgrade, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates. Save your changes.
RDP-certificate authentication should function normally again.
Deprecation Warnings
agent-proxy Deprecated
The agent-proxy functionality has been removed in PrivX versions 39 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
Pure whitespace names disallowed
From version 37 onward, PrivX no longer allows creating items whose names consist purely of spaces. You will also be unable to update such items until their names are changed to contain at least one visible character.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux by June 2025. See Migrate from EOL Operating Systems for how to move to a supported OS.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-7130] Allow administrators to select the SMTP authentication method.
  - New setting SMTP Authentication Mode under Administration→Workflows→Email Notification Settings.
  - New supported authentication method XOAUTH2.
- [PX-7236] Administrators can now provide an additional issuer URL for OIDC directory settings, such as Oracle Cloud.
  - This allows OIDC-login support for non-standard configurations where the issuer URL reported by the OIDC identity provider differs from the discovery endpoint URL.
- [PX-7295] New setting Trust on changed host keys for SSH services.
Improvements
- [PX-7388] Support for discoverable passkeys.
  - Note: any passkeys you've added before this version should be re-added eventually. See Important Notes for This Release.
Bug Fixes
- [PX-7594] Directory scan fails to update host running status if the host is configured with command restrictions.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
        # scp -i key.pem principals_command.sh user@target:/tmp/
        # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3655] remoteApp cannot be restored after it's minimized
- [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting a large amount of text in Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4778] RDP-PROXY: file under scanning cannot be overwritten
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password change required option for a user in the auth flow via passkey.
- [PX-5587] Live playback of WEB will be stuck in live after disconnecting by closing the carrier browser
- [PX-5589] User cannot log in with PrivX Agent if password includes a SPACE at start/end
- [PX-6209] Attribute mapping for OIDC does not work if the idtoken source attribute name is not all lowercase
- [PX-6464] Secret-manager crashes if database doesn't have a valid TLS certificate
- [PX-6490] PrivX RDP session screen corrupts in Windows 2008 via Chrome and Edge browsers
- [PX-6636] Web-target vCenter keystrokes do not work properly in BIOS/GRUB menu
- [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error
- [PX-7524] Host search sort does not work
Important API Changes
Workflow-engine endpoints now support the optional smtp_authentication_mode field, which defines how PrivX authenticates to the SMTP server used for sending workflow-related email notifications.
smtp_authentication_mode is supported by the following endpoints:
- POST /workflow-engine/api/v1/testsmtp
- POST /workflow-engine/api/v1/workflows
- PUT /workflow-engine/api/v1/settings
- PUT /workflow-engine/api/v1/workflows
The possible values for smtp_authentication_mode are:
- "NO-AUTH"
- "PLAIN"
- "LOGIN"
- "XOAUTH2"
- "CRAM-MD5"
- "SCRAM-SHA-1"
- "SCRAM-SHA-1-PLUS"
- "SCRAM-SHA-256"
- "SCRAM-SHA-256-PLUS"
When smtp_authentication_mode is undefined, it defaults to "PLAIN".
38.1
2025-06-16
38.1 is an incremental release focusing on performance and stability fixes.
38.0
2025-02-27
38.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 38.x, 37.x, and 36.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 35.x, 36.x, 37.x
- Zero-downtime upgrade: 37.x
Important Notes for This Release
PrivX LTS (long-term support) is available
PrivX 36 LTS is available. We are committed to providing 2-year support for each PrivX LTS release. Please do not upgrade to PrivX 38 if you have chosen the LTS path.
Changes to sshexec and exec router control commands
Network-access manager now sends an extra {session parameters} argument to the control commands of sshexec routers and exec routers.
- For sshexec routers, Network-access manager now executes the fixed commands:
    /opt/privx/privx-router/sshexec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/sshexec/del {network parameters} {router parameters} {session parameters} [{static config}]
- For exec routers, Network-access manager now executes the fixed commands:
    /opt/privx/privx-router/exec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/exec/del {network parameters} {router parameters} {session parameters} [{static config}]
The {session parameters} argument contains the session parameters in JSON format, for example:
    {
      "session_id": "f5d747f6-af79-412b-4471-b6f5043c90ce",
      "target_id": "07bee1e7-7061-4a90-4831-f501bcbc778e",
      "target_name": "ot-sshexec-target"
    }
This change may break existing sshexec/exec routers that can't accommodate the extra argument. Such scripts/binaries will need to be changed to support the additional argument.
For more information about sshexec/exec routers, see PrivX Router Configuration.
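The v39 note above (Changes to sshexec and exec router control commands (since v38)) and this v38 note describe the same argument change; as an added example that is not PrivX code, the following POSIX shell handler accepts the new positional layout, reports the old layout as an error, and reads the session identifiers out of the JSON argument. The fixed script path, the add/del action names and the flat session object are taken from the notes; the parsing, the log line and the sample network/router values are constructed assumptions.

```shell
#!/bin/sh
# Added example (not PrivX code): a minimal sshexec/exec router control handler
# for the v38+ argument layout
#   {network parameters} {router parameters} {session parameters} [{static config}]
# Before v38 there was no third positional argument, so a script that read "$3"
# as its optional static config now receives the session JSON instead.
# Assumptions: the session object is flat JSON with string values (as in the
# release-note example) and the action is taken from the script name (add/del).

# json_field JSON KEY: print the string value of a top-level key ("" if absent).
json_field() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# router_ctl ACTION NETWORK ROUTER SESSION [STATIC]
# Validates the argument layout and prints one audit-friendly line on stdout.
# Exit codes: 0 ok, 1 session object malformed, 2 wrong number of arguments.
router_ctl() {
  action="$1"
  shift
  if [ "$#" -lt 3 ] || [ "$#" -gt 4 ]; then
    echo "$action: expected {network} {router} {session} [{static config}], got $# argument(s)" >&2
    return 2
  fi
  # "$1" (network parameters) and "$2" (router parameters) are unchanged from
  # earlier versions; a real router would act on them here.
  session="$3"
  static="${4:-}"

  session_id=$(json_field "$session" session_id)
  target_id=$(json_field "$session" target_id)
  target_name=$(json_field "$session" target_name)

  # A caller still using the pre-v38 layout (static config as the third
  # argument) shows up here as a third argument without session_id/target_id.
  if [ -z "$session_id" ] || [ -z "$target_id" ]; then
    echo "$action: third argument is not a session-parameters object: $session" >&2
    return 1
  fi

  if [ -n "$static" ]; then has_static=yes; else has_static=no; fi
  printf '%s session=%s target=%s name=%s static_config=%s\n' \
    "$action" "$session_id" "$target_id" "$target_name" "$has_static"
}

# Dispatch only when installed as .../sshexec/add or .../sshexec/del, which is
# the fixed path network-access-manager executes.
case "${0##*/}" in
  add|del) router_ctl "${0##*/}" "$@" ;;
esac
```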
PrivX GUI Supports WCAG Level AA
PrivX GUI has been verified to support Web Content Accessibility Guidelines (WCAG) at level AA, which ensures content accessibility for a wider audience, including operators with disabilities. For more information, see the PrivX Accessibility Conformance Report.
Retaining SID extensions in RDP-certificate authentication
In PrivX 36, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases in customer environments break because of missing or mismatching SID values. From PrivX 37 and later, PrivX supports a setting that controls whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep your existing RDP-certificate defaults, you need to perform additional configuration. You can do this either before or after the upgrade:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
- Gain root terminal access to any PrivX Server and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
    [AUTHORIZER.ca_settings]
    rdp_x509_include_sid = true
- Apply the new settings with:
    sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configurations are done.
- After upgrade, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates. Save your changes.
RDP-certificate authentication should function normally again.
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35, 36, 37, or 38 if your PrivX deployment uses PostgreSQL version 10 or earlier. For successful upgrade, your PrivX Database must run on PostgreSQL 11 or later.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
Increased upgrade duration
Upgrading to this version from PrivX 35 or older may take somewhat longer, especially in environments with many hosts and principals. The information for connections (disconnected prior to the upgrade) under the Monitoring page might not appear for some time (proportionally longer based on the amount of data).
Deprecation Warnings
Pure whitespace names disallowed
From version 37 onward, PrivX no longer allows creating items whose names consist purely of spaces. You will also be unable to update such items until their names are changed to contain at least one visible character.
agent-proxy Deprecation imminent
The agent-proxy functionality will be removed in PrivX versions 39 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux by June 2025. See Migrate from EOL Operating Systems for how to move to a supported OS.
PostgreSQL 11.x Support Ended
PostgreSQL 11.x reached end of life in November 2023, and official support for it ends with this release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-7013] Support for Oracle Cloud as a Host Directory.
- [PX-7275] Notify all approvers upon role request status change.
- [PX-7077] Support ML-KEM-based PQC algorithms.
- [PX-7103] Logout user from PrivX Web UI after being inactive.
- [PX-7276] Admin can set Justification field mandatory in workflow settings.
- [PX-7296] Support uploading Extender RPMs via the PrivX GUI.
- [PX-7355] network-access-manager: allow admin to add static config data to network targets.
  - NOTE: This feature introduces changes that may break existing sshexec and exec routers, see Changes to sshexec and exec router control commands under Important Notes for This Release.
Bug Fixes
- [PX-7182] RDP Proxy cert login fails to recover after crash showing "No valid certificates were found on this smart card"
- [PX-7186] Role details page might take too long to load if HSM keys are being generated
- [PX-7243] RDP session login screen resizes incorrectly when heading is configured for the host
- [PX-7245] SSH-Proxy not logging ConnectionFailed audit events
- [PX-7249] Target domains: an (Ignored=False) filter returns ignored scanned accounts
- [PX-7251] Target domains: scanned accounts with a false "Managed" status
- [PX-7257] OIDC users with Administrator permissions cannot see Administration > Workflows pages.
- [PX-7263] UI banner for user license related grace period is not shown
- [PX-7268] Active Directory OIDC login fails if external_id is mapped using one-to-many attribute mapping in PrivX directory settings.
- [PX-7277] Password rotation certificate validation fails with matching access-group certificate if the target host's certificate has a different DNS name than the password rotation address or the target's real certificate
- [PX-7285] settings.toml has invalid data_version
- [PX-7291] Workflow-engine is unresponsive when receiving too many role requests per workflow
- [PX-7336] Carrier container listens to too many network interfaces
- [PX-7353] network-access-manager: disabled network targets are listed as accessible network targets
- [PX-7354] Error Dialog Window stuck unless page is refreshed
- [PX-7371] Carrier and Web-Proxy Version number missing from status page
- [PX-7372] Background migration of connections_old table may get stuck during upgrade from PrivX 35 or 36 to 37.
- [PX-7374] DB Proxy connection in connections table might have zero timestamp if connection failed early
- [PX-7383] Possible race condition in audit event partitions might cause monitor-service to crash when restoring PrivX from backups
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
        # scp -i key.pem principals_command.sh user@target:/tmp/
        # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3655] remoteApp cannot be restored after it's minimized
- [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting a large amount of text in Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4778] RDP-PROXY: file under scanning cannot be overwritten
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password change required option for a user in the auth flow via passkey.
- [PX-5587] Live playback of WEB will be stuck in live after disconnecting by closing the carrier browser
- [PX-5589] User cannot log in with PrivX Agent if password includes a SPACE at start/end
- [PX-6209] Attribute mapping for OIDC does not work if the idtoken source attribute name is not all lowercase
- [PX-6464] Secret-manager crashes if database doesn't have a valid TLS certificate
- [PX-6490] PrivX RDP session screen corrupts in Windows 2008 via Chrome and Edge browsers
- [PX-6636] Web-target vCenter keystrokes do not work properly in BIOS/GRUB menu
- [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error
- [PX-7524] Host search sort does not work
Important API Changes
v38 ships with Go SDK v2, which introduces numerous enhancements that standardize API behavior across all services, simplify API calls, and streamline query-parameter handling. Go SDK v2 introduces changes that are not backwards-compatible: integrations built on v1 may need to be adapted to work correctly with v2.
You can continue using the v1 SDK. However, no further updates are provided for v1. The final PrivX version fully supporting SDK v1 is PrivX 37. While we will address critical bugs or significant API changes that may affect v1, all new features and improvements will only be available in SDK v2.
We strongly encourage users to adopt SDK v2 to take advantage of new features and enhancements.
37.1
2025-03-06
37.1 is an incremental release focusing on performance and stability fixes.
37.0
2024-11-27
37.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 37.x, 36.x, and 35.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 34.x, 35.x, 36.x
- Zero-downtime upgrade: 36.x
Important Notes for This Release
PrivX LTS (long-term support) is coming soon
We are planning to release the PrivX LTS version soon. We are committed to providing 2-year support for each PrivX LTS release. The first LTS version will be based on PrivX 36, so please do not upgrade to PrivX 37 if you choose the LTS path.
Read more: PrivX LTS (long-term support) Introduction
Retaining SID extensions in RDP-certificate authentication
In PrivX 36, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases in customer environments break because of missing or mismatching SID values. In PrivX 37, PrivX supports a setting that controls whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep your existing RDP-certificate defaults, you need to perform additional configuration. You can do this either before or after the upgrade to 37:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
- Gain root terminal access to any PrivX Server and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
    [AUTHORIZER.ca_settings]
    rdp_x509_include_sid = true
- Apply the new settings with:
    sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configurations are done.
- After upgrade to 37, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates. Save your changes.
RDP-certificate authentication should function normally again.
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35, 36, or 37 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
Increased upgrade duration
Upgrading to this version from PrivX 35 or older may take somewhat longer, especially in environments with many hosts and principals. The information for connections (disconnected prior to the upgrade) under the Monitoring page might not appear for some time (proportionally longer based on the amount of data).
Deprecation Warnings
New Go SDK to replace old version
This will be the final major release of Go SDK V1.
Starting with the upcoming Version 2.38.0, the SDK will introduce significant changes, including breaking backward compatibility.
We will continue to provide critical bug fixes for Version 1, but there will be no new features or support for PrivX versions later than 37 in that version.
Pure whitespace names disallowed
From version 37 onward, PrivX no longer allows creating items whose names consist purely of spaces. You will also be unable to update such items until their names are changed to contain at least one visible character.
agent-proxy Deprecation Imminent
The agent-proxy functionality shall be removed in PrivX versions 38 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux by June 2025. See Migrate from EOL Operating Systems for how to move to a supported OS.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in November 2023, and official support for it will end in a future release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-3390] - Allow updating Extenders via the PrivX GUI
- [PX-4467] - Support CipherTrust Manager as HSM Provider
- [PX-6617] - Carrier browser configuration under target-hosts' Services configuration
- [PX-6684] - Rotating Extender, db-proxy, Web-Proxy CA certificates via the PrivX GUI
- [PX-6977] - UI: target domain account and managed account support search
- [PX-7124] - Configurable "Scrollback Length" for SSH web client
- [PX-7032] - role-store: OIDC/SCIM attribute mapping supports windows_sid
- [PX-7040] - Configurable idle timeout for Carrier web connections
Improvements
- [PX-3172] - New Audit Rate Limiting setting for reducing duplicate audit events.
  - Applies to Host-modified, RoleContext-usage-alert, and Directory-authentication-failed audit events.
- [PX-3405] - Deploy script support for Oracle Linux
- [PX-6428] - privx.conf is no longer overridden by each upgrade.
- [PX-6873] - Target domains for host accounts can be configured via tags or deploy script
- [PX-7089] - You can no longer create target domains with duplicate names.
  - On upgrade to this version, target domains with duplicate names will be automatically renamed, e.g. from "td_name" to "td_name (1)".
- [PX-7012] - Refactored role-store node cache sync mechanism
- [PX-7036] - Clearer message when restarting PrivX via the web UI and the number of active connections is unknown
- [PX-7042] - Allow host management without target-domain permissions.
- [PX-7059] - Host accounts: a deleted target domain is now shown as (deleted) instead of an empty line.
- [PX-7070] - Migrate PrivX docs to Doctave v2
- [PX-7192] - A setting to control including SID extension in RDP X.509 certificates
Bug Fixes
- [PX-6531] - Logout expired session not working properly
- [PX-6930] - It's possible to revoke a role directly after the role is already revoked with an approved request
- [PX-6989] - It's possible to save space characters' names in several places in PrivX
- [PX-7027] - Misfired audit event on .toml config changes in HA environment
- [PX-7028] - Carrier does not list all the running containers
- [PX-7064] - rdp-mitm connection fails occasionally due to /tmp folder permission error
- [PX-7066] - Target domain disabled scanning affects managed accounts' rotation
- [PX-7074] - If carrier browser is changed in host config, user reload should launch a new browser container
- [PX-7076] - Browser container launch fails or takes a very long time
- [PX-7089] - Target domain names are not uniquely constrained
- [PX-7098] - deploy script inconsistent behaviour
- [PX-7110] - Deployment via extender fails with Python 3.12
- [PX-7116] - RDP-Proxy: all pending dialogs should be closed when disconnected
- [PX-7117] - Extender uptime is calculated incorrectly
- [PX-7121] - When using PrivX as OIDC provider, OIDC client config does not get synced between nodes
- [PX-7156] - PrivX workflows don't show the maximum time access can be requested for.
- [PX-7164] - Create managed account UI toggle has opposite meaning of functionality
- [PX-7194] - Users can only request role revocation for other users if they have the same role themselves
- [PX-7280] - Old audit events are prematurely housekept on upgrade
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
        # scp -i key.pem principals_command.sh user@target:/tmp/
        # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting a large amount of text in Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password change required option for a user in the auth flow via passkey.
- [PX-6209] Attribute mapping for OIDC does not work if the idtoken source attribute name is not all lowercase
- [PX-6464] Secret-manager crashes if database doesn't have a valid TLS certificate
- [PX-7106] VMWare uuid detection by deploy script does not match VMWare API uuid on host scan
- [PX-7277] Password rotation certificate validation fails in some cases
36.3.LTS.3
2025-07-14
36.3.LTS.3 is an incremental release focusing on stability and performance improvements.
New Features
- [PX-7819] Host-key algorithms are now configurable via ssh-algorithms.toml
  - Specify which host-key algorithms are sent by the client and in which order. Can be specified separately per target host(s).
  - You can revert to the default host-key algorithm order using nosort. This can be useful if upgrading to 36.0 or later has caused some hosts in your environment to prompt users to accept a new host key. With nosort, PrivX won't prioritize those host-key algorithms for which a key has been saved in PrivX.
    For example, to revert to the old (v35.x and earlier) host-key algorithm behavior, specify the following in ssh-algorithms.toml on all your PrivX Servers:
        hostkeys = [
          "*:nosort"
        ]
    As another example, to revert host-key algorithm behavior for some hosts only:
        hostkeys = [
          "cidr(192.0.2.100):nosort",
          "cidr(192.0.2.101):nosort"
        ]
    Then, restart your PrivX Servers to apply the changes.
    For more information about host-key configuration syntax, see /opt/privx/etc/ssh-algorithms.toml.
36.3.LTS.2
2025-04-07
36.3.LTS.2 is an incremental release focusing on stability and performance improvements.
Bug Fixes
- [PX-7594] Directory scan fails to update host running status if the host is configured with command restrictions.
36.3.LTS.1
2025-01-22
36.3.LTS.1 is the first version of the PrivX 36 LTS releases. We aim to provide two years of support for PrivX 36 LTS releases. During the supported period, we'll provide security and major bug fixes for the releases.
Read more: PrivX LTS introduction
When you run an LTS version, the PrivX GUI will continue to show the "new version available" notification. To disable the notification, set ssh_product_versions_check_interval = 0 in /opt/privx/etc/shared-config.toml and restart PrivX. Repeat this step on all PrivX nodes.
This version supports the following operating systems:
- Red Hat Enterprise Linux 8.x, 9.2 or later 9.x
- Rocky Linux 8.4 or later 8.x, 9.2 or later 9.x
Bug Fixes
- [PX-7263] No banner message displayed in UI when user counts exceeds the license limit.
36.2
2024-12-10
36.2 is an incremental release with stability fixes. You can upgrade from 36.2 to the upcoming LTS version (whereas you cannot from 37.0).
Important Notes for this Release
v36.2 Retaining SID extensions in RDP-certificate authentication
In PrivX 36.0 and 36.1, RDP certificates issued by PrivX for authentication contain the SID extension by default. This interrupted some legacy use cases in some customer environments because of missing or mismatching SID values. PrivX 36.2 adds a setting to control whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep the previous default behavior (SID extension included in RDP certificates), you need to perform additional configuration. You can do this either before or after upgrading to 36.2:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
- Gain root terminal access to any PrivX Server, and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
    [AUTHORIZER.ca_settings]
    rdp_x509_include_sid = true
- Apply the new settings with:
    sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configuration is done.
- After upgrading to 36.2, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates.
Save your changes. RDP-certificate authentication should function normally again.
Bug Fixes
- [PX-7121] auth: OIDC provider client config does not get synced between nodes
- [PX-7192] A setting to control including SID extension in RDP X.509 certificates
- [PX-7263] UI banner for user license related grace period is not shown
- [PX-7265] Custom attribute mapping for AD only works in lowercase
- [PX-7280] Old audit events are prematurely housekept on upgrade
36.1.1
2024-10-11
This minor release fixes Carrier browser images (firefox, firefox_lite). The upgrade involves downloading the new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Firefox Lite container image on PrivX Carrier 36.1:
docker pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1.1
docker tag public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1.1 public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1
36.1
2024-09-30
36.1 is an incremental release with stability fixes.
Bug Fixes
- [PX-7064] RDP-Bastion connections fail occasionally due to a /tmp folder permission error.
36.0
2024-09-02
36.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 36.x, 35.x, and 34.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 33.x, 34.x, 35.x
- Zero-downtime upgrade: 35.x
Important Notes for This Release
UEBA-Server upgrade required
If you are using UEBA Server from PrivX version 35 or earlier, you must upgrade the UEBA Server as follows:
- Before PrivX upgrade, disable UEBA Server.
- After PrivX upgrade, download and run the UEBA-Server install script. Doing this upgrades and restarts UEBA services.
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35 or 36 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
API Endpoint GET /role-store/api/v1/roles Breaking Changes
Starting from PrivX version 36, the API endpoint GET /role-store/api/v1/roles uses a default limit=50 and enforces a maximum allowed limit=1000.
Due to these changes, API clients can no longer rely on fetching all roles with one API call. API clients are required to make multiple API calls with an explicit limit and increasing offset until all roles, as indicated by the API response's count property, have been fetched.
Increased upgrade duration
Upgrading to this version may take somewhat longer, especially in environments with many hosts and principals.
Deprecation Warnings
Pure whitespace names will be disallowed in PrivX 37
PrivX 36 and earlier allowed item names consisting of one or more spaces. Such names will be disallowed in PrivX 37 and later. We recommend you check your environment and rename any such items to names containing actual characters.
Pure whitespace names were allowed in:
- Hosts
- Network Targets
- Directories
- Workflows
- Cloud Log Collectors
- External Token Providers
- Identity Provider Clients
- Target Domains
From PrivX 37 onward, items named with spaces only will continue to function. However, you will be unable to edit and save such items unless their names are also changed to something valid.
agent-proxy Deprecation Imminent
The agent-proxy functionality shall be removed in PrivX versions 38 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
CentOS/RHEL 7 support Ended
CentOS 7 and RHEL 7 are no longer supported as PrivX platforms. If you are running PrivX on CentOS 7 or RHEL 7, see Migrate from EOL Operating Systems.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux by June, 2025. See Migrate from EOL Operating Systems to migrate to a supported OS.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in a future release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default, PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools; treat this as a temporary measure while the affected certificates are reissued, since the override will stop working when support is dropped.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-6698] - Windows RDP certificate authentication support in Full-Enforcement domains
- [PX-6886] - Allow user to copy text in disconnected ssh-proxy sessions
- [PX-6922] - Windows local account password rotation supports hosts behind PrivX Extenders
- [PX-6940] - Domain password login supports Tectia server
Improvements
- [PX-5797] - PrivX no longer needs precompiled Python; the upgrade will remove the /opt/py folder.
- [PX-6880] - Clearer error messages at AD account login failure.
- [PX-6923] - RDP connections over Extender are more latency resistant.
- [PX-6972] - Upgraded UEBA dependencies with new images
- [PX-6745] - pkcs11vault: support splitting AES/GCM inputs in chunks for AWS CloudHSM
Bug Fixes
- [PX-6863] - OU field in access group CA certificate should be less than 64 chars
- [PX-6889] - Disabled target domain causes false scanning errors
- [PX-6902] - PrivX may mistake saved ssh target host keys as new keys
- [PX-6909] - Removed accounts in target domain should not be convertible to a managed account.
- [PX-6916] - Logconf collectors endpoint logs are too spammy.
- [PX-6929] - Incorrect error logs when target domain is deleted
- [PX-6931] - secrets-manager events are not sent to cloud log collectors
- [PX-6938] - "Add Passkey" button is shown to user who doesn't have permission to see it.
- [PX-6939] - User with privx-admin role only cannot add passkey.
- [PX-6946] - Directory user with TOTP MFA enabled can't login into PrivX in restricted mode
- [PX-6947] - Managed account status in a domain is sometimes incorrect
- [PX-6950] - Saving expired certificate for access group should not be allowed.
- [PX-6957] - In target domain, account sorting on some columns malfunctions
- [PX-6962] - Directory one-to-many custom attribute mapping does not work
- [PX-6968] - Script templates with empty names shouldn't be allowed to save
- [PX-6985] - Role request rejection from one approver does not finalize the rejection.
- [PX-6988] - Workflow created via API without specifying max_active_requests does not work
- [PX-6999] - connection_permissions table is not cleaned up when connections are removed
- [PX-7025] - Scanned accounts status may be incorrect when multiple target domains point to the same AD endpoint
- [PX-7033] - Unable to add or modify hosts via UI with host-manage and host-view permissions
- [PX-7066] - Target domain disabled scanning affects managed accounts' rotation
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode; needs support for the /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaves folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password-change-required option for users in the passkey auth flow.
- [PX-6809] Local-account password rotation does not support Windows Server behind PrivX Extenders.
- [PX-6989] It's possible to save names consisting only of space characters in several places in PrivX
- [PX-7120] When PrivX is configured as OIDC Provider, OIDC client token refresh does not work
Notable API Changes
Secrets Manager API
- New optional string property domain_name has been added to the target domain object. This property specifies the Windows domain name when using the legacy username format (DOMAIN\USER) instead of the UPN format in the host account configuration.
- New optional property sam_account_name has been added to the managed account object. This property is a prerequisite for using the legacy username format with this managed account.
- New boolean property disable_rdp_cert_auth has been added to the managed account object. This property disables RDP certificate authentication for this target domain user, causing RDP login to fall back to password authentication.
Local User Store API
- New optional object array property attributes has been added to the local user object. PrivX uses these attributes for role mapping and host principal username selection in the same way AD user attributes are used.
  - NOTE: Local user attributes can be modified with the users-manage API permission. As a consequence, an admin user with the users-manage API permission is able to influence which roles are implicitly mapped for local users. This affects only those roles that have mapping rules targeting users in the local user directory; for such roles, users-manage effectively grants control over role membership.
35.4
2024-12-10
35.4 is an incremental release focusing on stability fixes.
Upgrading to this version may cause audit-event housekeeping to prematurely remove audit events. See PX-7280 under Known Issues
If you are planning to upgrade to the upcoming LTS version (based on PrivX 36), we recommend you upgrade to 36.2 for now. Alternatively, you may upgrade to the latest v37.0, where PX-7280 has been resolved as well.
35.3.1
2024-10-11
This minor release fixes Carrier browser images (firefox, firefox_lite). The upgrade involves downloading the new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Firefox Lite container image on PrivX Carrier 35.3:
docker pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:35.3.1
docker tag public.ecr.aws/sshprivx/privx_browser_firefox_lite:35.3.1 public.ecr.aws/sshprivx/privx_browser_firefox_lite:35.3
35.3
2024-09-30
35.3 is an incremental release focusing on stability fixes.
35.2
2024-08-09
35.2 is an incremental release focusing on stability fixes.
35.1
2024-08-06
35.1 is an incremental release focusing on stability fixes.
Bug Fixes
- [PX-6946] Directory user with TOTP MFA enabled can't login into PrivX in restricted mode during zero-downtime upgrade
- [PX-6985] Role request rejection from one approver does not finalize the rejection.
- [PX-6988] Workflow created via API without specifying max_active_requests does not work
35.0
2024-06-25
35.0 is a major release with new features such as password management for Active Directory and Entra domains, and Carrier support for Podman.
After this release, we provide security and stability fixes for PrivX 35.x, 34.x, and 33.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 32.x, 33.x, 34.x
- Zero-downtime upgrade: 34.x
Important Notes for This Release
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
Increased upgrade duration
Upgrading to this version may take somewhat longer, especially in environments with many hosts and principals.
Deprecation Warnings
CentOS/RHEL 7 support Ending
CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in a future release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default, PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools; treat this as a temporary measure while the affected certificates are reissued, since the override will stop working when support is dropped.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
API Endpoint GET /role-store/api/v1/roles Breaking Changes
Starting from PrivX version 36, the API endpoint GET /role-store/api/v1/roles uses a default limit=50 and enforces a maximum allowed limit=1000.
Due to these changes, API clients can no longer rely on fetching all roles with one API call. API clients are required to make multiple API calls with an explicit limit and increasing offset until all roles, as indicated by the API response's count property, have been fetched.
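The 36.0 and 35.0 notes above describe the same change to GET /role-store/api/v1/roles. The following is an added example client loop written for these notes, not code from PrivX or its SDKs: it pages with an explicit limit (capped at the new maximum of 1000) and an increasing offset until the response's count is reached, and it stops on an empty page so a count that shrinks mid-walk cannot loop forever. Two details are assumptions, since the notes do not state them: that the roles are returned in an "items" array, and that the API is called with an OAuth bearer token. An offline fake of the endpoint is included so the loop can be exercised without a PrivX instance.

```python
"""Fetch every role from GET /role-store/api/v1/roles under the PrivX 36 paging
rules: default limit 50, hard maximum 1000, total reported in "count".

Added example for these release notes, not PrivX or PrivX SDK code.
Assumptions (not stated in the notes): roles arrive in an "items" array and
the endpoint is called with a bearer token."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

ROLES_ENDPOINT = "/role-store/api/v1/roles"
DEFAULT_LIMIT = 50    # applied by PrivX 36 when the client sends no limit
MAX_LIMIT = 1000      # largest limit PrivX 36 allows

# A page fetcher takes (offset, limit) and returns the decoded JSON body.
PageFetcher = Callable[[int, int], Dict]


def fetch_all_roles(fetch_page: PageFetcher, limit: int = MAX_LIMIT) -> List[Dict]:
    """Walk the paged endpoint until "count" roles have been collected.

    Two stop conditions guard against an endless loop when "count" is larger
    than what the server really returns (roles deleted mid-walk): the
    collected total reaching "count", or an empty page.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    roles: List[Dict] = []
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        items = page.get("items", [])   # assumption: result array is "items"
        roles.extend(items)
        if not items or len(roles) >= page["count"]:
            return roles
        offset += len(items)


def http_fetcher(base_url: str, bearer_token: str) -> PageFetcher:
    """Real transport: GET {base_url}/role-store/api/v1/roles?limit=..&offset=.."""
    def fetch_page(offset: int, limit: int) -> Dict:
        query = urllib.parse.urlencode({"limit": limit, "offset": offset})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}{ROLES_ENDPOINT}?{query}",
            headers={"Authorization": f"Bearer {bearer_token}"},  # assumption
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def fake_fetcher(total: int) -> PageFetcher:
    """Offline stand-in that mimics the PrivX 36 paging rules over a constructed
    role list and records every (offset, limit) it was asked for."""
    store = [{"id": f"role-{i:04d}", "name": f"role {i}"} for i in range(total)]
    calls: List[tuple] = []

    def fetch_page(offset: int, limit: int) -> Dict:
        limit = min(limit, MAX_LIMIT) if limit else DEFAULT_LIMIT
        calls.append((offset, limit))
        return {"count": total, "items": store[offset:offset + limit]}

    fetch_page.calls = calls  # type: ignore[attr-defined]
    return fetch_page


if __name__ == "__main__":
    server = fake_fetcher(2345)
    print(len(fetch_all_roles(server)), "roles in", len(server.calls), "calls")
    # A pre-36 client issuing one unparameterised GET now sees only the first
    # 50 roles and no error, which is why the notes call this a breaking change.
    first_page = server(0, 0)
    print(len(first_page["items"]), "of", first_page["count"], "with no limit")
```

Audit any client that consumed the roles list for access decisions (for example a reconciliation job that revokes roles absent from the response): after the change, such a client silently truncates at 50 roles unless it pages.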
New Features
- [PX-6004] Password rotation for domain accounts
- Automatically rotate domain-account passwords according to custom password policies
- Allow PrivX users to access domain accounts without knowing the password
- Mechanisms for checking out domain-account passwords can be enabled where necessary.
- [PX-5494] PrivX Carrier supports Podman containerization
- Instead of Docker as root, you can run Carrier on Podman with an unprivileged account.
- [PX-3439] Allow defining SSH host key via host tags
- [PX-6797] Bookmark contexts are permission aware
Improvements
- [PX-6772] Remove "serialize-ops" HSM feature from CloudHSM
- [PX-6759] Contextual information written to SSH and RDP bastion logs to help error investigation
- [PX-6532] Kerberos key and config files dropped from backup scripts
- [PX-6347] Performance enhancement with MS Graph user directory
- [PX-6740] Connection tags are made case-sensitive
- [PX-6842] Upgrade script kills only the nginx process bound to port 443
Bug Fixes
- [PX-6314] Duplicate components sometimes appear in monitoring status page
- [PX-6651] Disabling UEBA causes errors in log
- [PX-6654] connection-manager: SQL query to connection_tags does not always return the correct count
- [PX-6712] Timestamp properties are not properly validated
- [PX-6747] role-store fails to return an error while persisting user info
- [PX-6750] Customised backup directory name not accepted in restore.sh
- [PX-6776] "Configuration-error 1" event not created when certificate about to expire
- [PX-6779] Japanese keyboard half-width/full-width keys are not linked
- Pass Japanese IME keys through RDP keyboard events according to the Windows docs for layout keys such as Zenkaku, Hankaku, Convert, NonConvert. Specific to the interaction between the English 102 and the Japanese 106/109 keyboard layouts.
- [PX-6811] User is not prompted for password when MaxAuthTries configured on ssh target host is reached
- [PX-6838] Carrier browser does not fullscreen when it does not have public internet access
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode; needs support for the /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaves folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password-change-required option for users in the passkey auth flow.
- [PX-6809] Local-account password rotation does not support Windows Server behind PrivX Extenders
- [PX-6893] Target Domain account password login may fail against Windows OpenSSH servers
- [PX-6940] Target domain account login to Windows Tectia server does not work
- [PX-7033] Unable to add or modify hosts with only the Hosts-view and Host-manage permissions
  - Workaround: Also grant the target-domains-view permission to users who need to add hosts, then retry adding/modifying hosts.
- [PX-7039] monitor-service fatal error if PrivX was inactive for over a month.
  - Note: This will be fixed in PrivX 36 and later.
- [PX-7280] Old audit events are prematurely housekept on upgrade, which can result in loss of audit events. This will be fixed in 35.4, 36.2 and 37.0.
Notable API Changes
- New optional property target_domain has been added to the host principal object used in the host-store hosts API endpoints.
- Password policy object in the secrets-manager API has changed:
  - Allowed value range for property rotation_interval has changed: new minimum value is PT1H, new maximum value is PT8640H
  - Allowed value range for property retry_interval has changed: new minimum value is PT10S, new maximum value is PT1H
  - New required property max_concurrent_checkouts has been added: minimum value is 1, maximum value is 100
  - New required property max_checkout_duration has been added: minimum value is PT30S, maximum value is PT8H
  - New boolean property rotate_on_release has been added, default value is false
  - New boolean property verify_after_rotation has been added, default value is false
  - Property delete_version_after has been removed; secrets-manager will ignore it in POST/PUT requests
  - Property fallback_to_previous has been removed; secrets-manager will ignore it in POST/PUT requests
- New endpoints have been added to the Authorizer API under the /authorizer/api/v1/secrets path
- New endpoints have been added to the Secrets-manager API under the /secrets-manager/api/v1/targetdomains path
- New API permissions target-domains-view and target-domains-manage have been added
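Because secrets-manager silently ignores the removed properties and rejects out-of-range values, a client that still sends a pre-35 password policy can fail a PUT or, worse, keep a stale checkout policy without noticing. The following added example (written for these notes, not PrivX code) validates a password-policy object against the PrivX 35 limits listed above before it is sent. The property names, ranges and defaults are taken from the list; the ISO 8601 duration parser, the problem messages and the two sample policies are constructed for the example.

```python
"""Client-side pre-check of a secrets-manager password-policy object against
the PrivX 35 value ranges, so a bad POST/PUT is caught locally.

Added example for these release notes, not PrivX code. Property names and
limits come from the API change list; the duration parser and the sample
policies are constructed here."""
import re
from datetime import timedelta
from typing import Dict, List

# Durations in the notes use the ISO 8601 "PnDTnHnMnS" form (PT1H, PT8640H, ...).
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

DURATION_RANGES = {                 # property: (minimum, maximum)
    "rotation_interval": ("PT1H", "PT8640H"),
    "retry_interval": ("PT10S", "PT1H"),
    "max_checkout_duration": ("PT30S", "PT8H"),
}
INT_RANGES = {"max_concurrent_checkouts": (1, 100)}
REQUIRED = ("max_checkout_duration", "max_concurrent_checkouts")
BOOL_DEFAULTS = {"rotate_on_release": False, "verify_after_rotation": False}
REMOVED = ("delete_version_after", "fallback_to_previous")


def parse_duration(value: str) -> timedelta:
    """Parse 'PT8640H', 'PT30S', 'P7D', ... into a timedelta."""
    match = _DURATION_RE.match(value)
    if match is None:
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    fields = {k: int(v) for k, v in match.groupdict().items() if v is not None}
    if not fields:  # bare "P" or "PT" carries no quantity
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    return timedelta(**fields)


def check_password_policy(policy: Dict) -> List[str]:
    """Return a list of problems; empty means the object passes the PrivX 35
    range checks (this says nothing about other server-side validation)."""
    problems: List[str] = []
    for name in REQUIRED:
        if name not in policy:
            problems.append(f"{name}: required property is missing")
    for name, (lo, hi) in DURATION_RANGES.items():
        if name not in policy:
            continue
        try:
            value = parse_duration(policy[name])
        except (TypeError, ValueError) as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not parse_duration(lo) <= value <= parse_duration(hi):
            problems.append(f"{name}: {policy[name]} is outside {lo}..{hi}")
    for name, (lo, hi) in INT_RANGES.items():
        if name in policy:
            value = policy[name]
            # bool is an int subclass in Python; reject True/False explicitly
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                problems.append(f"{name}: {value!r} is outside {lo}..{hi}")
    for name in BOOL_DEFAULTS:
        if name in policy and not isinstance(policy[name], bool):
            problems.append(f"{name}: expected true/false, got {policy[name]!r}")
    for name in REMOVED:
        if name in policy:
            problems.append(f"{name}: removed in PrivX 35, secrets-manager ignores it")
    return problems


def with_defaults(policy: Dict) -> Dict:
    """Copy of the policy with the PrivX 35 boolean defaults filled in."""
    return {**BOOL_DEFAULTS, **policy}


# Constructed sample objects for the checks below.
SAMPLE_OK = {
    "rotation_interval": "PT720H",      # 30 days
    "retry_interval": "PT5M",
    "max_concurrent_checkouts": 5,
    "max_checkout_duration": "PT2H",
    "rotate_on_release": True,
}
SAMPLE_BAD = {
    "rotation_interval": "PT30M",       # below the PT1H minimum
    "retry_interval": "PT2H",           # above the PT1H maximum
    "max_concurrent_checkouts": 0,      # below the minimum of 1
    "delete_version_after": "P7D",      # removed property, silently ignored
    # max_checkout_duration is missing, but required since PrivX 35
}

if __name__ == "__main__":
    for label, sample in ("ok", SAMPLE_OK), ("bad", SAMPLE_BAD):
        print(label, check_password_policy(sample) or "passes")
```

Run the check in the automation that creates or updates policies, and review any policy that previously relied on delete_version_after or fallback_to_previous, since those fields now have no effect.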
34.3.1
2024-10-11
This minor release fixes Carrier browser images (firefox, firefox_lite). The upgrade involves downloading the new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Firefox Lite container image on PrivX Carrier 34.3:
docker pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3.1
docker tag public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3.1 public.ecr.aws/sshprivx/privx_browser_firefox_lite:34.3
34.3
2024-09-30
34.3 is an incremental release focusing on stability fixes.
34.2
2024-08-06
PrivX 34.2 is an incremental release focusing on stability fixes.
Bug Fixes
- [PX-6946] Directory user with TOTP MFA enabled can't login into PrivX in restricted mode during zero-downtime upgrade
- [PX-6985] Role request rejection from one approver does not finalize the rejection.
- [PX-6988] Workflow created via API without specifying max_active_requests does not work
- [PX-6811] ssh: bookkeeping of tried authentication methods is broken
34.1
2024-04-26
PrivX 34.1 is an incremental release with security and bug fixes.
- [PX-6790] Session recording for native RDP client connections does not work
- [PX-6801] Configuring routing prefix for HA Carriers results in a duplicated name error
- [PX-6813] Connection search timeout
34.0
2024-04-08
PrivX 34.0 is a maintenance release focusing primarily on stability improvements.
Important Notes for This Release
Issues in RDP native-client connections! (2024-04-17)
We identified a major bug in PrivX 34.0 that affects native RDP client connections. If you use RDP native-client connectivity, we recommend against upgrading to this version. We are working on a point release to fix this issue.
For more detailed information about the issue, please contact SSH support.
RDP connections via the PrivX GUI work as intended.
Upgrade to 34 Only Supported from 32.x and later
Upgrade to this version is only supported from versions 32.x and later! To upgrade from previous versions such as 31.x, you must upgrade to 32.x first, before you can upgrade to 34.
Supported upgrade paths to this release are:
- Upgrade with downtime: 32.x, 33.x
- Zero-downtime upgrade: 33.x
For more information about upgrading from older versions, see Upgrade from Older Releases.
After this release, we provide security and stability fixes for PrivX 34.x, 33.x, and 32.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Deprecation Warnings
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in future releases.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default, PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools; treat this as a temporary measure while the affected certificates are reissued, since the override will stop working when support is dropped.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
CentOS/RHEL 7 support Ending
CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.
New Features
- [PX-6201] Support Universal SSH Key Manager as a host directory
Improvements
- [PX-6609] Support Microsoft Graph custom attributes
- [PX-6584] Role store API support pagination
- [PX-6674] Configurable timeout values for PrivX Web Proxy
- [PX-6580] PrivX UI: improved instruction on PrivX Authorizer (mobile app) pairing
- [PX-6444] New sub-admin permissions: mobilegw-view and mobilegw-manage
- [PX-6578] Improved connection-manager error responses
- [PX-6682] Connection and event search default time range set to one week
- [PX-6198] Redis is no longer supported for notifications
- [PX-6597] Enforce a minimum value of 2 minutes for access_token_valid, refresh_token_valid, session_valid and authorize_token_valid in oauth-shared-config.toml
- [PX-6204] Allow setting maximum TLS version for RDP connections
Bug fixes
- [PX-6647] Search SSH trail in maintenance mode causes page reload
- [PX-6606] Windows line endings break offline license
- [PX-6677] Non-admin users should be able to see service status of Auxiliary Instances
- [PX-6621] Setting equal port min and port max in Extender service may crash the service
- [PX-6616] license-manager: changing statistics collection opt-in in PrivX UI does not reflect to all HA nodes before license refresh
- [PX-6620] Connection trail and metadata removal end time keeps on changing
- [PX-6695] "Allow modified url params" in web host does not allow credentials being filled properly
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode; needs support for the /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
  - Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16 kB for now)
- [PX-4689] PrivX Linux Agent leaves folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support the password-change-required option for users in the passkey auth flow.
- [PX-6669] Kerberos login does not work if LDAP user does not have sAMAccountName
33.1
2024-03-27
PrivX 33.1 is an incremental release with security and bug fixes.
33.0
2024-02-15
Important Notes for This Release
Upgrade to 33 Only Supported from 32.x
Upgrade to this version is supported from the previous major release 32.x only! To upgrade from previous versions such as 31.x or 30.x, you must upgrade to 32.2 first, before you can upgrade to 33.
For more information about upgrading from older versions, see Upgrade from Older Releases.
After this release, we provide security and stability fixes for PrivX 33.x, 32.x, and 31.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
PrivX Documentation Moved to New Documentation Platform
The move is transparent for users. You may access the latest version of PrivX docs as usual at https://privx.docs.ssh.com
If you need to access older documentation versions, specify the version in the URL. For example, PrivX 29 at https://privx.docs.ssh.com/v29
privx-cmd and PrivX-Agent support for old platforms ended
privx-cmd and agents from this release may not support old platforms:
- Windows 7, 8, Server 2008 and Server 2012.
- macOS versions 10.14 and older.
If you use agents or privx-cmd for enabling native-client connections, ensure that the users' OS is updated.
Deprecation Warnings
Redis Support Ending
Redis support will be ended in a future release. We recommend you change to PostgreSQL for PrivX microservice notifications. Please Change Notification Mechanism to PostgreSQL if your PrivX still uses Redis for notifications.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default, PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools; treat this as a temporary measure while the affected certificates are reissued, since the override will stop working when support is dropped.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
CentOS/RHEL 7 support Ending
CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.
New Features
- [PX-5699] Zero downtime upgrade in high-availability setup.
- Allow users to log in and connect to hosts during upgrade.
- Supports upgrade from previous major version.
- [PX-6167] Change logging level without restarting microservices.
- [PX-6455] Contextual information written to logs to help error investigation.
- [PX-4896] Restrict role requests to target users only.
Improvements
- [PX-6503] Implement optional support for the "Set-Cookie" header in the Python SDK
- [PX-6586] Show number of active connections in PrivX restart dialog
- [PX-6427] "Pair New Device" button is not shown under Account page if PrivX is not registered to mobile gateway
- [PX-6013] New design of PrivX landing UI
- [PX-6473] Entra ID (Azure AD) user directory support for additional and custom attributes
- [PX-6424] PrivX install supports PostgreSQL 15 and 16
- [PX-6502] Content-Type header added to PrivX SDK requests
- [PX-6369] The role list no longer displays member counts automatically for performance reasons. Accurate role member counts are now shown on the role details page.
- [PX-6364] Trail integrity check improvements
- [PX-6627] Loading a larger number of secrets is faster
- [PX-6577] Statistics collection job waits to start until previous job is completed
- [PX-6565] GET /users{id}/resolve to return user object and user's roles
Bug fixes
- [PX-6610] Issuing certificates fails when there is an expired access group CA certificate
- [PX-6576] Navibar autohide does not work in Firefox Carrier browser
- [PX-6566] Incorrect help texts on deployment page
- [PX-6515] Upgrade on Kubernetes doesn't clean up PrivX CA Key
- [PX-6482] Setting user directory TTL to 0 or below 0 behaves incorrectly
- [PX-6481] Web container (firefox) allows installing extensions
- [PX-6458] PrivX RPM upgrade backs up incorrect version of config file
- [PX-6417] Editing a Microsoft Graph user directory may result in multiple synchronization tasks running concurrently
- [PX-6387] workflow-engine sends more queries to role-store than needed
- [PX-6348] Stopping PrivX directory sync does not work properly
- [PX-6343] MS Graph directory logs are too verbose
- [PX-6334] Numerous concurrent logins using the same user account result in a high number of slow database insert operations
- [PX-6211] AWS roles page is sometimes showing the same role multiple times
- [PX-6184] "User-authentication-failed" error should only be logged when login failed in the end.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
32.2
2024-01-10
32.2 is an incremental release to address the Terrapin vulnerability. The fix includes the following changes:
- PrivX SSH Proxy and SSH Bastion enable the OpenSSH strict KEX protocol extension when the target server and client express support for it during the initial KEX exchange.
- The chacha20-poly1305@openssh.com algorithm is removed from the sets of default sshtarget and sshclient ciphers.
- The hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com algorithms are removed from the sets of default sshtarget and sshclient macs.
It is possible to revert to using the vulnerable algorithm combinations by editing the /opt/privx/etc/ssh-algorithms.toml file. This is not recommended unless you are certain that all target servers and clients that PrivX communicates with support the OpenSSH strict KEX protocol extension.
32.1.1
2023-12-05
This minor release fixes Carrier browser images (chromium, chromium_lite). Upgrade involves downloading new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Chromium container image on PrivX Carrier 32.1:
docker pull public.ecr.aws/sshprivx/privx_browser_chromium:32.1.1
docker tag public.ecr.aws/sshprivx/privx_browser_chromium:32.1.1 public.ecr.aws/sshprivx/privx_browser_chromium:32.1
32.1
2023-12-01
32.1 is an incremental release that fixes some performance and stability issues found in 32.0.
Bug Fixes
- [PX-6334] User login timestamp is updated more often than necessary
- [PX-6364] Trail integrity housekeeping improvement
- [PX-6387] workflow-engine spams rolestore
- [PX-6464] panic in secrets-manager
32.0
2023-11-23
Important Notes for This Release
Update to API Roles Parameters
The Role-Store API has been updated for managing user roles in the /role-store/api/v1/users{user_id}/roles endpoint, affecting both GET and PUT requests. The method for defining validity periods for time-limited roles has changed. Previously, these periods were set using grant_start and grant_end attributes in the root object. Now, they are specified within the grant_validity_periods array, which supports multiple time ranges.
See API specifications.
The monitor-service instance status endpoint at /monitor-service/api/v1/instance/status, used for load balancer status checks, no longer returns a JSON body for unauthenticated requests. The status codes (200 for OK, 500 for instance down) remain the same and should be used for LB health checks.
PostgreSQL 9.x and 10.x Support Ended
PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and official support for these database versions ends with this release. To upgrade the PrivX database, see Upgrade PrivX Database to Supported Version.
Preserve Custom Browsers when Updating Carrier Configuration
If you use a custom-browser image and upgrade Carriers and their configurations, ensure that your custom-browser image is specified in the Carrier configuration carrier-config.toml. The name of the custom-browser image must be specified in the default setting under the [web_browsers] section.
Rocky Linux/RHEL 9 official support added and CentOS/RHEL 7 support Ending
CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.
Deprecation Warnings
Redis Support Ending
Redis support will end in a future release. We recommend you switch to PostgreSQL for PrivX microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
privx-cmd and PrivX-Agent support for old platforms ending
privx-cmd and agents released in PrivX v33 and later may not support old platforms:
- Windows 7, 8, Server 2008 and Server 2012.
- MacOS versions 10.14 and older.
If you use agents or privx-cmd for enabling native-client connections, ensure that the users' OS is updated.
Supported releases and upgrade path
After this release, we provide security and stability fixes for PrivX 32.x, 31.x, and 30.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (31.x, 30.x, 29.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New Features
- [PX-2314] VMWare vSphere as a supported host directory.
- [PX-3940] Session-Password Authentication, which allows OIDC login for native RDP/DB connections.
- [PX-4299] Support for granting multiple validity periods for the same user role via workflows. Note that such requests must be requested and approved one at a time.
- [PX-5418] Multi-Factor Authentication with PrivX Authorizer, a mobile app developed by us.
- [PX-6142] Dark mode GUI support.
- [PX-6174] Exporting List Data to CSV or JSON.
- [PX-6176] Options to omit clipboard and/or file transfers from session recordings.
- [PX-6273] Initiate connections to target host straight from the host configuration page. Useful for testing connections.
- [PX-5215] UI shows file upload status on terminal view
- [PX-5778] UDP protocol support for network targets through Extender
- [PX-6165] Option to configure web service specific browser version for Carrier connections
Improvements
- [PX-5630] Password rotation: automatic selection of the target operating system
- [PX-6088] ssh-algorithms.toml: prefer aes256 over aes128 ciphers.
- The diffie-hellman-group1-sha1 SSH kex algorithm was dropped from the default algorithms. It can be re-enabled in ssh-algorithms.toml.
- [PX-6247] Increase the max file transfer size limit for web connections
- [PX-6251] web-proxy: allow server responses to take longer than 60 seconds to complete
- [PX-6389] UI pagination loading improvement
- [PX-6208] AWS directory does not stop scanning other regions if one region fails. Added region filter feature for cloud host directories.
Bug fixes
- [PX-5763] Error code for missing workflow step name is incorrect
- [PX-6086] Fixed Carrier Chromium browser startup issue
- [PX-6153] PrivX Web-Proxy in HA doesn't do the failover.
- [PX-6158] PrivX Carrier browsers - dial down the policies to allow viewing HTTPS certificate for web site
- [PX-6173] Renaming role does not work correctly
- [PX-6175] SSH Proxy crash issue fixed
- [PX-6177] OIDC userinfo endpoint does not obey TLS trust anchors file in shared-config
- [PX-6178] File upload cookies are not expired when the upload request happens.
- [PX-6187] Incorrect error shown in logs when deleting key on HSM environment
- [PX-6224] Using role name with space causes issues with Chrome container
- [PX-6235] Problem with alt key capturing in web session.
- [PX-6254] Disabling urlbar and navibar doesn't work for Carrier Chromium
- [PX-6284] RDP-PROXY connectivity broken for legacy ciphers TLS 1.2 and TLS 1.1/TLS 1.0.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
31.3
2024-03-27
PrivX 31.3 is an incremental release with security and bug fixes.
31.2
2024-01-10
PrivX 31.2 is an incremental release to address the Terrapin vulnerability. The fix includes the following changes:
- PrivX SSH Proxy and SSH Bastion enable the OpenSSH strict KEX protocol extension when the target server and client express support for it during the initial KEX exchange.
- The chacha20-poly1305@openssh.com algorithm is removed from the sets of default sshtarget and sshclient ciphers.
- The hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com algorithms are removed from the sets of default sshtarget and sshclient macs.
It is possible to revert to using the vulnerable algorithm combinations by editing the /opt/privx/etc/ssh-algorithms.toml file. This is not recommended unless you are certain that all target servers and clients that PrivX communicates with support the OpenSSH strict KEX protocol extension.
31.1.1
2023-10-12
This minor release fixes Carrier browser images (chromium, chromium_lite, firefox, firefox_lite). Upgrade involves downloading new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Chromium container image on PrivX Carrier 31.1:
docker pull public.ecr.aws/sshprivx/privx_browser_chromium:31.1.1
docker tag public.ecr.aws/sshprivx/privx_browser_chromium:31.1.1 public.ecr.aws/sshprivx/privx_browser_chromium:31.1
You don't need to restart PrivX Carrier after the commands.
31.1
2023-09-21
PrivX 31.1 is an incremental release on top of PrivX 31.0 with security and bug fixes:
- [PX-6244] Channel may get closed in ssh-mitm exec connections before the output is sent to client
31.0
2023-09-04
PrivX 31.0 is a maintenance release focused on technical enhancements.
Important Notes for This Release
Azure-Directory Migration to MS Graph
If you have set up Azure user/host directories using Azure AD Graph API, such directories will be automatically migrated to using MS Graph API when you upgrade to this release. After upgrade, you will still need to manually set the following API permissions for the PrivX app in Azure Portal:
Microsoft Graph→Application Permissions
- User.Read.All
- GroupMember.Read.All
Azure AD Graph API was deprecated in June 2023. <https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview>
For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.
Required actions to optimize PrivX performance
As part of our ongoing effort to optimize PrivX performance, we have introduced additional indexing support from PrivX 28. Some improvements require the pg_trgm extension to be installed in the PrivX database. For more information about enabling indexing, see Improve Performance with Indexing before upgrade.
Deprecation Warnings
Redis Support Ending
Redis support will end in a future release. We recommend you switch to PostgreSQL for PrivX microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications.
PostgreSQL 9.x and 10.x Support Ending
PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions shall be dropped in a future PrivX release. For more information about upgrading the PrivX database, see Upgrade PrivX Database to Supported Version.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
privx-cmd and PrivX agent support for old Windows versions ending
privx-cmd and agents released after Q3/2023 may not support Windows 7, 8, Server 2008 and Server 2012. If you use the native SSH client on Windows by connecting directly with privx-cmd, or the Windows version of the PrivX agent, please update your Windows.
Supported releases and upgrade path
After this release, we provide security and stability fixes for PrivX 31.x, 30.x, and 29.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (30.x, 29.x, 28.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New Features
- [PX-3504] PrivX Authorizer CA key rotation
- [PX-5179] Support tagging connections. You can do this via Monitoring→Connections.
Improvements
- [PX-4820] Show progress while fetching lots of users/hosts from directories
- [PX-5874] Support database certificates in Kubernetes
- [PX-5978] Deployment script supports "--offline" option
- [PX-5156] Carrier container follows user browser's timezone
- [PX-5925] Hosts in unusable statuses are filtered out from import
- [PX-6041] aes256-gcm@openssh.com is supported and added to ssh-algorithms.toml
- [PX-6047] In an active connection in web client, pressing Ctrl-w does not close connection abruptly
- [PX-6160] Support additional Graph API attributes for attribute mapping
- [PX-6143] Improved UX for multiple files uploading
- [PX-6129] web-proxy: domain pattern based certificate validation error suppression
- [PX-6132] web-proxy: proxy chaining support with http connect and SOCKS proxies
- [PX-6146] [PX-6105] web-proxy: internal enhancements to ssl bumped certificate generation
- [PX-6162] web-proxy: support legacy x.509 certificates
Bug fixes
- [PX-4411] RDP-PROXY: "Default access group not found" warning on manual connection for no reason
- [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- [PX-5076] Housekeeping task to delete inactive user data doesn't work with a lot of users
- [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
- [PX-5786] Empty trail folders left after housekeeping
- [PX-5875] Incorrect message when SSO session expired when login to PrivX UI
- [PX-5943] nginx default.conf in /etc/nginx/conf.d overrides privx.conf
- [PX-5968] Disclaimer popup and preview issues
- [PX-5979] Host tags are returned in random non-deterministic order
- [PX-6016] Missing end slash in connection url will cause web connection to fail
- [PX-6027] The UI suggests the wrong role mapping example when a Graph directory is selected
- [PX-6073] Deleting user directory does not clean up role mapping rules.
- [PX-6075] Typo in PrivX sshexec router README file
- [PX-6094] MFA tokens can be overwritten in cases of DB connectivity issues
- [PX-6136] Trails for active SSH connections may be corrupted when ssh-proxy is stopped
- [PX-6139] Health check status for web services is broken if the host has other services configured
- [PX-6185] Connection-manager search API with sortKey "id" returns BAD_REQUEST.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
- [PX-6261] Revoking default access group initial CA in HA env doesn't remove its key from all nodes
- Workaround 1: Leave the old CA key. Once a new key has been set as the primary CA key, the old one should not adversely affect PrivX functionality.
- Workaround 2: Revoke the old CA key from Administration->Access Groups, then run the following command on each PrivX Server:
/opt/privx/bin/keyvault-tool -name "PrivX CA Key" delete-asymmetric
Verify the key was deleted:
/opt/privx/bin/cert-tool -command list -type authorizer-ca -short | grep "OU=PrivX Authorizer CA/" | cut -f 4
The key was deleted successfully if the previous command outputs nothing. If the command returned a UUID, run the following command once on any PrivX Server (replace <cert_id> with the output of the previous command):
/opt/privx/bin/cert-tool -command delete -id <cert_id>
- [PX-6284] RDP-PROXY connectivity broken for legacy ciphers TLS 1.2 and TLS 1.1/TLS 1.0
30.3
2024-01-10
PrivX 30.3 is an incremental release to address the Terrapin vulnerability. The fix includes the following changes:
- PrivX SSH Proxy and SSH Bastion enable the OpenSSH strict KEX protocol extension when the target server and client express support for it during the initial KEX exchange.
- The chacha20-poly1305@openssh.com algorithm is removed from the sets of default sshtarget and sshclient ciphers.
- The hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com algorithms are removed from the sets of default sshtarget and sshclient macs.
It is possible to revert to using the vulnerable algorithm combinations by editing the /opt/privx/etc/ssh-algorithms.toml file. This is not recommended unless you are certain that all target servers and clients that PrivX communicates with support the OpenSSH strict KEX protocol extension.
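The Terrapin fix described for 32.2, 31.2 and 30.3 (the same change in each) rests on two decisions: strict KEX is only usable when both peers advertise it in their first KEXINIT, and the affected cipher and encrypt-then-MAC algorithms are left out of the default proposal unless an administrator deliberately re-adds them. The following Python sketch is an added example, not PrivX code; it assumes the OpenSSH marker names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com, uses constructed KEXINIT name-lists and default algorithm lists, and models the ssh-algorithms.toml override with an assumed allow_terrapin_affected flag.

```python
"""Strict-KEX negotiation check for the Terrapin mitigation.

Added example, not PrivX code. Models the two decisions from the release notes:
(1) the OpenSSH strict KEX extension engages only when both peers announce it in
their first KEXINIT, and (2) the Terrapin-affected cipher and MACs are dropped
from the default proposal unless explicitly re-enabled by the administrator.
"""
from dataclasses import dataclass
from typing import Optional

# Marker names from OpenSSH's PROTOCOL document (assumption: exact strings).
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # sent by clients
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # sent by servers

# Algorithms the release notes remove from the PrivX defaults.
TERRAPIN_AFFECTED_CIPHERS = frozenset({"chacha20-poly1305@openssh.com"})
TERRAPIN_AFFECTED_MACS = frozenset({"hmac-sha2-512-etm@openssh.com",
                                    "hmac-sha2-256-etm@openssh.com"})

# Constructed pre-fix default proposals (affected algorithms still listed).
DEFAULT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                   "aes256-ctr", "aes128-ctr"]
DEFAULT_MACS = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                "hmac-sha2-512", "hmac-sha2-256"]


def parse_name_list(raw: str) -> list[str]:
    """Parse an SSH name-list (RFC 4251 s.5): comma-separated names, no blanks."""
    return [name for name in raw.split(",") if name]


@dataclass
class Kexinit:
    """The subset of a KEXINIT message this example needs."""
    kex: list[str]
    ciphers: list[str]
    macs: list[str]

    @classmethod
    def from_name_lists(cls, kex: str, ciphers: str, macs: str) -> "Kexinit":
        return cls(parse_name_list(kex), parse_name_list(ciphers), parse_name_list(macs))


def strict_kex_available(client: Kexinit, server: Kexinit) -> bool:
    """Strict KEX engages only if the client sent kex-strict-c AND the server sent
    kex-strict-s in their first KEXINIT; a marker on one side alone is ignored."""
    return STRICT_KEX_CLIENT in client.kex and STRICT_KEX_SERVER in server.kex


def hardened_proposal(ciphers: list[str], macs: list[str],
                      allow_terrapin_affected: bool = False) -> tuple[list[str], list[str]]:
    """Cipher/MAC lists to offer. Affected algorithms are dropped by default;
    allow_terrapin_affected (assumed flag) models re-adding them in ssh-algorithms.toml."""
    if allow_terrapin_affected:
        return list(ciphers), list(macs)
    return ([c for c in ciphers if c not in TERRAPIN_AFFECTED_CIPHERS],
            [m for m in macs if m not in TERRAPIN_AFFECTED_MACS])


def choose_first_match(client_pref: list[str], server_pref: list[str]) -> Optional[str]:
    """RFC 4253 s.7.1: pick the first name on the client's list that the server also
    supports; None means the negotiation fails."""
    server_set = set(server_pref)
    return next((name for name in client_pref if name in server_set), None)


def negotiate(client: Kexinit, server: Kexinit,
              allow_terrapin_affected: bool = False) -> dict:
    """Combine both checks: decide strict KEX and select cipher/MAC from the hardened lists."""
    ciphers, macs = hardened_proposal(server.ciphers, server.macs, allow_terrapin_affected)
    return {
        "strict_kex": strict_kex_available(client, server),
        "cipher": choose_first_match(client.ciphers, ciphers),
        "mac": choose_first_match(client.macs, macs),
    }


if __name__ == "__main__":
    # Constructed KEXINIT name-lists: a modern client talking to a strict-KEX capable server.
    client = Kexinit.from_name_lists(
        "curve25519-sha256,kex-strict-c-v00@openssh.com",
        "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr",
        "hmac-sha2-256-etm@openssh.com,hmac-sha2-256")
    server = Kexinit(kex=["curve25519-sha256", STRICT_KEX_SERVER],
                     ciphers=list(DEFAULT_CIPHERS), macs=list(DEFAULT_MACS))
    print(negotiate(client, server))
```

With the hardened defaults the client's first choices (chacha20-poly1305 and an etm MAC) are skipped in favour of aes256-gcm@openssh.com and hmac-sha2-256; passing allow_terrapin_affected=True reproduces the pre-fix selection, which is why the notes advise against editing ssh-algorithms.toml unless every peer supports strict KEX.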
30.2.1
2023-10-12
This minor release fixes Carrier browser images (chromium, chromium_lite, firefox, firefox_lite). Upgrade involves downloading new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Chromium container image on PrivX Carrier 30.2:
docker pull public.ecr.aws/sshprivx/privx_browser_chromium:30.2.1
docker tag public.ecr.aws/sshprivx/privx_browser_chromium:30.2.1 public.ecr.aws/sshprivx/privx_browser_chromium:30.2
You don't need to restart PrivX Carrier after the command.
30.2
2023-09-21
PrivX 30.2 is an incremental release on top of PrivX 30.1 with security and bug fixes:
- [PX-6244] Channel may get closed in ssh-mitm exec connections before the output is sent to client
30.1
2023-07-13
PrivX 30.1 is an incremental release on top of PrivX 30.0. This release contains a few important bug fixes:
- [PX-6087] rdp-proxy can crash with a runtime error
- [PX-6085] a role-store crash with a fatal error is observed.
- [PX-6076] privx-carrier status update causes slow memory leak
30.0
2023-07-03
Important Notes for This Release
Azure-Directory Migration to MS Graph
If you have set up Azure user/host directories using Azure AD Graph API, such directories will be automatically migrated to using MS Graph API when you upgrade to this release. After upgrade, you will still need to manually set the following API permissions for the PrivX app in Azure Portal:
Microsoft Graph→Application Permissions
- User.Read.All
- GroupMember.Read.All
Azure AD Graph API shall be deprecated in June 2023.
For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.
Required actions to optimize PrivX performance
As part of our ongoing effort to optimize PrivX performance, we have introduced additional indexing support from PrivX 28. Some improvements require the pg_trgm extension to be installed in the PrivX database. Please read Improve Performance with Indexing before upgrade.
Deprecation Warnings
Redis Support Ending
We recommend you use PostgreSQL for PrivX inter-microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications. Redis support will end in a future release.
PostgreSQL 9.x and 10.x Support Ending
PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions will be dropped in a future PrivX release. If you are running an old database version with PrivX, please Upgrade PrivX Database to Supported Version.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
privx-cmd and PrivX agent support for old Windows versions ending
privx-cmd and agents released after Q3/2023 may not support Windows 7, 8, Server 2008 and Server 2012. If you use the native SSH client on Windows by connecting directly with privx-cmd, or the Windows version of the PrivX agent, please update your Windows.
Supported releases and upgrade path
After this release, we provide security and stability fixes for PrivX 30.x, 29.x, and 28.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (29.x, 28.x, 27.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New Features
- [PX-4465] Accessing database through PrivX
- [PX-5163] PrivX OIDC SSO to web target via Web Carrier
- [PX-5889] Chromium browser in Web Carrier supports password manager
- [PX-3971] PrivX license model based on users and api clients
Improvements
- [PX-5553] Allow listing all connections associated with one login session
- [PX-5880] Troubleshooting script collects additional information
- [PX-5996] Trail timestamp obfuscation is now configurable
- [PX-5205] Send audit event before user's authorized key is going to expire
- [PX-5928] Optimized audit event removal during housekeeping
Bug fixes
- [PX-4436] Error in log when deleting user without secret
- [PX-4794] Service status shows green even when there's no connection to connection manager
- [PX-5232] Bad error message for duplicate authorized keys when using privx-cmd
- [PX-5575] Monitoring status page components disappear too soon after disconnect
- [PX-5760] RDP Proxy fails to start on some environments
- [PX-5798] Typing becomes slower while mouse is hovering over clickable link in web client
- [PX-5881] Secret search filters return secrets that shouldn't be returned
- [PX-5932] Passkey doesn't work with Graph directory users
- [PX-5949] rdp-mitm fails when setting "Allow Role IP Restrictions" to false
- [PX-5976] Using '!' character in web url breaks the url
- [PX-5980] Target account in AD Protected Groups does not work for RDP connection
- [PX-6025] API returns wrong result when searching by user tag
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4215] Successful OIDC login might generate an auth code that is too long as a query parameter, which causes access-token fetching to fail (there is a workaround in the Nginx config since PrivX 27.0)
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
- [PX-6061] Web target configured with Directory account type shows unix username to user but the username is not in use