Release Notes for This Release
42.0
2025-12-04
PrivX 42.0 is a major release that adds many new features, such as REST-API access management, an improved Extender v2, and Proxmox VE support.
After this release, we provide security and stability fixes for PrivX 42.x, 41.x, and 40.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 39.x, 40.x, 41.x.
- Zero-downtime upgrade: 41.x.
The latest PrivX LTS version is v36, which can be obtained here.
Important Notes for This Release
Kubernetes 1.23 required from PrivX v42
Kubernetes deployments of PrivX 42 and later require Kubernetes version 1.23 or later.
Direct upgrade won't work from v36 and earlier
Direct upgrade to v42 from v36 and earlier is known to break. To upgrade from such versions you will first need to:
- Upgrade to a PrivX version v37 - v41.
- Wait until migrations are completed: the following command on PrivX Servers should return no lines:
zdu bgm list --unfinished
After that you can upgrade to v42.
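The upgrade rules above expressed as a pre-upgrade gate. This is an added example, not part of the release notes or of PrivX tooling. The function name, the decision words, blocking on any unfinished migration regardless of source version, and treating v37/v38 as not listed (they are absent from the supported upgrade paths above) are assumptions.

```shell
#!/bin/sh
# Added example: pre-upgrade gate for PrivX 42 built from these release notes.
# Usage on a PrivX Server (the version argument is supplied by the operator):
#   upgrade_gate "41.2" "$(zdu bgm list --unfinished)"
# Prints one decision word; returns 0 only when the upgrade may proceed.
upgrade_gate() {
    version=$1      # currently installed PrivX version, e.g. "40.1"
    unfinished=$2   # captured output of: zdu bgm list --unfinished
    major=${version%%.*}
    case $major in
        ''|*[!0-9]*) echo "invalid-version"; return 2 ;;
    esac

    # v36 and earlier: direct upgrade to v42 is known to break.
    if [ "$major" -le 36 ]; then
        echo "upgrade-to-37-41-first"; return 1
    fi
    # Any non-blank line means a background migration has not finished.
    if printf '%s\n' "$unfinished" | grep -q '[^[:space:]]'; then
        echo "wait-for-migrations"; return 1
    fi
    # Assumption: only the paths listed in these notes count as supported.
    case $major in
        41)    echo "ok-zero-downtime-or-downtime"; return 0 ;;
        39|40) echo "ok-downtime-only"; return 0 ;;
        37|38) echo "not-a-listed-upgrade-path"; return 1 ;;
        *)     echo "already-42-or-later"; return 1 ;;
    esac
}
```

In a maintenance runbook, call the gate on every PrivX Server and proceed only when each call returns 0.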
License required for FIPS mode (since v41)
From v41 onward, PrivX requires a license to enable FIPS mode. If you are running PrivX v40 in FIPS mode, ensure that your license allows FIPS before upgrading to v41 or later.
New PrivX documentation website (since v41)
We have renewed the look and feel of the PrivX documentation at https://privx.docs.ssh.com/. We have also improved the doc search, which should return more relevant results than the previous search.
v41 Extenders not backwards-compatible (since v41)
Due to an Extender protocol change, v41 PrivX Extenders can't be used with prior PrivX versions. However, older PrivX-Extender versions will still work with PrivX v41.
Deprecation Warnings
Bitnami Ingress Controller deprecated
The Bitnami public catalog has disabled new versions, and we have decided to move PrivX away from supporting Bitnami.
In PrivX 42 the example Kubernetes setups are described with an Nginx Ingress Controller. However, you may choose any Ingress Controller that satisfies the requirements described here.
privx-agent to be deprecated
Due to low usage and alternative features available in PrivX, we plan to drop privx-agents starting from a future PrivX release. These are initial plans and we are open to feedback regarding this matter.
New Features
- [PX-3887] RDP connection support for Windows RDS targets.
- [PX-3891] Control and provide role-based access to REST API targets, for example Kubernetes clusters.
- [PX-4596] Enable interactive authentication for public-key authentication against PrivX Bastion.
- Enabled per public key using the Enable Interactive Authentication option. When enabled, native-client connections using public-key authentication can now interact with host-key prompts.
- [PX-4673] Support for Proxmox VE as a Host Directory.
- [PX-5916] New PrivX Extender v2 supporting quantum-safe connections, multiple operation modes, and improved scalability.
- [PX-6636] VNC protocol support for web connections, which provides better keyboard support for HTML5-based web consoles (e.g., vCenter).
- [PX-7112] Host configuration supports multiple directory accounts.
- [PX-7837] Touchscreen support in PrivX web RDP client.
- [PX-8142] PrivX GUI now displays a warning about session expiry 15 minutes in advance.
Bug Fixes and Improvements
- [PX-7350] RDP MITM logs extra targets in device string
- [PX-7351] The /auth/api/v1/sessionstorage/sessions/search API reports zero value for token_expires property for PrivX SSO session, which should be skipped
- [PX-7938] UI improvement: workflow editing moved to its own page.
- [PX-7946] When logging in with PrivX SSO, session state token is missing AuthenticationMethod
- [PX-7950] Extender names >50 characters result in truncated OU in PrivX-issued certificate, causing Extender to re-request certificate
- [PX-7972] ssh-proxy connection to Cisco IOS-XR router fails to establish
- [PX-7978] Clipboard stops working in web connections
- [PX-7979] Missing indexes in role-store user tables
- [PX-8009] Too large btree index on hosts table
- [PX-8029] New option "Allow repeated registration" to Extender configuration. Applicable to Extender v1 only.
- [PX-8041] UI improvement: Various user credentials are organized in tabs.
- [PX-8061] Enabling "Kiosk Mode" breaks UI by hiding other options
- [PX-8063] PrivX OIDC login fails when it encounters unsupported elliptic curve algorithm
- [PX-8072] Fixed several broken download links in the UI, for example the Extender download link.
- [PX-8073] Extender disk space warning suppresses extender remote upgrade status
- [PX-8081] Carrier connection fails to launch because of UID/GID conflict
- [PX-8155] Auxiliary components duplicated on status page
- [PX-8170] Broken user caching
- [PX-8187] privx-cmd http connect request is missing host header, causing some firewalls to drop non-compliant packets
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct SELinux context, copy the principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3655] remoteApp cannot be restored after it's minimized
- [PX-3887] RDP connection to Remote Desktop Server(RDS) Farm is not supported.
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4778] RDP-PROXY: file under scanning can not be overwritten
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
- [PX-5587] Live playback of WEB will be stuck in live after disconnecting by closing the carrier browser
- [PX-5589] User cannot login with PrivX Agent if password includes a SPACE at start/end
- [PX-6209] Attribute mapping for OIDC does not work, if idtoken source attribute name is not all lowercase
- [PX-6464] Secret-manager crash if database doesn't have valid TLS certificate
- [PX-6490] PrivX RDP session screen corrupts in Windows 2008 via Chrome and Edge browsers
- [PX-6636] Web-target vCenter key strokes are not working properly in BIOS/GRUB menu
- [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error
- [PX-7771] Certificates→Manage shows empty page for Authorizer certificates.
- [PX-8185] Extender v2 in HA setup does not support load balancing to node with least connections.
Notable API Changes
Support for the new Extender v2 introduces some new fields to some of the existing endpoints:
- GET /authorizer/api/v1/extender/conf/{trusted_client_id}/{session_id} has a new query parameter called version. It determines which Extender configuration to download. version defaults to v1 when undefined, and should not break any existing automation scripts.
- POST endpoint /local-user-store/api/v1/trusted-clients. A new field extender_mode is now required when creating a trusted client type of EXTENDER. Additionally, the following new fields are available for EXTENDER type clients:
- extender_ssh_address
- extender_ssh_port
- extender_public_key
RDS-target support introduces some new fields to some of the existing endpoints:
- Host services (RDP service) now have additional fields for RDS information (for RDP, if applicable)
- License data contains a field for the RDS farm feature.
The RDS-related API changes aren't expected to break any existing automation scripts.