Copyright © 2018 SSH Communications Security Corporation


This page summarizes the changes between releases of the PrivX software. To learn more about the product, visit ssh.com.

Supported Operating Systems

  • Red Hat Enterprise Linux, version 7.4 or later, with PostgreSQL version 9.2
  • CentOS, version 7.4 or later, with PostgreSQL version 9.2

For more information, please check the pre-requisites in the PrivX Administrator Manual.

Installation

Install PrivX from the SSH product repository. For more detailed setup instructions, refer to the PrivX Administrator Manual.

Upgrade compatibility to the latest release

(tick) Upgrade supported from PrivX version 2.3 onwards.

(error) Re-installation required if you are running older PrivX releases.




(tick) v4.0

2018-11-01

New features

  • Session recording and playback. Read more about it from the Administrator Manual.
    • PrivX can record SSH and RDP sessions. Administrators can later replay these recordings for auditing purposes.
    • Trails are encrypted by PrivX.
    • Encrypted trail data should be saved on an external NFS share configured by PrivX Administrators.
  • View global audit events from Monitor→Events.
  • Enable Single Sign-On to PrivX using your preferred OpenID Connect provider, such as Okta, AWS Cognito and UbiSecure.
  • Connect to target hosts in your virtual private cloud (VPC) using the PrivX Extender component, available as a separate download. For detailed instructions, please check the Administrator Manual.
    • Note: PrivX Extender support for HA deployments will be added in future releases.
  • As an administrator, grant or revoke users' role memberships immediately without approval workflows.

Upgrade notes

For any PrivX deployments using Azure host directories prior to this release, you must delete and re-add the Azure directory to PrivX after upgrade.

Improvements

  • [PX-1036] Performance optimization for the web-UI-based SSH Terminal, especially on IE 11
  • [PX-1038] Better support for LDAP directories
    • PrivX works with directory servers that do not allow searching by entryDN.
    • LDAP directory type now supports mixed case usernames.
    • Note: If your LDAP directory uses non-default attributes, ensure that they are set correctly in PrivX. If you use AD, please set the directory type to be AD and not LDAP.
  • [PX-858] Support for multiple PostgreSQL versions. PrivX is verified to work with versions 9.2, 9.3, 9.6 and 10.5.
  • [PX-930] Changes to services on cloud hosts tagged by services or principals are now reflected in PrivX.
  • [PX-602] You can now modify services and principals for manually-added hosts. Those added by scanning cannot be modified via the PrivX UI.
  • [PX-602] Host search is now optimized and fine-tuned to reduce false positives.
  • [PX-615] Hosts tab no longer displays hosts from disabled directories.
  • [PX-976], [PX-984] Better handling of host-store database by the migration tool during installation and upgrade.
  • [PX-550] Backup script now works on installations with non-default database name.
  • [PX-862] Search highlighter on/off toggle in PrivX UI now works as expected.
  • [PX-998] All PrivX micro-services now exit on the command 'service privx stop'.
  • [PX-970] Robust handling of PrivX license activation and refresh operations.
  • [PX-1020] Access token is periodically rechecked after a manual connection has been established.
  • [PX-1037] When host deployment fails, the deployment script now exits with an error.
  • [PX-1041] Fixed an issue in Edge browser where the first entered character after focusing in the SSH terminal is lost.
  • [PX-1053] Existing services are now kept when the directory setting has no contact address.
  • [PX-1070] Host update checks added to the login-as-self feature.
  • [PX-1066] Clipboard for RDP connections now works as expected on Firefox.

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded.
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work.
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection.
  • [PX-342] Once an offline-license request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted.
  • [PX-370] SSH options are not added to role-based public key.
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow.
  • [PX-789] When the database connection fails, status.html does not show the reason.
  • [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
    Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
  • [PX-1092] Due to a recent change in Firefox version 63 on handling text overflow (Bug 1484587), long text spills over table cell borders in PrivX UI.
  • [PX-1146] It is not possible to use the same attribute mapping source for multiple values.

(tick) v3.0

2018-09-18

New features

  • Get started easily on first use with a guided tutorial
  • Automatically scan tagged cloud hosts and add them to PrivX
  • Improved auto-discovery of Microsoft Azure hosts
  • View hosts accessible by a specific role from its context menu → List access option
  • View the current status of the configured hosts under Settings → Hosts
  • Sort files in the File Transfer view by Name, Permissions, Modified date or Size
  • Option to refresh the user or host directories from the respective context menus under Settings → Directories
  • Simplified UI for managing directories for users and hosts
  • PrivX user now sees a persistent message when an admin terminates the user's ongoing connection

Security updates

  • Randomize keyvault client ID and passphrase on installation and client passphrases on upgrade
  • Ensure that database certificates are both valid and issued by a trusted CA

Other fixes

  • [PX-114] - Accented characters not working for RDP.
  • [PX-297] - Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-549] - authorize token invalid after auth restart, prevents login
  • [PX-557] - Users list is sorted differently when refreshing page
  • [PX-596] - Trying to log in with a user which is valid on the AD but not known by role store errors out
  • [PX-631] - Restore script breaks upgrade path
  • [PX-650] - SSH proxy command line argument parsing broken
  • [PX-651] - SSH proxy does not allow connections without connection manager even if in standalone mode
  • [PX-665] - DELETE key not working in SSH terminal with IE11 Windows
  • [PX-677] - New User: Colons can be added to username even though it says they are not allowed
  • [PX-694] - PrivX reports max hosts exceeded error when unable to reach license server
  • [PX-699] - Disabling TTY for a user from sshd_config results in an error in PrivX SSH terminal
  • [PX-700] - Role query validation incorrectly accepts broken queries
  • [PX-729] - Role based access not working as instructed in the manual/UI
  • [PX-730] - RDP connection fails if the Windows target host auto-rotated host certificate
  • [PX-742] - TLS encrypted SMTP connection from PrivX does not work
  • [PX-746] - Pagination fails for monitor service
  • [PX-749] - Monitor service fails to fetch audit events
  • [PX-751] - Audit events search should Ignore keys
  • [PX-758] - postinstall.sh fails after offline installation of privx
  • [PX-760] - Check file download filename encoding in http header
  • [PX-762] - Userstore user fetch with limit fails
  • [PX-779] - SSH-Proxy: NewSshProxy() method returns error as "nil" when it cannot read the key
  • [PX-793] - keyvault: Get[As|S]ymmetricBy[Name|Owner] does not check for exact match
  • [PX-794] - Nil pointer dereference in rolestore crashes the service periodically
  • [PX-796] - backup/restore handles db server certificate incorrectly
  • [PX-801] - SSH connections disconnect after 60 seconds idle
  • [PX-803] - keyvault rest client does not return keyvault.NotFound errors
  • [PX-805] - Services panic if DB dies
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-814] - "Failed to import certificate to database" in postinstall output
  • [PX-815] - Field "key_name" is missing from Postgres certificates table
  • [PX-818] - Rolestore drops user directory refresh timers on create/edit
  • [PX-833] - Editing a single directory causes other cloud directories to scan hosts
  • [PX-839] - Restore script breaks pg_hba.conf
  • [PX-840] - Connection manager panics if channel is already closed
  • [PX-848] - Role members not listing all members (max 25)

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
  • [PX-370] SSH options are not added to role-based public key
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
  • [PX-615] Hosts page shows hosts from disabled directories
  • [PX-789] When the database connection fails, status.html does not show the reason
  • [PX-858] init_db.sh script does not support Postgres 9.3
  • [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
    Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
  • [PX-862] Search highlighter on/off in the PrivX help UI doesn't work



(tick) v2.4.1

2018-08-15


This is a security hotfix on the released version 2.4. It addresses a security vulnerability in the role-based access control functionality of the product.

To find out whether this vulnerability has been exploited in your environment, please download the script linked below and run it on the PrivX server as an admin:

# wget https://info.ssh.com/hubfs/ssh_public_assets/support/px708.py

# ./px708.py


Your environment is OK if you see the following message:

No evidence of signing with CA keys found.


Your environment has been compromised if you see the following message:

PrivX CA key has been used in a non-standard request. System integrity is at risk, please investigate further using events printed above.


If your environment has been compromised, replace the PrivX CA keys immediately according to instructions Rotating the PrivX CA Keys in the Online Administrator Manual.



(tick) v2.4

2018-07-04


New features

  • As an admin, view past and ongoing connections, and terminate ongoing connections
  • Directory users in PrivX can now be configured to authenticate using OpenID Connect
  • GPG-signed RPM repository available to install and upgrade to the latest PrivX software

Fixes

  • [PX-74] Improved SSH/RDP disconnect visual indication
  • [PX-507] Changed PrivX Certificate to PrivX CA key
  • [PX-513] Setup logs now include installation and PSQL error logs
  • [PX-588] Corrected count returned by host searches
  • [PX-612] Fixed an issue where workflows accepted invalid data for steps

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost.
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
  • [PX-535] Disabling multifactor authentication does not immediately prevent users from logging in using MFA
  • [PX-557] User entries on Users and Roles pages are not sorted correctly
  • [PX-625] END/HOME keys do not scroll to the end/start of the file in the SSH terminal GUI
  • [PX-627] Unable to type pipe on Edge browser in Windows 10 using the SSH terminal GUI



(tick) v2.3.1

2018-06-07


PrivX 2.3.1 patches a few issues related to Kerberos and LDAP authentication. Users running PrivX 2.3 should consider upgrading to this release under the following circumstances:

  • You use Kerberos authentication to access PrivX
  • You have had trouble with PrivX LDAP configuration.

Fixes

  • [PX-543] Kerberos now works for directory users with differing User Principal Name and sAMAccountName
  • [PX-551] Fixed an issue where some LDAP queries were not interpreted correctly
  • Fixed a memory leak that caused memory consumption to exceed recommended specs under expected loads



(tick) v2.3

2018-05-31


(warning) This update breaks upgrade compatibility. Please re-install PrivX if you are running an older version of the software.

New features

  • Support for login with personal accounts: You may now allow PrivX users to access their personal accounts. Access is granted in a role-based manner, without having to specify principals for individual target accounts.
  • Kerberos SSO support for PrivX login. Users with valid Kerberos tickets may now log into PrivX without having to specify their credentials again.
  • Support for scanning Azure hosts.

Fixes

  • [PX-195] File transfer is terminated gracefully when target disk runs out of space
  • [PX-292] Fixed an issue where roles were created without public keys
  • [PX-405] Resolved access requests can no longer be deleted
  • [PX-417] Corrected email behavior where multiple approvers have no email address
  • [PX-419] Users page now displays user principals instead of names
  • [PX-423] Default LDAPS port changed to 636
  • [PX-462] Fixed an issue where installing a new license always resulted in the host limit being exceeded
  • [PX-489] Regular local users can no longer change passwords for superuser accounts via the PrivX API
  • [PX-517] Parentheses in LDAP search filters are now handled correctly

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)



(error) v2.2

2018-04-24

PrivX shared configuration is not automatically preserved in upgrades from 2.0 or 2.1. You must manually back up and restore the shared configuration during upgrade from these versions.

To upgrade while preserving shared configurations, perform the following:

  1. Stop the PrivX service on all PrivX servers: # systemctl stop privxoam
  2. Back up the shared configuration to a safe location on all PrivX servers: # cp /opt/privx/etc/shared-config.toml /opt/privx/etc/shared-config.toml_old
  3. Install the new PrivX RPM on all PrivX servers: # yum install -y PrivX-OAM-*.rpm
  4. Restore the shared configuration on all PrivX servers: # cp /opt/privx/etc/shared-config.toml_old /opt/privx/etc/shared-config.toml
  5. Run the post-installation script on all PrivX servers: # /opt/privx/scripts/postinstall.sh
  6. If you are running a multiple-server deployment, migrate the database once: # /opt/privx/bin/migration-tool -migrate-services-only
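The six steps above can be driven by one script. The following is an added example and is not part of the PrivX release notes or the product's own tooling: it wraps the backup and restore of shared-config.toml in functions that record a SHA-256 checksum at backup time and refuse to restore unless the backup exists and still matches that checksum, so a partial or tampered copy cannot silently overwrite the live configuration. The PRIVX_ETC, PRIVX_RPM and MULTI_SERVER variables and the sha256sum-based check are assumptions; the systemctl, yum, postinstall.sh and migration-tool commands are the ones from the steps above and run only when the script is invoked with the argument `upgrade`, so the helpers can be exercised on a scratch directory without touching a real server.

```shell
#!/bin/sh
# Added example (not PrivX tooling): preserve /opt/privx/etc/shared-config.toml
# across a PrivX 2.0/2.1 -> 2.2 upgrade, following the six release-note steps.
# PRIVX_ETC, PRIVX_RPM and MULTI_SERVER are assumptions; override them via the environment.
set -eu

PRIVX_ETC="${PRIVX_ETC:-/opt/privx/etc}"
PRIVX_RPM="${PRIVX_RPM:-PrivX-OAM-*.rpm}"
MULTI_SERVER="${MULTI_SERVER:-no}"   # set to "yes" on exactly one node of a multi-server deployment

# Step 2: copy the shared config aside and record its checksum so that the
# restore step can prove the copy is intact before overwriting anything.
backup_shared_config() {
    src="$1/shared-config.toml"
    dst="$1/shared-config.toml_old"
    [ -f "$src" ] || { echo "no $src to back up" >&2; return 1; }
    cp -p "$src" "$dst"
    sha256sum "$dst" | cut -d' ' -f1 > "$dst.sha256"
}

# Step 4: restore only if the backup and its checksum file exist and still agree.
restore_shared_config() {
    src="$1/shared-config.toml_old"
    dst="$1/shared-config.toml"
    [ -f "$src" ] && [ -f "$src.sha256" ] || { echo "backup or checksum missing" >&2; return 1; }
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    expected=$(cat "$src.sha256")
    [ "$actual" = "$expected" ] || { echo "backup checksum mismatch, refusing to restore" >&2; return 1; }
    cp -p "$src" "$dst"
}

# Post-restore check: succeeds only when the live config is byte-identical to the backup.
shared_config_matches_backup() {
    cmp -s "$1/shared-config.toml" "$1/shared-config.toml_old"
}

# The full sequence from the release notes; every step aborts the script on failure (set -e).
upgrade() {
    systemctl stop privxoam                                  # step 1
    backup_shared_config "$PRIVX_ETC"                        # step 2
    yum install -y $PRIVX_RPM                                # step 3 (unquoted so the glob expands)
    restore_shared_config "$PRIVX_ETC"                       # step 4
    shared_config_matches_backup "$PRIVX_ETC"                # verify the restore actually took effect
    /opt/privx/scripts/postinstall.sh                        # step 5
    if [ "$MULTI_SERVER" = "yes" ]; then
        /opt/privx/bin/migration-tool -migrate-services-only # step 6, once per deployment
    fi
}

# Run the whole sequence only when explicitly asked: sh privx-upgrade.sh upgrade
if [ "${1:-}" = "upgrade" ]; then
    upgrade
fi
```

Run it as root on each PrivX server with the `upgrade` argument; on a multi-server deployment set MULTI_SERVER=yes on only one of them so the migration tool runs once, as step 6 requires. Sourcing the file without the argument defines the helpers only, which is how the backup and restore logic can be tried against a throwaway directory first.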

Other customizations to PrivX configurations are automatically preserved through the upgrade.

New features

  • Support for native clients for SSH on Linux & Mac
  • Software update notification in the admin UI when a new PrivX version is available for download
  • Passwordless RDP login with an ephemeral certificate
  • Users' connection history and settings persisted between browsers and computers
  • Font size selection to SSH terminal
  • Display enabled features against a license code in the UI
  • Support for offline license activation
  • Possibility to deactivate license

Fixes

  • [PX-89] Restore script does not restore deleted directories
  • [PX-103] Workflow not updated when role is removed
  • [PX-104] Workflow steps can be approved out of order
  • [PX-100] Editing copied text on clipboard deletes newlines
  • [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
  • [PX-192] Resizing RDP window too often stops the session from working
  • [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
  • [PX-248] Host count is not updated correctly in HA deployments
  • [PX-411] Auth: MFA step can be bypassed

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
  • [PX-388] After upgrade from 2.1 to 2.2 the TLS trust anchor on trusted clients page does not contain sha1/sha256 fingerprints



(error) v2.1

2018-03-19

New features

  • PrivX now manages license subscriptions online
    • New licenses are automatically installed to your PrivX deployment after you update your subscription
    • Note that Internet connectivity is required to activate/update trials and commercial subscriptions
  • Analytics on the environment where PrivX is installed is collected to understand the usage pattern and improve our product
    • The data sent is anonymous
    • Data includes operating system, CPU, memory, device name, geographic location and the version of PrivX
    • You may opt out from sending analytics at any time
    • Note that Internet connectivity is required for sending analytics
  • Utility script troubleshoot.sh automatically generates troubleshooting data of your PrivX deployment
    • Eases troubleshooting: run this script and attach the archive to your support tickets
    • Gathers system configuration into a tar archive

Fixes

  • [56033] It is no longer possible to delete directories that are already used in role configurations
  • [56714, PX-85] Connections are terminated once the user's GUI session or required role memberships expire
  • [56733] SSH Client correctly re-evaluates the available authentication methods for each authentication attempt
  • [57557] Host-deployment script deploy.py automatically restarts OpenSSH server on Ubuntu and Debian
  • [57728] Not a bug: Role extensions are no longer configurable
  • [57776] Fixed removing user from role members

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-88] PrivX file transfer does not allow uploading folders
  • [PX-89] restore script does not restore deleted directories
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-93] PrivX does not receive updated system trust anchors until PrivX is restarted
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-100] Editing copied text on clipboard deletes newlines
  • [PX-104] Workflow steps can be approved out of order
  • [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
  • [PX-112] Requests cannot be used to remove roles granted via rules
  • [PX-114] RDP connections do not support accented characters
  • [PX-178] Membership with floating time window starts from the approval, not from initial login
  • [PX-192] Resizing RDP window too often stops the session from working
  • [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
  • [PX-248] Host count is not updated correctly in HA deployments