suSSHi Chef

Overview

Release    Upgrade Path    Image
24.02      >= 21.03        registry.susshi.io/susshi-chef:24.02
24.01.1    >= 21.03        registry.susshi.io/susshi-chef:24.01.1
23.10      >= 21.03        registry.susshi.io/susshi-chef:23.10
22.10      >= 21.03        registry.susshi.io/susshi-chef:22.10
21.10      >= 21.03        registry.susshi.io/susshi-chef:21.10
21.05      >= 20.12        registry.susshi.io/susshi-chef:21.05
21.03.1    >= 19.12        registry.susshi.io/susshi-chef:21.03.1
20.12      >= 19.12        registry.susshi.io/susshi-chef:20.12
20.08      >= 19.12        registry.susshi.io/susshi-chef:20.08
20.06      >= 19.12        registry.susshi.io/susshi-chef:20.06
20.05      >= 18.12        registry.susshi.io/susshi-chef:20.05

Release 24.02

Information

  • This release also includes library and container updates.

Changes

  • Improved Dashboard by performing cleanup tasks, enhancing overall user experience and interface consistency.

  • Updated supported HMACs in OpenSSH for improved security and compatibility with modern standards and protocols.

  • Added the Gem ‘x25519’ to Net::SSH to provide Curve25519 support for key exchange, enhancing security and cryptographic capabilities.

These changes enhance the security, compatibility, and user experience of the application while ensuring support for modern cryptographic standards and protocols.

Release 24.01.1

Information

  • This release also includes library and container updates.

Improvements

  • Introduce the configuration of allowed Public-Key Algorithms per Partition.

  • Improve speed of health detection for Gateways and Proxies.

  • Alignment of the health views for Gateways and Proxies.

  • Minor layout change of the Access Rules dialog.

Bug Fixes

  • Fixed wrong representation of the logging mask entry for unix domain socket forwarding in Profiles.

  • Fixed a situation where user-accepted host keys were not mapped to the target server when the policy was reapplied.

  • Fixed an HTTP 500 error when no certificate was selected in the upload dialog.

Release 23.10

Information

  • This is a maintenance release including library and container updates.

Improvements

  • Use action queues in the rsyslogd configuration to prevent head-of-line blocking in the ingress queue.

  • Enable keep-alive packets in rsyslogd configuration.

  • Improve TOTP Handling with parallel initiated sessions.

  • Enable IPv6 in NGINX configuration.

  • Allow a TOTP clock drift of up to 30 seconds behind.

  • Code cleanup, replace several deprecated functions.

Bug Fixes

  • Fix Puma issue ‘Permission denied @ rb_sysopen (Errno::EACCES)’.

  • Fix issue with Rsyslog not removing the PID file in time.

  • Fix the wrongly named HMAC algorithm hmac-ripemd160@openssh.com.

Release 22.10

Improvements

  • Updated middleware to latest versions

Information

  • This is a maintenance release including library and container updates.

Release 21.10

New Features

  • Implementation of usage statistics for Gateway users, Access rules and Bastion rules

Improvements

  • Updated middleware (Rails 6 and Ruby 2.7) to latest versions

Bug Fixes

  • Fix issue with API where objects with relations could be created incorrectly with wrong mandatory parameters.

  • Fix issue with target IPs when a trailing space was included in the IP address.

  • Fix wrong API documentation: the health operations call on a gateway returns running, not reachable, when the gateway is up and running.

  • Fix the compression flag in the reports view, which showed the letter C instead of Z.

  • Fix issue where creating a new bastion policy could be rejected.

  • Fix issue where license details differ between API and UI.

  • Fix issue with missing information on bastion profile’s detail view.

  • Fix issue with dashboard statistics showing weird dent in the current UTC time range.

  • Fix issue with built-in db backup method (please refer to the Backup & Restore section).

Release 21.05

Warning

Please note that the previous release 21.03 already requires the database extension pg_trgm. If you update from a version earlier than 21.03 and suSSHi Chef, acting as the database client, does not have sufficient permissions to create this extension, create it with a user that has sufficient access on the database by running CREATE EXTENSION pg_trgm;.

Improvements

  • Updated middleware (Rails 6 and Ruby 2.7) to latest versions.

  • Improved overall server performance.

  • Improve network scan performance by up to a factor of 16 by parallelizing scans.

  • Prevent ‘Can't verify CSRF token authenticity’ log messages with API calls.

Bug Fixes

  • Fix issue with wrong / incomprehensible sum of total targets in dashboard.

  • Fix issue where adding a new gateway could cause server error.

Release 21.03.1

Warning

Starting with this release, the database extension pg_trgm is required. If you update from a version earlier than 21.03 and suSSHi Chef, acting as the database client, does not have sufficient permissions to create this extension, create it with a user that has sufficient access on the database by running CREATE EXTENSION pg_trgm;.

New Features

  • New Target Authentication Features for password / keyboard-interactive based authentication:

    • User Dialog (default, same behaviour as today)

    • Dynamic One Time Password (DOTP)

    • Static Password

    • Preserve Password

Improvements

  • Updated container base image to Ubuntu 20.04 LTS and underlying software.

  • Image size decreased by roughly 25%.

  • Better indexing algorithm for System Events for larger installations.

  • Update API manual and Postman collection.

  • API: On 401 unauthorized, include WWW-Authenticate header for non-preemptive Basic-Auth.

Bug Fixes

  • Fix issue where gateways could not be triggered for a config reload if one gateway in the list threw an error.

  • Fix issue where the deletion of a partition could fail.

  • Fix issue with browser title showing quote signs / ticks incorrectly.

  • Fix issue with crontab under the unprivileged user susshi, which could prevent garbage collection tasks from running.

  • Fix issue where list of shown Host keys for Network Targets and Network Domains might have been incorrect.

  • Fix UI Navigation issue when menu is in collapsed mode.

  • Fix issue with User-TargetHostKeys being recorded under SwiftNetworkHosts although a SwiftTarget exists for the same target.

  • Fix issue with cached, but wrong proxy names in dual list selector for targets.

  • Fix UI display issue for targets containing ‘ - ‘ in name.

  • Fix issue where a proxy could not be deleted while dynamically learned objects were still attached.

  • Fix issue with warning message not showing up on Target Scan Network dialog.

Release 20.12

Information

  • This is a maintenance release.

Release 20.08

New Features

  • Improved Container Security

    Starting with version 20.08, all web-exposed processes of the suSSHi Chef container are switched to an unprivileged user named “susshi” after startup. This “privilege dropping” increases the security of the container, because in case of a security problem an attacker would only inherit the limited rights of the user “susshi” (default UID 900, GID 900).

    For more information regarding unprivileged user and volume mapping, continue reading here.

Improvements

  • Updated user interface with more homogeneous names for the form fields and cleaner layout.

  • Change default number of API Requests per minute (DoS limiter) to 600. See container variable API_REQUEST_PER_MIN to set individual values.

  • Improved stability of System Event collector by switching from GNUTLS to openssl.

Bug Fixes

  • The Gateway Embryonic Control Parameters (DoS limiter) were not set correctly when changed by the user.

Release 20.06

New Features

  • Unix domain socket forwarding

    OpenSSH supports local and remote Unix domain socket forwarding using the “streamlocal” extension. Forwarding is initiated as for TCP sockets, but with a single path instead of a host and port. Prior to version 20.06, the OpenSSH protocol extension “Unix domain socket forwarding” was denied with an unknown channel type error.

    With version 20.06, you can control whether to allow Unix domain socket forwarding or deny it. Logging of the socket forwarding session is supported as well. Because most applications using sockets run standard TCP communication when communicating over sockets, suSSHi logs all socket communication via SSH in a PCAP file with the pseudo IP address 127.1.1.1 representing the client and 127.2.2.2 representing the server. Advanced network diagnostic tools like Wireshark provide a wide range of dissectors to further analyse the captured traffic.

    Domain socket forwarding is configured by setting the Permissions and Logging Mask within an Access Profile accordingly.

  • UI and Config API - Remote Proxy Health Monitoring

    The new Proxy Health Monitoring feature allows the status of the configured proxies to be queried in the Admin UI and via API. A new menu item “Health” has been added under “Proxies”. When it is opened, a remote health check is performed on all listed proxies via a suSSHi Gateway. The availability and version of each proxy are queried, which allows checking whether the proxy version in use is up to date. The gateway software must also be updated to at least version 20.06.

    Please refer to the API manual under “Health Operations” shipped with suSSHi Chef under Dashboards > API Manual.

  • Config API - Gateway Health Status

    Besides the API for Proxy Health Monitoring, the Gateway Health Status can be retrieved via the suSSHi Configuration API as well. Please refer to the API manual under “Health Operations” shipped with suSSHi Chef and accessible via the Admin UI.

    The suSSHi Gateway Health Status can be viewed in the UI already.

  • Config API - Gateway Public Authentication Key and Public Hostkey GET methods

    The configuration API now provides access to the Gateway Public Authentication Keys and Gateway Public Hostkeys as part of Operations-requests. Please refer to the API manual shipped with suSSHi Chef under Dashboards > API Manual.

  • Improved handling of System-Wide Host-Keys and User-accepted Hostkeys

    Various views for Targets and Target Host-Keys have been improved to better distinguish between system-wide and user-accepted hostkeys.

    An additional column in the index view for targets has been introduced so that system-wide host keys are counted and displayed separately from user-accepted host keys.

  • License Expiration Warning

    Implemented license expiration warning in dashboard view when license is about to expire within the next 30 days.

Bug Fixes

  • Fixed an error that occurred when an Access Profile allowing the user to accept host keys was used first and later either the profile was changed to Host Key Learning “Never” or a profile with this setting was used. The Target forms then showed the user-accepted host keys like system-wide host keys, which was confusing.

  • Fixed an error where modal dialogs did not show up in Access and Bastion Policies.

  • Fix port range in Access Profiles and Bastion Profiles to support forward ports not only up to but including 65535.

  • Fixed an issue with resizing browser window and responsive theme not working correctly with dropdowns.

  • Add option to override NGINX ssl_protocols and ssl_ciphers with ENV variables when accessing clients do not support TLS 1.2 / 1.3 or actual ciphers.

  • Fixed an issue introduced with version 20.05 where accessing the keepalive port 80 returned a redirect to HTTPS. Restored the original behaviour.

  • Fixed an issue with Target Regex Mappings when a dash ‘-’ appeared in pattern.

Release 20.05

New Features

  • TargetFusions

    The TargetFusions feature allows a combination of multiple <target_user>@<target> links in Access Policies to prevent a cartesian product of target_users and targets when used as normal.

  • suSSHi Proxy Bastions

    With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as an SSH endpoint for users who only need port forwarding and no interactive session. This can be used when a proxy is deployed in a remote environment such as a cloud tenant and the users do not need SSH access to a target host within the remote environment, but want to establish a port forwarding to applications such as RDP, for example.

    To start a suSSHi Proxy Bastion session, the user just uses <gateway-user>@<proxy-realm> syntax as the gateway user:

    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>
    
  • Client and Target Hostkey Exchange Algorithms

    New properties in Partition settings allow control over allowed hostkey algorithms on client and target side. The default is to allow all available algorithms. You may change this to disable RSA-SHA1, for example.

  • Client and Target Key Exchange (KEX) Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over accepted Key Exchange Algorithms (KEX) on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Client and Target HMAC Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over allowed HMAC algorithms beside already existing settings for ciphers on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Hostkey Update and Rotation

    suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com), allowing a server to inform a client of all its host keys after user authentication has completed. With this option enabled, the client gets a list of all configured host keys of the suSSHi Gateway and can thus update its own list of known host keys.

    With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to potentially upgrade from weaker key algorithms to better ones. It also supports graceful key rotation, as the gateway may offer multiple keys of the same type for a period of time (to allow customers to learn them with this enhancement) before the obsolete key is removed from those offered.

    suSSHi now supports multiple hostkeys of the same type with sortable order, which gives the opportunity to share / propagate new keys upfront with the Hostkey Update and Rotation feature.

  • Password Split-String

    With this new feature, suSSHi allows a user to provide the password for an authentication at the target during an authentication at the gateway at the same time by specifying the two passwords separated from each other by the specified split-string: <gateway_pw><split-string><target_pw>.

    It is important not to choose a string that is too simple or too short (e.g. only @), as the selected combination must not occur in any password. The default is therefore set to ::@:: (<gateway_pw>::@::<target_pw>).

  • Configuration API Filters

    The configuration API allows query filters on GET calls to filter for specific object attributes. Please refer to the updated suSSHi Configuration API documentation.
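To illustrate the Password Split-String convention described above, the following Ruby is an added example (not suSSHi's own code) that parses <gateway_pw><split-string><target_pw>, treats a missing split-string as gateway-only authentication, rejects an ambiguous input, and shows why a too simple split-string such as @ is a poor choice; all passwords used are constructed for the example.

```ruby
# Added example, not suSSHi code: parsing the combined gateway/target password
# convention <gateway_pw><split-string><target_pw>.

DEFAULT_SPLIT_STRING = '::@::'.freeze

# Splits what the user entered at the gateway prompt into [gateway_pw, target_pw].
# target_pw is nil when the split-string is absent (gateway-only authentication).
# Raises ArgumentError when the split-string occurs more than once, because the
# division into gateway and target password would then be ambiguous.
def split_password(entered, split_string = DEFAULT_SPLIT_STRING)
  raise ArgumentError, 'split-string must not be empty' if split_string.empty?
  # Match the split-string literally; a plain " " pattern would otherwise
  # trigger Ruby's awk-style whitespace splitting.
  parts = entered.split(Regexp.new(Regexp.escape(split_string)), -1)
  case parts.length
  when 0, 1 then [entered, nil]          # no split-string: whole input is the gateway password
  when 2 then parts                      # exactly one occurrence: [gateway_pw, target_pw]
  else raise ArgumentError, 'split-string occurs more than once in the entered password'
  end
end

# Check to apply whenever a gateway or target password is set: it must not
# contain the split-string, otherwise the combined form can no longer be parsed.
def password_compatible?(password, split_string = DEFAULT_SPLIT_STRING)
  !password.include?(split_string)
end

# Shows why a too simple split-string such as "@" is a bad choice: the
# constructed gateway password "p@ss" and target password "w0rd" combine to
# "p@ss@w0rd", which can no longer be divided unambiguously.
def simple_split_string_ambiguous?
  split_password('p@ss@w0rd', '@')
  false
rescue ArgumentError
  true
end
```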

Improvements

  • Upgrade all software / middleware to latest versions.

  • Add Free/Libre Open Source Software (FLOSS) information under Dashboards > License.

  • Include ED25519 hostkeys into Proxy configurations, remove SSH-DSS Keys.

  • Harmonisation of the check for destructibility of objects in UI and API.

  • Updated filter option to control / restrict which User Key Types are allowed in UI and Config API. Allow RSA-Keys in all bit ranges instead of fixed lengths.

  • Allow a total of four Syslog target servers instead of two now.

  • UI: Layout improvements.

  • UI: Performance improvements for some forms.

  • UI: Allow to disable dual list box selectors in the Access Policies. With a very large number of objects such as Target Users, Targets etc. this lightens the browser’s rendering load enormously.

  • UI+API: Implement Client Certificate Check for UI and Config API access. See System preferences for configuration details.

  • UI+API: Better access logging for UI / API / SIC communication in dedicated directories, and daily log rotation for all access logs.

  • UI+API: Better TLS Security by enabling TLS1.2 and TLS1.3 only, disable weaker ciphers, HSTS configuration and stronger cookie security flags.

  • UI+API: HTTP2 is now fully supported beside HTTP/1.1 and HTTP/1.0.

  • API: Improve performance of PATCH operations.

Bug Fixes

  • Fixes in suSSHi Configuration API documentation.

  • Fix issue within Profiles where Logging mask was ignored when creating a new or cloning an existing Profile.

  • Fixed a problem that occurred when network objects were created with an incorrect network address (e.g. host address). Duplicates were not detected correctly and duplicate objects were created.

  • Fix issue with 500 error on editing Accesses.

  • Fix issue in Configuration API with /api/v1/operations/license.

  • Fix dashboard session distribution chart.

  • Fix issue where the user could add members to a group multiple times via the API.