suSSHi Chef

Overview

Release

Upgrade Path

Image

21.05

>= 20.12

registry.susshi.io/susshi-chef:21.05

21.03.1

>= 19.12

registry.susshi.io/susshi-chef:21.03.1

20.12

>= 19.12

registry.susshi.io/susshi-chef:20.12

20.08

>= 19.12

registry.susshi.io/susshi-chef:20.08

20.06

>= 19.12

registry.susshi.io/susshi-chef:20.06

20.05

>= 18.12

registry.susshi.io/susshi-chef:20.05

Release 21.05

Warning

Please note, that the previous release 21.03 requires the database extension pg_trgm. So if you update from an earlier version than 21.03 and have not sufficient access permissions to create this extension from suSSHi Chef acting as the database client, create the database extension with a user with sufficient access on the database by CREATE EXTENSION pg_trgm;.

Improvements

  • Updated middleware (Rails 6 and Ruby 2.7) to latest versions.

  • Improved overall server performance.

  • Improve network scan performance by up to a factor of 16 by parallelizing scans.

  • Prevent Can't verify CSRF token authenticity log messages with API calls.

Bug Fixes

  • Fix issue with wrong / incomprehensible sum of total targets in dashboard.

  • Fix issue where adding a new gateway could cause server error.

Release 21.03.1

Warning

Starting with this release, the database extension pg_trgm is required. So if you update from an earlier version than 21.03 and have not sufficient access permissions to create this extension from suSSHi Chef acting as the database client, create the database extension with a user with sufficient access on the database by CREATE EXTENSION pg_trgm;.

New Features

  • New Target Authentication Features for password / keyboard-interactive based authentication:

    • User Dialog (default, same behaviour as today)

    • Dynamic One Time Password (DOTP)

    • Static Password

    • Preserve Password

Improvements

  • Updated container base image to Ubuntu 20.04 LTS and underlying software.

  • Image size decreased by round about 25%.

  • Better indexing algorithm for System Events for larger installations.

  • Update API manual and Postman collection.

  • API: On 401 unauthorized, include WWW-Authenticate header for non-preemptive Basic-Auth.

Bug Fixes

  • Fix issue where gateways could not get triggered for config reload, if one gateway in list throws error.

  • Fix issue where the deletion of a partition could fail.

  • Fix issue with browser title showing quote signs / ticks incorrectly.

  • Fix issue with crontab under unprivileged user susshi, which could lead into not running garbage collection tasks.

  • Fix issue where list of shown Host keys for Network Targets and Network Domains might have been incorrect.

  • Fix UI Navigation issue when menu is in collapsed mode.

  • Fix issue with User-TargetHostKeys recorded under SwiftNetworkHosts, but SwiftTarget exists as well for same target.

  • Fix issue with cached, but wrong proxy names in dual list selector for targets.

  • Fix UI display issue for targets containing ‘ - ‘ in name.

  • Fix issue where proxy could not be deleted if there are still dynamic learned objects attached.

  • Fix issue with warning message not showing up on Target Scan Network dialog.

Release 20.12

Information

  • This is a maintenance release.

Release 20.08

New Features

  • Improved Container Security

    Starting with version 20.08, all web exposed processes of the suSSHi Chef container will be changed to an unprivileged user named “susshi” after startup. This “privilege dropping” increases the security of the container, because in case of a possible security problem an attacker would only inherit the limited rights of the user “susshi” (default UID 900, GID 900).

    For more information regarding unprivileged user and volume mapping, continue reading here.

Improvements

  • Updated user interface with more homogeneous names for the form fields and cleaner layout.

  • Change default number of API Requests per minute (DoS limiter) to 600. See container variable API_REQUEST_PER_MIN to set individual values.

  • Improved stability of System Event collector by switching from GNUTLS to openssl.

Bug Fixes

  • The Gateway Embryonic Control Parameters (DoS limiter) was not set correctly, if changed by the user.

Release 20.06

New Features

  • Unix domain socket forwarding

    OpenSSH supports local and remote Unix domain socket forwarding using the “streamlocal” extension. Forwarding is initiated as per TCP sockets but with a single path instead of a host and port. Prior to version 20.06, the OpenSSH protocol extension “Unix domain socket forwarding” were denied with an unknown channel type error.

    With version 20.06, you can control whether to allow Unix domain socket forwarding or deny it. Logging of the socket forwarding session is supported as well. Because most applications using sockets run standard TCP communication when communicating over sockets, suSSHi logs all socket communication via SSH in a PCAP file with the pseudo IP address 127.1.1.1 representing the client and 127.2.2.2 representing the server. Advanced network diagnostic tools like Wireshark provide a wide range of dissectors to further analyse the captured traffic.

    By setting the Permissions and Logging Mask within a Access Profile accordingly, domain socket forwarding can be configured.

  • UI and Config API - Remote Proxy Health Monitoring

    The new Proxy Health Monitoring feature allows the status of the set up proxies to be queried in the Admin UI and via API. A new menu item “Health” has been added under “Proxies”. When this is called up, a remote health check is performed on all listed proxies via a suSSHi Gateway. The availability and version of each proxy is queried, which allows to check the actuality of the proxy version used. The gateway software must also be updated to at least version 20.06.

    Please refer to the API manual under “Health Operations” shipped with suSSHi Chef under Dashboards > API Manual.

  • Config API - Gateway Health Status

    Beside the API for Proxy Health Monitoring, Gateway Health Status can be retrieved via suSSHi Configuration API as well. Please refer to the API manual under “Health Operations” shipped with suSSHi Chef and accessible via Admin UI.

    The suSSHi Gateway Health Status can be viewed in the UI already.

  • Config API - Gateway Public Authentication Key and Public Hostkey GET methods

    The configuration API now provides access to the Gateway Public Authentication Keys and Gateway Public Hostkeys as part of Operations-requests. Please refer to the API manual shipped with suSSHi Chef under Dashboards > API Manual.

  • Improved handling of System-Wide Host-Keys and User-accepted Hostkeys

    Various views for Targets and Target Host-Keys have been improved to better distinguish between system-wide and user-accepted hostkeys.

    An additional column in the index view for targets has been introduced so that system-wide host keys are counted and displayed separately from user-accepted host keys.

  • License Expiration Warning

    Implemented license expiration warning in dashboard view when license is about to expire within the next 30 days.

Bug Fixes

  • Fixed an error that occurs when first using an Access Profile that allows the acceptance of hostkeys by the user and later either changing the profile to Host Key Learning “Never” or using a profile with this setting. Then the Target forms showed the user-accepted hostkeys like system-wide host keys which was confusing.

  • Fixed an error where modal dialogs did not show up in Access and Bastion Policies.

  • Fix port range in Access Profiles and Bastion Profiles to support forward ports not only up to but including 65535.

  • Fixed an issue with resizing browser window and responsive theme not working correctly with dropdowns.

  • Add option to override NGINX ssl_protocols and ssl_ciphers with ENV variables when accessing clients do not support TLS 1.2 / 1.3 or actual ciphers.

  • Fixed an issue appeared with version 20.05 when accessing keepalive port 80 a redirection to HTTPS returned. Returned to original behaviour.

  • Fixed an issue with Target Regex Mappings when a dash ‘-’ appeared in pattern.

Release 20.05

New Features

  • TargetFusions

    The TargetFusions feature allows a combination of multiple <target_user>@<target> links in Access Policies to prevent a cartesian product of target_users and targets when used as normal.

  • suSSHi Proxy Bastions

    With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as a SSH endpoint for users having the need for port-forwarding only, but no interactive session is required. This can be used when a proxy is deployed in a remote environment like a cloud tenant and the users don’t need SSH access to a target host within the remote environment, but want to establish a port forwarding to applications like RDP, for example.

    To start a suSSHi Proxy Bastion session, the user just uses <gateway-user>@<proxy-realm> syntax as the gateway user:

    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>
    
  • Client and Target Hostkey Exchange Algorithms

    New properties in Partition settings allow control over allowed hostkey algorithms on client and target side. The default is to allow all available algorithms. You may change this to disable RSA-SHA1, for example.

  • Client and Target Key Exchange (KEX) Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over accepted Key Exchange Algorithms (KEX) on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Client and Target HMAC Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over allowed HMAC algorithms beside already existing settings for ciphers on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Hostkey Update and Rotation

    suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com) allowing a server to inform a client of all its hostkeys after user-authentication has completed. With this option enabled, the client gets a list of all configured hostkeys of the suSSHi Gateway and thus can update it’s own list of known hostkeys.

    With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to potentially upgrade from weaker key algorithms to better ones. It also supports graceful key rotation, as the gateway may offer multiple keys of the same type for a period of time (to allow customers to learn them with this enhancement) before the obsolete key is removed from those offered.

    suSSHi now supports multiple hostkeys of the same type with sortable order, which gives the opportunity to share / propagate new keys upfront with the Hostkey Update and Rotation feature.

  • Password Split-String

    With this new feature, suSSHi allows a user to provide the password for an authentication at the target during an authentication at the gateway at the same time by specifying the two passwords separated from each other by the specified split-string: <gateway_pw><split-string><target_pw>.

    It is important not to choose a string that is too simple or too short (e.g. only @), as the selected combination must not occur in any password. The default is therefore set to ::@:: (<gateway_pw>::@::<target_pw>).

  • Configuration API Filters

    The configuration API allows query filters on GET calls to filter for specific object attributes. Please refer to the updated suSSHi Configuration API documentation.

Improvements

  • Upgrade all software / middleware to latest versions.

  • Add Free/Libre Open Source Software (FLOSS) information under Dashboards > License.

  • Include ED25519 hostkeys into Proxy configurations, remove SSH-DSS Keys.

  • Harmonisation of the check for destructibility of objects in UI and API.

  • Updated filter option to control / restrict which User Key Types are allowed in UI and Config API. Allow RSA-Keys in all bit ranges instead of fixed lengths.

  • Allow a total of four Syslog target servers instead of two now.

  • UI: Layout improvements.

  • UI: Performance improvements for some forms.

  • UI: Allow to disable dual list box selectors in the Access Policies. With a very large number of objects such as Target Users, Targets etc. this lightens the browser’s rendering load enormously.

  • UI+API: Implement Client Certificate Check for UI and Config API access. See System preferences for configuration details.

  • UI+API: Better access-Logging for UI / API / SIC communication in dedicated directories and log rotation for all access logs per day.

  • UI+API: Better TLS Security by enabling TLS1.2 and TLS1.3 only, disable weaker ciphers, HSTS configuration and stronger cookie security flags.

  • UI+API: HTTP2 is now fully supported beside HTTP/1.1 and HTTP/1.0.

  • API: Improve performance of PATCH operations.

Bug Fixes

  • Fixes in suSSHi Configuration API documentation.

  • Fix issue within Profiles where Logging mask was ignored when creating a new or cloning an existing Profile.

  • Fixed a problem that occurred when network objects were created with an incorrect network address (e.g. host address). Duplicates were not detected correctly and duplicate objects were created.

  • Fix issue with 500 error on editing Accesses.

  • Fix issue in Configuration API with /api/v1/operations/license.

  • Fix dashboard session distribution chart.

  • Fix issue where the user could add members to a group multiple times via the API.