Release 20.05

New Features

  • TargetFusions

    The TargetFusions feature allows combining multiple <target_user>@<target> links in Access Policies, avoiding the cartesian product of target users and targets that results when the two are listed separately.

  • suSSHi Proxy Bastions

    With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as an SSH endpoint for users who only need port forwarding and no interactive session. This is useful when a proxy is deployed in a remote environment such as a cloud tenant and the users do not need SSH access to a target host within that environment, but want to forward ports to applications such as RDP.

    To start a suSSHi Proxy Bastion session, the user simply uses the <gateway-user>@<proxy-realm> syntax as the gateway user:

    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>

  • Client and Target Hostkey Exchange Algorithms

    New properties in the Partition settings control which hostkey algorithms are allowed on the client and target side. The default allows all available algorithms; you may change this, for example, to disable RSA-SHA1.

  • Client and Target Key Exchange (KEX) Algorithms

    New properties in suSSHi Chef’s Partition settings control which Key Exchange Algorithms (KEX) are accepted on the client and target side. The default allows all available algorithms; you may change this to disable weaker algorithms.

  • Client and Target HMAC Algorithms

    New properties in suSSHi Chef’s Partition settings control which HMAC algorithms are allowed on the client and target side, alongside the existing settings for ciphers. The default allows all available algorithms; you may change this to disable weaker algorithms.
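    The three algorithm settings above all act on the name-lists a server advertises in its SSH_MSG_KEXINIT message. The following added example (not part of suSSHi or these release notes) builds a KEXINIT payload from a constructed offer, parses it back according to the RFC 4253 field order, and reports which advertised hostkey, KEX and MAC algorithms are on an assumed deny-list of legacy algorithms. This is the kind of check a practitioner can run against a captured KEXINIT to confirm that a restricted Partition setting really removed RSA-SHA1, SHA-1 based KEX and SHA-1/MD5 MACs from what the gateway offers. The deny-list and the sample offer are assumptions for the example, not suSSHi defaults.

```python
"""Check an SSH KEXINIT payload against a deny-list of legacy algorithms (added example)."""
import struct

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Assumed deny-list for this example. "ssh-rsa" is RSA with SHA-1 signatures
# (the rsa-sha2-* names are the SHA-2 variants); "ssh-dss" is DSA.
WEAK_ALGORITHMS = {
    "kex_algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha1"},
    "server_host_key_algorithms": {"ssh-rsa", "ssh-dss"},
    "mac_algorithms_client_to_server": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
    "mac_algorithms_server_to_client": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}

# Constructed sample offer, as a gateway with an "allow everything" setting might send it.
LEGACY_OFFER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["rsa-sha2-512", "ssh-rsa", "ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, cookie=bytes(COOKIE_LEN)):
    """Serialise a KEXINIT payload from {field: [names]}; missing fields become empty lists."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        payload += _name_list(fields.get(name, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload (the decrypted packet payload) into {field: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + COOKIE_LEN  # skip message id and random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    if len(payload) - pos < 5:  # boolean + reserved uint32
        raise ValueError("truncated KEXINIT trailer")
    return fields


def weak_offers(fields, policy=WEAK_ALGORITHMS):
    """Return {field: sorted names} for every advertised algorithm that is on the deny-list."""
    findings = {}
    for field, denied in policy.items():
        hit = sorted(set(fields.get(field, [])) & denied)
        if hit:
            findings[field] = hit
    return findings


def harden(fields, policy=WEAK_ALGORITHMS):
    """Drop deny-listed names from each field, preserving the preference order."""
    return {field: [n for n in names if n not in policy.get(field, set())]
            for field, names in fields.items()}


if __name__ == "__main__":
    offer = parse_kexinit(build_kexinit(LEGACY_OFFER))
    print("weak algorithms advertised:", weak_offers(offer))
    print("after restricting:", weak_offers(harden(offer)))
```

To inspect a live gateway rather than the constructed offer, capture the server's KEXINIT from a packet trace (it is sent in the clear before encryption starts) and pass its payload to parse_kexinit.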

  • Hostkey Update and Rotation

    suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com), which allows a server to inform a client of all its hostkeys after user authentication has completed. With this option enabled, the client receives a list of all configured hostkeys of the suSSHi Gateway and can update its own list of known hostkeys accordingly.

    With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to upgrade from weaker key algorithms to better ones. It also supports graceful key rotation: the gateway may offer multiple keys of the same type for a period of time (so that clients can learn them through this extension) before the obsolete key is removed from those offered.

    suSSHi now supports multiple hostkeys of the same type in a sortable order, which makes it possible to share and propagate new keys in advance using the Hostkey Update and Rotation feature.
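    The following added example (not suSSHi code, and not taken from OpenSSH) is a simplified client-side model of what the extension does for a rotation: after authentication the server announces its key list, the client ignores announcements that do not contain a key it already trusts, adds announced keys only once they have been proven (the hostkeys-prove-00@openssh.com step is stood in for by a callback), and drops keys the server no longer advertises. Walking one key through the two rotation phases shows why the overlap period matters: a client that was not updated during phase one no longer has a trusted key for the gateway once the old key is withdrawn. Key blobs, the prove callback and the pruning rule are assumptions for the example.

```python
"""Simplified model of hostkeys-00@openssh.com handling during a gateway key rotation (added example)."""


def hostkeys_update(known, announced, prove, prune=True):
    """Apply a hostkeys-00@openssh.com announcement to the client's trusted keys for one host.

    known:     set of (key_type, key_blob) the client already trusts for this host
    announced: list of (key_type, key_blob) the server sent after authentication
    prove:     callable(key) -> bool, standing in for the signature check of the
               hostkeys-prove-00@openssh.com request (assumption: a real client
               verifies a signature made with each new key before trusting it)
    prune:     whether to drop trusted keys the server no longer advertises
    Returns (new_known, added, removed).
    """
    announced = list(dict.fromkeys(announced))  # de-duplicate, keep server order
    # A trusted key must appear in the list; otherwise the announcement is ignored.
    if not any(key in known for key in announced):
        return set(known), [], []
    added = [key for key in announced if key not in known and prove(key)]
    removed = [key for key in known if key not in announced] if prune else []
    new_known = (set(known) | set(added)) - set(removed)
    return new_known, added, removed


def can_connect(known, offered):
    """Host key verification succeeds only if the client trusts one of the offered keys."""
    return any(key in known for key in offered)


def rotate_gateway_keys(old_key, new_key, client_known, prove):
    """Walk one client through the two phases of rotating a single host key type."""
    # Phase 1: gateway offers both keys of the same type, the established one first.
    phase1 = [old_key, new_key]
    known1, added1, _ = hostkeys_update(client_known, phase1, prove)
    # Phase 2: the obsolete key is removed from the keys the gateway offers.
    phase2 = [new_key]
    known2, _, removed2 = hostkeys_update(known1, phase2, prove)
    return {
        "after_phase1": sorted(known1), "added_phase1": added1,
        "after_phase2": sorted(known2), "removed_phase2": removed2,
    }


if __name__ == "__main__":
    # Constructed key identifiers; real entries carry base64 key blobs.
    old = ("ssh-ed25519", "AAAA-old-constructed")
    new = ("ssh-ed25519", "AAAA-new-constructed")
    print(rotate_gateway_keys(old, new, {old}, prove=lambda key: True))
    # A client that missed phase 1 has no trusted key left once the old one is withdrawn.
    print("stale client can connect in phase 2:", can_connect({old}, [new]))
```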

  • Password Split-String

    With this new feature, suSSHi allows a user to provide the password for authentication at the target together with the password for authentication at the gateway, by entering the two passwords separated by the configured split-string: <gateway_pw><split-string><target_pw>.

    It is important not to choose a string that is too simple or too short (e.g. only @), because the chosen combination must not occur in any password. The default is therefore ::@:: (<gateway_pw>::@::<target_pw>).
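    The following added example (not suSSHi's implementation) shows the split described above together with the failure mode the caveat warns about: a split-string that can occur inside a password makes the combined value ambiguous, so the splitter refuses to guess when it finds the split-string more than once. A second helper checks a candidate split-string against a list of existing passwords. The minimum length, the handling of a value without any split-string, and the sample passwords are assumptions for the example.

```python
"""Splitting a combined gateway/target password on a split-string (added example)."""

DEFAULT_SPLIT_STRING = "::@::"


def split_password(combined, split_string=DEFAULT_SPLIT_STRING):
    """Return (gateway_pw, target_pw) from <gateway_pw><split-string><target_pw>.

    Assumption: a value without the split-string is a gateway-only password and
    yields target_pw = None. More than one occurrence is rejected rather than
    guessed, because either side could then contain the split-string itself.
    """
    if not split_string:
        raise ValueError("split-string must not be empty")
    occurrences = combined.count(split_string)
    if occurrences == 0:
        return combined, None
    if occurrences > 1:
        raise ValueError("split-string occurs %d times; cannot split unambiguously" % occurrences)
    gateway_pw, target_pw = combined.split(split_string, 1)
    if not gateway_pw or not target_pw:
        raise ValueError("gateway and target password must both be non-empty")
    return gateway_pw, target_pw


def split_string_problems(candidate, passwords, min_length=3):
    """List the reasons a candidate split-string is unsafe; an empty list means it is acceptable.

    Assumption: min_length=3 is an illustrative floor, not a suSSHi rule.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    collisions = sum(1 for pw in passwords if candidate in pw)
    if collisions:
        problems.append("occurs in %d existing password(s)" % collisions)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; '@' is common in passwords, '::@::' is not.
    samples = ["p@ss-word", "Tr0ub4dor&3", "a::b"]
    print(split_password("p@ss-word::@::t@rget-pw"))        # ('p@ss-word', 't@rget-pw')
    print(split_string_problems("@", samples))              # too short, collides
    print(split_string_problems(DEFAULT_SPLIT_STRING, samples))  # []
    try:
        split_password("p@ss-word@t@rget-pw", split_string="@")
    except ValueError as exc:
        print("ambiguous:", exc)
```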

  • Configuration API Filters

    The configuration API now supports query filters on GET calls to select objects by specific attributes. Please refer to the updated suSSHi Configuration API documentation.

Improvements

  • Upgraded all software and middleware to the latest versions.

  • Added Free/Libre Open Source Software (FLOSS) information under Dashboards > License.

  • Included ED25519 hostkeys in Proxy configurations and removed SSH-DSS keys.

  • Harmonised the check in UI and API for whether an object can be deleted.

  • Updated the filter option that controls which User Key Types are allowed in the UI and Config API. RSA keys are now allowed in all bit ranges instead of fixed lengths.

  • A total of four Syslog target servers is now allowed instead of two.

  • UI: Layout improvements.

  • UI: Performance improvements for some forms.

  • UI: Allow disabling the dual list box selectors in Access Policies. With a very large number of objects such as Target Users, Targets etc., this greatly reduces the browser’s rendering load.

  • UI+API: Implemented a Client Certificate Check for UI and Config API access. See System preferences for configuration details.

  • UI+API: Better access logging for UI / API / SIC communication in dedicated directories, with daily log rotation for all access logs.

  • UI+API: Better TLS security: only TLS 1.2 and TLS 1.3 are enabled, weaker ciphers are disabled, HSTS is configured and stronger cookie security flags are set.

  • UI+API: HTTP/2 is now fully supported alongside HTTP/1.1 and HTTP/1.0.

  • API: Improved performance of PATCH operations.

Bug Fixes

  • Fixes in suSSHi Configuration API documentation.

  • Fixed an issue in Profiles where the Logging mask was ignored when creating a new Profile or cloning an existing one.

  • Fixed a problem that occurred when network objects were created with an incorrect network address (e.g. a host address): duplicates were not detected correctly and duplicate objects were created.

  • Fixed an issue causing a 500 error when editing Accesses.

  • Fixed an issue in the Configuration API with /api/v1/operations/license.

  • Fixed the dashboard session distribution chart.

  • Fixed an issue where a user could be added to a group multiple times via the API.