Release 20.06
New Features
Unix domain socket forwarding
OpenSSH supports local and remote Unix domain socket forwarding using the “streamlocal” extension. Forwarding is initiated in the same way as for TCP sockets, but with a single path instead of a host and port. Prior to version 20.06, requests using the OpenSSH protocol extension “Unix domain socket forwarding” were denied with an unknown channel type error.
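For reviewing the PCAP session logs that this release writes for forwarded sockets (client shown as 127.1.1.1, server as 127.2.2.2), the following added example, which is not suSSHi code, sums TCP payload bytes per direction. It assumes a classic pcap file (not pcapng) with an Ethernet or raw IPv4 link type, since these notes do not state the capture layout; the function names, ports and sample capture are constructed.

```python
import socket
import struct

# Pseudo addresses suSSHi writes into the capture, per the release note.
CLIENT, SERVER = "127.1.1.1", "127.2.2.2"

def direction_bytes(pcap: bytes) -> dict:
    """Sum TCP payload bytes per direction in a classic pcap capture."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    l2 = {1: 14, 101: 0}.get(linktype)  # assumed: Ethernet or raw IP
    if l2 is None:
        raise ValueError(f"unsupported link type {linktype}")
    totals = {"client_to_server": 0, "server_to_client": 0, "other": 0}
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16 + l2:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        ihl = (pkt[0] & 0x0F) * 4
        if len(pkt) < ihl + 20:
            continue  # truncated TCP header
        total_len = struct.unpack("!H", pkt[2:4])[0]
        payload = max(0, total_len - ihl - (pkt[ihl + 12] >> 4) * 4)
        pair = (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]))
        key = {(CLIENT, SERVER): "client_to_server",
               (SERVER, CLIENT): "server_to_client"}.get(pair, "other")
        totals[key] += payload
    return totals

def sample_pcap() -> bytes:
    """Constructed two-packet capture (raw IPv4 link type, made-up ports)."""
    def record(src, dst, data):
        tcp = struct.pack("!HHIIBBHHH", 40000, 40001, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = ip + tcp + data
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return (header + record(CLIENT, SERVER, b"hello-from-client")
            + record(SERVER, CLIENT, b"reply-from-server!"))

if __name__ == "__main__":
    print(direction_bytes(sample_pcap()))
```

A non-zero "other" total means the capture contains addresses besides the two pseudo addresses and is worth a closer look in Wireshark.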
With version 20.06, you can control whether to allow or deny Unix domain socket forwarding. Logging of the socket forwarding session is supported as well. Because most applications using sockets run standard TCP communication when communicating over sockets, suSSHi logs all socket communication via SSH in a PCAP file with the pseudo IP address 127.1.1.1 representing the client and 127.2.2.2 representing the server. Advanced network diagnostic tools like Wireshark provide a wide range of dissectors to further analyse the captured traffic.
By setting the Permissions and Logging Mask within an Access Profile accordingly, domain socket forwarding can be configured.
UI and Config API - Remote Proxy Health Monitoring
The new Proxy Health Monitoring feature allows the status of the configured proxies to be queried in the Admin UI and via the API. A new menu item “Health” has been added under “Proxies”. When it is opened, a remote health check is performed on all listed proxies via a suSSHi Gateway. The availability and version of each proxy are queried, which makes it possible to check whether the proxy version in use is up to date. The gateway software must also be updated to at least version 20.06.
Please refer to the API manual under “Health Operations” shipped with suSSHi Chef under Dashboards > API Manual.
Config API - Gateway Health Status
Besides the API for Proxy Health Monitoring, the Gateway Health Status can be retrieved via the suSSHi Configuration API as well. Please refer to the API manual under “Health Operations” shipped with suSSHi Chef and accessible via the Admin UI.
The suSSHi Gateway Health Status can be viewed in the UI already.
Config API - Gateway Public Authentication Key and Public Hostkey GET methods
The configuration API now provides access to the Gateway Public Authentication Keys and Gateway Public Hostkeys as part of Operations-requests. Please refer to the API manual shipped with suSSHi Chef under Dashboards > API Manual.
Improved handling of System-Wide Host-Keys and User-accepted Hostkeys
Various views for Targets and Target Host-Keys have been improved to better distinguish between system-wide and user-accepted hostkeys.
An additional column in the index view for targets has been introduced so that system-wide host keys are counted and displayed separately from user-accepted host keys.
License Expiration Warning
Implemented a license expiration warning in the dashboard view when the license is about to expire within the next 30 days.
Bug Fixes
Fixed an error that occurred when first using an Access Profile that allows the acceptance of hostkeys by the user and later either changing the profile to Host Key Learning “Never” or using a profile with this setting. In that case the Target forms showed the user-accepted hostkeys like system-wide host keys, which was confusing.
Fixed an error where modal dialogs did not show up in Access and Bastion Policies.
Fixed the port range in Access Profiles and Bastion Profiles to support forward ports up to and including 65535.
Fixed an issue with resizing browser window and responsive theme not working correctly with dropdowns.
Added an option to override the NGINX ssl_protocols and ssl_ciphers settings with ENV variables for cases where accessing clients do not support TLS 1.2 / 1.3 or current ciphers.
Fixed an issue that appeared with version 20.05 where accessing keepalive port 80 returned a redirection to HTTPS. The original behaviour has been restored.
Fixed an issue with Target Regex Mappings when a dash ‘-’ appeared in the pattern.