Universal SSH Key Manager (UKM) Product Update

1. About this release

This release of UKM introduces significant new capabilities for enterprise security, such as automatic host key distribution to hosts during new access provisioning, just-in-time (JIT) authorization for executing privileged commands on target servers, and enhancements in automatic load balancing for backend servers handling job execution.

2. Host key distribution 

When UKM establishes new SSH key-based connections between servers, UKM administrators can now task UKM with distributing host keys from target hosts to source servers. This new capability ensures that every step of provisioning new authentication is secure. One challenge with SSH connections is verifying the trustworthiness of the target, as administrators are expected to validate new host keys from a centralized, trusted source. This step is often skipped due to the time-consuming nature of managing these lists. UKM is well-positioned to leverage its existing knowledge of valid host keys, streamlining the process by automatically updating the known_hosts file on the source server, removing the need for explicit host key approval.

3. Sudo password

Another new feature caters to organizations aiming to maintain JIT authentication and authorization at every level. For this purpose, we have introduced the option for UKM to retrieve short-term credentials that authorize privileged tasks on target hosts as it manages SSH keys.

4. Automatic job execution balancing

Large-scale UKM deployments typically use our “script-based scan” method to reduce the overhead associated with shell-based scanning. However, an issue with the script-based scan architecture was that, in certain situations, too many jobs accumulated on a few backends that the system identified as more reliable, creating an artificial bottleneck in job execution. In this release, UKM now assesses backend performance more dynamically to prevent this problem.

5. Other updates

- As of this version, RHEL 7 and Amazon Linux 2 are no longer supported as UKM installation platforms.

- Warning: Support for Windows versions older that Windows 2012R2 as target hosts will be removed in the next release.

- Warning: Agent-based management of any HP-UX targets will be discontinued in anundetermined future version of UKM.

1. About this release

UKM 5.2 update emphasizes product usability all around. We have opened and documented our core API endpoints, filled gaps in the supported product and functionality matrix, improved the scalability of the product in large environments, and built on previously implemented features.

2. APIv2 documentation 

We have documented and published our core API (APIv2), the functionality of which has only been available to our customers via command line API and our web UI. We believe that the most valuable UKM is the one that our customers can seamlessly integrate with their daily workflows with minimal friction.

3. Zero Trust migration extended to Tectia (Linux/UNIX installation)

Zero Trust migration support has now been implemented on our company’s very own SSH client/server implementation, Tectia. This features brings synergies to our loyal customers who are using our Zero Trust Suite’s components together, as they should be used.

4. Bulk key actions now possible via User Portal

As an answer to the calls to reduce the time it takes application owners to send out key requests for admin approval, we have implemented bulk key actions via User Portal. Now, just like with access requests, application owners can provide detailed actions that they want to execute on different keys in a single large CSV file, uploaded via User Portal.

5. Transitive trust evaluation during access requests

Building onto the transitive analysis engine published in UKM 5.0, we have made the trust map available for application owners as well. They can now review the potential impacts of a new authorization just as UKM admins can when it comes to the application they are in charge of.

6. Other updates

The release also includes the following improvements and bug fixes:

• Standard policies are now deployable during UKM installation

• Customers can name their UKM however they want. This name is displayed in the web UI at the top

• Multiselection key renew implemented for User Portal users

• z/OS key activity scan had issues recognized certain activities. This has been now fixed

• Ubuntu versions 20 and 22 added as supported target operating systems

7. Discontinued support

• UKM script-based scan no longer works with perl. Python interpreter must be present on these hosts as of this release.

• Warning: support for RHEL 7 as UKM and User Portal installation OS is ending in next UKM version (UKM 5.3.0). Please ensure that you have UKM and User Portal installed on RHEL 8 or newer, Rocky Linux 8.4 or newer or Amazon Linux 2 by then.

1. About this release

Universal SSH Key Manager 5.1.0 includes new functionality, improvements, and bug fixes. Most notably, this release introduces automatic privileged account onboarding for UKM Zero Trust Edition and real-time transitive trust analysis capabilities.

2. Automatic privileged account onboarding 

For those customers who are using our UKM Zero Trust Edition, it is now possible to automatically discover and deploy privileged local administrator and root accounts as targets in PrivX, the Zero Trust module. This enables an effortless management flow of newly created privileged accounts and seamless access provisioning without undue delays.

3. Real-time transitive trusts analysis

UKM administrators can now see the transitive trust map for resulting accesses before approving an authorization request. This enables UKM admins to evaluate the security implications of a new access request in before hand, improving their abilities to proactively react to emerging risky access patterns and better safeguard their environment against undesired lateral movement.

4. CVS output sanitization

UKM administrators can set the level of sanitization of CSV exports requested from GUI. This setting prevents anything executable from being included in the CSV files in a format where it could interact with the operating system via Microsoft Excel or a similar spreadsheet program.

5.   Other updates

This release also includes the following improvements and bug fixes:

• RHEL 9 is now supported as an installation OS for UKM and UP

• APIv3 endpoints for creating, editing, and setting delegations for applications

• Xz compression algorithm support for Key Activity scans

• UKM Internal OpenSSH upgraded and patched against Terrapin vulnerability

6.   Deprecations

UKM 5.1.0 Django 4.2.x upgrade drops support for older Database versions. Oracle < 19 and PostgreSQL < 12 are no longer supported.

UKM 5.1.0 marks the end of support for Perl in script-based scans. If you have any older, script-based scanned UNIX servers that only support Perl, you should install Python 1.5+ on the target hosts or change those to use UKM's shell-based scan mode. 

1. About this release

Universal SSH Key Manager 5.0.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces capabilities including custom metrics tracking, transitive trust analysis, and agentless scanning of Windows hosts.

2. Custom metrics tracking

UKM admins can now track custom metrics to assess the progress of their most important data points. Daily usage of SSH keys to access privileged accounts, password ages violating set policies, or reporting on 10-year-old SSH keys in active use are just a few examples of the fully customizable metrics that admins can track. Tracked parameters can be included in the home page dashboard or within PDF reports to be distributed to relevant parties.

3. Reporting on transitive trusts

UKM now has the ability to display transitive trusts between user accounts. These trust relationships enable users to traverse the environment in sometimes unintended paths. This newly gained visibility into the matter enables UKM admins to address unwanted and excessive access they may find in their environment.

4. Agentless scanning on Windows

UKM expands its current capabilities to allow the discovery of local and domain user accounts and their keys on Windows using agentless connections via WinRM. In addition, UKM expands the reporting capabilities including reporting on enabled/disabled accounts, last login, password age, and password expiration dates. This increases the visibility into potential risks and policy violations.

5.   Other updates

This release also includes the following improvements and bug fixes:

• The user portal now provides a warning for application owners of potentially stale data when viewing SSH key details depending on how recently those keys have been scanned or when gaps in key usage audit logs have been identified.

• Introduced HTTP only cookie in addition to theJWT token for increased protection of the Web GUI [UKM-2881]

• Introduced support for agents on AIX 7.3 [UKM-2850]

• Introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. To enable the policy when upgrading UKM from earlier versions, follow the instructions outlined in chapter 8.2.4 of the installation manual [UKM-2358]

• Corrected an issue which prevented setting Never/no date value for date filters. [UKM-2903]

• Corrected an issue which in some cases caused users to be redirected back to the login page even after successful login. [UKM-2893]

6.   Deprecation Warnings

Due to third-party component requirements, the upcoming release UKM 5.1.0 supports Oracle Databases version 19+ and PostgreSQL 12+. Earlier database versions will not be supported. 

1. About this release

Universal SSH Key Manager 4.3.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces capabilities including Quantum-Safe Key exchange (KEX) algorithms available for management connections; evaluation and reporting on risks associated with user passwords as well as submission of access requests in bulk by end users.

2. Submitting bulk access requests by end users using CSV input

User Portal expands its current capabilities which help application owners with managing their SSH keys to power users who are responsible for tens of thousands of keys.

Power users can now submit access requests in bulk directly in the graphical user interface. No need for scripting, using API calls, or engaging admin users.

3. Report on violations of password security policies

UKM expands its policy capabilities into analysis and reporting on user account passwords. UKM brings to light violations of best practices associated with an increased security risk.

In this release, the capabilities include the collection and reporting of password parameters such as password changes and validity, in addition to providing policies identifying potential risk vectors on Linux operating systems. Future releases will expand the OS coverage as well as the data analysis and reporting.

4. Quantum-safe management communications 

UKM now fully supports available Quantum-Safe KEX algorithms for both agentless and agent-based management connections to managed hosts.

5. Other updates 

This release also includes the following improvements and bug fixes:

  * Validation rules for eligibility of migrating SSH accessing from using existing SSH keys to ephemeral certificates are relaxed. UKM admins can now proceed with the migration process even if not all targets can be transitioned to access using ephemeral certificates. Ineligible targets are clearly identified and an explicit approval step is required [UKM-2736]

  * UKM can now recognize and report the use of OpenSSH keys for accessing Windows hosts where OpenSSH Server is enabled. [UKM-2649]
  * This version introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. [UKM-2358]
  * Added persistency for the timeout setting applied to script-based scan jobs. The value is no longer reset to default after upgrade. [UKM-2591]
  * This version expands support for agents to RedHat 9. [UKM-2443]
  * Corrected a regression affecting UKM version 4.2. where executing an "Export Public Key" action via the GUI only listed the key data portion of the key, excluding known SSH key options (such as from stanza, commands, etc). [UKM-2709]
  * Addressed an issue where editing the value of custom fields for multiple objects (hosts, users or keys) was applied only to the first object instead of to all intended ones. [UKM-2682]

1. Migrate all user keys to Zero Trust SSH access using ephemeral certificates

This release removes the prior restriction which required that users have only one private key in order to proceed with migrating to ephemeral certificates.

This change eliminates restrictions and in effect allows any account to be migrated without jeopardizing the continuity of operation for existing automation workflows and integrations.

2. Support for OpenSSH client/server on Windows

This release introduces support for the native OpenSSH client/server software on Windows including account listing and key discovery, key provisioning, as well as remediation actions such as removal, restoring, and setting options.

This feature improves the trust relationship dataset for more complete visibility into the key sprawl and expands the management capability reach in their key estate.

For more details consult the Product Description document.

3. Automatic management of audit events

This functionality adds automatic data management for audit events generated by UKM, in order to reduce the risk of running out of disk on the database server.

Its aim is to prevent outages and the need for maintenance work due to the accumulation of audit events in the database.

A new setting introduces automatic purging capabilities for audit events with a configurable retention period.

• By default, audit events are retained indefinitely.

• Similar to other purging tasks, deleted audits are not archived.

• The previous capability to archive audit events to external storage is unaffected

4. Introducing an improved graphical user interface 

The newly released UKM admin GUI supports a modern frontend framework that allows faster implementation cycles for new feature development and, at the same time, eliminates dependencies on outdated technologies which are no longer supported. 

The core functionality is now enhanced by introducing: 

• A redesigned home page offering widget selection for configurable dashboards

• A global quick search on the home page

• A Settings page search to quickly find any setting based on a key word

5. Other updates 

This release also includes the following updates:

• PostgreSQL 14 is supported as a Database for UKM and User Portal
• Tectia server included with UKM is now updated to PQC version 6.6.1 in preparation for providing Quantum-Safe connections during management tasks when using agents.