Product updates of PrivX Key Manager

PrivX Key Manager 6 Release notes

26/05/2025

 

1. About this release

In this release, we are rebranding Universal SSH Key Manager (UKM) as PrivX Key Manager. This rebranding has no other implications on customers’ installations, licensing, or support. Going forward, we are denoting the releases by default with the major digit only, unless specifically addressing a maintenance version (e.g. 6.1) or wanting to be very clear in which version is being referenced.

In addition to the rebranding, we have implemented a new, interactive, way to view and examine transitive trusts within the scanned environment. Continued effort has been put to improve script-based scanning and we have implemented PQC status attribute for hosts along with out-of-the-box PQC policies for easy monitoring and measuring of PQC readiness.

 

2. Interactive transitive trusts

An interactive transitive trust page has been implemented to replace the old pdf-based report to allow our users to better gain an understanding of chained trust relationships which SSH keys naturally form when left unchecked. The new implementation is a significant improvement over the batch-processed reports in previous versions and is especially useful for newer customers.

 

3. PQC policies

It is now possible to check “PQC status” for SSH products, enabling users to better monitor and assess PQC readiness and the status of their environment. PQC policies are also included out-of-the-box with the built-in policy tool, and PQC status metrics are by default included in the environment reports.

 

4. Script-based scan improvements

Script-based scan jobs are now resistant to connection issues and front-end server restart mid-job, improving the robustness of overall job execution. It is also possible to optimize the PrivX Key Manager setup further by allocating script executors to communicate with certain front-end servers. Furthermore, resources are being saved due to the executors' new way of storing tasks and results on a local disk instead of RAM. This has minor implications on disk space usage on PKM backend servers.

 

5. Other updates

• A new agent built on the Tectia client is now being shipped with Privx Key Manager

• Support for PostgreSQL 12 has been ended

• Support for PostgreSQL versions 15 and 16 added

Universal SSH Key Manager (UKM) 5.3 Release notes

14/11/2024

 

1. About this release

This release of UKM introduces significant new capabilities for enterprise security, such as automatic host key distribution to hosts during new access provisioning, just-in-time (JIT) authorization for executing privileged commands on target servers, and enhancements in automatic load balancing for backend servers handling job execution.

 

2. Host key distribution

When UKM establishes new SSH key-based connections between servers, UKM administrators can now task UKM with distributing host keys from target hosts to source servers. This new capability ensures that every step of provisioning new authentication is secure. One challenge with SSH connections is verifying the trustworthiness of the target, as administrators are expected to validate new host keys from a centralized, trusted source. This step is often skipped due to the time-consuming nature of managing these lists. UKM is well-positioned to leverage its existing knowledge of valid host keys, streamlining the process by automatically updating the known_hosts file on the source server, removing the need for explicit host key approval.

 

3. Sudo password

Another new feature caters to organizations aiming to maintain JIT authentication and authorization at every level. For this purpose, we have introduced the option for UKM to retrieve short-term credentials that authorize privileged tasks on target hosts as it manages SSH keys.

 

4. Automatic job execution balancing

Large-scale UKM deployments typically use our “script-based scan” method to reduce the overhead associated with shell-based scanning. However, an issue with the script-based scan architecture was that, in certain situations, too many jobs accumulated on a few backends that the system identified as more reliable, creating an artificial bottleneck in job execution. In this release, UKM now assesses backend performance more dynamically to prevent this problem.

 

5. Other updates

• As of this version, RHEL 7 and Amazon Linux 2 are no longer supported as UKM installation platforms.

• Warning: Support for Windows versions older that Windows 2012R2 as target hosts will be removed in the next release.

• Warning: Agent-based management of any HP-UX targets will be discontinued in anundetermined future version of UKM.

Universal SSH Key Manager (UKM) 5.2 Release notes

05/06/2024

 

1. About this release

UKM 5.2 update emphasizes product usability all around. We have opened and documented our core API endpoints, filled gaps in the supported product and functionality matrix, improved the scalability of the product in large environments, and built on previously implemented features.

 

2. APIv2 documentation

We have documented and published our core API (APIv2), the functionality of which has only been available to our customers via command line API and our web UI. We believe that the most valuable UKM is the one that our customers can seamlessly integrate with their daily workflows with minimal friction.

 

3. Zero Trust migration extended to Tectia (Linux/UNIX installation)

Zero Trust migration support has now been implemented on our company’s very own SSH client/server implementation, Tectia. This features brings synergies to our loyal customers who are using our Zero Trust Suite’s components together, as they should be used.

 

4. Bulk key actions now possible via User Portal

As an answer to the calls to reduce the time it takes application owners to send out key requests for admin approval, we have implemented bulk key actions via User Portal. Now, just like with access requests, application owners can provide detailed actions that they want to execute on different keys in a single large CSV file, uploaded via User Portal.

 

5. Transitive trust evaluation during access requests

Building onto the transitive analysis engine published in UKM 5.0, we have made the trust map available for application owners as well. They can now review the potential impacts of a new authorization just as UKM admins can when it comes to the application they are in charge of.

 

6. Other updates

The release also includes the following improvements and bug fixes:

• Standard policies are now deployable during UKM installation

• Customers can name their UKM however they want. This name is displayed in the web UI at the top

• Multiselection key renew implemented for User Portal users

• z/OS key activity scan had issues recognized certain activities. This has been now fixed

• Ubuntu versions 20 and 22 added as supported target operating systems

 

7. Discontinued support

UKM script-based scan no longer works with perl. Python interpreter must be present on these hosts as of this release.

Warning: support for RHEL 7 as UKM and User Portal installation OS is ending in next UKM version (UKM 5.3.0). Please ensure that you have UKM and User Portal installed on RHEL 8 or newer, Rocky Linux 8.4 or newer or Amazon Linux 2 by then.

Universal SSH Key Manager (UKM) 5.1 Release notes

21/12/2023

 

1. About this release

Universal SSH Key Manager 5.1.0 includes new functionality, improvements, and bug fixes. Most notably, this release introduces automatic privileged account onboarding for UKM Zero Trust Edition and real-time transitive trust analysis capabilities.

 

2. Automatic privileged account onboarding

For those customers who are using our UKM Zero Trust Edition, it is now possible to automatically discover and deploy privileged local administrator and root accounts as targets in PrivX, the Zero Trust module. This enables an effortless management flow of newly created privileged accounts and seamless access provisioning without undue delays.

 

3. Real-time transitive trusts analysis

UKM administrators can now see the transitive trust map for resulting accesses before approving an authorization request. This enables UKM admins to evaluate the security implications of a new access request in before hand, improving their abilities to proactively react to emerging risky access patterns and better safeguard their environment against undesired lateral movement.

 

4. CVS output sanitization

UKM administrators can set the level of sanitization of CSV exports requested from GUI. This setting prevents anything executable from being included in the CSV files in a format where it could interact with the operating system via Microsoft Excel or a similar spreadsheet program.

 

5. Other updates

This release also includes the following improvements and bug fixes:

• RHEL 9 is now supported as an installation OS for UKM and UP

• APIv3 endpoints for creating, editing, and setting delegations for applications

• Xz compression algorithm support for Key Activity scans

• UKM Internal OpenSSH upgraded and patched against Terrapin vulnerability

 

6. Deprecations

UKM 5.1.0 Django 4.2.x upgrade drops support for older Database versions. Oracle < 19 and PostgreSQL < 12 are no longer supported.

UKM 5.1.0 marks the end of support for Perl in script-based scans. If you have any older, script-based scanned UNIX servers that only support Perl, you should install Python 1.5+ on the target hosts or change those to use UKM's shell-based scan mode.

Universal SSH Key Manager (UKM) 5.0 Release notes

09/05/2023

 

1. About this release

Universal SSH Key Manager 5.0.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces capabilities including custom metrics tracking, transitive trust analysis, and agentless scanning of Windows hosts.

2. Custom metrics tracking

UKM admins can now track custom metrics to assess the progress of their most important data points. Daily usage of SSH keys to access privileged accounts, password ages violating set policies, or reporting on 10-year-old SSH keys in active use are just a few examples of the fully customizable metrics that admins can track. Tracked parameters can be included in the home page dashboard or within PDF reports to be distributed to relevant parties.

 

3. Reporting on transitive trusts

UKM now has the ability to display transitive trusts between user accounts. These trust relationships enable users to traverse the environment in sometimes unintended paths. This newly gained visibility into the matter enables UKM admins to address unwanted and excessive access they may find in their environment.

 

4. Agentless scanning on Windows

UKM expands its current capabilities to allow the discovery of local and domain user accounts and their keys on Windows using agentless connections via WinRM. In addition, UKM expands the reporting capabilities including reporting on enabled/disabled accounts, last login, password age, and password expiration dates. This increases the visibility into potential risks and policy violations.

5. Other updates

This release also includes the following improvements and bug fixes:

• The user portal now provides a warning for application owners of potentially stale data when viewing SSH key details depending on how recently those keys have been scanned or when gaps in key usage audit logs have been identified.

• Introduced HTTP only cookie in addition to theJWT token for increased protection of the Web GUI [UKM-2881]

• Introduced support for agents on AIX 7.3 [UKM-2850]

• Introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. To enable the policy when upgrading UKM from earlier versions, follow the instructions outlined in chapter 8.2.4 of the installation manual [UKM-2358]

• Corrected an issue which prevented setting Never/no date value for date filters. [UKM-2903]

• Corrected an issue which in some cases caused users to be redirected back to the login page even after successful login. [UKM-2893]

6. Deprecation Warnings

Due to third-party component requirements, the upcoming release UKM 5.1.0 supports Oracle Databases version 19+ and PostgreSQL 12+. Earlier database versions will not be supported.

Universal SSH Key Manager (UKM) 4.3.0 Release notes

24/04/2023

 

1. About this release

Universal SSH Key Manager 4.3.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces capabilities including Quantum-Safe Key exchange (KEX) algorithms available for management connections; evaluation and reporting on risks associated with user passwords as well as submission of access requests in bulk by end users.

 

2. Submitting bulk access requests by end users using CSV input

User Portal expands its current capabilities which help application owners with managing their SSH keys to power users who are responsible for tens of thousands of keys.

Power users can now submit access requests in bulk directly in the graphical user interface. No need for scripting, using API calls, or engaging admin users.

 

3. Report on violations of password security policies

UKM expands its policy capabilities into analysis and reporting on user account passwords. UKM brings to light violations of best practices associated with an increased security risk.

In this release, the capabilities include the collection and reporting of password parameters such as password changes and validity, in addition to providing policies identifying potential risk vectors on Linux operating systems. Future releases will expand the OS coverage as well as the data analysis and reporting.

 

4. Quantum-safe management communications

UKM now fully supports available Quantum-Safe KEX algorithms for both agentless and agent-based management connections to managed hosts.

 

5. Other updates

This release also includes the following improvements and bug fixes:

* Validation rules for eligibility of migrating SSH accessing from using existing SSH keys to ephemeral certificates are relaxed. UKM admins can now proceed with the migration process even if not all targets can be transitioned to access using ephemeral certificates. Ineligible targets are clearly identified and an explicit approval step is required [UKM-2736]

* UKM can now recognize and report the use of OpenSSH keys for accessing Windows hosts where OpenSSH Server is enabled. [UKM-2649]
* This version introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. [UKM-2358]
* Added persistency for the timeout setting applied to script-based scan jobs. The value is no longer reset to default after upgrade. [UKM-2591]
* This version expands support for agents to RedHat 9. [UKM-2443]
* Corrected a regression affecting UKM version 4.2. where executing an "Export Public Key" action via the GUI only listed the key data portion of the key, excluding known SSH key options (such as from stanza, commands, etc). [UKM-2709]
* Addressed an issue where editing the value of custom fields for multiple objects (hosts, users or keys) was applied only to the first object instead of to all intended ones. [UKM-2682]

Universal SSH Key Manager (UKM) 4.2.0 Release notes

13/12/2022

 

1. Migrate all user keys to Zero Trust SSH access using ephemeral certificates

This release removes the prior restriction which required that users have only one private key in order to proceed with migrating to ephemeral certificates.

This change eliminates restrictions and in effect allows any account to be migrated without jeopardizing the continuity of operation for existing automation workflows and integrations.

 

2. Support for OpenSSH client/server on Windows

This release introduces support for the native OpenSSH client/server software on Windows including account listing and key discovery, key provisioning, as well as remediation actions such as removal, restoring, and setting options.

This feature improves the trust relationship dataset for more complete visibility into the key sprawl and expands the management capability reach in their key estate.

For more details consult the Product Description document.

 

3. Automatic management of audit events

This functionality adds automatic data management for audit events generated by UKM, in order to reduce the risk of running out of disk on the database server.

Its aim is to prevent outages and the need for maintenance work due to the accumulation of audit events in the database.

A new setting introduces automatic purging capabilities for audit events with a configurable retention period.

By default, audit events are retained indefinitely.

Similar to other purging tasks, deleted audits are not archived.

The previous capability to archive audit events to external storage is unaffected.

 

4. Introducing an improved graphical user interface

The newly released UKM admin GUI supports a modern frontend framework that allows faster implementation cycles for new feature development and, at the same time, eliminates dependencies on outdated technologies which are no longer supported.

The core functionality is now enhanced by introducing:

• A redesigned home page offering widget selection for configurable dashboards

• A global quick search on the home page

• A Settings page search to quickly find any setting based on a key word

 

5. Other updates

This release also includes the following updates:

• PostgreSQL 14 is supported as a Database for UKM and User Portal

• Tectia server included with UKM is now updated to PQC version 6.6.1 in preparation for providing Quantum-Safe connections during management tasks when using agents.

Universal SSH Key Manager (UKM) 4.1.0 Release notes

 

1. Release highlights

Universal SSH Key Manager (UKM) 4.1.0 includes new functionality, improvements, and bug fixes.

Most notably, this release introduces the ability to expand search locations of private SSH keys and to evaluate and report on the Post-Quantum readiness of the Tectia SSH server estate.

UKM 4.1.0 also introduces advanced alert management to focus on what matters, avoid alert fatigue, and improve data management.

 

2. New features

This release introduces the following new capabilities.

UKM adds the ability to assess your SSH client/server estate and report on your adoption of Quantum-Resistant Cryptographic algorithms such as NIST's finalist CRYSTALS-Kyber among others. UKM provides the ability to:

• transition away from insecure communication standards, such as SHA1-based algorithms, which are known to be insecure today

• implement the mixed use of Quantum-Resistant and Classical algorithms during a transition period from a centralized platform [UKM-2460]

• It is now possible to define custom locations where UKM will search for private SSH keys. User home directories are always scanned. [UKM-1448]

 

3. Improvements

This release includes the following improvements and continuity updates:

• UKM and User Portal can be now installed on Amazon Linux 2 [UKM-2348]

• Scheduled purging task will now delete all alerts that qualify, i.e. alerts older than the defined preservation period. This includes active alerts which, in prior versions, were explicitly omitted even if they were older then the defined preservation period [UKM-2373]

• Alerts issued by UKM can be now explicitly disabled [UKM-2373]

• Private SSH keys part of the Zero Trust authentication flow can now be rotated in UKM [UKM-2174]

 

4. Bug fixes

Addressed an issue that prevented modifying existing applications featuring domain user in the format domain\username. Application can now be edited and domain users can be successfully added to the include/exclude lists [UKM-2488]

Address an issue that prevented successful scanning when user inquiry in a target server returned disabled users [UKM-2477]

Change ticket fields in the User Portal are now properly validated. The value can consist of alphanumeric, dash, underscore and dot characters with a maximum length of 100 symbols [UKM-2489]

 

5. Deprecation warnings

Support for Postgre SQL database versions 9.9 and 10 will be deprecated in UKM version 4.2.

 

6. Known issues

[43454] It is difficult to distinguish leading and trailing whitespaces in passphrases displayed by the Key Manager GUI.

[52702] Host Utility ssh-mgr-host-utility.exe does not detect Tectia keys properly if Tectia Server is configured to use openssh-authorized-keys-file only.

[58911] Custom logging settings inside localsettings.py file cause database migration to fail.

[59280] For access requests, the Key Path is not automatically cleared when Key Manager administrators change the source account/host. access-request jobs fail if the new source user is not in control of the specified Key Path.

[UKM-192] Key-activity scan may not log all failed login attempts on Red Hat and Tectia hosts.

[UKM-247] On AIX, offline scan with the scan-without-nfs option mounts all NFS home directories.

[UKM-389] If a Key Manager administrator tries to approve actions initiated by themselves, the approval is rejected as expected, but no error message is shown in the GUI.

[UKM-450] "Set Passphrase" operation fails for Attachmate private keys.

[UKM-463] GUI does not correctly display all key IDs affected by rollback actions. However, rollback actions are still performed correctly.

[UKM-734] In the global setting 'List of allowed application-owner roles' leading and trailing whitespaces in values are considered part of the names. For example, if the value is set to "role_1, role2, role_3", you will have roles named "role_1", "role_2", and " role_3".

CAUTION: Do not change the leading/trailing whitespaces! Doing so irrevocably removes all the application associations and delegations of the affected roles.

[UKM-898] Setting private-key passphrase on agent-based CentOS-7 hosts with SELinux enforcing fails with 'Permission denied' error

[UKM-1062] If the ssh-agent-monitor process is killed, the associated ssh-key-agent process is left alive.

Known workaround: Kill the orphaned ssh-key-agent process manually.

[UKM-2238] UKM incorrectly reports successfully completing remove action for private keys for which the ownership has been changed and the user no longer has appropriate permissions.

[UKM-2486] Tags submitted via CLI are not properly validated. It is possible to create tags which include invalid characters.

 

Further information

More information, including end-user and administrative documentation, can be found in the Customer Download Center.

Universal SSH Key Manager (UKM) 4.0.0 Release notes

 

Release highlights

Version 4.0 of Universal SSH Key Manager (UKM) is a Feature Release, and it is supported for 2 years from its release date. The end of support dates are listed at: https://www.ssh.com/products/support/end-of-support .

Notable functionality released in this version includes:

 

Migration of existing SSH keys to achieve a Zero Trust SSH access using ephemeral certificates

This capability allows UKM admins to execute migration action on existing private SSH keys with a single click to replace static SSH keys with ephemeral certificates as the user authentication. The migration is done transparently to eliminate the need to change automation flows and scripts.

This, in practice, eliminates the need for management and rotation of keys at large. It introduces role-based access control (RBAC) for SSH access with full control of the sessions as well as audit, record, and replay capabilities.

 

Retry capabilities for failed access requests

It is now possible to retry failed or partially failed access requests in the User portal, UKM admin, and CLI.

This improvement eliminates the need to recreate the request anew and preserves previously submitted approvals. Instead, users can retry the request once the issues causing the failure are resolved. UKM also allows for updates of the changed ticket if necessary.

 

Post-Quantum Crypto Agility Assessment

With the advancements in the field of quantum computing, a large quantum computer will be capable of breaking communication encrypted with classical cryptographic algorithms. While large enough quantum computers do not exist today, encrypted communication can be stored today and decrypted once they become available.

With the implications above in mind, the development of hybrid key exchange algorithms, believed to resist attacks enabled by future quantum computes, already exist and are available in the latest versions of SSH Client/Server software such as Tectia Quantum-Safe Edition as well as Tectia Zero Trust Edition and OpenSSH.

UKM is capable of evaluating your SSH Client and Server estate, if quantum-safe algorithms are being actively used, and assessing your overall post-quantum crypto agility. For installation and upgrade instructions, refer to the Universal SSH Key Manager’s Admin Manual.

 

2. New features

The following new features and support continuity have been introduced in UKM 4.0:

(UKM-1918)
- Ability to migrate existing SSH trusts from using SSH keys to instead utilizing short-lived certificates for authentication.

(UKM-2176)
- Retry capability for failed access requests without the need to repeat the approval process. The retry action can be executed in either the User portal, UKM's admin, or CLI/API interfaces and does allow the possibility to submit a new ticket number or maintenance window if necessary.

(UKM-1485)
- UKM admins can now update SSH key associations for individual applications

(UKM-2188)
- Added SSH configuration management and key relocation support on SUSE 15.

(UKM-2289)
- Added protection again brute force password attacks on local accounts in User Portal.

(UKM-2269)
- Support for Rocky Linux as User Portal installation platform.

(UKM-2315)
- Support for Amazon Aurora PostgreSQL database.

(UKM-2330)
- Support for Amazon Linux 2 as managed host.

(UKM-2296)
- Support for Windows 2022 as managed host.

 

 3. Improvements and bug fixes

The following improvements and bug fixes have been implemented in UKM 4.0:

(UKM-2331)
- Added the ability to filter hosts by IP in APIv3.

(UKM-2362)
- Improved the performance of the job responsible for assigning SSH keys to the chosen application.

(UKM-1839)
- Login to UKM is no longer blocked if the primary Active Directory is offline. AD-related queries are now correctly redirected to other ADs in the configuration.

(UKM-2427)
- Add authorization via API no longer blocked in case source or target username contains a backslash.

 

4. Known issues

- [43454] It is difficult to distinguish leading and trailing whitespaces in passphrases displayed by the UKM’s admin GUI.
- [52702] Host Utility ssh-mgr-host-utility.exe, used in offline scanning, does not detect Tectia keys properly if Tectia Server is configured to use openssh-authorized-keys-file only.
- [58911] Custom logging settings inside localsettings.py file cause database migration to fail.
- [59280] For access requests, the Key Path is not automatically cleared when Key Manager administrators change the source account/host. access-request jobs fail if the new source user is not in control of the specified Key Path.
- [UKM-192] Key-activity scan may not log all failed login attempts on Red Hat and Tectia hosts.
- [UKM-247] On AIX, offline scan with the scan-without-nfs option mounts all NFS home directories.
- [UKM-389] If a Key Manager administrator tries to approve actions initiated by themselves, the approval is rejected as expected, but no error message is shown in the GUI.
- [UKM-450] "Set Passphrase" operation fails for Attachmate private keys.
- [UKM-463] GUI does not correctly display all key IDs affected by rollback actions. However, rollback actions are still performed correctly.
- [UKM-734] In the global setting 'List of allowed application-owner roles' leading and trailing whitespaces in values are considered part of the names. For example, if the value is set to "role_1, role2, role_3", you will have roles named "role_1", "role_2", and " role_3". CAUTION: Do not change the leading/trailing whitespaces! Doing so irrevocably removes all the application associations and delegations of the affected roles.
- [UKM-898] Setting private-key passphrase on agent-based CentOS-7 hosts with SELinux enforcing fails with 'Permission denied' error
- [UKM-1062] If the ssh-agent-monitor process is killed, the associated ssh-key-agent process is left alive. Known workaround: Kill the orphaned ssh-key-agent process manually.
- [UKM-2238] UKM incorrectly reports successfully completing the remove action for private keys for which the ownership has been changed and the user no longer has appropriate permissions.

 

5. Deprecations

The following OS versions are no longer officially supported:

• SUSE Linux Enterprise Desktop and Server Editions 10 and 11

• Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2

• Ubuntu 14 and 16

• OS distributions with 32bit instruction sets (x86)

 

In this and future releases, the OS versions mentioned above are expected to operate as before, however, there will be no further support or development efforts, should any issues be encountered with those platforms related to using UKM.

(UKM-2063)
- In the User portal, it is no longer possible for application owners to modify access request parameters such as validity period during the approval step. This does not affect the ability of the initiator of the request to specify a validity for a given key or the ability of UKM admin to modify that validity period in UKM admin GUI as part of the approval process.

 

6. Further information

More information, including end-user and administrative documentation, can be found on the customer download center from https://cdc.ssh.com