UKM Product Update
Release notes for UKM 4.0.0
Table of Contents
1. Release Highlights
2. New Features
3. Improvements and Bug Fixes
4. Known Issues
5. Deprecations
6. Further Information
1. Release Highlights
Version 4.0 of Universal SSH Key Manager (UKM) is a Feature Release and is supported for two years from its release date. End-of-support dates are listed at https://www.ssh.com/products/support/end-of-support.
Notable functionality released in this version includes:
Migration of existing SSH keys to achieve Zero Trust SSH access using ephemeral certificates
This capability lets UKM admins migrate existing private SSH keys with a single click, replacing static SSH keys with ephemeral certificates as the user authentication method. The migration is transparent to the authenticating clients, so existing automation flows and scripts do not need to change.
In practice this eliminates key management and key rotation at scale. It introduces role-based access control (RBAC) for SSH access with full control of sessions, as well as audit, recording, and replay capabilities.
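What "ephemeral certificate" means on the wire: an OpenSSH user certificate carries its own valid_after/valid_before window and the principals it may log in as, so the long-lived secret on disk is replaced by a credential that expires by itself. The following is an added example, not UKM's code and not a description of how UKM performs the migration. It parses an OpenSSH certificate line (the format of the certificate file that ssh-keygen -s produces) and reports whether the certificate is a currently valid, short-lived user certificate. The certificate it inspects is constructed in-line with dummy key material and a dummy signature, so signature verification against the CA is deliberately out of scope; the 24-hour "ephemeral" threshold and the key ID and principal names are assumptions of the example.

```python
"""Inspect an OpenSSH user certificate's validity window and principals.

Added example, not UKM's code. The certificate below is constructed in-line
with a dummy key and signature (no real CA signed it); signature verification
is deliberately out of scope.
"""
import base64
import struct
import time
from typing import Dict, List, Optional, Tuple

# Number of public-key fields that follow the nonce, per key type
# (OpenSSH PROTOCOL.certkeys): ed25519 -> pk; rsa -> e, n; ecdsa -> curve, Q.
PK_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
}
CERT_TYPE_USER = 1  # 2 would be a host certificate


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_u64(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack(">Q", buf[off:off + 8])[0], off + 8


def _read_u32(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _name_list(blob: bytes) -> List[str]:
    """Decode the nested list-of-strings used for 'valid principals'."""
    out, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        out.append(s.decode())
    return out


def parse_cert(line: str) -> Dict:
    """Parse one certificate line `<type> <base64> [comment]` up to the validity window."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    ktype_b, off = _read_string(blob, 0)
    ktype = ktype_b.decode()
    if ktype != fields[0] or ktype not in PK_FIELDS:
        raise ValueError(f"unsupported or inconsistent key type: {ktype}")
    _, off = _read_string(blob, off)                 # nonce
    for _ in range(PK_FIELDS[ktype]):                # public key material
        _, off = _read_string(blob, off)
    serial, off = _read_u64(blob, off)
    ctype, off = _read_u32(blob, off)
    key_id, off = _read_string(blob, off)
    principals, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    return {
        "type": ktype, "serial": serial, "is_user_cert": ctype == CERT_TYPE_USER,
        "key_id": key_id.decode(), "principals": _name_list(principals),
        "valid_after": valid_after, "valid_before": valid_before,
        "lifetime_s": valid_before - valid_after,
    }


def is_ephemeral(cert: Dict, max_lifetime_s: int = 24 * 3600,
                 now: Optional[float] = None) -> bool:
    """True if the cert is a user cert, currently valid, and short-lived (assumed: <= 24 h)."""
    now = time.time() if now is None else now
    return (cert["is_user_cert"]
            and cert["lifetime_s"] <= max_lifetime_s
            and cert["valid_after"] <= now < cert["valid_before"])


# ---- constructed sample: build an (unsigned) ed25519 user certificate ----
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_cert(valid_after: int, lifetime_s: int) -> str:
    """Assemble a syntactically valid certificate with dummy key, CA key and signature."""
    ktype = "ssh-ed25519-cert-v01@openssh.com"
    body = (_s(ktype.encode()) + _s(b"\x00" * 32) + _s(b"\x11" * 32)      # nonce, dummy pk
            + struct.pack(">Q", 42) + struct.pack(">I", CERT_TYPE_USER)     # serial, type
            + _s(b"ukm-migrated:svc-backup")                                # key id (assumed)
            + _s(_s(b"svc-backup") + _s(b"backup-operators"))               # principals (assumed)
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_after + lifetime_s)
            + _s(b"") + _s(_s(b"permit-pty") + _s(b""))                     # critical opts, extensions
            + _s(b"") + _s(b"\x22" * 51) + _s(b"\x33" * 83))                # reserved, CA key, signature
    return f"{ktype} {base64.b64encode(body).decode()} sample"


if __name__ == "__main__":
    t0 = 1_700_000_000
    short = parse_cert(build_sample_cert(t0, 600))           # 10-minute certificate
    long_ = parse_cert(build_sample_cert(t0, 365 * 86400))   # one year: not ephemeral
    print(short["principals"], short["lifetime_s"], is_ephemeral(short, now=t0 + 60))
    print(long_["lifetime_s"], is_ephemeral(long_, now=t0 + 60))
```

A practical audit runs parse_cert over the certificates agents actually present (ssh-add -L lists them) and treats anything failing is_ephemeral, or carrying principals broader than the role being migrated, as a static credential that has crept back in. Note that the check only reads the validity window; whether the server accepts the certificate still depends on the CA in TrustedUserCAKeys and on the principals mapping, which this example does not verify.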
Retry capabilities for failed access requests
Failed or partially failed access requests can now be retried from the User Portal, the UKM admin interface, and the CLI.
This removes the need to recreate the request from scratch and preserves previously submitted approvals: users retry the request once the cause of the failure has been resolved. The ticket number attached to the request can also be updated if it has changed.
Post-Quantum Crypto Agility Assessment
With advances in quantum computing, a sufficiently large quantum computer would be able to break communications protected by classical public-key algorithms, including the Diffie-Hellman and elliptic-curve key exchanges SSH relies on today. While such quantum computers do not exist yet, encrypted traffic can be captured and stored now and decrypted once they become available.
With this in mind, hybrid key exchange algorithms, which combine a classical key exchange with a post-quantum one and are believed to resist attacks enabled by future quantum computers, already exist and are available in current SSH client and server software such as Tectia Quantum-Safe Edition, Tectia Zero Trust Edition, and OpenSSH.
UKM can evaluate your SSH client and server estate, determine whether quantum-safe algorithms are actively in use, and assess your overall post-quantum crypto agility. For installation and upgrade instructions, refer to the Universal SSH Key Manager Admin Manual.
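To make the assessment concrete, the following added example (not UKM's code and not how UKM gathers its data) classifies hosts by the key-exchange list they actually use. It reads the output of sshd -T (effective server configuration) or ssh -G host (effective client configuration), both of which print a line of the form "kexalgorithms a,b,c" in preference order, and checks it against the hybrid post-quantum KEX names that OpenSSH registers. The set of quantum-safe algorithm names is an assumption of the example and is not exhaustive: Tectia uses its own names, which a real assessment would add to the set. The configuration snippets and host names are constructed for the example.

```python
"""Assess SSH key-exchange configuration for post-quantum (hybrid) KEX.

Added example, not part of UKM. Input is the text of `sshd -T` (server) or
`ssh -G <host>` (client); both print a line `kexalgorithms a,b,c`. The sample
configs at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hybrid classical+PQ KEX names registered by OpenSSH. Vendor-specific names
# (for example Tectia Quantum-Safe Edition's) are not listed; extending this
# set with them is an assumption left to the reader.
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha512@openssh.com",  # OpenSSH 8.5+, client default since 9.0
    "mlkem768x25519-sha256",               # OpenSSH 9.9+ (ML-KEM, FIPS 203)
}


def parse_kex(config_text: str) -> List[str]:
    """Return the KEX list, in preference order, from `sshd -T` / `ssh -G` output."""
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return []


@dataclass
class KexAssessment:
    host: str
    role: str                       # "server" or "client"
    kex: List[str]
    pq_offered: List[str] = field(default_factory=list)
    pq_preferred: bool = False
    verdict: str = "no-kex-found"


def assess(host: str, role: str, config_text: str) -> KexAssessment:
    """Classify one host's effective KEX configuration."""
    kex = parse_kex(config_text)
    a = KexAssessment(host=host, role=role, kex=kex)
    if not kex:
        return a
    a.pq_offered = [k for k in kex if k in PQ_HYBRID_KEX]
    a.pq_preferred = kex[0] in PQ_HYBRID_KEX
    # SSH chooses the first entry of the *client's* list that the server also
    # supports (RFC 4253 section 7.1), so ordering only matters on the client
    # side; a server is ready as soon as it offers a PQ hybrid at all.
    if not a.pq_offered:
        a.verdict = "classical-only"
    elif role == "client" and not a.pq_preferred:
        a.verdict = "pq-offered-not-preferred"
    else:
        a.verdict = "quantum-safe"
    return a


def assess_estate(configs: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """configs: {host: (role, config_text)} -> number of hosts per verdict."""
    summary: Dict[str, int] = {}
    for host, (role, text) in configs.items():
        v = assess(host, role, text).verdict
        summary[v] = summary.get(v, 0) + 1
    return summary


# Constructed, abbreviated `sshd -T` / `ssh -G` output for three hosts.
SAMPLE_ESTATE = {
    "bastion01": ("server",
                  "port 22\nkexalgorithms sntrup761x25519-sha512@openssh.com,"
                  "curve25519-sha256,ecdh-sha2-nistp256\nciphers aes256-gcm@openssh.com\n"),
    "legacy-app": ("server",
                   "port 22\nkexalgorithms diffie-hellman-group14-sha256,ecdh-sha2-nistp384\n"),
    "jumpbox-client": ("client",
                       "hostname jumpbox\nkexalgorithms curve25519-sha256,"
                       "mlkem768x25519-sha256\n"),
}

if __name__ == "__main__":
    for host, (role, text) in SAMPLE_ESTATE.items():
        r = assess(host, role, text)
        print(f"{host:15} {role:6} {r.verdict:25} pq={r.pq_offered}")
    print(assess_estate(SAMPLE_ESTATE))
```

The role distinction is the part that is easy to get wrong in a fleet report: a server that merely lists a hybrid algorithm somewhere is already able to negotiate it, but a client that lists it behind curve25519-sha256 will keep choosing the classical exchange against every server, so "offered" and "preferred" must be scored differently on the two sides.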
2. New Features
The following new features and platform support have been introduced in UKM 4.0:
(UKM-1918)
- Ability to migrate existing SSH trusts from SSH keys to short-lived certificates for authentication.
(UKM-2176)
- Retry capability for failed access requests without repeating the approval process. The retry action can be executed from the User Portal, the UKM admin interface, or the CLI/API, and allows a new ticket number or maintenance window to be submitted if necessary.
(UKM-1485)
- UKM admins can now update SSH key associations for individual applications.
(UKM-2188)
- Added SSH configuration management and key relocation support on SUSE 15.
(UKM-2289)
- Added protection against brute-force password attacks on local accounts in the User Portal.
(UKM-2269)
- Support for Rocky Linux as User Portal installation platform.
(UKM-2315)
- Support for Amazon Aurora PostgreSQL database.
(UKM-2330)
- Support for Amazon Linux 2 as managed host.
(UKM-2296)
- Support for Windows 2022 as managed host.
3. Improvements and Bug Fixes
The following improvements and bug fixes have been implemented in UKM 4.0:
(UKM-2331)
- Added the ability to filter hosts by IP in APIv3.
(UKM-2362)
- Improved the performance of the job responsible for assigning SSH keys to the chosen application.
(UKM-1839)
- Login to UKM is no longer blocked if the primary Active Directory is offline. AD-related queries are now correctly redirected to other ADs in the configuration.
(UKM-2427)
- Adding an authorization via the API is no longer blocked when the source or target username contains a backslash (for example, a DOMAIN\user Windows account name).
4. Known Issues
- [43454] It is difficult to distinguish leading and trailing whitespaces in passphrases displayed by the UKM’s admin GUI.
- [52702] Host Utility ssh-mgr-host-utility.exe, used in offline scanning, does not detect Tectia keys properly if Tectia Server is configured to use openssh-authorized-keys-file only.
- [58911] Custom logging settings inside localsettings.py file cause database migration to fail.
- [59280] For access requests, the Key Path is not automatically cleared when Key Manager administrators change the source account/host. Access-request jobs fail if the new source user does not control the specified Key Path.
- [UKM-192] Key-activity scan may not log all failed login attempts on Red Hat and Tectia hosts.
- [UKM-247] On AIX, offline scan with the scan-without-nfs option mounts all NFS home directories.
- [UKM-389] If a Key Manager administrator tries to approve actions initiated by themselves, the approval is rejected as expected, but no error message is shown in the GUI.
- [UKM-450] "Set Passphrase" operation fails for Attachmate private keys.
- [UKM-463] GUI does not correctly display all key IDs affected by rollback actions. However, rollback actions are still performed correctly.
- [UKM-734] In the global setting 'List of allowed application-owner roles', leading and trailing whitespace in values is treated as part of the role name. For example, if the value is set to "role_1, role_2, role_3", you will have roles named "role_1", " role_2", and " role_3". CAUTION: Do not change the leading/trailing whitespace! Doing so irrevocably removes all application associations and delegations of the affected roles.
- [UKM-898] Setting a private-key passphrase on agent-based CentOS 7 hosts with SELinux in enforcing mode fails with a 'Permission denied' error.
- [UKM-1062] If the ssh-agent-monitor process is killed, the associated ssh-key-agent process is left alive. Known workaround: Kill the orphaned ssh-key-agent process manually.
- [UKM-2238] UKM incorrectly reports successfully completing the remove action for private keys for which the ownership has been changed and the user no longer has appropriate permissions.
5. Deprecations
The following OS versions are no longer officially supported:
- SUSE Linux Enterprise Desktop and Server Editions 10 and 11
- Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2
- Ubuntu 14 and 16
- 32-bit (x86) OS distributions
In this and future releases, the OS versions listed above are expected to operate as before; however, there will be no further support or development effort should issues be encountered on those platforms when using UKM.
(UKM-2063)
- In the User Portal, application owners can no longer modify access request parameters such as the validity period during the approval step. This does not affect the ability of the request initiator to specify a validity period for a given key, or the ability of a UKM admin to modify that validity period in the UKM admin GUI as part of the approval process.
6. Further Information
More information, including end-user and administrative documentation, can be found in the Customer Download Center at https://cdc.ssh.com