
Universal SSH Key Manager (UKM) Product Update

Learn about the details of the latest releases.

 

1. About this release

Universal SSH Key Manager 5.1.0 includes new functionality, improvements, and bug fixes. Most notably, this release introduces automatic privileged account onboarding for UKM Zero Trust Edition and real-time transitive trust analysis capabilities.

 

2. Automatic privileged account onboarding 

For those customers who are using our UKM Zero Trust Edition, it is now possible to automatically discover and deploy privileged local administrator and root accounts as targets in PrivX, the Zero Trust module. This enables an effortless management flow of newly created privileged accounts and seamless access provisioning without undue delays.

 

3. Real-time transitive trusts analysis

UKM administrators can now see the transitive trust map for resulting accesses before approving an authorization request. This enables UKM admins to evaluate the security implications of a new access request beforehand, improving their ability to react proactively to emerging risky access patterns and better safeguard their environment against undesired lateral movement.

 

4. CSV output sanitization

UKM administrators can set the level of sanitization of CSV exports requested from the GUI. This setting prevents anything executable from being included in the CSV files in a format where it could interact with the operating system via Microsoft Excel or a similar spreadsheet program.
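As an added illustration of the kind of sanitization described above (this is not UKM's code, and the `level` values "off" and "strict" are hypothetical names), the sketch below neutralizes cells that a spreadsheet would evaluate as formulas by prefixing them with a single quote and quoting every field on export. The sample rows are constructed.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def sanitize_cell(value, level="strict"):
    """Return the cell as text a spreadsheet will display, not evaluate.

    `level` is a hypothetical setting: "off" passes data through,
    "strict" prefixes risky cells with a single quote.
    """
    text = "" if value is None else str(value)
    if level == "off":
        return text
    try:
        float(text)          # plain numbers such as -5 or +3.2 are harmless
        return text
    except ValueError:
        pass
    # Leading whitespace (including tab/CR) can be skipped by importers,
    # so test the first visible character.
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, level="strict"):
    """Write rows with every field quoted and every cell sanitized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell, level) for cell in row])
    return buf.getvalue()


# Constructed sample export: a key comment field carrying formula-like text.
SAMPLE_ROWS = [
    ["host", "account", "key_comment", "key_age_days"],
    ["web1", "app", "=2+5", "-5"],
    ["db1", "root", "  @SUM(A1:A2)", "3650"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```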

 

5.   Other updates

This release also includes the following improvements and bug fixes:

  • RHEL 9 is now supported as an installation OS for UKM and UP

  • APIv3 endpoints for creating, editing, and setting delegations for applications

  • Xz compression algorithm support for Key Activity scans

  • UKM Internal OpenSSH upgraded and patched against Terrapin vulnerability


 

6.   Deprecations

The Django 4.2.x upgrade in UKM 5.1.0 drops support for older database versions. Oracle < 19 and PostgreSQL < 12 are no longer supported.

UKM 5.1.0 marks the end of support for Perl in script-based scans. If you have any older, script-based scanned UNIX servers that only support Perl, you should install Python 1.5+ on the target hosts or change those to use UKM's shell-based scan mode. 

 

1. About this release

Universal SSH Key Manager 5.0.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces capabilities including custom metrics tracking, transitive trust analysis, and agentless scanning of Windows hosts.


2. Custom metrics tracking

UKM admins can now track custom metrics to assess the progress of their most important data points. Daily usage of SSH keys to access privileged accounts, password ages violating set policies, or reporting on 10-year-old SSH keys in active use are just a few examples of the fully customizable metrics that admins can track. Tracked parameters can be included in the home page dashboard or within PDF reports to be distributed to relevant parties.

 

3. Reporting on transitive trusts

UKM now has the ability to display transitive trusts between user accounts. These trust relationships enable users to traverse the environment in sometimes unintended paths. This newly gained visibility into the matter enables UKM admins to address unwanted and excessive access they may find in their environment.
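The transitive trusts reported here, and the pre-approval analysis described for 5.1.0 above, both come down to reachability over a graph of key-based trust. The following added example (not UKM's implementation; account names and trust edges are constructed) computes which source-to-target accesses would newly exist if one proposed authorization were approved.

```python
from collections import defaultdict, deque


def build_graph(trusts):
    """trusts: iterable of (source_account, target_account) key authorizations."""
    graph = defaultdict(set)
    for src, dst in trusts:
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """All accounts reachable from `start` by chaining key-based logins."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt != start:   # tolerate cycles
                seen.add(nxt)
                queue.append(nxt)
    return seen


def closure(trusts):
    """Every (source, target) pair connected directly or transitively."""
    graph = build_graph(trusts)
    nodes = set(graph) | {d for targets in graph.values() for d in targets}
    return {(s, d) for s in nodes for d in reachable(graph, s)}


def access_delta(trusts, proposed):
    """Pairs that become reachable only if `proposed` is approved."""
    return closure(list(trusts) + [proposed]) - closure(trusts)


# Constructed sample: existing authorizations and one pending request.
TRUSTS = [
    ("alice@ws1", "deploy@build1"),
    ("deploy@build1", "app@web1"),
    ("backup@bk1", "root@db1"),
]
PROPOSED = ("app@web1", "backup@bk1")

if __name__ == "__main__":
    for src, dst in sorted(access_delta(TRUSTS, PROPOSED)):
        kind = "direct" if (src, dst) == PROPOSED else "transitive"
        print(f"{src} -> {dst} ({kind})")
```

In this sample the single requested edge yields six new access paths, including `alice@ws1` to `root@db1`, which is the kind of indirect result a reviewer would want to see before approving.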

 

4. Agentless scanning on Windows

UKM expands its current capabilities to allow the discovery of local and domain user accounts and their keys on Windows using agentless connections via WinRM. In addition, UKM expands the reporting capabilities including reporting on enabled/disabled accounts, last login, password age, and password expiration dates. This increases the visibility into potential risks and policy violations.


5.   Other updates

This release also includes the following improvements and bug fixes:

  • The user portal now provides a warning for application owners of potentially stale data when viewing SSH key details depending on how recently those keys have been scanned or when gaps in key usage audit logs have been identified.

  • Introduced an HTTP-only cookie in addition to the JWT token for increased protection of the Web GUI [UKM-2881]

  • Introduced support for agents on AIX 7.3 [UKM-2850]

  • Introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. To enable the policy when upgrading UKM from earlier versions, follow the instructions outlined in chapter 8.2.4 of the installation manual [UKM-2358]

  • Corrected an issue which prevented setting Never/no date value for date filters. [UKM-2903]

  • Corrected an issue which in some cases caused users to be redirected back to the login page even after successful login. [UKM-2893]


6.   Deprecation Warnings

Due to third-party component requirements, the upcoming release UKM 5.1.0 supports Oracle Databases version 19+ and PostgreSQL 12+. Earlier database versions will not be supported. 

1. About this release

Universal SSH Key Manager 4.3.0 includes new capabilities, improvements, and bug fixes. Most notably, this release introduces Quantum-Safe Key Exchange (KEX) algorithms for management connections, evaluation and reporting of risks associated with user passwords, and bulk submission of access requests by end users.

2. Submitting bulk access requests by end users using CSV input

The User Portal extends its current capabilities, which help application owners manage their SSH keys, to power users who are responsible for tens of thousands of keys.

Power users can now submit access requests in bulk directly in the graphical user interface. No need for scripting, using API calls, or engaging admin users.

3. Report on violations of password security policies

UKM expands its policy capabilities into analysis and reporting on user account passwords. UKM brings to light violations of best practices associated with an increased security risk.

In this release, the capabilities include the collection and reporting of password parameters such as password changes and validity, in addition to providing policies identifying potential risk vectors on Linux operating systems. Future releases will expand the OS coverage as well as the data analysis and reporting.

4. Quantum-safe management communications 

UKM now fully supports available Quantum-Safe KEX algorithms for both agentless and agent-based management connections to managed hosts.

5. Other updates 

This release also includes the following improvements and bug fixes:

  * Validation rules for eligibility to migrate SSH access from existing SSH keys to ephemeral certificates are relaxed. UKM admins can now proceed with the migration process even if not all targets can be transitioned to access using ephemeral certificates. Ineligible targets are clearly identified and an explicit approval step is required. [UKM-2736]

  * UKM can now recognize and report the use of OpenSSH keys for accessing Windows hosts where OpenSSH Server is enabled. [UKM-2649]
  * This version introduces improved protection against content-injection attacks by implementing a stronger Content Security Policy (CSP). The policy is enabled by default for new installations of UKM. [UKM-2358]
  * Added persistency for the timeout setting applied to script-based scan jobs. The value is no longer reset to default after upgrade. [UKM-2591]
  * This version expands support for agents to RedHat 9. [UKM-2443]
  * Corrected a regression affecting UKM version 4.2. where executing an "Export Public Key" action via the GUI only listed the key data portion of the key, excluding known SSH key options (such as from stanza, commands, etc). [UKM-2709]
  * Addressed an issue where editing the value of custom fields for multiple objects (hosts, users or keys) was applied only to the first object instead of to all intended ones. [UKM-2682]

 

1. Migrate all user keys to Zero Trust SSH access using ephemeral certificates

This release removes the prior restriction which required that users have only one private key in order to proceed with migrating to ephemeral certificates.

This change eliminates restrictions and in effect allows any account to be migrated without jeopardizing the continuity of operation for existing automation workflows and integrations.

2. Support for OpenSSH client/server on Windows

This release introduces support for the native OpenSSH client/server software on Windows including account listing and key discovery, key provisioning, as well as remediation actions such as removal, restoring, and setting options.

This feature improves the trust relationship dataset for more complete visibility into key sprawl and extends the reach of management capabilities across the key estate.

For more details consult the Product Description document.

3. Automatic management of audit events

This functionality adds automatic data management for audit events generated by UKM, in order to reduce the risk of running out of disk on the database server.

Its aim is to prevent outages and the need for maintenance work due to the accumulation of audit events in the database.

A new setting introduces automatic purging capabilities for audit events with a configurable retention period.

  • By default, audit events are retained indefinitely.

  • Similar to other purging tasks, deleted audits are not archived.

  • The previous capability to archive audit events to external storage is unaffected.

4. Introducing an improved graphical user interface 

The newly released UKM admin GUI supports a modern frontend framework that allows faster implementation cycles for new feature development and, at the same time, eliminates dependencies on outdated technologies which are no longer supported. 

The core functionality is now enhanced by introducing: 

  • A redesigned home page offering widget selection for configurable dashboards

  • A global quick search on the home page

  • A Settings page search to quickly find any setting based on a key word

5. Other updates 

This release also includes the following updates:

  • PostgreSQL 14 is supported as a Database for UKM and User Portal
  • Tectia server included with UKM is now updated to PQC version 6.6.1 in preparation for providing Quantum-Safe connections during management tasks when using agents.

 

 

Previous product release notes

UKM 4.1.0 release notes

UKM 4.0.0 release notes