Version 2.9.0 introduces the world to Keeper Connection Manager.

Also, we are proud to announce support for MySQL connections. Easily add database connections to the Keeper Connection Manager platform to secure and protect MySQL databases. Session recording, privileged access management and secrets management capabilities apply to the MySQL connection type.

Features & Improvements

• PRIV-80: Remove file upload limit from SSL termination image

• PRIV-72: Allow installer to be run as an https stream

• PRIV-79: Rebranding of Glyptodon installer to KCM

• PRIV-67: Rebranding of Glyptodon UI to KCM

• PRIV-81: Auto-generate secure credentials for "guacadmin" user

• PRIV-63: Add support for MySQL connection types

• PRIV-55: Disable legacy TLS protocols/ciphers by default

• PRIV-56: Allow custom CSP and HSTS headers to be configured

Features and Improvements

• PAM-16, PAM-5, PAM-18: New user interface with Keeper branding

• PAM-15: Automatically trim trailing whitespace from guacamole.properties

• PAM-6: Add SSH support for ECDSA and ED25519 keys

• PAM-4: Add encrypted vault storage plugin for Keeper Secrets Manager

• PAM-20: Migrate to Gitbook for documentation

Features

• PRIV-149: Support for Domain parameter in Vault integration for Windows logins See: https://docs.keeper.io/keeper-connection-manager/vault-integration/dynamic-tokens#windows-username-domain-parsing

• PRIV-74: Added small margin to SSH connection windows

• PRIV-165: Accept a one-time token for UI-based KSM configuration

• PRIV-108: Added support for multiple KSM applications (at the Connection Group Level)

• PRIV-157: Added support for custom LDAP Root Certificate

• PRIV-160: Added support for signed SAML requests

Bug Fixes

• PRIV-161: Kubernetes support missing from guacd Docker image

• PRIV-168: Add "X-Content-Type-Options" header to SSL termination Docker image

• PRIV-173: Update kcm-setup.run to support Amazon Linux 2

• PRIV-174: Private key authentication fails for VNC with SFTP file transfer option

• PRIV-175: Default CSP ruleset for NGINX image is broken on Safari browsers

Features

• PRIV-184: Updated login screen to say "username" instead of "Email"

• PRIV-40: Added brute-force login protection when multiple incorrect login attempts are attempted based on IP address. See: https://docs.keeper.io/keeper-connection-manager/using-keeper-connection-manager/login-screen#login-attempt-limits

• PRIV-172: Improved FIPS mode support. see https://docs.keeper.io/keeper-connection-manager/security#fips-140-2-validated

• PRIV-109: Added support for Active Directory domain with KSM records that control RDP connections

Features

• Support for Running KCM on ARM

• Per-user KSM Vaults

• KSM Support for Cloud Connector (EC2)

Support for Running KCM on ARM

PRIV-130: The RPMs and Docker images (including kcm-setup.run) now support ARM in addition to x86_64. This doesn't change how anything behaves except that we now support installation on ARM.

Per-user KSM Vaults

PRIV-170: If enabled, users are able to register their own KSM vault within KCM using the “Preferences” tab in the “Settings” screen. That vault will then be used for any connections that the administrator configures to accept user-provided secrets.

This capability is disabled by default. Enabling this capability requires both of the following:

• Setting the ksm-allow-user-config property in guacamole.properties (or the KSM_ALLOW_USER_CONFIG environment variable for the keeper/guacamole Docker image).

• Enabling use of user vaults on any connections that shouldn’t use only the administrator-configured vaults (check the “Allow user-provided KSM configuration“ box for the connections in question).

NOTE: By “administrator-configured vaults”, we mean only those vaults that are purely controlled by administrators: the system-wide vault configured in guacamole.properties and any vaults configured via connection groups.

This was implemented this way because doing otherwise would have security implications. Unless the administrator can also dictate which exact connections should receive credentials from user vaults, allowing users to provide their own vaults would allow those same users to control any connection parameters that use values from KSM. Depending on which connection parameters use KSM tokens, inadvertently allowing a user to control the values of parameters could have profound security implications. For example:

• If the user can control part of the path used for the RDP drive, they will be able to read arbitrary files on the server.

• If the user can control authentication parameters, they can control which credentials are used to connect, perhaps bypassing the intent of the admin.

• If the user can control the hostname or port, they can connect wherever they like with the credentials associated with the connection, again bypassing the intent of the admin.

KSM Support for Cloud Connector (EC2)

PRIV-163: SSH keys and Windows passwords from KSM for machines can now be retrieved for AWS EC2 by the KCM Cloud Connector. This is in addition to the existing support for retrieving SSH keys from the filesystem (beneath /etc/guacamole/cloud-connector-secrets).

Similar to the overall KSM integration, the KSM configuration relevant to AWS must be configured with the aws-discovery-ksm-config property (or the AWS_DISCOVERY_KSM_CONFIG environment variable for Docker).

Relevant records are identified by:

• An "Instance" field that exactly matches the instance ID (if there is only one such record).

  • Some variation in the field naming is tolerated: the field may optionally start with “AWS”, “EC2”, or “Amazon”, may optionally end with “ID”, and is case-insensitive.

• An attachment that exactly matches the key name of the instance plus ".pem" (if there is only one such record).

• A hostname/address field (such as that provided by the “SSH Key” record type) that exactly matches the private IP address of the EC2 instance.

If the SSH key exists on the filesystem, it will always be used in favor of querying KSM.

All Glyptodon Enterprise 2.x releases are API-compatible with Apache Guacamole 1.1.0. Newer releases of Glyptodon Enterprise 2.x may gain compatibility with additional upstream releases of Apache Guacamole beyond 1.1.0 so long as doing so does not break existing compatibility. The most recent release of Glyptodon Enterprise 2.x is compatible with Apache Guacamole 1.3.0 and incorporates a number of improvements from the Apache Guacamole 1.4.0 release. The log entries here describe which changes have been made from the relevant upstream baseline, as well as any changes to the Glyptodon Enterprise repositories and packages.

Release Schedule / History

Version 2.7

• Allow login with standard username/password when SSO is enabled (GLEN-328, GUACAMOLE-1364).

• Automatically clear URL state upon clicking "Re-login" (GLEN-320, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-329, GUACAMOLE-773).

• Update to latest release (9.0.56) of Apache Tomcat (GLEN-329).

• Update to latest release (9.4.1) of SQL Server JDBC driver (GLEN-329).

Version 2.6

• Migrate to header-based transmission of REST API authentication token (GLEN-324, GUACAMOLE-956).

• Add support for authenticating against multiple LDAP servers (GLEN-323, GUACAMOLE-944, GUACAMOLE-957, GUACAMOLE-1130).

• Update to latest release (9.0.55) of Apache Tomcat (GLEN-327).

• Update to latest release (2.4.1) of FreeRDP (GLEN-327).

• Update to latest release (1.10.0) of libssh2 (GLEN-327).

• Update to latest release (4.3.0) of libwebsockets (GLEN-327).

• Update to latest release (9.4.0) of SQL Server JDBC driver (GLEN-327).

Version 2.5

• Add support for broadcasting input events across multiple tiled connections (GLEN-171, GUACAMOLE-724, GUACAMOLE-1204, GUACAMOLE-1381, GUACAMOLE-1383, GUACAMOLE-1398).

• Add support for single sign-on using OpenID Connect (GLEN-133, GUACAMOLE-210, GUACAMOLE-680, GUACAMOLE-805).

• Add support for single sign-on using SAML (GLEN-257, GUACAMOLE-103, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-301, GUACAMOLE-773, GUACAMOLE-1298, GUACAMOLE-1317).

• Update to latest release (2.3.2) of FreeRDP (GLEN-301).

• Update to latest release (4.2.1) of libwebsockets (GLEN-301).

• Update to latest release (9.2.1) of SQL Server JDBC driver (GLEN-301).

• Correct filtering of disconnected/failed connections displayed within the same view (GLEN-171, GUACAMOLE-1387).

• Correct handling of RDP "AUDIO_INPUT" channel (GLEN-242, GUACAMOLE-1201, GUACAMOLE-1283).

• Correct handling of RDP-specific resources when reconnecting to update display size (GLEN-171, GUACAMOLE-1388).

• Correct sort order of connection history within connection edit screen (GLEN-304, GUACAMOLE-1366).

• Create package for standalone Apache Guacamole deployment (GLEN-280).

• Use MariaDB Connector/J driver where MySQL Connector/J is unavailable (GLEN-317, GUACAMOLE-1407).

• Automatically enforce HTTP request size limits (GLEN-301, GUACAMOLE-1298).

• Defer handling of "Meta" key until its identity is confirmed by the browser in context of the current set of pressed keys (GLEN-306, GUACAMOLE-1386).

• Do not automatically reattempt authentication after logging out (GLEN-133, GLEN-257, GUACAMOLE-680).

• Backport latest updates and improvements to translations (GLEN-303, GUACAMOLE-1160, GUACAMOLE-1207, GUACAMOLE-1265, GUACAMOLE-1291, GUACAMOLE-1337, GUACAMOLE-1339, GUACAMOLE-1355).

• Migrate to now-upstreamed version of guacamole-auth-json (GLEN-301, GUACAMOLE-1218).

Version 2.4

• Ensure unexpected failures during session expiration do not prevent other sessions from expiring (GLEN-278, GUACAMOLE-1299).

• Add support for forcing use of lossless compression (GLEN-277, GUACAMOLE-1302).

• Add support for pass-through of multi-touch events (GLEN-276, GUACAMOLE-1204).

• Add package build for CentOS / RHEL 8 (GLEN-182).

• Package support for integrating UDS Enterprise / OpenUDS (GLEN-279).

Version 2.3

This release of Glyptodon Enterprise is a hotfix for an incorrect build of the glyptodon-guacamole-auth-jdbc-sqlserver package which resulted in the SQL Server JDBC driver not loading during web application startup (see GLEN-275). Users of Glyptodon Enterprise that leverage SQL Server for their database should upgrade if they are having trouble as of the 2.2 release. Users that are not leveraging SQL Server will see no difference between 2.3 and 2.2.

• Correct SQL Server driver symbolic link (GLEN-275).

Version 2.2

• Update to upstream 1.3.0 release (GLEN-259)

• Migrate to "/opt/glyptodon" base for installation (GLEN-261)

• Adopt and rebuild against Glyptodon builds of core protocol support libraries (GLEN-261)

• Update build to leverage libuuid instead of OSSP UUID (GLEN-261, GUACAMOLE-1254)

• Correct memory errors related to FreeRDP upgrade (GLEN-261, GUACAMOLE-1191, GUACAMOLE-1259)

Version 2.1

• Correct regressions due to FreeRDP 2.0.0 migration (GLEN-251, GUACAMOLE-1053, GUACAMOLE-1059, GUACAMOLE-1076)

• Backport improved RDP keymap support (GLEN-252, GUACAMOLE-518, GUACAMOLE-859)

Version 2.0

• Update core packaging to use 1.1.0 base version (GLEN-131)

• Package support for TOTP authentication factor (GLEN-134, GUACAMOLE-96)

• Package support for SQL Server authentication and required JDBC driver (GLEN-132, GUACAMOLE-363, GUACAMOLE-525)

• Package support for attaching to Kubernetes pods (GLEN-181, GUACAMOLE-623)

• Update documentation within guacamole.properties to reflect support for user groups (GLEN-184, GUACAMOLE-220)

• Add interface for monitoring and switching between multiple simultaneous connections within the same tab (GLEN-169, GUACAMOLE-723, GUACAMOLE-822)

• Add support for disabling clipboard copy/paste (GLEN-158, GUACAMOLE-381)

• Correct handling of audio input under Chrome (GLEN-223, GUACAMOLE-732, GUACAMOLE-905)

• Correct RDP support regressions due to migration to FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952, GUACAMOLE-962, GUACAMOLE-978, GUACAMOLE-979)

• Add "Hyper-V / VMConnect" security mode option, allowing connections to Hyper-V to continue to work with FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952)

• Ensure guacd has a writable home directory for the sake of FreeRDP, which requires a writable home directory as of 2.0.0 (GLEN-215)

• Correct syntax of SQL Server history queries (GLEN-206, GUACAMOLE-870)

• Provide feedback while user logins are in progress (GLEN-168, GUACAMOLE-742)

• Automatically re-focus relevant fields after login failure (GLEN-220, GUACAMOLE-302)

• Release pressed keys after login succeeds (GLEN-185, GUACAMOLE-817)

• Add RDP keyboard mapping for German non-dead tilde key (GLEN-226, GUACAMOLE-917)

• Add Belgian French keymap for RDP (GLEN-218, GUACAMOLE-901)

• Add Czech translation (GLEN-222, GLEN-237, GUACAMOLE-781)

• Add Hungarian keymap for RDP (GLEN-218, GUACAMOLE-837)

• Add Japanese translation (GLEN-222, GUACAMOLE-821)

• Add Latin American keymap for RDP (GLEN-218, GUACAMOLE-625)

• Ensure SFTP directory listings cannot omit files (GLEN-230, GUACAMOLE-818)

• Explicitly require Java 8, as Java 7 and older are no longer supported by Apache Guacamole since 1.0.0 (GLEN-131, GUACAMOLE-635)

• Tolerate presence of port number within "X-Forwarded-For" headers (GLEN-231, GUACAMOLE-784)

• Do not allow error strings to contain HTML (GLEN-229, GUACAMOLE-955)

• Use correct interface for translatable errors from extensions (GLEN-241, GUACAMOLE-1007)

• Correct REST API caching behavior for IE 11 (GLEN-167, GUACAMOLE-783)

• Remove hard-coded application name and version from Spanish translation (GLEN-221, GUACAMOLE-740, GUACAMOLE-741)

• Correct potential race condition in connection cleanup (GLEN-228, GUACAMOLE-958)

• Correct attribute names declared within guacConfigGroup.schema (GLEN-232, GUACAMOLE-889)

Features and Improvements

• PRIV-59 Session recording playback in the UI

• PRIV-60 Allow admins to reset users' TOTP state

• PRIV-73 Updated FreeRDP packages to the latest release (2.6.1)

• PRIV-50, PRIV-51 Hide dependencies version numbers shown in error messages

Highlight: In-Browser Session Playback

It is now possible to view graphic session recording right in the browser. Once a connection is setup for in-browser recording playback, past sessions can be replayed from the History tab.

• Find more information and setup instructions in the docs: https://docs.keeper.io/glyptodon/using-glyptodon/session-recording#in-browser-session-recording-and-playback

New Features

• KSM now supports CAC/PIV authentication

  • For more information, visit:

• KSM now enables administrators to approve/deny user's ability to authenticate with KSM using SSO

  • For more information, visit:

Improvements

• SAML can now be configured automatically with kcm-setup.run

  • Rather than manually editing the docker-compose.yml file post installation, administrators can now directly configure their deployment to use SAML for SSO with the kcm-setup.run script

• The extension-priority property may now be configured with the EXTENSION_PRIORITY environment variable.

  • Users no longer need use the catch-all ADDITIONAL_GUACAMOLE_PROPERTIES environment variable to set this.

Features

• KCM-155: Add support for interacting directly with SQL Server databases [Details]

• KCM-152: Add support for interacting directly with PostgresSQL databases [Details]

Improvements

• KCM-201: Optimizations to access time limits on active windows sessions

• KCM-198: Added "version" command to verify currently installed versions of KCM

• KCM-195: Optimized the frequency of KSM API calls used when integrated with KCM

• KCM-205: Increased security of locally cached auth token

Bug Fixes

• Various minor bug fixes

Features

• PRIV-121: Amazon AWS EC2 discovery and auto-connect [Documentation]

• PRIV-69: Support for Wayland server

• PRIV-128: Support for ED25519 SSH Keys in Docker Version

• PRIV-82: Ability to reconfigure the installation (for example MySQL to PostgreSQL) using the kcm-setup.run script.

• PRIV-129: Enforce the parameter GUACAMOLE_ADMIN_PASSWORD to prevent "Default" password.

Bug Fixes

• PRIV-137: Sharing Profiles not visible in the Admin UI

Features & Improvements

KCM-83: The kcm-setup.run script now allows administrators to directly configure their deployment to use KSM for retrieval of secrets, rather than requiring manual editing of docker-compose.yml after installation. Additional prompts are presented that allow the administrator to provide a KSM one-time token or a base64-encoded KSM configuration during setup.

KCM-226: The keeper/guacamole-ssl-nginx image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE environment variable. A user will only be able to connect to NGINX using their browser if their browser has access to a private key that is signed by this certificate.

This variable is similar to the CERTIFICATE_FILE environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.

Additional environment variables are also available to tweak SSL/TLS auth behavior further:

KCM-227: Multiple Hostnames/Configurations for SSL Termination

The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:

ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            SSL_HOSTNAME: "example.net"

As KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).

The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
               - SSL_HOSTNAME: "*.example.net"

The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.

A more complex example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
                 LETSENCRYPT_ACCEPT_TOS: "Y"
                 LETSENCRYPT_EMAIL=your.email@example.net

               - SSL_HOSTNAME: "*.example.net"
                 SELF_SIGNED: "Y"

The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.

Bug Fixes

• KCM-223: When joining a shared connection, the joining client appears to hang (does not receive a copy of the current display) until something changes graphically within the session.

• KCM-213: When changing the User Time Zone setting to a specific time zone and then going back to clear that time zone, it doesn’t clear the time zone but instead changes it back to the time zone that was set previously.