Upgrading from 2.20.0

From the Linux command line, update to the latest installer script using the curl command.

curl -O https://keepersecurity.com/kcm/kcm-setup.run

To update all of the underlying software and Docker containers when using the Docker Automated Install method, run the below commands:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

Select "Y" when prompted.

Upgrading from 2.19.3 or Older

If you are migrating from a KCM version 2.19.3 or older, there is a breaking change with Remote Browser Isolation (RBI) documented below.

Required Action: Download the latest version of the kcm-setup.run script:

curl -O https://keepersecurity.com/kcm/kcm-setup.run

Option 1: Add the AppArmor profile automatically using kcm-setup.run

If you have not modified your own docker-compose.yml since installing KCM, you can apply these changes automatically by:

1. Downloading the latest copy of kcm-setup.run from Keeper Security.

2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

3. Running sudo ./kcm-setup.run reconfigure to regenerate docker-compose.yml.

Option 2: Adding the AppArmor profile to a modified docker-compose.yml

If you have modified your own docker-compose.yml, these changes require some manual editing of docker-compose.yml to point the “guacd” container at the new profile:

1. Downloading the latest copy of kcm-setup.run from Keeper Security.

2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

3. Editing /etc/kcm-setup/docker-compose.yml, adding an additional "apparmor:..." option to the security_opt section of the “guacd” container such that the section now matches the following:

security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"

1. Running sudo ./kcm-setup.run apply to apply these latest changes from docker-compose.yml.

Manually extracting the AppArmor profile

Only if necessary, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile

The profile should then be copied beneath /etc/apparmor.d so that it is automatically loaded on boot:

sudo cp guacd-apparmor-profile /etc/apparmor.d/

The new profile can then be loaded either by rebooting or by manually running apparmor_parser:

sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile

Do not use the docker.io package provided by Ubuntu. Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: https://docs.docker.com/engine/install/ubuntu/

As long as Docker isn’t already installed, kcm-setup.run will install the official Docker packages automatically. This can be an easy method to both install KCM and the proper version of Docker.

Bug Fixes

• Resolved regression issues in release 2.18.0

  • KCM-295: Keeper Favicon Display causing improper rendering causing white dots to be viewable

  • KCM-298: SSH connections were interrupted when changing font in the menu

  • KCM-316: Eliminated a race condition when configuring RDP with SFTP that cause the connection to fail

  • KCM-294: Incorrectly set Connection user concurrency limit to 1 by default

Improvements

• KCM-408: Added EL9 build for KCM

  • KCM has historically support EL7 and EL8 versions of Red Hat and derivatives, with EL7 support having been dropped in our previous release. KCM 2.20.1 introduces package builds and support for EL9.

• KCM-429: Added SBOMs to KCM packages and Docker images

  • Each RPM package produced as part of KCM now includes at least one SBOM describing its contents, and the Docker images that contain KCM packages also contain these SBOM files.

    The files can be found beneath /opt/keeper/share for each relevant component of each KCM package installed.

See Upgrading page for instructions.

New Features

• A visual notification now appears in the upper-right corner of the UI to indicate when a user has joined a shared connection. This notification will remain visible to the original user for as long as there are other users on the connection. Hovering a cursor over the indicator, will reveal a tooltip showing the usernames of all other users and how many concurrent connections they have to the current shared connection.

Bug Fixes

• Various minor bug fixes

Below is a summary of all user-facing and administrator-facing changes in the KCM 2.22.0 release.

• License expiration reminder/warning notification

• Support for VT100-style function key / keypad console codes

• Open new RBI tabs/windows within main frame

• Miscellaneous fixes/improvements

License expiration reminder/warning notification

KCM-462: Add grace period on license expiration

KCM now includes an automatic notification that advises users when the overall KCM license is nearing its expiration date:

By default, this notification will appear when the license is expiring within the next week. Administrators can lengthen/shorten this period by setting the healthcheck-license-grace-period property (if using the RPMs) or the HEALTHCHECK_LICENSE_GRACE_PERIOD environment variable (if using kcm-setup.run or the Docker images).

Support for VT100-style function key / keypad console codes

KCM-460: Support controlling console codes sent for function keys

Different CLI applications expect different console codes sequences to be sent for function keys (F1, F2, F3, etc.) and numeric keypad keys, but KCM has historically only supported the console code format used by the Linux console. The format used by VT100+ terminals is now supported and may be selected by the administrator when configuring the connection.

Open new RBI tabs/windows within main frame

KCM-475: Implement workaround for lack of tab/window support

RBI does not currently support opening multiple tabs or windows within the same connection. Until this support is added, RBI will now redirect any attempt top open a new tab or window to the main frame, allowing the user to interact. Tab support is coming in 2.23.0.

Miscellaneous fixes/improvements

KCM-466: RBI autofill using dynamic tokens is not working on an EL9 2.20.1 docker installation

KCM-476: Autofill against Google no longer successfully authenticates (HTTP 400)

KCM-477: Defunct RBI processes accumulate after termination

KCM-479: Healthcheck API causes memory leak

KCM-480: RBI autofill fails after certain type of Angular page redirects

KCM-485: Add support for accept-language HTTP header

KCM-487: Logins to X fail via RBI

KCM-507: Established kcm-setup.run is no longer compatible with the latest release of Docker Engine

KCM-508: Update RBI to latest Chromium (CVE-2025-13223 and CVE-2025-13224)

Support for EL9

KCM-408: Add EL9 build for Keeper Connection Manager

KCM has historically support EL7 and EL8 versions of Red Hat and derivatives, with EL7 support having been dropped in our previous release. This release introduces package builds and support for EL9.

Production of SBOMs as part of KCM build

KCM-429: Produce SBOM for all packages included with Keeper Connection Manager

Each RPM package produced as part of KCM now includes at least one SBOM describing its contents, and the Docker images that contain KCM packages also contain these SBOM files.

The files can be found beneath /opt/keeper/share for each relevant component of each KCM package installed.

New Features

• KSM now supports CAC/PIV authentication

  • For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/piv-cac

• KSM now enables administrators to approve/deny user's ability to authenticate with KSM using SSO

  • For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/account-approve-deny-workflow

Improvements

• SAML can now be configured automatically with kcm-setup.run

  • Rather than manually editing the docker-compose.yml file post installation, administrators can now directly configure their deployment to use SAML for SSO with the kcm-setup.run script

• The extension-priority property may now be configured with the EXTENSION_PRIORITY environment variable.

  • Users no longer need use the catch-all ADDITIONAL_GUACAMOLE_PROPERTIES environment variable to set this.

Bug Fixes

• KCM-328: Eliminated an issue present in release 2.18.0 and 2.18.1 that placed an artificial limit on large-scale, repeated connection creation necessitating guacd service restart

Bug Fixes

• Resolved an issue where a regression in KCM 2.16.0 caused the MySQL database connection to enforce SSL verifications that cannot succeed when using the Docker images.

New Features

• KCM now enables administrators to batch import connections via API or by uploading a CSV, JSON, or YAML file

  • Visit this doc for more info

This latest release updates to Keeper's latest GPG signing key (relevant only to RPM-based installs), updates to the latest compatible versions of all dependencies, and addresses the following issues.

Bug Fixes

• KCM-332: Incorrect timeout behavior while RDP connections are waiting for the user to enter their credentials.

• KCM-309: Confusing prompt wording in kcm-setup.run regarding the customer's KCM server's domain, which is not necessarily a public-facing FQDN under all circumstances.

• KCM-339: Incorrect handling of the (attribute) suffix when importing connections from CSV.

• KCM-341: An "Unable to create injector" error that prevents the "Encrypted JSON Authentication" extension from loading, regardless of how it has been configured.

Features

• Support for Running KCM on ARM

• Per-user KSM Vaults

• KSM Support for Cloud Connector (EC2)

Support for Running KCM on ARM

PRIV-130: The RPMs and Docker images (including kcm-setup.run) now support ARM in addition to x86_64. This doesn't change how anything behaves except that we now support installation on ARM.

Per-user KSM Vaults

PRIV-170: If enabled, users are able to register their own KSM vault within KCM using the “Preferences” tab in the “Settings” screen. That vault will then be used for any connections that the administrator configures to accept user-provided secrets.

This capability is disabled by default. Enabling this capability requires both of the following:

• Setting the ksm-allow-user-config property in guacamole.properties (or the KSM_ALLOW_USER_CONFIG environment variable for the keeper/guacamole Docker image).

• Enabling use of user vaults on any connections that shouldn’t use only the administrator-configured vaults (check the “Allow user-provided KSM configuration“ box for the connections in question).

NOTE: By “administrator-configured vaults”, we mean only those vaults that are purely controlled by administrators: the system-wide vault configured in guacamole.properties and any vaults configured via connection groups.

This was implemented this way because doing otherwise would have security implications. Unless the administrator can also dictate which exact connections should receive credentials from user vaults, allowing users to provide their own vaults would allow those same users to control any connection parameters that use values from KSM. Depending on which connection parameters use KSM tokens, inadvertently allowing a user to control the values of parameters could have profound security implications. For example:

• If the user can control part of the path used for the RDP drive, they will be able to read arbitrary files on the server.

• If the user can control authentication parameters, they can control which credentials are used to connect, perhaps bypassing the intent of the admin.

• If the user can control the hostname or port, they can connect wherever they like with the credentials associated with the connection, again bypassing the intent of the admin.

KSM Support for Cloud Connector (EC2)

PRIV-163: SSH keys and Windows passwords from KSM for machines can now be retrieved for AWS EC2 by the KCM Cloud Connector. This is in addition to the existing support for retrieving SSH keys from the filesystem (beneath /etc/guacamole/cloud-connector-secrets).

Similar to the overall KSM integration, the KSM configuration relevant to AWS must be configured with the aws-discovery-ksm-config property (or the AWS_DISCOVERY_KSM_CONFIG environment variable for Docker).

Relevant records are identified by:

• An "Instance" field that exactly matches the instance ID (if there is only one such record).

  • Some variation in the field naming is tolerated: the field may optionally start with “AWS”, “EC2”, or “Amazon”, may optionally end with “ID”, and is case-insensitive.

• An attachment that exactly matches the key name of the instance plus ".pem" (if there is only one such record).

• A hostname/address field (such as that provided by the “SSH Key” record type) that exactly matches the private IP address of the EC2 instance.

If the SSH key exists on the filesystem, it will always be used in favor of querying KSM.

Bug Fixes

• KCM-418: SSH connections to RHEL machines in FIPS mode fail

• KCM-423: Session recording playback throws errors based on specific content

• KCM-420: RBI autofill domain name maching fails for single-word domains (e.g. http://ldapadmin)

• KCM-424: PostgreSQL sessions crash when typing "\c" command

Improvements

• KCM-422: Update to the latest Keeper Secrets Manager SDK for compatibility with new record types.

Features and Improvements

• PAM-16, PAM-5, PAM-18: New user interface with Keeper branding

• PAM-15: Automatically trim trailing whitespace from guacamole.properties

• PAM-6: Add SSH support for ECDSA and ED25519 keys

• PAM-4: Add encrypted vault storage plugin for Keeper Secrets Manager

• PAM-20: Migrate to Gitbook for documentation

New Features

• KCM-164: Remote Browser Isolation Protocol See documentation here

• KCM-345: Enforcement of KCM license keys

Important License Changes

As part of the upgrade to KCM 2.19, customers will now be required to obtain a license key from Keeper in order to continue the use of Keeper Connection Manager (KCM). Without a valid license key, users and admins will be unable to use KCM after the update is applied.

This is a new process and the appropriate steps to maintain access to KCM are outlined below.

To obtain a license key, please contact Keeper Support directly at: https://www.keepersecurity.com/support.html

Upon request, Keeper will generate and send a copy of your license key.

To configure KCM with your license key, follow the steps below:

Features

• PRIV-121: Amazon AWS EC2 discovery and auto-connect []

• PRIV-69: Support for Wayland server

• PRIV-128: Support for ED25519 SSH Keys in Docker Version

• PRIV-82: Ability to reconfigure the installation (for example MySQL to PostgreSQL) using the kcm-setup.run script.

• PRIV-129: Enforce the parameter GUACAMOLE_ADMIN_PASSWORD to prevent "Default" password.

Bug Fixes

• PRIV-137: Sharing Profiles not visible in the Admin UI

Features

• KCM-155: Add support for interacting directly with SQL Server databases []

• KCM-152: Add support for interacting directly with PostgresSQL databases []

Improvements

• KCM-201: Optimizations to access time limits on active windows sessions

• KCM-198: Added "version" command to verify currently installed versions of KCM

• KCM-195: Optimized the frequency of KSM API calls used when integrated with KCM

• KCM-205: Increased security of locally cached auth token

Bug Fixes

• Various minor bug fixes

Security Updates

• Base version of Apache Guacamole updated to 1.5.2 from 1.3.0

  • KCM has been using Apache Guacamole 1.3.0 as its basis for some time now, backporting changes from upstream over time. With the latest upstream release being 1.5.2, we should bring our packages up-to-date with that release and remove any patches that are no longer necessary.

  • The upstream Apache Guacamole 1.5.2 release contains changes that address issues with security implications. The issues in question:

    • CVE-2023-30575: Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths

    • CVE-2023-30576: Apache Guacamole: Use-after-free in handling of RDP audio input buffer

  • With this base version update, there are no implications for compatibility. Extensions that worked with previous versions of KCM should continue to work identically.

• Dependency updates

  • The various C, Java, and JavaScript dependencies used by KCM are brought up-to-date with their latest available and compatible versions.

New Features

• apply command for kcm-setup.run

  • The kcm-setup.run installation script now provides an apply command to more easily allow administrators to apply changes made to docker-compose.yml: ./kcm-setup.run apply

    • Unlike upgrade, the apply command strictly applies changes made externally to docker-compose.yml and does not pull new images.

    • The installation script has also been updated to use depends_on within declared services to ensure that stop need not be run before upgrade or apply are used. Administrators can simply run the command and rely on the script and Docker Compose to automatically stop/start services as needed.

Bug Fixes

• Resolved Issue where Batch import does not support some unicode characters

Features

• PRIV-149: Support for Domain parameter in Vault integration for Windows logins See: https://docs.keeper.io/keeper-connection-manager/vault-integration/dynamic-tokens#windows-username-domain-parsing

• PRIV-74: Added small margin to SSH connection windows

• PRIV-165: Accept a one-time token for UI-based KSM configuration

• PRIV-108: Added support for multiple KSM applications (at the Connection Group Level)

• PRIV-157: Added support for custom LDAP Root Certificate

• PRIV-160: Added support for signed SAML requests

Bug Fixes

• PRIV-161: Kubernetes support missing from guacd Docker image

• PRIV-168: Add "X-Content-Type-Options" header to SSL termination Docker image

• PRIV-173: Update kcm-setup.run to support Amazon Linux 2

• PRIV-174: Private key authentication fails for VNC with SFTP file transfer option

• PRIV-175: Default CSP ruleset for NGINX image is broken on Safari browsers

Version 2.9.0 introduces the world to Keeper Connection Manager.

Also, we are proud to announce support for MySQL connections. Easily add database connections to the Keeper Connection Manager platform to secure and protect MySQL databases. Session recording, privileged access management and secrets management capabilities apply to the MySQL connection type.

Features & Improvements

• PRIV-80: Remove file upload limit from SSL termination image

• PRIV-72: Allow installer to be run as an https stream

• PRIV-79: Rebranding of Glyptodon installer to KCM

• PRIV-67: Rebranding of Glyptodon UI to KCM

• PRIV-81: Auto-generate secure credentials for "guacadmin" user

• PRIV-63: Add support for MySQL connection types

• PRIV-55: Disable legacy TLS protocols/ciphers by default

• PRIV-56: Allow custom CSP and HSTS headers to be configured

Features and Improvements

• PRIV-59 Session recording playback in the UI

• PRIV-60 Allow admins to reset users' TOTP state

• PRIV-73 Updated FreeRDP packages to the latest release (2.6.1)

• PRIV-50, PRIV-51 Hide dependencies version numbers shown in error messages

Highlight: In-Browser Session Playback

It is now possible to view graphic session recording right in the browser. Once a connection is setup for in-browser recording playback, past sessions can be replayed from the History tab.

• Find more information and setup instructions in the docs: https://docs.keeper.io/glyptodon/using-glyptodon/session-recording#in-browser-session-recording-and-playback

Features

• PRIV-184: Updated login screen to say "username" instead of "Email"

• PRIV-40: Added brute-force login protection when multiple incorrect login attempts are attempted based on IP address. See:

• PRIV-172: Improved FIPS mode support. see

• PRIV-109: Added support for Active Directory domain with KSM records that control RDP connections

TOTP autofill support for RBI

In addition to autofill support of usernames and passwords, RBI can now autofill TOTP codes. The field that should receive the TOTP code must be declared in the autofill rules with a totp-code-field property:

For RBI to be able to generate TOTP codes, the TOTP secret must be provided ahead of time, along with any required details like the hash algorithm and the number of digits in each generated code:

Additional ${*_TOTP_SECRET} tokens are provided to allow the TOTP secret to be dynamically retrieved from the Keeper Vault using KSM. For example, to pull the TOTP code for the user account associated with an RBI connection, you would use the ${KEEPER_USER_TOTP_SECRET} parameter token.

The following tokens are technically also defined, but do not currently have any practical use (there is no TOTP code generation needed for RDP):

Migration from Duo v2 to v4

Any customer that has been using v2 and cannot yet change their settings to migrate to v4 will need to continue using KCM 2.19.0 or older until they can migrate.

Duo ceased supporting v2 of their “Web SDK” in favor of v4 (also known as the Duo “Universal Prompt”) some time ago, maintaining availability of v2 only for customers that require and request this. KCM has now been updated to use this new version. Duo’s Web SDK v4 is incompatible with v2 and uses different configuration options:

The duo-application-key, duo-integration-key, and duo-secret-key properties (and the DUO_APPLICATION_KEY, DUO_INTEGRATION_KEY, and DUO_SECRET_KEY variables) are specific to v2 of Duo’s Web SDK and no longer have any effect.

Verbose mode for KCM install script (kcm-setup.run)

This new debug/verbose mode for the KCM install script is mainly of use for obtaining debugging information that the KCM development team can use to troubleshoot customer issues that otherwise have no explanation. It’s unlikely that this variable will be useful to customers outside that context and the sheer verbosity resulting from using it might cause confusion.

The kcm-setup.run script now supports a KCM_SETUP_DEBUG environment variable that causes the script to run in verbose mode, printing out all commands run and all output from those commands. This debug output can be sent directly to the terminal or to a file depending on the value of KCM_SETUP_DEBUG.

export KCM_SETUP_DEBUG=/path/to/file
sudo -E ./kcm-setup.run

Features & Improvements

KCM-83: The kcm-setup.run script now allows administrators to directly configure their deployment to use KSM for retrieval of secrets, rather than requiring manual editing of docker-compose.yml after installation. Additional prompts are presented that allow the administrator to provide a KSM one-time token or a base64-encoded KSM configuration during setup.

KCM-226: The keeper/guacamole-ssl-nginx image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE environment variable. A user will only be able to connect to NGINX using their browser if their browser has access to a private key that is signed by this certificate.

This variable is similar to the CERTIFICATE_FILE environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.

Additional environment variables are also available to tweak SSL/TLS auth behavior further:

KCM-227: Multiple Hostnames/Configurations for SSL Termination

The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:

ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            SSL_HOSTNAME: "example.net"

As KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).

The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
               - SSL_HOSTNAME: "*.example.net"

The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.

A more complex example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
                 LETSENCRYPT_ACCEPT_TOS: "Y"
                 [email protected]

               - SSL_HOSTNAME: "*.example.net"
                 SELF_SIGNED: "Y"

The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.

Bug Fixes

• KCM-223: When joining a shared connection, the joining client appears to hang (does not receive a copy of the current display) until something changes graphically within the session.

• KCM-213: When changing the User Time Zone setting to a specific time zone and then going back to clear that time zone, it doesn’t clear the time zone but instead changes it back to the time zone that was set previously.

New Features

• Key Events in KCM Session Records can now be viewed within KCM’s session recording player

  • More info

• KCM's terminal emulator now supports Mac-style keyboard shortcuts

  • The terminal emulator used by KCM for text-based protocols like SSH has historically used only Ctrl+Shift+V as the shortcut for pasting clipboard contents using the keyboard. The terminal emulator now additionally supports Cmd+V for ease of use on Macs, and will also ignore attempts to copy using Ctrl+Shift+C or Cmd+C (copying within the terminal emulator always happens automatically upon selecting text)

• New Environment Variable:

  • To validate requests received from a SAML IdP, KCM needs to know the user-facing TCP port used to access KCM. If that port differs from the standard HTTPS port, SSL_EXTERNAL_PORT can be specified to inform KCM that the port is different

  • Resolves issue where SAML extension does not work when KCM is configured to use a custom HTTPS port

Improvements & Bug Fixes

• TOTP can now be used with SAML

  • SAML and TOTP historically could not be used together with KCM as both contain anti-replay defenses that would conflict with each other. These conflicts have been resolved such that both can be used at the same time without sacrificing the security provided by those anti-replay defenses.

• KCM's Keeper Secret Manager Integration now supports reading private keys from PAM User Records

  • PAM User Record is a recently introduced PAM Record Type that is used in

Overview

Keeper Connection Manager 2.20.0 includes several important updates. Please read through the full release notes prior to upgrading. The updates include:

1. Mandatory changes to support Remote Browser Isolation (RBI)

2. End of support for EL7

3. Support for ignoring HTTPS certificate errors in RBI

4. Configurable clipboard size limits

5. Certificate authentication support for SSH

6. Bug fixes

Mandatory changes to support Remote Browser Isolation (RBI)

Required Action: Download the latest version of the kcm-setup.run script:

curl -O https://keepersecurity.com/kcm/kcm-setup.run

Option 1: Add the AppArmor profile automatically using kcm-setup.run

If you have not modified your own docker-compose.yml since installing KCM, you can apply these changes automatically by:

1. Downloading the latest copy of kcm-setup.run from Keeper Security.

2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

3. Running sudo ./kcm-setup.run reconfigure to regenerate docker-compose.yml.

Option 2: Adding the AppArmor profile to a modified docker-compose.yml

If you have modified your own docker-compose.yml, these changes require some manual editing of docker-compose.yml to point the “guacd” container at the new profile:

1. Downloading the latest copy of kcm-setup.run from Keeper Security.

2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

3. Editing /etc/kcm-setup/docker-compose.yml, adding an additional "apparmor:..." option to the security_opt section of the “guacd” container such that the section now matches the following:

security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"

1. Running sudo ./kcm-setup.run apply to apply these latest changes from docker-compose.yml.

Manually extracting the AppArmor profile

Only if necessary, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile

The profile should then be copied beneath /etc/apparmor.d so that it is automatically loaded on boot:

sudo cp guacd-apparmor-profile /etc/apparmor.d/

The new profile can then be loaded either by rebooting or by manually running apparmor_parser:

sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile

Do not use the docker.io package provided by Ubuntu. Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: https://docs.docker.com/engine/install/ubuntu/

As long as Docker isn’t already installed, kcm-setup.run will install the official Docker packages automatically. This can be an easy method to both install KCM and the proper version of Docker.

End of support for EL7

With CentOS 7 having reached end-of-life in June 2024, and with RHEL 7 having reached end-of-maintenance at the same time, KCM will no longer provide EL7 builds. This means that the previous release (KCM 2.19.3) will be the last release with an EL7 build and KCM 2.20.0 will be the first release without EL7 support.

Users that are maintaining RPM-based installations of KCM but are still using RHEL 7, CentOS 7, or another EL7-derivative should upgrade to EL8 when possible so that they can upgrade to KCM 2.20.0. Support for EL9 and EL10 will be coming in future releases.

Support for ignoring HTTPS certificate errors in RBI

KCM-404: Add support for ignoring self-signed HTTPS certificates

Remote Browser Isolation (RBI) is strict in its enforcement of SSL/TLS certificate validation. If it is known that the domain of the initial URL of a connection has a self-signed or otherwise invalid certificate, and administrators wish to allow access to that server through RBI despite the invalid certificate, certificate validation can now be bypassed for the initial URL.

NOTE: This validation bypass affects only the domain of the initial URL. This means that bypassing SSL/TLS validation will not have any effect if:

• There is no initial URL (the administrator leaves this connection parameter blank).

• The domain with an invalid certificate does not identically match the domain of the initial URL (as may be the case if redirects are involved).

Configurable clipboard size limits

KCM-405: Allow connection clipboard limits to be configured

The clipboard within KCM has historically been limited to a maximum of 256 KB. If users will possibly need to copy larger amounts of data through a connection, this limit can now be overridden by the administrator on a per-connection basis.

Certificate authentication support for SSH

KCM-433: Support certificate authentication for SSH

For SSH servers that require certificate authentication, KCM now accepts a public key parameter in addition to the private key parameter that would otherwise be sufficient. The public key that was signed by your CA should be provided with this new parameter.

Bug Fixes

RBI

KCM-390: RBI connections may fail when loading YouTube Shorts KCM-396: Allowed URL Patterns list truncated without warning KCM-410: Autofill for KCM fails with a sufficiently large "autofill-rules.yml" KCM-413: RBI freezes when attempting to input Japanese KCM-417: RBI autofill of TOTP may cause memory error KCM-419: RBI autofill cannot be used with Cloudflare login + reCAPTCHA KCM-425: Touch interaction does not work in RBI on iPad KCM-431: RBI autofill interferes with manual interaction KCM-435: RBI cannot be used to log into Google services

Terminal-related Issues

KCM-399: Binary column data may disrupt terminal output of MySQL connection KCM-437: KCM terminal emulator can become garbled when "vim" is used

Miscellaneous bug fixes

KCM-380: KSM integration cannot be used on a RHEL system with FIPS mode enabled KCM-386: guacamole-db-mysql image appears to be broken on aarch64 KCM-392: Guacamole webapp warns "expected language resource does not exist" for Polish KCM-400: Mysterious "0:00" timestamps appear in the middle of keystroke logs KCM-403: Session recording playback heatmap broken for short videos KCM-411: File upload progress bar completes before file is fully uploaded KCM-426: KSM static token mapping does not work with a per user config KCM-427: Recording playback sometimes freezes KCM-439: __guac_wol_send_packet() uses incorrect structure for IPv6 address

Dependency updates

KCM-453: Update third-party dependencies of KCM

Bug Fixes

• Emergency support required for new "Passkey" record field in the Secrets Manager integration. Customers must update their KCM version to ensure compatibility.

New Features

• Histograms on session recordings

  • KCM session recordings now display a histogram that shows the relative levels of activity within different parts of the recordings

  • Histogram displays the following levels of activities:

    • Visible events such as when the screen changes

    • keyboard events - user interactions with the keyboard

  • More info here

Overview

Keeper Connection Manager 2.21.0 introduces support for linked records in PAM, allowing dynamic tokens to pull admin and launch credentials from linked Keeper records, with new ${KEEPER_SERVER_ADMIN_*} and ${KEEPER_GATEWAY_LAUNCH_*} tokens alongside updates to existing ones.

This release also adds a healthcheck API endpoint to monitor service connectivity, authentication responsiveness, and license status. The release also incorporates Apache Guacamole 1.6.0 improvements including enhanced text selection, VNC auto-resize, expanded parameter tokens, and Wake-on-LAN checks. Additional updates include configurable username case sensitivity, group-based MFA enforcement, LDAP and OpenID Connect enhancements, and broader internationalization and keyboard layout support.

Support for KeeperPAM Linked Records

KCM-421: Support for Linked Records

The Keeper Secrets Manager integration is now capable of reading secrets that involve linked records, specifically the “admin” and “launch” credentials that may be associated with a PAM record in the Vault. Similar to the established ${KEEPER_SERVER_*} and ${KEEPER_GATEWAY_*} tokens, the additional dynamic tokens are now available that pull secrets from linked records.

${KEEPER_SERVER_ADMIN_*}

The requested admin credentials (ie: ${KEEPER_SERVER_ADMIN_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s hostname (exactly as ${KEEPER_SERVER_*} would match).

${KEEPER_SERVER_LAUNCH_*}

The requested launch credentials (ie: ${KEEPER_SERVER_LAUNCH_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s hostname (exactly as ${KEEPER_SERVER_*} would match).

${KEEPER_GATEWAY_ADMIN_*}

The requested admin credentials (ie: ${KEEPER_GATEWAY_ADMIN_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s “gateway-hostname” parameter (exactly as ${KEEPER_GATEWAY_*} would match). This is specific to use of the Microsoft RD Gateway and applies only to RDP connections.

${KEEPER_GATEWAY_LAUNCH_*}

The requested admin credentials (ie: ${KEEPER_GATEWAY_LAUNCH_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s “gateway-hostname” parameter (exactly as ${KEEPER_GATEWAY_*} would match). This is specific to use of the Microsoft RD Gateway and applies only to RDP connections.

Changes to established dynamic token behavior

Additionally, the ${KEEPER_SERVER_*} and ${KEEPER_GATEWAY_*} tokens will now use the linked “admin” credentials for any record that includes linked admin credentials. Secrets stored directly in a matching record will now only be used for dynamic tokens if the record does not use record links.

Endpoint for checking health and license status

KCM-469: Healthcheck API

KCM now includes an automatic healthcheck that runs regularly, checking that the guacd service is reachable, that the authentication subsystem is responsive, and that the KCM license is not expiring soon. The healthcheck includes a REST API endpoint that can be automatically queried to check the status of the system.

The healthcheck endpoint can be reached by issuing a GET request to .../api/ext/healthcheck/full and does not require authentication. For example, if KCM is hosted at kcm.example.net, the following curl command would retrieve the status of the healthcheck:

curl https://kcm.example.net/api/ext/healthcheck/full

If the KCM server is healthy and the license is valid, this will produce JSON that looks like the following:

{ "licensed": true, "licenseExpiresSoon": false, "healthy" : true }

If unhealthy, or if the license is not valid, the flags shown in the above JSON will have different values. The flags in the healthcheck response JSON are as follows:

The behavior of the healthcheck can be modified using the following configuration properties (RPM installation) or environment variables (Docker installation):

Improvements/fixes from upstream Apache Guacamole 1.6.0

KCM-446: Keeper Connection Manager has been brought up-to-date with the latest upstream release of Apache Guacamole. Many of the other improvements that are part of this upstream release were already backported in previous KCM releases, however there are several noteworthy updates that are new:

• Text may now be selected by double-clicking in the terminal emulator.

• Various issues with copying text in the terminal emulator containing newlines or indentation have been fixed.

• Automatic resize of the VNC display is supported where also supported by the VNC server.

• Additional parameter tokens for the domain of an LDAP user, JWT claims from OpenID Connect, and for the current connection name.

• Better handling of Wake-on-LAN via automatic checks for machine availability.

Configuration options not yet mapped to Docker environment variables

The following noteworthy updates are also new, but are only currently configurable with the Docker images through the ADDITIONAL_GUACAMOLE_PROPERTIES catch-all environment variable (their new properties are not yet explicitly mapped to environment variables):

• TOTP enforcement can be disabled based on group membership and IP address.

• Username case sensitivity is now configurable.

User interface / platform Updates

• Add parameter token for connection name (GUACAMOLE-1177)

• Configurable username case sensitivity (GUACAMOLE-1239)

• Display whether user groups are disabled in group list (GUACAMOLE-1479)

• Support for true fullscreen mode and keyboard lock (GUACAMOLE-1525)

• Allow branding/customization of the section headers on the user home page (GUACAMOLE-1584)

• Add support for specifying VNC “encodings” parameter in webapp UI (GUACAMOLE-1642)

• Base64 encoding of image/binary data results in excessive syscalls that can degrade performance (GUACAMOLE-1776)

• Improvements to the “Recent connections” section (GUACAMOLE-1866)

• Provide notification, jump-to-top of page for a clone operation (GUACAMOLE-1916)

Authentication, integration, and storage

• Ensure GUAC_DATE/GUAC_TIME tokens match connection startDate (GUACAMOLE-61)

• Add Proxy Hostname and Port to LDAP Extension (GUACAMOLE-577)

• Randomize generation of TOTP key until enrollment is confirmed (GUACAMOLE-1068)

• Allow TOTP to be disabled by group membership (GUACAMOLE-1219)

• Allow LDAP extension to configure TLS level (GUACAMOLE-1488)

• Allow user to configure Keeper Secrets Manager call frequency (GUACAMOLE-1722)

• Map JWT claims from OpenID Connect as parameter tokens (GUACAMOLE-1844)

• Allow MFA to be bypassed or enforced based on client IP (GUACAMOLE-1855)

• Add parameter token for domain of LDAP user (GUACAMOLE-1881)

Protocol support

• Allow selection of whole words by double-clicking (GUACAMOLE-192)

• Allow specifying connection timeout (GUACAMOLE-600)

• Connecting to unpublished RemoteApp results in black screen (GUACAMOLE-1084)

• Add auto resize to VNC sessions (GUACAMOLE-1196)

• RemoteApp windows become inaccessible after being minimized (GUACAMOLE-1231)

• Add option to the vnc protocol to disable remote input (GUACAMOLE-1267)

• Terminal emulator adds newlines when copying a wrapped line of text (GUACAMOLE-1586)

• Text copied from terminal emulator may incorrectly omit indentation (GUACAMOLE-1632)

• Add terminal support for alternate screen buffer (GUACAMOLE-1633)

• Test machine availability when sending Wake-on-LAN packet (GUACAMOLE-1686)

• Add parameters for VNC compression and quality levels (GUACAMOLE-1760)

• Selected text in SSH is offset from cursor position (GUACAMOLE-1944)

• Multiple wheel events per mouse wheel tick (GUACAMOLE-1967)

Internationalization

• Japanese keyboard layout for RDP incorrect (GUACAMOLE-520)

• Add support for Canadian french keyboard layout (GUACAMOLE-1312)

• Update French translations (GUACAMOLE-1611)

• Fix some typos in italian translation and improve it (GUACAMOLE-1612)

• Updated czech translation (GUACAMOLE-1664)

• Updated german translation (GUACAMOLE-1692)

• Add Czech keyboard layout (GUACAMOLE-1708)

• Polish translation (GUACAMOLE-1730)

• Updated czech translation (GUACAMOLE-1758)

• Add Romanian keymap to RDP protocol (GUACAMOLE-1770)

• Add Portuguese keymap to RDP protocol (GUACAMOLE-1771)

• Update the Simplified Chinese translation (GUACAMOLE-1778)

• Update the Simplified Chinese translation for totp auth extension (GUACAMOLE-1781)

• Updated czech translation (GUACAMOLE-1792)

All Glyptodon Enterprise 2.x releases are API-compatible with Apache Guacamole 1.1.0. Newer releases of Glyptodon Enterprise 2.x may gain compatibility with additional upstream releases of Apache Guacamole beyond 1.1.0 so long as doing so does not break existing compatibility. The most recent release of Glyptodon Enterprise 2.x is compatible with Apache Guacamole 1.3.0 and incorporates a number of improvements from the Apache Guacamole 1.4.0 release. The log entries here describe which changes have been made from the relevant upstream baseline, as well as any changes to the Glyptodon Enterprise repositories and packages.

Release Schedule / History

Version 2.7

• Allow login with standard username/password when SSO is enabled (GLEN-328, GUACAMOLE-1364).

• Automatically clear URL state upon clicking "Re-login" (GLEN-320, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-329, GUACAMOLE-773).

• Update to latest release (9.0.56) of Apache Tomcat (GLEN-329).

• Update to latest release (9.4.1) of SQL Server JDBC driver (GLEN-329).

Version 2.6

• Migrate to header-based transmission of REST API authentication token (GLEN-324, GUACAMOLE-956).

• Add support for authenticating against multiple LDAP servers (GLEN-323, GUACAMOLE-944, GUACAMOLE-957, GUACAMOLE-1130).

• Update to latest release (9.0.55) of Apache Tomcat (GLEN-327).

• Update to latest release (2.4.1) of FreeRDP (GLEN-327).

• Update to latest release (1.10.0) of libssh2 (GLEN-327).

• Update to latest release (4.3.0) of libwebsockets (GLEN-327).

• Update to latest release (9.4.0) of SQL Server JDBC driver (GLEN-327).

Version 2.5

• Add support for broadcasting input events across multiple tiled connections (GLEN-171, GUACAMOLE-724, GUACAMOLE-1204, GUACAMOLE-1381, GUACAMOLE-1383, GUACAMOLE-1398).

• Add support for single sign-on using OpenID Connect (GLEN-133, GUACAMOLE-210, GUACAMOLE-680, GUACAMOLE-805).

• Add support for single sign-on using SAML (GLEN-257, GUACAMOLE-103, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-301, GUACAMOLE-773, GUACAMOLE-1298, GUACAMOLE-1317).

• Update to latest release (2.3.2) of FreeRDP (GLEN-301).

• Update to latest release (4.2.1) of libwebsockets (GLEN-301).

• Update to latest release (9.2.1) of SQL Server JDBC driver (GLEN-301).

• Correct filtering of disconnected/failed connections displayed within the same view (GLEN-171, GUACAMOLE-1387).

• Correct handling of RDP "AUDIO_INPUT" channel (GLEN-242, GUACAMOLE-1201, GUACAMOLE-1283).

• Correct handling of RDP-specific resources when reconnecting to update display size (GLEN-171, GUACAMOLE-1388).

• Correct sort order of connection history within connection edit screen (GLEN-304, GUACAMOLE-1366).

• Create package for standalone Apache Guacamole deployment (GLEN-280).

• Use MariaDB Connector/J driver where MySQL Connector/J is unavailable (GLEN-317, GUACAMOLE-1407).

• Automatically enforce HTTP request size limits (GLEN-301, GUACAMOLE-1298).

• Defer handling of "Meta" key until its identity is confirmed by the browser in context of the current set of pressed keys (GLEN-306, GUACAMOLE-1386).

• Do not automatically reattempt authentication after logging out (GLEN-133, GLEN-257, GUACAMOLE-680).

• Backport latest updates and improvements to translations (GLEN-303, GUACAMOLE-1160, GUACAMOLE-1207, GUACAMOLE-1265, GUACAMOLE-1291, GUACAMOLE-1337, GUACAMOLE-1339, GUACAMOLE-1355).

• Migrate to now-upstreamed version of guacamole-auth-json (GLEN-301, GUACAMOLE-1218).

Version 2.4

• Ensure unexpected failures during session expiration do not prevent other sessions from expiring (GLEN-278, GUACAMOLE-1299).

• Add support for forcing use of lossless compression (GLEN-277, GUACAMOLE-1302).

• Add support for pass-through of multi-touch events (GLEN-276, GUACAMOLE-1204).

• Add package build for CentOS / RHEL 8 (GLEN-182).

• Package support for integrating UDS Enterprise / OpenUDS (GLEN-279).

Version 2.3

This release of Glyptodon Enterprise is a hotfix for an incorrect build of the glyptodon-guacamole-auth-jdbc-sqlserver package which resulted in the SQL Server JDBC driver not loading during web application startup (see GLEN-275). Users of Glyptodon Enterprise that leverage SQL Server for their database should upgrade if they are having trouble as of the 2.2 release. Users that are not leveraging SQL Server will see no difference between 2.3 and 2.2.

• Correct SQL Server driver symbolic link (GLEN-275).

Version 2.2

• Update to upstream 1.3.0 release (GLEN-259)

• Migrate to "/opt/glyptodon" base for installation (GLEN-261)

• Adopt and rebuild against Glyptodon builds of core protocol support libraries (GLEN-261)

• Update build to leverage libuuid instead of OSSP UUID (GLEN-261, GUACAMOLE-1254)

• Correct memory errors related to FreeRDP upgrade (GLEN-261, GUACAMOLE-1191, GUACAMOLE-1259)

Version 2.1

• Correct regressions due to FreeRDP 2.0.0 migration (GLEN-251, GUACAMOLE-1053, GUACAMOLE-1059, GUACAMOLE-1076)

• Backport improved RDP keymap support (GLEN-252, GUACAMOLE-518, GUACAMOLE-859)

Version 2.0

• Update core packaging to use 1.1.0 base version (GLEN-131)

• Package support for TOTP authentication factor (GLEN-134, GUACAMOLE-96)

• Package support for SQL Server authentication and required JDBC driver (GLEN-132, GUACAMOLE-363, GUACAMOLE-525)

• Package support for attaching to Kubernetes pods (GLEN-181, GUACAMOLE-623)

• Update documentation within guacamole.properties to reflect support for user groups (GLEN-184, GUACAMOLE-220)

• Add interface for monitoring and switching between multiple simultaneous connections within the same tab (GLEN-169, GUACAMOLE-723, GUACAMOLE-822)

• Add support for disabling clipboard copy/paste (GLEN-158, GUACAMOLE-381)

• Correct handling of audio input under Chrome (GLEN-223, GUACAMOLE-732, GUACAMOLE-905)

• Correct RDP support regressions due to migration to FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952, GUACAMOLE-962, GUACAMOLE-978, GUACAMOLE-979)

• Add "Hyper-V / VMConnect" security mode option, allowing connections to Hyper-V to continue to work with FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952)

• Ensure guacd has a writable home directory for the sake of FreeRDP, which requires a writable home directory as of 2.0.0 (GLEN-215)

• Correct syntax of SQL Server history queries (GLEN-206, GUACAMOLE-870)

• Provide feedback while user logins are in progress (GLEN-168, GUACAMOLE-742)

• Automatically re-focus relevant fields after login failure (GLEN-220, GUACAMOLE-302)

• Release pressed keys after login succeeds (GLEN-185, GUACAMOLE-817)

• Add RDP keyboard mapping for German non-dead tilde key (GLEN-226, GUACAMOLE-917)

• Add Belgian French keymap for RDP (GLEN-218, GUACAMOLE-901)

• Add Czech translation (GLEN-222, GLEN-237, GUACAMOLE-781)

• Add Hungarian keymap for RDP (GLEN-218, GUACAMOLE-837)

• Add Japanese translation (GLEN-222, GUACAMOLE-821)

• Add Latin American keymap for RDP (GLEN-218, GUACAMOLE-625)

• Ensure SFTP directory listings cannot omit files (GLEN-230, GUACAMOLE-818)

• Explicitly require Java 8, as Java 7 and older are no longer supported by Apache Guacamole since 1.0.0 (GLEN-131, GUACAMOLE-635)

• Tolerate presence of port number within "X-Forwarded-For" headers (GLEN-231, GUACAMOLE-784)

• Do not allow error strings to contain HTML (GLEN-229, GUACAMOLE-955)

• Use correct interface for translatable errors from extensions (GLEN-241, GUACAMOLE-1007)

• Correct REST API caching behavior for IE 11 (GLEN-167, GUACAMOLE-783)

• Remove hard-coded application name and version from Spanish translation (GLEN-221, GUACAMOLE-740, GUACAMOLE-741)

• Correct potential race condition in connection cleanup (GLEN-228, GUACAMOLE-958)

• Correct attribute names declared within guacConfigGroup.schema (GLEN-232, GUACAMOLE-889)