Bug Fixes

• KCM-418: SSH connections to RHEL machines in FIPS mode fail

• KCM-423: Session recording playback throws errors based on specific content

• KCM-420: RBI autofill domain name maching fails for single-word domains (e.g. http://ldapadmin)

• KCM-424: PostgreSQL sessions crash when typing "\c" command

Improvements

• KCM-422: Update to the latest Keeper Secrets Manager SDK for compatibility with new record types.

TOTP autofill support for RBI

In addition to autofill support of usernames and passwords, RBI can now autofill TOTP codes. The field that should receive the TOTP code must be declared in the autofill rules with a totp-code-field property:

For RBI to be able to generate TOTP codes, the TOTP secret must be provided ahead of time, along with any required details like the hash algorithm and the number of digits in each generated code:

Additional ${*_TOTP_SECRET} tokens are provided to allow the TOTP secret to be dynamically retrieved from the Keeper Vault using KSM. For example, to pull the TOTP code for the user account associated with an RBI connection, you would use the ${KEEPER_USER_TOTP_SECRET} parameter token.

The following tokens are technically also defined, but do not currently have any practical use (there is no TOTP code generation needed for RDP):

Migration from Duo v2 to v4

Any customer that has been using v2 and cannot yet change their settings to migrate to v4 will need to continue using KCM 2.19.0 or older until they can migrate.

Duo ceased supporting v2 of their “Web SDK” in favor of v4 (also known as the Duo “Universal Prompt”) some time ago, maintaining availability of v2 only for customers that require and request this. KCM has now been updated to use this new version. Duo’s Web SDK v4 is incompatible with v2 and uses different configuration options:

The duo-application-key, duo-integration-key, and duo-secret-key properties (and the DUO_APPLICATION_KEY, DUO_INTEGRATION_KEY, and DUO_SECRET_KEY variables) are specific to v2 of Duo’s Web SDK and no longer have any effect.

Verbose mode for KCM install script (kcm-setup.run)

This new debug/verbose mode for the KCM install script is mainly of use for obtaining debugging information that the KCM development team can use to troubleshoot customer issues that otherwise have no explanation. It’s unlikely that this variable will be useful to customers outside that context and the sheer verbosity resulting from using it might cause confusion.

The kcm-setup.run script now supports a KCM_SETUP_DEBUG environment variable that causes the script to run in verbose mode, printing out all commands run and all output from those commands. This debug output can be sent directly to the terminal or to a file depending on the value of KCM_SETUP_DEBUG.

export KCM_SETUP_DEBUG=/path/to/file
sudo -E ./kcm-setup.run

New Features

• KCM-164: Remote Browser Isolation Protocol See documentation here

• KCM-345: Enforcement of KCM license keys

Important License Changes

As part of the upgrade to KCM 2.19, customers will now be required to obtain a license key from Keeper in order to continue the use of Keeper Connection Manager (KCM). Without a valid license key, users and admins will be unable to use KCM after the update is applied.

This is a new process and the appropriate steps to maintain access to KCM are outlined below.

To obtain a license key, please contact Keeper Support directly at: https://www.keepersecurity.com/support.html

Upon request, Keeper will generate and send a copy of your license key.

To configure KCM with your license key, follow the steps below:

License Key | English

This latest release updates to Keeper's latest GPG signing key (relevant only to RPM-based installs), updates to the latest compatible versions of all dependencies, and addresses the following issues.

Bug Fixes

• KCM-332: Incorrect timeout behavior while RDP connections are waiting for the user to enter their credentials.

• KCM-309: Confusing prompt wording in kcm-setup.run regarding the customer's KCM server's domain, which is not necessarily a public-facing FQDN under all circumstances.

• KCM-339: Incorrect handling of the (attribute) suffix when importing connections from CSV.

• KCM-341: An "Unable to create injector" error that prevents the "Encrypted JSON Authentication" extension from loading, regardless of how it has been configured.

Bug Fixes

• KCM-328: Eliminated an issue present in release 2.18.0 and 2.18.1 that placed an artificial limit on large-scale, repeated connection creation necessitating guacd service restart

Bug Fixes

• Resolved regression issues in release 2.18.0

  • KCM-295: Keeper Favicon Display causing improper rendering causing white dots to be viewable

  • KCM-298: SSH connections were interrupted when changing font in the menu

  • KCM-316: Eliminated a race condition when configuring RDP with SFTP that cause the connection to fail

  • KCM-294: Incorrectly set Connection user concurrency limit to 1 by default

New Features

• Histograms on session recordings

  • KCM session recordings now display a histogram that shows the relative levels of activity within different parts of the recordings

  • Histogram displays the following levels of activities:

    • Visible events such as when the screen changes

    • keyboard events - user interactions with the keyboard

  • More info here

New Features

• Key Events in KCM Session Records can now be viewed within KCM’s session recording player

  • More info here

• KCM's terminal emulator now supports Mac-style keyboard shortcuts

  • The terminal emulator used by KCM for text-based protocols like SSH has historically used only Ctrl+Shift+V as the shortcut for pasting clipboard contents using the keyboard. The terminal emulator now additionally supports Cmd+V for ease of use on Macs, and will also ignore attempts to copy using Ctrl+Shift+C or Cmd+C (copying within the terminal emulator always happens automatically upon selecting text)

• New Environment Variable: SSL_EXTERNAL_PORT

  • To validate requests received from a SAML IdP, KCM needs to know the user-facing TCP port used to access KCM. If that port differs from the standard HTTPS port, SSL_EXTERNAL_PORT can be specified to inform KCM that the port is different

  • Resolves issue where SAML extension does not work when KCM is configured to use a custom HTTPS port

Improvements & Bug Fixes

• TOTP can now be used with SAML

  • SAML and TOTP historically could not be used together with KCM as both contain anti-replay defenses that would conflict with each other. These conflicts have been resolved such that both can be used at the same time without sacrificing the security provided by those anti-replay defenses.

• KCM's Keeper Secret Manager Integration now supports reading private keys from PAM User Records

  • PAM User Record is a recently introduced PAM Record Type that is used in Keeper Rotation

Bug Fixes

• Resolved an issue where a regression in KCM 2.16.0 caused the MySQL database connection to enforce SSL verifications that cannot succeed when using the Docker images.

Security Updates

• Base version of Apache Guacamole updated to 1.5.2 from 1.3.0

  • KCM has been using Apache Guacamole 1.3.0 as its basis for some time now, backporting changes from upstream over time. With the latest upstream release being 1.5.2, we should bring our packages up-to-date with that release and remove any patches that are no longer necessary.

  • The upstream Apache Guacamole 1.5.2 release contains changes that address issues with security implications. The issues in question:

    • CVE-2023-30575: Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths

    • CVE-2023-30576: Apache Guacamole: Use-after-free in handling of RDP audio input buffer

  • With this base version update, there are no implications for compatibility. Extensions that worked with previous versions of KCM should continue to work identically.

• Dependency updates

  • The various C, Java, and JavaScript dependencies used by KCM are brought up-to-date with their latest available and compatible versions.

New Features

• apply command for kcm-setup.run

  • The kcm-setup.run installation script now provides an apply command to more easily allow administrators to apply changes made to docker-compose.yml: ./kcm-setup.run apply

    • Unlike upgrade, the apply command strictly applies changes made externally to docker-compose.yml and does not pull new images.

    • The installation script has also been updated to use depends_on within declared services to ensure that stop need not be run before upgrade or apply are used. Administrators can simply run the command and rely on the script and Docker Compose to automatically stop/start services as needed.

Bug Fixes

• Resolved Issue where Batch import does not support some unicode characters

Bug Fixes

• Emergency support required for new "Passkey" record field in the Secrets Manager integration. Customers must update their KCM version to ensure compatibility.

New Features

• KCM now enables administrators to batch import connections via API or by uploading a CSV, JSON, or YAML file

  • Visit this doc for more info

New Features

• A visual notification now appears in the upper-right corner of the UI to indicate when a user has joined a shared connection. This notification will remain visible to the original user for as long as there are other users on the connection. Hovering a cursor over the indicator, will reveal a tooltip showing the usernames of all other users and how many concurrent connections they have to the current shared connection.

Bug Fixes

• Various minor bug fixes

All Glyptodon Enterprise 2.x releases are API-compatible with Apache Guacamole 1.1.0. Newer releases of Glyptodon Enterprise 2.x may gain compatibility with additional upstream releases of Apache Guacamole beyond 1.1.0 so long as doing so does not break existing compatibility. The most recent release of Glyptodon Enterprise 2.x is compatible with Apache Guacamole 1.3.0 and incorporates a number of improvements from the Apache Guacamole 1.4.0 release. The log entries here describe which changes have been made from the relevant upstream baseline, as well as any changes to the Glyptodon Enterprise repositories and packages.

Release Schedule / History

Version 2.7

• Allow login with standard username/password when SSO is enabled (GLEN-328, GUACAMOLE-1364).

• Automatically clear URL state upon clicking "Re-login" (GLEN-320, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-329, GUACAMOLE-773).

• Update to latest release (9.0.56) of Apache Tomcat (GLEN-329).

• Update to latest release (9.4.1) of SQL Server JDBC driver (GLEN-329).

Version 2.6

• Migrate to header-based transmission of REST API authentication token (GLEN-324, GUACAMOLE-956).

• Add support for authenticating against multiple LDAP servers (GLEN-323, GUACAMOLE-944, GUACAMOLE-957, GUACAMOLE-1130).

• Update to latest release (9.0.55) of Apache Tomcat (GLEN-327).

• Update to latest release (2.4.1) of FreeRDP (GLEN-327).

• Update to latest release (1.10.0) of libssh2 (GLEN-327).

• Update to latest release (4.3.0) of libwebsockets (GLEN-327).

• Update to latest release (9.4.0) of SQL Server JDBC driver (GLEN-327).

Version 2.5

• Add support for broadcasting input events across multiple tiled connections (GLEN-171, GUACAMOLE-724, GUACAMOLE-1204, GUACAMOLE-1381, GUACAMOLE-1383, GUACAMOLE-1398).

• Add support for single sign-on using OpenID Connect (GLEN-133, GUACAMOLE-210, GUACAMOLE-680, GUACAMOLE-805).

• Add support for single sign-on using SAML (GLEN-257, GUACAMOLE-103, GUACAMOLE-680).

• Update webapp dependencies to latest stable versions (GLEN-301, GUACAMOLE-773, GUACAMOLE-1298, GUACAMOLE-1317).

• Update to latest release (2.3.2) of FreeRDP (GLEN-301).

• Update to latest release (4.2.1) of libwebsockets (GLEN-301).

• Update to latest release (9.2.1) of SQL Server JDBC driver (GLEN-301).

• Correct filtering of disconnected/failed connections displayed within the same view (GLEN-171, GUACAMOLE-1387).

• Correct handling of RDP "AUDIO_INPUT" channel (GLEN-242, GUACAMOLE-1201, GUACAMOLE-1283).

• Correct handling of RDP-specific resources when reconnecting to update display size (GLEN-171, GUACAMOLE-1388).

• Correct sort order of connection history within connection edit screen (GLEN-304, GUACAMOLE-1366).

• Create package for standalone Apache Guacamole deployment (GLEN-280).

• Use MariaDB Connector/J driver where MySQL Connector/J is unavailable (GLEN-317, GUACAMOLE-1407).

• Automatically enforce HTTP request size limits (GLEN-301, GUACAMOLE-1298).

• Defer handling of "Meta" key until its identity is confirmed by the browser in context of the current set of pressed keys (GLEN-306, GUACAMOLE-1386).

• Do not automatically reattempt authentication after logging out (GLEN-133, GLEN-257, GUACAMOLE-680).

• Backport latest updates and improvements to translations (GLEN-303, GUACAMOLE-1160, GUACAMOLE-1207, GUACAMOLE-1265, GUACAMOLE-1291, GUACAMOLE-1337, GUACAMOLE-1339, GUACAMOLE-1355).

• Migrate to now-upstreamed version of guacamole-auth-json (GLEN-301, GUACAMOLE-1218).

Version 2.4

• Ensure unexpected failures during session expiration do not prevent other sessions from expiring (GLEN-278, GUACAMOLE-1299).

• Add support for forcing use of lossless compression (GLEN-277, GUACAMOLE-1302).

• Add support for pass-through of multi-touch events (GLEN-276, GUACAMOLE-1204).

• Add package build for CentOS / RHEL 8 (GLEN-182).

• Package support for integrating UDS Enterprise / OpenUDS (GLEN-279).

Version 2.3

This release of Glyptodon Enterprise is a hotfix for an incorrect build of the glyptodon-guacamole-auth-jdbc-sqlserver package which resulted in the SQL Server JDBC driver not loading during web application startup (see GLEN-275). Users of Glyptodon Enterprise that leverage SQL Server for their database should upgrade if they are having trouble as of the 2.2 release. Users that are not leveraging SQL Server will see no difference between 2.3 and 2.2.

• Correct SQL Server driver symbolic link (GLEN-275).

Version 2.2

• Update to upstream 1.3.0 release (GLEN-259)

• Migrate to "/opt/glyptodon" base for installation (GLEN-261)

• Adopt and rebuild against Glyptodon builds of core protocol support libraries (GLEN-261)

• Update build to leverage libuuid instead of OSSP UUID (GLEN-261, GUACAMOLE-1254)

• Correct memory errors related to FreeRDP upgrade (GLEN-261, GUACAMOLE-1191, GUACAMOLE-1259)

Version 2.1

• Correct regressions due to FreeRDP 2.0.0 migration (GLEN-251, GUACAMOLE-1053, GUACAMOLE-1059, GUACAMOLE-1076)

• Backport improved RDP keymap support (GLEN-252, GUACAMOLE-518, GUACAMOLE-859)

Version 2.0

• Update core packaging to use 1.1.0 base version (GLEN-131)

• Package support for TOTP authentication factor (GLEN-134, GUACAMOLE-96)

• Package support for SQL Server authentication and required JDBC driver (GLEN-132, GUACAMOLE-363, GUACAMOLE-525)

• Package support for attaching to Kubernetes pods (GLEN-181, GUACAMOLE-623)

• Update documentation within guacamole.properties to reflect support for user groups (GLEN-184, GUACAMOLE-220)

• Add interface for monitoring and switching between multiple simultaneous connections within the same tab (GLEN-169, GUACAMOLE-723, GUACAMOLE-822)

• Add support for disabling clipboard copy/paste (GLEN-158, GUACAMOLE-381)

• Correct handling of audio input under Chrome (GLEN-223, GUACAMOLE-732, GUACAMOLE-905)

• Correct RDP support regressions due to migration to FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952, GUACAMOLE-962, GUACAMOLE-978, GUACAMOLE-979)

• Add "Hyper-V / VMConnect" security mode option, allowing connections to Hyper-V to continue to work with FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952)

• Ensure guacd has a writable home directory for the sake of FreeRDP, which requires a writable home directory as of 2.0.0 (GLEN-215)

• Correct syntax of SQL Server history queries (GLEN-206, GUACAMOLE-870)

• Provide feedback while user logins are in progress (GLEN-168, GUACAMOLE-742)

• Automatically re-focus relevant fields after login failure (GLEN-220, GUACAMOLE-302)

• Release pressed keys after login succeeds (GLEN-185, GUACAMOLE-817)

• Add RDP keyboard mapping for German non-dead tilde key (GLEN-226, GUACAMOLE-917)

• Add Belgian French keymap for RDP (GLEN-218, GUACAMOLE-901)

• Add Czech translation (GLEN-222, GLEN-237, GUACAMOLE-781)

• Add Hungarian keymap for RDP (GLEN-218, GUACAMOLE-837)

• Add Japanese translation (GLEN-222, GUACAMOLE-821)

• Add Latin American keymap for RDP (GLEN-218, GUACAMOLE-625)

• Ensure SFTP directory listings cannot omit files (GLEN-230, GUACAMOLE-818)

• Explicitly require Java 8, as Java 7 and older are no longer supported by Apache Guacamole since 1.0.0 (GLEN-131, GUACAMOLE-635)

• Tolerate presence of port number within "X-Forwarded-For" headers (GLEN-231, GUACAMOLE-784)

• Do not allow error strings to contain HTML (GLEN-229, GUACAMOLE-955)

• Use correct interface for translatable errors from extensions (GLEN-241, GUACAMOLE-1007)

• Correct REST API caching behavior for IE 11 (GLEN-167, GUACAMOLE-783)

• Remove hard-coded application name and version from Spanish translation (GLEN-221, GUACAMOLE-740, GUACAMOLE-741)

• Correct potential race condition in connection cleanup (GLEN-228, GUACAMOLE-958)

• Correct attribute names declared within guacConfigGroup.schema (GLEN-232, GUACAMOLE-889)

Features and Improvements

• PAM-16, PAM-5, PAM-18: New user interface with Keeper branding

• PAM-15: Automatically trim trailing whitespace from guacamole.properties

• PAM-6: Add SSH support for ECDSA and ED25519 keys

• PAM-4: Add encrypted vault storage plugin for Keeper Secrets Manager

• PAM-20: Migrate to Gitbook for documentation

Features and Improvements

• PRIV-59 Session recording playback in the UI

• PRIV-60 Allow admins to reset users' TOTP state

• PRIV-73 Updated FreeRDP packages to the latest release (2.6.1)

• PRIV-50, PRIV-51 Hide dependencies version numbers shown in error messages

Highlight: In-Browser Session Playback

It is now possible to view graphic session recording right in the browser. Once a connection is setup for in-browser recording playback, past sessions can be replayed from the History tab.

• Find more information and setup instructions in the docs: https://docs.keeper.io/glyptodon/using-glyptodon/session-recording#in-browser-session-recording-and-playback

Version 2.9.0 introduces the world to Keeper Connection Manager.

Also, we are proud to announce support for MySQL connections. Easily add database connections to the Keeper Connection Manager platform to secure and protect MySQL databases. Session recording, privileged access management and secrets management capabilities apply to the MySQL connection type.

Features & Improvements

• PRIV-80: Remove file upload limit from SSL termination image

• PRIV-72: Allow installer to be run as an https stream

• PRIV-79: Rebranding of Glyptodon installer to KCM

• PRIV-67: Rebranding of Glyptodon UI to KCM

• PRIV-81: Auto-generate secure credentials for "guacadmin" user

• PRIV-63: Add support for MySQL connection types

• PRIV-55: Disable legacy TLS protocols/ciphers by default

• PRIV-56: Allow custom CSP and HSTS headers to be configured

Features

• PRIV-121: Amazon AWS EC2 discovery and auto-connect [Documentation]

• PRIV-69: Support for Wayland server

• PRIV-128: Support for ED25519 SSH Keys in Docker Version

• PRIV-82: Ability to reconfigure the installation (for example MySQL to PostgreSQL) using the kcm-setup.run script.

• PRIV-129: Enforce the parameter GUACAMOLE_ADMIN_PASSWORD to prevent "Default" password.

Bug Fixes

• PRIV-137: Sharing Profiles not visible in the Admin UI

Features

• PRIV-149: Support for Domain parameter in Vault integration for Windows logins See: https://docs.keeper.io/keeper-connection-manager/vault-integration/dynamic-tokens#windows-username-domain-parsing

• PRIV-74: Added small margin to SSH connection windows

• PRIV-165: Accept a one-time token for UI-based KSM configuration

• PRIV-108: Added support for multiple KSM applications (at the Connection Group Level)

• PRIV-157: Added support for custom LDAP Root Certificate

• PRIV-160: Added support for signed SAML requests

Bug Fixes

• PRIV-161: Kubernetes support missing from guacd Docker image

• PRIV-168: Add "X-Content-Type-Options" header to SSL termination Docker image

• PRIV-173: Update kcm-setup.run to support Amazon Linux 2

• PRIV-174: Private key authentication fails for VNC with SFTP file transfer option

• PRIV-175: Default CSP ruleset for NGINX image is broken on Safari browsers

Features

• PRIV-184: Updated login screen to say "username" instead of "Email"

• PRIV-40: Added brute-force login protection when multiple incorrect login attempts are attempted based on IP address. See: https://docs.keeper.io/keeper-connection-manager/using-keeper-connection-manager/login-screen#login-attempt-limits

• PRIV-172: Improved FIPS mode support. see https://docs.keeper.io/keeper-connection-manager/security#fips-140-2-validated

• PRIV-109: Added support for Active Directory domain with KSM records that control RDP connections

Features

• Support for Running KCM on ARM

• Per-user KSM Vaults

• KSM Support for Cloud Connector (EC2)

Support for Running KCM on ARM

PRIV-130: The RPMs and Docker images (including kcm-setup.run) now support ARM in addition to x86_64. This doesn't change how anything behaves except that we now support installation on ARM.

Per-user KSM Vaults

PRIV-170: If enabled, users are able to register their own KSM vault within KCM using the “Preferences” tab in the “Settings” screen. That vault will then be used for any connections that the administrator configures to accept user-provided secrets.

This capability is disabled by default. Enabling this capability requires both of the following:

• Setting the ksm-allow-user-config property in guacamole.properties (or the KSM_ALLOW_USER_CONFIG environment variable for the keeper/guacamole Docker image).

• Enabling use of user vaults on any connections that shouldn’t use only the administrator-configured vaults (check the “Allow user-provided KSM configuration“ box for the connections in question).

NOTE: By “administrator-configured vaults”, we mean only those vaults that are purely controlled by administrators: the system-wide vault configured in guacamole.properties and any vaults configured via connection groups.

This was implemented this way because doing otherwise would have security implications. Unless the administrator can also dictate which exact connections should receive credentials from user vaults, allowing users to provide their own vaults would allow those same users to control any connection parameters that use values from KSM. Depending on which connection parameters use KSM tokens, inadvertently allowing a user to control the values of parameters could have profound security implications. For example:

• If the user can control part of the path used for the RDP drive, they will be able to read arbitrary files on the server.

• If the user can control authentication parameters, they can control which credentials are used to connect, perhaps bypassing the intent of the admin.

• If the user can control the hostname or port, they can connect wherever they like with the credentials associated with the connection, again bypassing the intent of the admin.

KSM Support for Cloud Connector (EC2)

PRIV-163: SSH keys and Windows passwords from KSM for machines can now be retrieved for AWS EC2 by the KCM Cloud Connector. This is in addition to the existing support for retrieving SSH keys from the filesystem (beneath /etc/guacamole/cloud-connector-secrets).

Similar to the overall KSM integration, the KSM configuration relevant to AWS must be configured with the aws-discovery-ksm-config property (or the AWS_DISCOVERY_KSM_CONFIG environment variable for Docker).

Relevant records are identified by:

• An "Instance" field that exactly matches the instance ID (if there is only one such record).

  • Some variation in the field naming is tolerated: the field may optionally start with “AWS”, “EC2”, or “Amazon”, may optionally end with “ID”, and is case-insensitive.

• An attachment that exactly matches the key name of the instance plus ".pem" (if there is only one such record).

• A hostname/address field (such as that provided by the “SSH Key” record type) that exactly matches the private IP address of the EC2 instance.

If the SSH key exists on the filesystem, it will always be used in favor of querying KSM.

Features

• KCM-155: Add support for interacting directly with SQL Server databases [Details]

• KCM-152: Add support for interacting directly with PostgresSQL databases [Details]

Improvements

• KCM-201: Optimizations to access time limits on active windows sessions

• KCM-198: Added "version" command to verify currently installed versions of KCM

• KCM-195: Optimized the frequency of KSM API calls used when integrated with KCM

• KCM-205: Increased security of locally cached auth token

Bug Fixes

• Various minor bug fixes

Features & Improvements

KCM-83: The kcm-setup.run script now allows administrators to directly configure their deployment to use KSM for retrieval of secrets, rather than requiring manual editing of docker-compose.yml after installation. Additional prompts are presented that allow the administrator to provide a KSM one-time token or a base64-encoded KSM configuration during setup.

KCM-226: The keeper/guacamole-ssl-nginx image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE environment variable. A user will only be able to connect to NGINX using their browser if their browser has access to a private key that is signed by this certificate.

This variable is similar to the CERTIFICATE_FILE environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.

Additional environment variables are also available to tweak SSL/TLS auth behavior further:

KCM-227: Multiple Hostnames/Configurations for SSL Termination

The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:

ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            SSL_HOSTNAME: "example.net"

As KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).

The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
               - SSL_HOSTNAME: "*.example.net"

The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.

A more complex example:

    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
                 LETSENCRYPT_ACCEPT_TOS: "Y"
                 LETSENCRYPT_EMAIL=your.email@example.net

               - SSL_HOSTNAME: "*.example.net"
                 SELF_SIGNED: "Y"

The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.

Bug Fixes

• KCM-223: When joining a shared connection, the joining client appears to hang (does not receive a copy of the current display) until something changes graphically within the session.

• KCM-213: When changing the User Time Zone setting to a specific time zone and then going back to clear that time zone, it doesn’t clear the time zone but instead changes it back to the time zone that was set previously.

New Features

• KSM now supports CAC/PIV authentication

  • For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/piv-cac

• KSM now enables administrators to approve/deny user's ability to authenticate with KSM using SSO

  • For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/account-approve-deny-workflow

Improvements

• SAML can now be configured automatically with kcm-setup.run

  • Rather than manually editing the docker-compose.yml file post installation, administrators can now directly configure their deployment to use SAML for SSO with the kcm-setup.run script

• The extension-priority property may now be configured with the EXTENSION_PRIORITY environment variable.

  • Users no longer need use the catch-all ADDITIONAL_GUACAMOLE_PROPERTIES environment variable to set this.