
Keeper Gateway

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling.

Preview Release

How to install the Preview version of the Keeper Gateway

Keeper maintains a "Preview" channel release of the Keeper Gateway. Customers are welcome to install the Preview version, which is published a few days ahead of full public release.

Keeper Gateway v1.5.3

Released on May 1, 2025

Bug Fixes

  • DR-1004, DR-947: Discovery related issues resolved with data storage

  • DR-940: Fixed bug with rotation schedules not being followed properly

Improvements

  • DR-953: Updated to Python 3.12

  • DR-915: Add additional command-line tools in the production Docker image

Keeper Gateway v1.5.2

Released on April 2, 2025

Bug Fixes

  • DR-953: Better handling of a large volume of simultaneous scheduled rotations to reduce throttling errors

Improvements

  • Incorporated the latest Keeper Connection Manager 2.20.0 libraries, which resolve an issue with the remote browser isolation "ignore certificate" setting.

Keeper Gateway v1.5.1

Released on March 20, 2025

Improvements & Bug Fixes

  • Resolved issue where RBI Connections would sometimes fail to load

  • Added support for an additional username format for Windows services

  • Resolved issue where LDAP connections through tunnels terminate abruptly when SSL port (636) is used

  • Resolved issue where configured password complexity rules are being ignored

  • Resolved issue where OS field was not Case-Sensitive

  • Resolved issue where incorrect CPU architecture was being used during Windows installation

  • Resolved issues with Session recordings on the Windows Gateway

  • Localization improvements

  • Improved Error Handling

  • Other minor improvements and bug fixes

Updating the Gateway

Docker

Executing the following commands will update the Keeper Gateway container to the latest version and restart the service:

docker compose pull
docker compose down
docker compose up -d

Linux

Executing the following command will upgrade the Keeper Gateway to the latest version:

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --

Windows

To upgrade, stop the service, install the latest version and then start the service.

  • Back up your gateway-config.json configuration file

  • Run the latest Keeper Gateway installer

  • During installation DO NOT select "Enter a Keeper One-Time Access Token".

Resources

For more information on KeeperPAM, visit the following:

  • Gateway Documentation

  • KeeperPAM Website

  • KeeperPAM Documentation

Keeper Gateway v1.5.0

Released on February 13, 2025

Get started by setting up your KeeperPAM sandbox! Visit here to begin.

KeeperPAM is now available for all customers.

For more information on KeeperPAM, visit the following:

  • Website

  • KeeperPAM Documentation

Features

  • Optimized Password Rotation - manage all rotations directly from the Vault UI

  • Connections - instantly and securely access assets within their target infrastructure

  • Tunnels - use native apps for establishing remote access

  • Remote Browser Isolation - protect web-based apps

  • Session Recordings and Playback - monitor usage for all privileged sessions

  • Discovery - discover and onboard resources and accounts into Keeper

  • Endpoint Privilege Manager - controlling privilege across your fleet of devices

  • PAM Enforcement Policies (RBAC) - PAM enforcement policies to enable and configure PAM feature permissions

Activating KeeperPAM features requires a license. Contact your Keeper account representative for details.

Improvements

  • Improved Windows Gateway installer user experience

Bug Fixes

  • Resolved issue where the Windows Gateway doesn't start due to a service account login issue

Older

Keeper Gateway v1.4.3

Released on February 6, 2024

  • DR-542 PowerShell Command Scope Limitation: Limited PowerShell command to local admin groups by default to improve startup reliability.

  • DR-545 Sensitive Data Logging Removal: Removed logging of sensitive information (username, password, one-time token) during Windows installation, enhancing security.

  • DR-546 Pin MSGraph to 0.2.2: Fixed issues caused by MSGraph 1.0.0 release by pinning to version 0.2.2.

Keeper Gateway v1.4.2

Released on February 2, 2024

  • DR-537 IAM Rotation in GovCloud: Fixed an issue where IAM client rotation in GovCloud required specifying a region to switch endpoints, differing from commercial AWS behavior.

  • DR-541 WinRM Executable Fix: Addressed a problem in the 'make executable' code for WinRM by correcting the regular expression match group, preventing 'no such group' exceptions.

  • DR-539 Improved Sudoer Error Message: Enhanced the error message for users not in the sudoers file, making it more descriptive and actionable.

Keeper Gateway v1.4.1

Released on January 17, 2024

Improvements & Bug Fixes

  • Added support for new GovCloud Router endpoint

  • Upgrading dependencies:

    • paramiko from ==3.0.0 to >=3.4.0

    • oracledb from ==1.2.2 to >=1.4.0

  • Minor bug fixes and improvements

Keeper Gateway v1.4.0

Released on December 16, 2023

New Features

  • Implemented auto-update capabilities for Windows and Linux installations

    • Read more here

Improvements & Bug Fixes

  • Minor bug fixes and improvements

Keeper Gateway v1.3.4

Released on November 18, 2023

New Features

  • GovCloud Compatibility: This version of the Keeper Gateway ensures full compatibility with GovCloud customers requiring EC encryption.

  • Custom Fields for advanced Gateway Configurations: shell, Private Key Rotate (read more here)

    • Expanded Private Key Beyond RSA Format

      • Additional Key Support: Besides the previously supported RSA private keys, added support for ed25519, ecdsa, and dss private keys, aligning with algorithms backed by ssh-keygen.

      • Key Rotation: Private key rotation now uses the algorithm and bit size of the current key for generating a new one. A custom text field "Private Key Type" is introduced to specify a desired algorithm.

      • Private Key Rotation Control: Added a custom field "Private Key Rotate" that lets users control if the private key should be rotated.
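How the algorithm and bit size can be read from the current key before generating its replacement, as an added example (not Keeper Gateway code). It assumes the key is stored in the OpenSSH `openssh-key-v1` container, whose public section stays unencrypted even when the key has a passphrase; the sample keys are constructed with dummy material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def ssh_string(data):
    """Encode one SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Decode one SSH wire 'string' at off; return (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:end], end


def describe_openssh_key(pem_text):
    """Return (algorithm, bits) read from the key's unencrypted public section."""
    lines = pem_text.strip().splitlines()
    raw = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = read_string(raw, off)
    (nkeys,) = struct.unpack_from(">I", raw, off)
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    pub, _ = read_string(raw, off + 4)
    ktype, pos = read_string(pub, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":
        _, pos = read_string(pub, pos)  # public exponent e
        modulus, _ = read_string(pub, pos)
        return "rsa", int.from_bytes(modulus, "big").bit_length()
    if ktype == "ssh-ed25519":
        return "ed25519", 256  # fixed-size keys
    if ktype.startswith("ecdsa-sha2-nistp"):
        return "ecdsa", int(ktype.rsplit("nistp", 1)[1])
    if ktype == "ssh-dss":
        prime, _ = read_string(pub, pos)
        return "dss", int.from_bytes(prime, "big").bit_length()
    raise ValueError(f"unsupported key type: {ktype}")


def constructed_key(ktype, *fields, cipher=b"none"):
    """Build a structurally valid container with dummy key material (demo only)."""
    pub = ssh_string(ktype.encode()) + b"".join(ssh_string(f) for f in fields)
    raw = (MAGIC + ssh_string(cipher) + ssh_string(b"none") + ssh_string(b"")
           + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(b"\x00" * 8))
    body = base64.b64encode(raw).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Legacy PEM keys (for example `BEGIN RSA PRIVATE KEY`) use a different encoding and are rejected by this parser rather than guessed at.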

Improvements & Bug Fixes

  • Added Virtual Resource for the NOOP Operator

    • Previously, if the admin credential was not set and the NOOP flag was set to TRUE, the resource UID was set to None/blank, breaking the resource hierarchy and potentially leading to provider misidentifications. To resolve this issue, a virtual resource is now generated instead.

  • Minor bug fixes and improvements

Keeper Gateway v1.3.3

Released on September 25, 2023

Improvements & Bug Fixes

  • Configuration Attribute Handling for kdnrm process

    • Omitted configuration attributes that aren't serializable (can't be pickled) when transferring to the kdnrm process.

Keeper Gateway v1.3.2

Released on September 22, 2023

Improvements & Bug Fixes

  • Debug Logging Enhancement for kdnrm

    • Addressed issues with debug logging for the kdnrm module when using the -d or --debug options.

Keeper Gateway v1.3.1

Released on September 17, 2023

New Features

  • Custom Fields for advanced Gateway Configurations: NOOP, shell, Kerberos

    • Read more here

  • Custom Field for better record management in post-rotation: Records Control

Improvements & Bug Fixes

  • Added command length verification

    • Command Length Limitation: Added checks to ensure that commands in post-rotation do not exceed the byte limit specific to the shell (e.g., 8192 bytes for Windows CMD).

  • Fixed issue where the user parameter was not being set in the Base64 encoded JSON object for Post Rotation Scripts

    • Eliminated the redundant user parameter from _generate_params function, as it's already available in the object.

  • Fixed Illegal Characters for Oracle

    • Added @ to the list of illegal characters to meet Oracle's input requirements. Other characters such as single quotes were also added for SQL safety.

  • Fixed Gateway Permission Settings for Non-English Windows

    • Modified permission settings logic to work correctly on Windows systems using languages other than English.

  • Fixed Windows Shell Detection

    • Delayed setting the command prompt until after the shell type is definitively determined, which fixes issues when the shell is not PowerShell.

  • Improved handling of Shell Responses

    • Stream Handling: Improved the response stream handling for slow systems on Linux and macOS by waiting for a known prompt.

    • Character Stream Cleanup: Added several clean-up steps to the character stream to remove extraneous characters and control codes.

  • Updated Gateway Logs to include Post Rotation Script Output when Debug flag is set

    • Debug Block: A new debug block that logs details of the script, its success status, and STDOUT/STDERR.

    • Secret Redaction: Ensured that secret or sensitive information is redacted from the logs.
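The debug block and secret redaction described above can be sketched as a logging filter. This is an added example, not Keeper Gateway code: the secret value, script path and JSON field names are constructed, and because post-rotation parameters travel as Base64-encoded JSON, the filter also masks any Base64 run that decodes to text containing a secret.

```python
import base64
import binascii
import io
import json
import logging
import re


class SecretRedactingFilter(logging.Filter):
    """Mask known secrets, raw or Base64-wrapped, before a handler emits them."""

    MASK = "********"
    # Runs long enough to be an encoded parameter blob rather than a word.
    _B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

    def __init__(self, secrets):
        super().__init__()
        # Longest first so a short secret never splits a longer one.
        self._secrets = sorted({s for s in secrets if s}, key=len, reverse=True)

    def _mask_if_wrapping_secret(self, match):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            return token  # not Base64 after all; leave untouched
        return self.MASK if any(s in decoded for s in self._secrets) else token

    def redact(self, text):
        text = self._B64_RUN.sub(self._mask_if_wrapping_secret, text)
        for secret in self._secrets:
            text = text.replace(secret, self.MASK)
        return text

    def filter(self, record):
        # Render msg % args first, since a secret can arrive through either.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True


def demo():
    # Constructed sample values; the JSON field names are hypothetical.
    password = "S3cr3t!Rotated"
    blob = json.dumps({"user": "svc_backup", "newPassword": password}).encode()
    params = base64.b64encode(blob).decode()
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter([password]))
    log = logging.getLogger("post_rotation_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)
    log.debug("script=%s params=%s", "/opt/scripts/notify.sh", params)
    log.debug("success=%s stdout=%r stderr=%r", True, f"updated {password}\n", "")
    return stream.getvalue().splitlines(), params


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

Attaching the filter to the handler rather than to one logger means records propagated from child loggers are redacted as well.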

Keeper Gateway v1.3.0

Released on September 1, 2023

New Features

  • Gateway Configuration with an AWS EC2 Instance

    • An IAM Role Policy can be created and assigned to an EC2 Instance in order to provide the Keeper Gateway service with the required permissions to retrieve the necessary configuration from the AWS Key Management Service (KMS). This method eliminates the need for storing a configuration file on the disk, and instead, stores the configuration file in your AWS KMS.

Improvements & Bug Fixes

  • Updates to handle Non-UTF8 Encoding

    • Added functionality to ignore bad characters during decoding, addressing potential encoding mismatches, especially with Windows.

  • Removed the AD Organizational Unit (OU) Check

    • Removed the OU check feature as it was not performing as expected.

  • Handle Nologin User Shell

    • Implemented measures to detect and handle instances with a /sbin/nologin shell or false, searching for a supported shell instead.

    • Enforced the overriding of the SHELL variable in the spawned shell to prevent inconsistencies.

  • Clean Up Rotation Action Processes, Use Environment Variable Options

    • Moved log configuration to process initializer for better control.

    • Excluded process information in job debug messages temporarily.

    • Added the ability to obtain command-line parameters from environment variables, providing more flexible configuration options.

    • Created constants to guide the retrieval of parameters from environment variables.

    • Prioritized command-line parameters over environment variables to ensure consistency in configurations.

  • Add MAC_CONFIG_PATH Variable and Permissions Settings

    • Introduced a MAC_CONFIG_PATH variable pointing to the configuration file for enhanced readability.

    • Added explicit permission settings for directories and configuration files to bolster security.

  • Improved Reconnection Strategy

    • Modified the system to continue reconnection attempts if the WebSocket response code is 500 or greater. Reused reconnection code for HTTP status codes less than 500.

  • Websocket Client Updates

    • Modified the 'create_dispatcher' method to choose the correct dispatcher based on SSL configuration, addressing issues when connecting to routers without SSL.

  • Logging Improvements

    • Improve Error Messages

      • Continued refinement of error messages to enhance the user experience and enable more effective troubleshooting

    • Logging Configuration: Restricted the allowance of multiple configurations for logging to prevent conflicts and potential errors.

Keeper Gateway v1.2.3

Released on July 17, 2023

Improvements & Bug Fixes

  • Update Windows Service to Run Keeper Gateway CLI in Background Thread and Actions in a Process Pool

    • Implemented queues and loggers for the CLI thread to streamline operations.

    • Added an optional output to queue for the CLI thread, increasing flexibility.

    • Made modifications to stop messages and prompt command updates.

    • Introduced the CLI thread runner for better management of operations.

    • Enabled the Windows service to use the CLI thread runner, providing better integration and functionality.

    • Adjusted the system to use the Windows service thread for PyInstaller, enhancing compatibility.

    • Integrated the use of a process pool executor for gateway actions to improve performance and responsiveness.

    • Enabled Keeper Gateway command line and service to use a single binary, simplifying the system and reducing potential issues

  • Improved Error Messages

    • Prevented display of raw exception messages by creating a global method to handle exceptions for AWS & Azure

    • For databases, a global exception handler was created and refined to handle different database engines

    • Updated the "retype" prompts to be less specific to account for differences based on Linux OS versions or the service the password is being changed within

    • Exception messages for Linux/macOS password interaction were modified.

Keeper Gateway v1.2.2

Released on July 12, 2023

Improvements & Bug Fixes

  • Reduced Password Rotation time by preventing Database & Directory Rotations from gathering information on local connection

    • Improved efficiency by shifting the IP address collection process from the gateway to the connection as part of the existing setup

    • Implemented lazy loading of the gateway record which requires the IP addresses. If the connection settings are not cached, a local connection will be established and the connection setting cache will be filled.

    • Overrode the password property to allow for lazy loading if the password has not been loaded yet. If a connection requests the gateway password and the gateway record has not been loaded, it will load it and then return the password from the record.

    • Local connections will now check if the gateway has cached connection settings. If it does, it will set those values in the connection. If not, the connection will proceed with the standard setup, copying the connection settings into the gateway upon completion.

    • If the local connection's password is blank, the connection will retrieve the password from the gateway.

Keeper Gateway v1.2.1

Released on July 10, 2023

Improvements & Bug Fixes

  • Local Connections Settings are now cached

    • Better management of connection details (shell path, shell type, sudo password requirements, etc.) to better associate PAM records and their associated gateways

  • Optimization & necessary refactoring of code to reduce API calls

  • General Improvements

    • Escaped the '{' character for macOS 'su' expect script due to it being a special character in expect.

    • Added 'echo' before getting the user list in macOS to avoid output pre-pending issues.

    • Fixed finding Linux shell if the SHELL environment variable is not set.

    • Changed Azure integration tests to provision Python in the Azure Instance Extension.

    • Addressed issues in Azure tests related to creating AD users via the provisioning script. AD Admin doesn't have privileges on the local machine to change local user passwords.

    • Resolved a problem where the Linux subprocess didn't like the 'type' command, now attempts 'which' first and then 'type'.


Keeper Gateway v1.1.0

Released on June 6th, 2023

Update Windows Installer

  • Updated the Windows installer to incorporate service account support and introduced new options to reset permissions and assign user access IDs.

  • Enhanced file and config permissions handling: included checks for additional users, verification of added permissions, and automated corrections for mismatching identities.

  • Improved command-line functionality: added the "create-config-dir" command, adjusted 'fix-config' and log permissions based on users without access.

  • Improved codebase: refactored the permissions setting code, moved Windows utility functions and constants to 'utils.windows', and created 'utils.posix' for managing posix permissions.

  • Installer enhancements: included 'waituntilterminated' option for inno-setup commands, added a prompt for service uninstall before new installation on Windows, and handled older Python compatibility by removing type from dataclass.

  • Debugging and logging: provided a way to show subprocess command and output, improved subprocess command logging, and ensured logging includes any file permission checks.

  • Account handling: validated service account and created 'service-account.txt' for storing service account details.

MariaDB Connector C Build

  • Enhanced MariaDB Connector C build process across macOS, Linux, and Windows.

  • macOS: Utilized Homebrew for installation of mariadb-connector-c.

  • Linux: Required the Python module cmake for cloning and building the mariadb-connector-c repo, specifically version 3.3.

  • Windows: No changes required, the existing setup works smoothly.

NTLM and Kerberos Support for WinRM & DR-379 - MariaDB Modules

  • Added Kerberos and NTLM support for Windows Remote Management (WinRM), with automatic usage of Kerberos if the user format meets certain conditions. Also included a custom field to override automatic usage based on issues.

  • Included libkrb5-dev and libmariadb-dev as dependencies for Kerberos and MariaDB modules respectively.

  • Introduced host mapping for providers, enabling the use of aliases for hostnames or IPs, particularly useful for Kerberos in Discovery.

  • Enhanced the SSH socket connection test to validate system availability on the desired port.

  • Improved the unit test suite for Kerberos authentication, including the creation of a WinRM instance that joins a domain.

  • Modified the logging mechanism to include Process ID (PID) in log messages for better process-message association.

  • Added MariaDB in requirements.txt to resolve utf-8 encoding issue in Windows.

Additional Shell Support

  • Expanded shell support to include BASH, ZSH, ASH, Dash, CSH, KSH, TCSH, and Fish, improving compatibility across different systems and preventing command history logging.

  • Implemented a feature that handles password changes requiring repeated new/re-enter password prompts, particularly useful for Linux boxes joined to OpenLDAP servers and using Linux PAM.

  • Replaced hardcoded text values in the code with Enum constants, improving code readability and maintenance.

Improvements to Local Machine Password Rotation

  • Fixed an issue where a PowerShell instance remained open after a local machine password rotation was completed. Adjustments have been made to ensure that connections close appropriately once done.

  • Enhanced the logging feature by including the Process ID (PID) of each spawned PowerShell. This allows for easier debugging, making it possible to match any lingering PowerShell instances to the PIDs in the log.

  • Updated the testing suite to include the PID in local connection responses, further improving traceability and troubleshooting capabilities.

Region and Resource Group Handling Refactoring

  • Refactored the handling of AWS region names and Azure resource groups, ensuring consistent behavior and improved reliability.

  • Now, if the region name (or resource groups) is in an unknown state or not of the expected string or list type, it is set to an empty array.

  • Additionally, unit tests were added to validate these conditions, and existing unit tests were reorganized for better readability.

Keeper Gateway v1.0.0

Keeper Gateway v1.0.0 is the first official release of the Keeper Gateway.

The Keeper Gateway is a lightweight service that is installed on any Windows, Linux or macOS machine in order to execute rotation, discovery and connection tasks.

For installation steps and more information on the Keeper Gateway, visit: