Keeper Connection Manager
Self-hosted remote access gateway.
KCM Version 2.19.3
Released on Feb 28, 2025
Bug Fixes
KCM-418: SSH connections to RHEL machines in FIPS mode fail
KCM-423: Session recording playback throws errors based on specific content
KCM-420: RBI autofill domain name maching fails for single-word domains (e.g. http://ldapadmin)
KCM-424: PostgreSQL sessions crash when typing "\c" command
Improvements
KCM-422: Update to the latest Keeper Secrets Manager SDK for compatibility with new record types.
KCM Version 2.19.2
Released on December 7, 2024
TOTP autofill support for RBI
In addition to autofill support of usernames and passwords, RBI can now autofill TOTP codes. The field that should receive the TOTP code must be declared in the autofill rules with a totp-code-field property:
Property Name
Description
totp-code-field
A CSS selector or XPath expression that matches the unique DOM element of the input field that should receive the current TOTP code.
If using XPath, the expression must start with a leading slash to clearly differentiate XPath from CSS.
For RBI to be able to generate TOTP codes, the TOTP secret must be provided ahead of time, along with any required details like the hash algorithm and the number of digits in each generated code:
Two-Factor Code Algorithm
totp-algorithm
SHA1
The hash algorithm that should be used to generate TOTP codes. Possible values are SHA1, SHA256, and SHA512.
Digits in Two-Factor Code
totp-digits
6
The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8.
Two-Factor Code Period (Seconds)
totp-period
30
The duration that each generated code should remain valid, in seconds.
Two-Factor Code Secret
totp-secret
N/A
The secret key that should be used to generate TOTP codes. This key will be unique to each user of the destination website and can be pulled dynamically from KSM using parameter tokens (see below).
Additional ${*_TOTP_SECRET} tokens are provided to allow the TOTP secret to be dynamically retrieved from the Keeper Vault using KSM. For example, to pull the TOTP code for the user account associated with an RBI connection, you would use the ${KEEPER_USER_TOTP_SECRET} parameter token.
Parameter Token
Description
${KEEPER_SERVER_TOTP_SECRET}
Retrieves: The TOTP secret associated with the record.
Matches: Record with hostname / IP address matching the value of the hostname / IP address in the “url” connection parameter.
${KEEPER_USER_TOTP_SECRET}
Retrieves: The TOTP secret associated with the record.
Matches: Record with login matching the “username” connection parameter
The following tokens are technically also defined, but do not currently have any practical use (there is no TOTP code generation needed for RDP):
Parameter Token
Description
${KEEPER_GATEWAY_TOTP_SECRET}
Retrieves: The TOTP secret associated with the record.
Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.
${KEEPER_GATEWAY_USER_TOTP_SECRET}
Retrieves: The TOTP secret associated with the record.
Matches: Record with login matching the “gateway-username” connection parameter.
Migration from Duo v2 to v4
The migration to Duo Web SDK v4 is incompatible with v2. If a customer has been using KCM with v2 despite Duo ending support for that version (through asking Duo to allow them to do so), they will need to:
Update their settings within Duo to use v4 (“Universal Prompt”) instead of v2 (“Legacy”).
Edit their KCM configuration to use the new properties/variables and their corresponding values from their Duo account (see below).
Any customer that has been using v2 and cannot yet change their settings to migrate to v4 will need to continue using KCM 2.19.0 or older until they can migrate.
Duo ceased supporting v2 of their “Web SDK” in favor of v4 (also known as the Duo “Universal Prompt”) some time ago, maintaining availability of v2 only for customers that require and request this. KCM has now been updated to use this new version. Duo’s Web SDK v4 is incompatible with v2 and uses different configuration options:
Property Name
Environment Variable
Description
duo-api-hostname
DUO_API_HOSTNAME
REQUIRED. The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
duo-auth-timeout
DUO_AUTH_TIMEOUT
The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.
duo-client-id
DUO_CLIENT_ID
REQUIRED. The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
duo-client-secret
DUO_CLIENT_SECRET
REQUIRED. The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
duo-redirect-uri
DUO_REDIRECT_URI
REQUIRED. The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM.
The duo-application-key, duo-integration-key, and duo-secret-key properties (and the DUO_APPLICATION_KEY, DUO_INTEGRATION_KEY, and DUO_SECRET_KEY variables) are specific to v2 of Duo’s Web SDK and no longer have any effect.
Verbose mode for KCM install script (kcm-setup.run)
kcm-setup.run)This new debug/verbose mode for the KCM install script is mainly of use for obtaining debugging information that the KCM development team can use to troubleshoot customer issues that otherwise have no explanation. It’s unlikely that this variable will be useful to customers outside that context and the sheer verbosity resulting from using it might cause confusion.
The kcm-setup.run script now supports a KCM_SETUP_DEBUG environment variable that causes the script to run in verbose mode, printing out all commands run and all output from those commands. This debug output can be sent directly to the terminal or to a file depending on the value of KCM_SETUP_DEBUG.
export KCM_SETUP_DEBUG=/path/to/file
sudo -E ./kcm-setup.runKCM Version 2.19.0
Released June 27th, 2024
New Features
KCM-164: Remote Browser Isolation Protocol See documentation here
KCM-345: Enforcement of KCM license keys
Important License Changes
As part of the upgrade to KCM 2.19, customers will now be required to obtain a license key from Keeper in order to continue the use of Keeper Connection Manager (KCM). Without a valid license key, users and admins will be unable to use KCM after the update is applied.
This is a new process and the appropriate steps to maintain access to KCM are outlined below.
To obtain a license key, please contact Keeper Support directly at: https://www.keepersecurity.com/support.html
Upon request, Keeper will generate and send a copy of your license key.
To configure KCM with your license key, follow the steps below:
As with all Keeper Connection Manager upgrades, ensure that you back up your database and docker-compose.yml file prior to the update.
https://docs.keeper.io/en/v/keeper-connection-manager/installation/backup-and-recovery
KCM Version 2.18.3
Released April 13th, 2024
This latest release updates to Keeper's latest GPG signing key (relevant only to RPM-based installs), updates to the latest compatible versions of all dependencies, and addresses the following issues.
Bug Fixes
KCM-332: Incorrect timeout behavior while RDP connections are waiting for the user to enter their credentials.
KCM-309: Confusing prompt wording in
kcm-setup.runregarding the customer's KCM server's domain, which is not necessarily a public-facing FQDN under all circumstances.KCM-339: Incorrect handling of the
(attribute)suffix when importing connections from CSV.KCM-341: An "Unable to create injector" error that prevents the "Encrypted JSON Authentication" extension from loading, regardless of how it has been configured.
KCM Version 2.18.2
Released February 9th, 2024
KCM Version 2.18.1
Released February 2nd, 2024
Bug Fixes
Resolved regression issues in release 2.18.0
KCM-295: Keeper Favicon Display causing improper rendering causing white dots to be viewable
KCM-298: SSH connections were interrupted when changing font in the menu
KCM-316: Eliminated a race condition when configuring RDP with SFTP that cause the connection to fail
KCM-294: Incorrectly set Connection user concurrency limit to 1 by default
KCM Version 2.18.0
Released on November 21, 2023
New Features
Histograms on session recordings
KCM session recordings now display a histogram that shows the relative levels of activity within different parts of the recordings
Histogram displays the following levels of activities:
Visible events such as when the screen changes
keyboard events - user interactions with the keyboard
More info here
KCM Version 2.17.0
Released on August 1st, 2023
New Features
Key Events in KCM Session Records can now be viewed within KCM’s session recording player
More info here
KCM's terminal emulator now supports Mac-style keyboard shortcuts
The terminal emulator used by KCM for text-based protocols like SSH has historically used only Ctrl+Shift+V as the shortcut for pasting clipboard contents using the keyboard. The terminal emulator now additionally supports Cmd+V for ease of use on Macs, and will also ignore attempts to copy using Ctrl+Shift+C or Cmd+C (copying within the terminal emulator always happens automatically upon selecting text)
New Environment Variable:
SSL_EXTERNAL_PORTTo validate requests received from a SAML IdP, KCM needs to know the user-facing TCP port used to access KCM. If that port differs from the standard HTTPS port,
SSL_EXTERNAL_PORTcan be specified to inform KCM that the port is differentResolves issue where SAML extension does not work when KCM is configured to use a custom HTTPS port
Improvements & Bug Fixes
TOTP can now be used with SAML
SAML and TOTP historically could not be used together with KCM as both contain anti-replay defenses that would conflict with each other. These conflicts have been resolved such that both can be used at the same time without sacrificing the security provided by those anti-replay defenses.
KCM's Keeper Secret Manager Integration now supports reading private keys from PAM User Records
PAM User Record is a recently introduced PAM Record Type that is used in Keeper Rotation
KCM Version 2.16.1
Released on June 6th, 2023
Bug Fixes
Resolved an issue where a regression in KCM 2.16.0 caused the MySQL database connection to enforce SSL verifications that cannot succeed when using the Docker images.
KCM Version 2.16.0
Released on June 6th, 2023
Security Updates
Base version of Apache Guacamole updated to 1.5.2 from 1.3.0
KCM has been using Apache Guacamole 1.3.0 as its basis for some time now, backporting changes from upstream over time. With the latest upstream release being 1.5.2, we should bring our packages up-to-date with that release and remove any patches that are no longer necessary.
The upstream Apache Guacamole 1.5.2 release contains changes that address issues with security implications. The issues in question:
With this base version update, there are no implications for compatibility. Extensions that worked with previous versions of KCM should continue to work identically.
Dependency updates
The various C, Java, and JavaScript dependencies used by KCM are brought up-to-date with their latest available and compatible versions.
New Features
applycommand forkcm-setup.runThe
kcm-setup.runinstallation script now provides anapplycommand to more easily allow administrators to apply changes made todocker-compose.yml:./kcm-setup.run applyUnlike
upgrade, theapplycommand strictly applies changes made externally todocker-compose.ymland does not pull new images.The installation script has also been updated to use
depends_onwithin declared services to ensure thatstopneed not be run beforeupgradeorapplyare used. Administrators can simply run the command and rely on the script and Docker Compose to automatically stop/start services as needed.
Bug Fixes
Resolved Issue where Batch import does not support some unicode characters
KCM Version 2.15.1
Released on May 25, 2023
KCM Version 2.15.0
Released May 12, 2023
New Features
KCM now enables administrators to batch import connections via API or by uploading a CSV, JSON, or YAML file
Visit this doc for more info
KCM Version 2.14.0
Released April 14, 2023
New Features
A visual notification now appears in the upper-right corner of the UI to indicate when a user has joined a shared connection. This notification will remain visible to the original user for as long as there are other users on the connection. Hovering a cursor over the indicator, will reveal a tooltip showing the usernames of all other users and how many concurrent connections they have to the current shared connection.
Bug Fixes
Various minor bug fixes
Older Versions
Version history for Glyptodon before 2.8.0
All Glyptodon Enterprise 2.x releases are API-compatible with Apache Guacamole 1.1.0. Newer releases of Glyptodon Enterprise 2.x may gain compatibility with additional upstream releases of Apache Guacamole beyond 1.1.0 so long as doing so does not break existing compatibility. The most recent release of Glyptodon Enterprise 2.x is compatible with Apache Guacamole 1.3.0 and incorporates a number of improvements from the Apache Guacamole 1.4.0 release. The log entries here describe which changes have been made from the relevant upstream baseline, as well as any changes to the Glyptodon Enterprise repositories and packages.
Release Schedule / History
Version 2.7
Allow login with standard username/password when SSO is enabled (GLEN-328, GUACAMOLE-1364).
Automatically clear URL state upon clicking "Re-login" (GLEN-320, GUACAMOLE-680).
Update webapp dependencies to latest stable versions (GLEN-329, GUACAMOLE-773).
Update to latest release (9.0.56) of Apache Tomcat (GLEN-329).
Update to latest release (9.4.1) of SQL Server JDBC driver (GLEN-329).
Version 2.6
Migrate to header-based transmission of REST API authentication token (GLEN-324, GUACAMOLE-956).
Add support for authenticating against multiple LDAP servers (GLEN-323, GUACAMOLE-944, GUACAMOLE-957, GUACAMOLE-1130).
Update to latest release (9.0.55) of Apache Tomcat (GLEN-327).
Update to latest release (2.4.1) of FreeRDP (GLEN-327).
Update to latest release (1.10.0) of libssh2 (GLEN-327).
Update to latest release (4.3.0) of libwebsockets (GLEN-327).
Update to latest release (9.4.0) of SQL Server JDBC driver (GLEN-327).
Version 2.5
Add support for broadcasting input events across multiple tiled connections (GLEN-171, GUACAMOLE-724, GUACAMOLE-1204, GUACAMOLE-1381, GUACAMOLE-1383, GUACAMOLE-1398).
Add support for single sign-on using OpenID Connect (GLEN-133, GUACAMOLE-210, GUACAMOLE-680, GUACAMOLE-805).
Add support for single sign-on using SAML (GLEN-257, GUACAMOLE-103, GUACAMOLE-680).
Update webapp dependencies to latest stable versions (GLEN-301, GUACAMOLE-773, GUACAMOLE-1298, GUACAMOLE-1317).
Update to latest release (2.3.2) of FreeRDP (GLEN-301).
Update to latest release (4.2.1) of libwebsockets (GLEN-301).
Update to latest release (9.2.1) of SQL Server JDBC driver (GLEN-301).
Correct filtering of disconnected/failed connections displayed within the same view (GLEN-171, GUACAMOLE-1387).
Correct handling of RDP "AUDIO_INPUT" channel (GLEN-242, GUACAMOLE-1201, GUACAMOLE-1283).
Correct handling of RDP-specific resources when reconnecting to update display size (GLEN-171, GUACAMOLE-1388).
Correct sort order of connection history within connection edit screen (GLEN-304, GUACAMOLE-1366).
Create package for standalone Apache Guacamole deployment (GLEN-280).
Use MariaDB Connector/J driver where MySQL Connector/J is unavailable (GLEN-317, GUACAMOLE-1407).
Automatically enforce HTTP request size limits (GLEN-301, GUACAMOLE-1298).
Defer handling of "Meta" key until its identity is confirmed by the browser in context of the current set of pressed keys (GLEN-306, GUACAMOLE-1386).
Do not automatically reattempt authentication after logging out (GLEN-133, GLEN-257, GUACAMOLE-680).
Backport latest updates and improvements to translations (GLEN-303, GUACAMOLE-1160, GUACAMOLE-1207, GUACAMOLE-1265, GUACAMOLE-1291, GUACAMOLE-1337, GUACAMOLE-1339, GUACAMOLE-1355).
Migrate to now-upstreamed version of guacamole-auth-json (GLEN-301, GUACAMOLE-1218).
Version 2.4
Ensure unexpected failures during session expiration do not prevent other sessions from expiring (GLEN-278, GUACAMOLE-1299).
Add support for forcing use of lossless compression (GLEN-277, GUACAMOLE-1302).
Add support for pass-through of multi-touch events (GLEN-276, GUACAMOLE-1204).
Add package build for CentOS / RHEL 8 (GLEN-182).
Package support for integrating UDS Enterprise / OpenUDS (GLEN-279).
Version 2.3
This release of Glyptodon Enterprise is a hotfix for an incorrect build of the glyptodon-guacamole-auth-jdbc-sqlserver package which resulted in the SQL Server JDBC driver not loading during web application startup (see GLEN-275). Users of Glyptodon Enterprise that leverage SQL Server for their database should upgrade if they are having trouble as of the 2.2 release. Users that are not leveraging SQL Server will see no difference between 2.3 and 2.2.
Correct SQL Server driver symbolic link (GLEN-275).
Version 2.2
Update to upstream 1.3.0 release (GLEN-259)
Migrate to "/opt/glyptodon" base for installation (GLEN-261)
Adopt and rebuild against Glyptodon builds of core protocol support libraries (GLEN-261)
Update build to leverage libuuid instead of OSSP UUID (GLEN-261, GUACAMOLE-1254)
Correct memory errors related to FreeRDP upgrade (GLEN-261, GUACAMOLE-1191, GUACAMOLE-1259)
Version 2.1
Correct regressions due to FreeRDP 2.0.0 migration (GLEN-251, GUACAMOLE-1053, GUACAMOLE-1059, GUACAMOLE-1076)
Backport improved RDP keymap support (GLEN-252, GUACAMOLE-518, GUACAMOLE-859)
Version 2.0
Update core packaging to use 1.1.0 base version (GLEN-131)
Package support for TOTP authentication factor (GLEN-134, GUACAMOLE-96)
Package support for SQL Server authentication and required JDBC driver (GLEN-132, GUACAMOLE-363, GUACAMOLE-525)
Package support for attaching to Kubernetes pods (GLEN-181, GUACAMOLE-623)
Update documentation within guacamole.properties to reflect support for user groups (GLEN-184, GUACAMOLE-220)
Add interface for monitoring and switching between multiple simultaneous connections within the same tab (GLEN-169, GUACAMOLE-723, GUACAMOLE-822)
Add support for disabling clipboard copy/paste (GLEN-158, GUACAMOLE-381)
Correct handling of audio input under Chrome (GLEN-223, GUACAMOLE-732, GUACAMOLE-905)
Correct RDP support regressions due to migration to FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952, GUACAMOLE-962, GUACAMOLE-978, GUACAMOLE-979)
Add "Hyper-V / VMConnect" security mode option, allowing connections to Hyper-V to continue to work with FreeRDP 2.0.0 (GLEN-235, GUACAMOLE-952)
Ensure guacd has a writable home directory for the sake of FreeRDP, which requires a writable home directory as of 2.0.0 (GLEN-215)
Correct syntax of SQL Server history queries (GLEN-206, GUACAMOLE-870)
Provide feedback while user logins are in progress (GLEN-168, GUACAMOLE-742)
Automatically re-focus relevant fields after login failure (GLEN-220, GUACAMOLE-302)
Release pressed keys after login succeeds (GLEN-185, GUACAMOLE-817)
Add RDP keyboard mapping for German non-dead tilde key (GLEN-226, GUACAMOLE-917)
Add Belgian French keymap for RDP (GLEN-218, GUACAMOLE-901)
Add Czech translation (GLEN-222, GLEN-237, GUACAMOLE-781)
Add Hungarian keymap for RDP (GLEN-218, GUACAMOLE-837)
Add Japanese translation (GLEN-222, GUACAMOLE-821)
Add Latin American keymap for RDP (GLEN-218, GUACAMOLE-625)
Ensure SFTP directory listings cannot omit files (GLEN-230, GUACAMOLE-818)
Explicitly require Java 8, as Java 7 and older are no longer supported by Apache Guacamole since 1.0.0 (GLEN-131, GUACAMOLE-635)
Tolerate presence of port number within "X-Forwarded-For" headers (GLEN-231, GUACAMOLE-784)
Do not allow error strings to contain HTML (GLEN-229, GUACAMOLE-955)
Use correct interface for translatable errors from extensions (GLEN-241, GUACAMOLE-1007)
Correct REST API caching behavior for IE 11 (GLEN-167, GUACAMOLE-783)
Remove hard-coded application name and version from Spanish translation (GLEN-221, GUACAMOLE-740, GUACAMOLE-741)
Correct potential race condition in connection cleanup (GLEN-228, GUACAMOLE-958)
Correct attribute names declared within guacConfigGroup.schema (GLEN-232, GUACAMOLE-889)
Glyptodon Version 2.8.0
Released on Jan 31, 2022
Features and Improvements
PAM-16, PAM-5, PAM-18: New user interface with Keeper branding
PAM-15: Automatically trim trailing whitespace from guacamole.properties
PAM-6: Add SSH support for ECDSA and ED25519 keys
PAM-4: Add encrypted vault storage plugin for Keeper Secrets Manager
PAM-20: Migrate to Gitbook for documentation
Glyptodon Version 2.8.1
Released April 12, 2022
Features and Improvements
PRIV-59 Session recording playback in the UI
PRIV-60 Allow admins to reset users' TOTP state
PRIV-73 Updated FreeRDP packages to the latest release (2.6.1)
PRIV-50, PRIV-51 Hide dependencies version numbers shown in error messages
Highlight: In-Browser Session Playback
It is now possible to view graphic session recording right in the browser. Once a connection is setup for in-browser recording playback, past sessions can be replayed from the History tab.
Find more information and setup instructions in the docs: https://docs.keeper.io/glyptodon/using-glyptodon/session-recording#in-browser-session-recording-and-playback
KCM Version 2.9.0
Released on April 28, 2022
Version 2.9.0 introduces the world to Keeper Connection Manager.
Also, we are proud to announce support for MySQL connections. Easily add database connections to the Keeper Connection Manager platform to secure and protect MySQL databases. Session recording, privileged access management and secrets management capabilities apply to the MySQL connection type.
Features & Improvements
PRIV-80: Remove file upload limit from SSL termination image
PRIV-72: Allow installer to be run as an https stream
PRIV-79: Rebranding of Glyptodon installer to KCM
PRIV-67: Rebranding of Glyptodon UI to KCM
PRIV-81: Auto-generate secure credentials for "guacadmin" user
PRIV-63: Add support for MySQL connection types
PRIV-55: Disable legacy TLS protocols/ciphers by default
PRIV-56: Allow custom CSP and HSTS headers to be configured
KCM Version 2.9.3
Released on June 16, 2022
Features
PRIV-121: Amazon AWS EC2 discovery and auto-connect [Documentation]
PRIV-69: Support for Wayland server
PRIV-128: Support for ED25519 SSH Keys in Docker Version
PRIV-82: Ability to reconfigure the installation (for example MySQL to PostgreSQL) using the kcm-setup.run script.
PRIV-129: Enforce the parameter GUACAMOLE_ADMIN_PASSWORD to prevent "Default" password.
Bug Fixes
PRIV-137: Sharing Profiles not visible in the Admin UI
KCM Version 2.9.4
Released on August 6, 2022
Features
PRIV-149: Support for Domain parameter in Vault integration for Windows logins See: https://docs.keeper.io/keeper-connection-manager/vault-integration/dynamic-tokens#windows-username-domain-parsing
PRIV-74: Added small margin to SSH connection windows
PRIV-165: Accept a one-time token for UI-based KSM configuration
PRIV-108: Added support for multiple KSM applications (at the Connection Group Level)
PRIV-157: Added support for custom LDAP Root Certificate
PRIV-160: Added support for signed SAML requests
Bug Fixes
PRIV-161: Kubernetes support missing from guacd Docker image
PRIV-168: Add "X-Content-Type-Options" header to SSL termination Docker image
PRIV-173: Update kcm-setup.run to support Amazon Linux 2
PRIV-174: Private key authentication fails for VNC with SFTP file transfer option
PRIV-175: Default CSP ruleset for NGINX image is broken on Safari browsers
KCM Version 2.9.6
Released September 19, 2022
Features
PRIV-184: Updated login screen to say "username" instead of "Email"
PRIV-40: Added brute-force login protection when multiple incorrect login attempts are attempted based on IP address. See: https://docs.keeper.io/keeper-connection-manager/using-keeper-connection-manager/login-screen#login-attempt-limits
PRIV-172: Improved FIPS mode support. see https://docs.keeper.io/keeper-connection-manager/security#fips-140-2-validated
PRIV-109: Added support for Active Directory domain with KSM records that control RDP connections
KCM Version 2.10.0
Released on Nov 25, 2022
Features
Support for Running KCM on ARM
Per-user KSM Vaults
KSM Support for Cloud Connector (EC2)
Support for Running KCM on ARM
PRIV-130: The RPMs and Docker images (including kcm-setup.run) now support ARM in addition to x86_64. This doesn't change how anything behaves except that we now support installation on ARM.
Per-user KSM Vaults
PRIV-170: If enabled, users are able to register their own KSM vault within KCM using the “Preferences” tab in the “Settings” screen. That vault will then be used for any connections that the administrator configures to accept user-provided secrets.
This capability is disabled by default. Enabling this capability requires both of the following:
Setting the
ksm-allow-user-configproperty inguacamole.properties(or theKSM_ALLOW_USER_CONFIGenvironment variable for thekeeper/guacamoleDocker image).Enabling use of user vaults on any connections that shouldn’t use only the administrator-configured vaults (check the “Allow user-provided KSM configuration“ box for the connections in question).
NOTE: By “administrator-configured vaults”, we mean only those vaults that are purely controlled by administrators: the system-wide vault configured in guacamole.properties and any vaults configured via connection groups.
This was implemented this way because doing otherwise would have security implications. Unless the administrator can also dictate which exact connections should receive credentials from user vaults, allowing users to provide their own vaults would allow those same users to control any connection parameters that use values from KSM. Depending on which connection parameters use KSM tokens, inadvertently allowing a user to control the values of parameters could have profound security implications. For example:
If the user can control part of the path used for the RDP drive, they will be able to read arbitrary files on the server.
If the user can control authentication parameters, they can control which credentials are used to connect, perhaps bypassing the intent of the admin.
If the user can control the hostname or port, they can connect wherever they like with the credentials associated with the connection, again bypassing the intent of the admin.
KSM Support for Cloud Connector (EC2)
PRIV-163: SSH keys and Windows passwords from KSM for machines can now be retrieved for AWS EC2 by the KCM Cloud Connector. This is in addition to the existing support for retrieving SSH keys from the filesystem (beneath /etc/guacamole/cloud-connector-secrets).
Similar to the overall KSM integration, the KSM configuration relevant to AWS must be configured with the aws-discovery-ksm-config property (or the AWS_DISCOVERY_KSM_CONFIG environment variable for Docker).
Relevant records are identified by:
An "Instance" field that exactly matches the instance ID (if there is only one such record).
Some variation in the field naming is tolerated: the field may optionally start with “AWS”, “EC2”, or “Amazon”, may optionally end with “ID”, and is case-insensitive.
An attachment that exactly matches the key name of the instance plus ".pem" (if there is only one such record).
A hostname/address field (such as that provided by the “SSH Key” record type) that exactly matches the private IP address of the EC2 instance.
If the SSH key exists on the filesystem, it will always be used in favor of querying KSM.
KCM Version 2.11.0
Released January 12, 2023
Features
KCM-155: Add support for interacting directly with SQL Server databases [Details]
KCM-152: Add support for interacting directly with PostgresSQL databases [Details]
Improvements
KCM-201: Optimizations to access time limits on active windows sessions
KCM-198: Added "version" command to verify currently installed versions of KCM
KCM-195: Optimized the frequency of KSM API calls used when integrated with KCM
KCM-205: Increased security of locally cached auth token
Bug Fixes
Various minor bug fixes
KCM Version 2.12.0
Released January 27, 2023
Features & Improvements
KCM-83: The kcm-setup.run script now allows administrators to directly configure their deployment to use KSM for retrieval of secrets, rather than requiring manual editing of docker-compose.yml after installation. Additional prompts are presented that allow the administrator to provide a KSM one-time token or a base64-encoded KSM configuration during setup.
KCM-226: The keeper/guacamole-ssl-nginx image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE environment variable. A user will only be able to connect to NGINX using their browser if their browser has access to a private key that is signed by this certificate.
This variable is similar to the CERTIFICATE_FILE environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.
Additional environment variables are also available to tweak SSL/TLS auth behavior further:
Variable
Description
Default Value
ADDITIONAL_PROXY_CONFIG
Arbitrary, additional NGINX configuration statements that should be included within the location block that configures NGINX to proxy Guacamole.
SSL_VERIFY_CLIENT
Controls how and whether NGINX requires and verifies the certificate presented by the client (browser), as provided by NGINX ssl_verify_client directive.
on
SSL_VERIFY_DEPTH
Controls how deep NGINX will follow through the client’s certificate chain when attempting to validate their certificate, as provided by NGINX ssl_verify_depth directive.
1
KCM-227: Multiple Hostnames/Configurations for SSL Termination
The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
SELF_SIGNED: "Y"
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SSL_HOSTNAME: "example.net"As KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).
The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
SELF_SIGNED: "Y"
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SERVERS: |
- SSL_HOSTNAME: "example.net"
- SSL_HOSTNAME: "*.example.net"The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.
A more complex example:
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SERVERS: |
- SSL_HOSTNAME: "example.net"
LETSENCRYPT_ACCEPT_TOS: "Y"
LETSENCRYPT_EMAIL=your.email@example.net
- SSL_HOSTNAME: "*.example.net"
SELF_SIGNED: "Y"The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.
IMPORTANT: The value of SERVERS must be a string, hence the | symbol within the above examples. If this symbol is omitted, then the YAML that follows is parsed as an object, and validation of the docker-compose.yml will fail, as all Docker environment variables must be strings.
Bug Fixes
KCM-223: When joining a shared connection, the joining client appears to hang (does not receive a copy of the current display) until something changes graphically within the session.
KCM-213: When changing the User Time Zone setting to a specific time zone and then going back to clear that time zone, it doesn’t clear the time zone but instead changes it back to the time zone that was set previously.
KCM Version 2.13.0
Released March 24, 2023
New Features
KSM now supports CAC/PIV authentication
For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/piv-cac
KSM now enables administrators to approve/deny user's ability to authenticate with KSM using SSO
For more information, visit: https://docs.keeper.io/keeper-connection-manager/authentication/account-approve-deny-workflow
Improvements
SAML can now be configured automatically with
kcm-setup.runRather than manually editing the
docker-compose.ymlfile post installation, administrators can now directly configure their deployment to use SAML for SSO with thekcm-setup.runscript
The
extension-priorityproperty may now be configured with theEXTENSION_PRIORITYenvironment variable.Users no longer need use the catch-all
ADDITIONAL_GUACAMOLE_PROPERTIESenvironment variable to set this.