Released on November 18, 2023
GovCloud Compatibility: This version of the Keeper Gateway ensures full compatibility with GovCloud customers requiring EC encryption.
Custom Fields for advanced Gateway Configurations: shell, Private Key Rotate. Read more here.
Expanded Private Key Beyond RSA Format
Additional Key Support: Besides the previously supported RSA private keys, added support for ed25519, ecdsa, and dss private keys, aligning with the algorithms supported by ssh-keygen.
Key Rotation: Private key rotation now uses the algorithm and bit size of the current key for generating a new one. A custom text field "Private Key Type" is introduced to specify a desired algorithm.
Private Key Rotation Control: Added a custom field "Private Key Rotate" that lets users control if the private key should be rotated.
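The two rotation items above (regenerate with the current key's algorithm and bit size unless "Private Key Type" overrides it, and skip entirely when "Private Key Rotate" says so) can be shown end to end. The following is an added example, not Keeper Gateway code: it parses the OpenSSH public key that belongs to the key being rotated, recovers its algorithm and size from the RFC 4251 wire format, and builds the `ssh-keygen` invocation that would produce a like-for-like replacement. Assumptions: the custom-field values arrive as plain strings, "Private Key Rotate" is read as off for "false", "no" or "0", and when "Private Key Type" overrides the algorithm the new key gets ssh-keygen's default size for that type. The sample public keys are constructed fixtures with dummy key material, not real keys.

```python
"""Plan a like-for-like SSH private key rotation (added example, not Keeper code)."""
import base64
import shlex
import struct

# OpenSSH key-type identifier -> value for `ssh-keygen -t`
_KEYGEN_TYPE = {
    "ssh-rsa": "rsa",
    "ssh-dss": "dsa",
    "ssh-ed25519": "ed25519",
    "ecdsa-sha2-nistp256": "ecdsa",
    "ecdsa-sha2-nistp384": "ecdsa",
    "ecdsa-sha2-nistp521": "ecdsa",
}


def _read_string(blob: bytes, pos: int):
    """Read one RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    start = pos + 4
    return blob[start:start + length], start + length


def parse_openssh_public_key(line: str):
    """Return (key_type, bits) for a line in id_*.pub / authorized_keys format."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    raw_type, pos = _read_string(blob, 0)
    key_type = raw_type.decode()
    if key_type not in _KEYGEN_TYPE:
        raise ValueError(f"unsupported key type {key_type}")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)            # public exponent (mpint)
        n, _ = _read_string(blob, pos)               # modulus (mpint): its width is the key size
        bits = int.from_bytes(n, "big", signed=True).bit_length()
    elif key_type == "ssh-dss":
        p, _ = _read_string(blob, pos)               # prime p sets the DSA key size
        bits = int.from_bytes(p, "big", signed=True).bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256                                   # fixed-size curve
    else:
        curve, _ = _read_string(blob, pos)           # e.g. b"nistp384"
        bits = int(curve.decode()[len("nistp"):])
    return key_type, bits


def _is_false(value) -> bool:
    # Assumed interpretation of the "Private Key Rotate" custom field.
    return str(value).strip().lower() in ("false", "no", "0")


def plan_key_rotation(current_pub_line: str, out_path: str,
                      rotate_field=None, key_type_field=None):
    """Return the ssh-keygen argv for the replacement key, or None if rotation is off."""
    if rotate_field is not None and _is_false(rotate_field):
        return None
    key_type, bits = parse_openssh_public_key(current_pub_line)
    argv = ["ssh-keygen", "-t"]
    if key_type_field:
        # "Private Key Type" override: let ssh-keygen choose its default size for that type.
        argv.append(str(key_type_field).strip().lower())
    else:
        argv += [_KEYGEN_TYPE[key_type], "-b", str(bits)]   # same algorithm, same size
    argv += ["-N", "", "-q", "-f", out_path]                 # no passphrase, quiet, output path
    return argv


# --- constructed fixtures: valid framing, dummy key material (NOT real keys) ---
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _pub_line(key_type: str, *parts: bytes) -> str:
    blob = _ssh_string(key_type.encode()) + b"".join(parts)
    return f"{key_type} {base64.b64encode(blob).decode()} example@host"


SAMPLE_RSA_2048 = _pub_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 0x1234567))
SAMPLE_ED25519 = _pub_line("ssh-ed25519", _ssh_string(b"\x11" * 32))
SAMPLE_ECDSA_384 = _pub_line("ecdsa-sha2-nistp384", _ssh_string(b"nistp384"),
                             _ssh_string(b"\x04" + b"\x22" * 96))

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_2048, SAMPLE_ED25519, SAMPLE_ECDSA_384):
        print(parse_openssh_public_key(sample), shlex.join(plan_key_rotation(sample, "/tmp/id_new")))
    print(plan_key_rotation(SAMPLE_RSA_2048, "/tmp/id_new", rotate_field="false"))
```

The parser reads only the public half, which is all that is needed to learn the algorithm and size; the private key never has to be loaded to decide how its successor is generated. For DSA, ssh-keygen only accepts 1024 bits, which is what a parsed legacy key will yield anyway.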
Added Virtual Resource for the NOOP Operator
There was an issue where, if the admin credential was not set and the NOOP flag was set to TRUE, the resource UID was set to None/blank, breaking the resource hierarchy and potentially leading to provider misidentification. To resolve this, a virtual resource is now generated instead.
Minor bug fixes and improvements
The Keeper Gateway is a lightweight service that is installed on any Windows, Linux or macOS machine in order to execute rotation, discovery and connection tasks. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. For example, to rotate Active Directory accounts, the Gateway can be installed on any machine which can communicate to AD.
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. The Gateway uses Keeper Secrets Manager APIs to communicate with the Keeper cloud. A full description of the security architecture can be found here.
For installation steps and more information on the Keeper Gateway, visit this page.
Refer to the navigation to the left for the release notes
How to install the Preview version of the Keeper Gateway
Keeper maintains a "Preview" channel release of the Keeper Gateway. Customers are welcome to install the Preview version which is published a few days ahead of full public release.
To install the preview version of the Keeper Gateway on MacOS or Linux, invoke the following command:
To install the preview version of the Keeper Gateway on Windows, download the installer from the following page:
https://keepersecurity.com/pam/beta/keeper-gateway_windows_x86.exe
For a list of all the URLs to the latest preview release on the various operating systems, visit the following page.
Released on September 17, 2023
Custom Fields for advanced Gateway Configurations: NOOP, shell, Kerberos. Read more here.
Custom Field for better record management in post-rotation: Records Control
Added command length verification
Command Length Limitation: Added checks to ensure that commands in post-rotation do not exceed the byte limit specific to the shell (e.g., 8192 bytes for Windows CMD).
Fixed issue where the user parameter was not being set in the Base64 encoded JSON object for Post Rotation Scripts
Eliminated the redundant user parameter from the _generate_params function, as it is already available in the object.
Fixed Illegal Characters for Oracle
Added @ to the list of illegal characters to meet Oracle's input requirements. Other characters such as single quotes were also added for SQL safety.
Fixed Gateway Permission Settings for Non-English Windows
Modified permission settings logic to work correctly on Windows systems using languages other than English.
Fixed Windows Shell Detection
Delayed setting the command prompt until after the shell type is definitively determined, fixing issues when the shell is not PowerShell.
Improved handling of Shell Responses
Stream Handling: Improved the response stream handling for slow systems on Linux and macOS by waiting for a known prompt.
Character Stream Cleanup: Added several clean-up steps to the character stream to remove extraneous characters and control codes.
Updated Gateway Logs to include Post Rotation Script Output when Debug flag is set
Debug Block: A new debug block that logs details of the script, its success status, and STDOUT/STDERR.
Secret Redaction: Ensured that secret or sensitive information is redacted from the logs.
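The post-rotation script items in this release (the Base64 encoded JSON parameter object that must carry the user, the per-shell command length check, and the debug block whose STDOUT/STDERR must have secrets redacted) fit together in one flow. The following is an added example, not Keeper Gateway code. It assumes the script is invoked as `<script> <base64 JSON>` and that the JSON carries the rotated account's `user` and `password`; the 8192-byte cmd.exe figure is the one quoted above, the other shell limits and the field names are assumptions, and the sample stdout is constructed.

```python
"""Post-rotation script: parameter encoding, length check, redacted debug log (added example)."""
import base64
import json

SHELL_BYTE_LIMITS = {
    "cmd": 8192,          # figure from the release notes
    "powershell": 32767,  # assumed: Win32 command-line limit
    "bash": 131072,       # assumed: single-argument limit on typical Linux builds
}
REDACTED = "[REDACTED]"


def encode_params(params: dict) -> str:
    """Serialize the post-rotation parameters as Base64 JSON (assumed convention)."""
    return base64.b64encode(json.dumps(params, separators=(",", ":")).encode()).decode()


def build_command(script: str, params: dict) -> str:
    """Command line handed to the shell; the user must be present in the object."""
    if "user" not in params:
        raise ValueError("post-rotation params must include the rotated user")
    return f"{script} {encode_params(params)}"


def check_command_length(shell: str, command: str) -> int:
    """Return the command size in bytes, or raise if the target shell cannot accept it."""
    limit = SHELL_BYTE_LIMITS[shell]
    size = len(command.encode("utf-8"))   # bytes, not characters: non-ASCII inflates the count
    if size > limit:
        raise ValueError(f"command is {size} bytes; {shell} limit is {limit}")
    return size


def redact(text: str, secrets) -> str:
    """Blank out every secret value, longest first so no fragment of one survives."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


def debug_block(shell: str, script: str, params: dict, returncode: int,
                stdout: str, stderr: str, secret_keys=("password", "old_password")) -> dict:
    """What a debug-level log entry may contain: the command, its status and its
    output, with both the raw secrets and the Base64 blob that encodes them removed."""
    command = build_command(script, params)
    check_command_length(shell, command)
    # The Base64 parameter blob is itself a secret: it decodes to the new password.
    secrets = {params.get(k) for k in secret_keys} | {encode_params(params)}
    return {
        "command": redact(command, secrets),
        "success": returncode == 0,
        "stdout": redact(stdout, secrets),
        "stderr": redact(stderr, secrets),
    }


if __name__ == "__main__":
    # Constructed sample run, not output from a real gateway.
    params = {"user": "svc_app", "password": "Hunter2!"}
    print(debug_block("cmd", "C:\\scripts\\post.cmd", params, 0,
                      "Updated svc_app with Hunter2!\n", ""))
```

Redacting only the plaintext password is not enough here: the command line carries the same value Base64 encoded, so the blob must be treated as a secret too, which is why the debug block removes it from the logged command.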
Released on July 17, 2023
Implemented queues and loggers for the CLI thread to streamline operations.
Added an optional output to queue for the CLI thread, increasing flexibility.
Made modifications to stop messages and prompt command updates.
Introduced the CLI thread runner for better management of operations.
Enabled the Windows service to use the CLI thread runner, providing better integration and functionality.
Adjusted the system to use the Windows service thread for PyInstaller, enhancing compatibility.
Integrated the use of a process pool executor for gateway actions to improve performance and responsiveness.
Enabled Keeper Gateway command line and service to use a single binary, simplifying the system and reducing potential issues
Improved Error Messages
Prevented display of raw exception messages by creating a global method to handle exceptions for AWS & Azure
For databases, a global exception handler was created and refined to handle different database engines
Updated the "retype" prompts to be less specific to account for differences based on Linux OS versions or the service the password is being changed within
Exception messages for Linux/macOS password interaction were modified.
Released on September 1, 2023
Gateway Configuration with an AWS EC2 Instance
An IAM Role Policy can be created and assigned to an EC2 Instance in order to provide the Keeper Gateway service with the required permissions to retrieve the necessary configuration from the AWS Key Management Service (KMS). This method eliminates the need for storing a configuration file on the disk, and instead, stores the configuration file in your AWS KMS.
Updates to handle Non-UTF8 Encoding
Added functionality to ignore bad characters during decoding, addressing potential encoding mismatches, especially with Windows.
Removed the AD Organizational Unit (OU) Check
Removed the OU check feature as it was not performing as expected.
Handle Nologin User Shell
Implemented measures to detect and handle instances with a /sbin/nologin shell or false, searching for a supported shell instead.
Enforced the overriding of the SHELL variable in the spawned shell to prevent inconsistencies.
Clean Up Rotation Action Processes, Use Environment Variable Options
Moved log configuration to process initializer for better control.
Excluded process information in job debug messages temporarily.
Added the ability to obtain command-line parameters from environment variables, providing more flexible configuration options.
Created constants to guide the retrieval of parameters from environment variables.
Prioritized command-line parameters over environment variables to ensure consistency in configurations.
Add MAC_CONFIG_PATH Variable and Permissions Settings
Introduced a MAC_CONFIG_PATH variable pointing to the configuration file for enhanced readability.
Added explicit permission settings for directories and configuration files to bolster security.
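The two items above (command-line parameters winning over environment variables, and explicit permissions on the configuration directory and file) matter because the configuration is what lets the Gateway reach Keeper Secrets Manager, so a world-readable copy undermines the zero-knowledge model. The following is an added example, not Keeper Gateway code, of how a service can resolve its config path with that precedence, create the directory and file restrictively from the outset, audit them for loosened modes and repair them (the kind of check the June 6 notes below describe as permission verification and correction). The variable name `GATEWAY_CONFIG_PATH`, the default location, and the 0700/0600 modes are assumptions; `demo()` works in a temporary directory so it runs offline.

```python
"""Config path precedence and config-file permission hardening (added example, POSIX)."""
import os
import stat
import tempfile
from pathlib import Path

ENV_CONFIG_PATH = "GATEWAY_CONFIG_PATH"                          # assumed variable name
DEFAULT_CONFIG_PATH = Path.home() / ".keeper" / "gateway-config.json"   # assumed default
DIR_MODE = 0o700    # owner-only directory
FILE_MODE = 0o600   # owner read/write only


def resolve_config_path(cli_value=None, env=None) -> Path:
    """Command-line flag beats environment variable beats built-in default."""
    env = os.environ if env is None else env
    value = cli_value or env.get(ENV_CONFIG_PATH)
    return Path(value).expanduser() if value else DEFAULT_CONFIG_PATH


def audit_config(path: Path):
    """Return (path, actual_mode, expected_mode) for the dir or file if either is too open."""
    problems = []
    for target, expected in ((path.parent, DIR_MODE), (path, FILE_MODE)):
        if not target.exists():
            continue
        actual = stat.S_IMODE(target.stat().st_mode)
        if actual & ~expected:          # any group/other bit set is a leak
            problems.append((str(target), actual, expected))
    return problems


def write_config(path: Path, content: str) -> None:
    """Create directory and file with restrictive modes from the start, never loosen later."""
    path.parent.mkdir(mode=DIR_MODE, parents=True, exist_ok=True)
    os.chmod(path.parent, DIR_MODE)   # mkdir is subject to umask; force the mode
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, FILE_MODE)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, FILE_MODE)         # in case the file already existed with a looser mode


def fix_config(path: Path):
    """Correct every mode audit_config flagged; return what was changed."""
    fixed = []
    for target, actual, expected in audit_config(path):
        os.chmod(target, expected)
        fixed.append((target, actual, expected))
    return fixed


def demo() -> dict:
    """Write a config, loosen it the way a careless chmod would, audit and repair it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "cfg" / "gateway-config.json"
        write_config(path, '{"hostname": "example"}')   # constructed content
        before = audit_config(path)
        os.chmod(path, 0o644)                             # simulate an admin loosening it
        leaked = audit_config(path)
        fixed = fix_config(path)
        after = stat.S_IMODE(path.stat().st_mode)
    return {"before": before, "leaked": leaked, "fixed": fixed, "after": after}


if __name__ == "__main__":
    print(resolve_config_path(None, {"GATEWAY_CONFIG_PATH": "~/gw.json"}))
    print(demo())
```

Opening the file with an explicit mode in `os.open` avoids the window in which a file created with default permissions and then chmod-ed is briefly readable by others.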
Improved Reconnection Strategy
Modified the system to continue reconnection attempts if the WebSocket response code is 500 or greater. Reused reconnection code for HTTP status codes less than 500.
Websocket Client Updates
Modified the 'create_dispatcher' method to choose the correct dispatcher based on SSL configuration, addressing issues when connecting to routers without SSL.
Logging Improvements
Improve Error Messages
Continued refinement of error messages to enhance the user experience and enable more effective troubleshooting.
Logging Configuration: Restricted the allowance of multiple configurations for logging to prevent conflicts and potential errors.
Released on July 12, 2023
Improved efficiency by shifting the IP address collection process from the gateway to the connection as part of the existing setup
Implemented lazy loading of the gateway record which requires the IP addresses. If the connection settings are not cached, a local connection will be established and the connection setting cache will be filled.
Overrode the password property to allow for lazy loading if the password has not been loaded yet. If a connection requests the gateway password and the gateway record has not been loaded, it will load it and then return the password from the record.
Local connections will now check if the gateway has cached connection settings. If it does, it will set those values in the connection. If not, the connection will proceed with the standard setup, copying the connection settings into the gateway upon completion.
If the local connection's password is blank, the connection will retrieve the password from the gateway.
Released on July 10, 2023
Local Connections Settings are now cached
Better management of connection details (shell path, shell type, sudo password requirements, etc.) to better associate PAM records and its associated gateways
Optimization & necessary refactoring of code to reduce API calls
General Improvements
Escaped the '{' character for macOS 'su' expect script due to it being a special character in expect.
Added 'echo' before getting the user list in macOS to avoid output pre-pending issues.
Fixed finding Linux shell if the SHELL environment variable is not set.
Changed Azure integration tests to provision Python in the Azure Instance Extension.
Addressed issues in Azure tests related to creating AD users via the provisioning script. AD Admin doesn't have privileges on the local machine to change local user passwords.
Resolved a problem where the Linux subprocess didn't like the 'type' command, now attempts 'which' first and then 'type'.
Released on June 6, 2023
Updated the Windows installer to incorporate service account support and introduced new options to reset permissions and assign user access IDs.
Enhanced file and config permissions handling: included checks for additional users, verification of added permissions, and automated corrections for mismatching identities.
Improved command-line functionality: added the "create-config-dir" command, adjusted 'fix-config' and log permissions based on users without access.
Improved codebase: refactored the permissions setting code, moved Windows utility functions and constants to 'utils.windows', and created 'utils.posix' for managing posix permissions.
Installer enhancements: included 'waituntilterminated' option for inno-setup commands, added a prompt for service uninstall before new installation on Windows, and handled older Python compatibility by removing type from dataclass.
Debugging and logging: provided a way to show subprocess command and output, improved subprocess command logging, and ensured logging includes any file permission checks.
Account handling: validated service account and created 'service-account.txt' for storing service account details.
Enhanced MariaDB Connector C build process across macOS, Linux, and Windows.
macOS: Utilized Homebrew for installation of mariadb-connector-c.
Linux: Required the Python module cmake for cloning and building the mariadb-connector-c repo, specifically version 3.3.
Windows: No changes required; the existing setup works.
Implemented Kerberos and NTLM support for Windows Remote Management (WinRM), with automatic use of Kerberos if the user format meets certain conditions. Also included a custom field to override the automatic selection if it causes issues.
Included libkrb5-dev and libmariadb-dev as dependencies for Kerberos and MariaDB modules respectively.
Introduced host mapping for providers, enabling the use of aliases for hostnames or IPs, particularly useful for Kerberos in Discovery.
Enhanced the SSH socket connection test to validate system availability on the desired port.
Improved the unit test suite for Kerberos authentication, including the creation of a WinRM instance that joins a domain.
Modified the logging mechanism to include Process ID (PID) in log messages for better process-message association.
Added MariaDB in requirements.txt to resolve a utf-8 encoding issue in Windows.
Expanded shell support to include BASH, ZSH, ASH, Dash, CSH, KSH, TCSH, and Fish, improving compatibility across different systems and preventing command history logging.
Implemented a feature that handles password changes requiring repeated new/re-enter password prompts, particularly useful for Linux boxes joined to OpenLDAP servers and using Linux PAM.
Replaced hardcoded text values in the code with Enum constants, improving code readability and maintenance.
Fixed an issue where a PowerShell instance remained open after a local machine password rotation was completed. Adjustments have been made to ensure that connections close appropriately once done.
Enhanced the logging feature by including the Process ID (PID) of each spawned PowerShell. This allows for easier debugging, making it possible to match any lingering PowerShell instances to the PIDs in the log.
Updated the testing suite to include the PID in local connection responses, further improving traceability and troubleshooting capabilities.
Refactored the handling of AWS region names and Azure resource groups, ensuring consistent behavior and improved reliability.
Now, if the region name (or resource groups) is in an unknown state or not of the expected string or list type, it is set to an empty array.
Additionally, unit tests were added to validate these conditions, and existing unit tests were reorganized for better readability.
Released on June 28, 2023
Scripts Field Feature - New Feature
Introduced support for the scripts field.
MariaDB Connector C Build Improvements
macOS: Utilized Homebrew for installation of mariadb-connector-c.
Linux: Required the Python module cmake for cloning and building the mariadb-connector-c repo, specifically version 3.3.
Updated the version of requests to >=2.28.2 due to a conflict with keeper-secrets-manager-core.
Updated the version of msal in the DR-Controller.
Additional Unix Shell Support
Expanded shell support to include BASH, ZSH, ASH, Dash, CSH, and TCSH.
Implemented command history prevention for these shells. If the system's shell is not supported, it will still function, but the command history will not be prevented.
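The shell handling described across these releases (nologin and false shells skipped in favour of a supported one, the SHELL variable forced in the spawned shell, a fallback when SHELL is unset, and history suppression only for supported shells) can be expressed as one small decision routine. The following is an added example, not Keeper Gateway code. The supported-shell list and the nologin markers follow the notes; the candidate directories, the `exists` callback (a stand-in for a real path check so the example runs offline), and the per-shell history-disabling commands are my assumptions.

```python
"""Choose a usable shell for a rotation session and keep its commands out of history (added example)."""
import os

SUPPORTED_SHELLS = ("bash", "zsh", "ksh", "ash", "dash", "csh", "tcsh", "fish")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SEARCH_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")   # assumed candidate locations


def shell_name(path) -> str:
    return os.path.basename(path) if path else ""


def select_shell(passwd_shell, env_shell=None, exists=os.path.exists) -> str:
    """Return the shell path to spawn.

    The account's passwd shell is used if it is runnable and not a nologin
    marker, then $SHELL on the same terms; an unsupported but real shell is
    still accepted (the session works, history is simply not suppressed).
    Only nologin/false trigger the search for a supported shell on disk.
    """
    for candidate in (passwd_shell, env_shell):
        if candidate and candidate not in NOLOGIN_SHELLS and exists(candidate):
            return candidate
    for name in SUPPORTED_SHELLS:
        for directory in SEARCH_DIRS:
            path = f"{directory}/{name}"
            if exists(path):
                return path
    raise RuntimeError("no supported shell found")


def history_guard(shell_path) -> str:
    """First command to run in the spawned shell so that the rotation commands,
    which carry the new password, are not written to a history file.
    Returns "" for unsupported shells (assumed commands per shell family)."""
    name = shell_name(shell_path)
    if name in ("csh", "tcsh"):
        return "unset savehist; set history=0"
    if name == "fish":
        return "set fish_history ''"
    if name in SUPPORTED_SHELLS:            # bash, zsh, ksh, ash, dash
        return "unset HISTFILE; HISTSIZE=0"
    return ""


def spawn_env(shell_path) -> dict:
    """Child environment with SHELL overridden, so tools that consult it
    (su -, sudo -s, editors) agree with the shell actually spawned."""
    env = dict(os.environ)
    env["SHELL"] = shell_path
    return env


if __name__ == "__main__":
    # Constructed passwd entry for a service account locked out of interactive login.
    passwd_line = "svc_app:x:1001:1001::/home/svc_app:/sbin/nologin"
    chosen = select_shell(passwd_line.split(":")[-1], os.environ.get("SHELL"))
    print(chosen, "|", history_guard(chosen), "|", spawn_env(chosen)["SHELL"])
```

The distinction between "not runnable" and "not supported" is the point: a real but unlisted shell must still be used, because replacing it silently would run the rotation in a different shell than the account is configured for.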
Added feature to handle repeated new/re-enter password prompts for password changes, particularly for Linux boxes joined to OpenLDAP servers and using Linux PAM.
PowerShell Management
Fixed an issue where a PowerShell instance remained open after password rotation on a local machine.
Made local Windows connection less CPU intensive by reducing constant output polling and improving prompt detection.
Fixed issue with Microsoft's Azure extension requiring a reboot due to a .NET update in Chocolatey, which was breaking Windows instance provisioning.
Reconnection Management
Limited reconnection attempts to approximately 6 hours for other connection failures.
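The reconnection rules stated on this page (in the September 1 notes: keep retrying while the WebSocket status is 500 or greater and fall back to the non-retrying HTTP handling below 500; here: stop after approximately 6 hours) amount to a small policy object. The following is an added example, not Keeper Gateway code; the six-hour budget is the page's figure, while the exponential backoff schedule, its cap, and the treatment of transport-level failures (no status at all) as retryable are my assumptions. The clock is injectable so the behaviour can be exercised without waiting.

```python
"""Reconnection policy for a gateway-to-router WebSocket (added example)."""
import time

MAX_RETRY_WINDOW_S = 6 * 60 * 60   # "approximately 6 hours" from the release notes
BASE_DELAY_S = 2.0                 # assumed first backoff step
MAX_DELAY_S = 300.0                # assumed cap between attempts


class ReconnectPolicy:
    def __init__(self, now=time.monotonic):
        self._now = now
        self.started_at = None     # start of the current outage, None while connected
        self.attempt = 0

    def should_retry(self, status) -> bool:
        """Decide whether a failed (re)connect deserves another attempt.

        `status` is the HTTP/WebSocket status the router answered with, or
        None when the failure was at the transport level (DNS, reset, timeout).
        """
        if self.started_at is None:
            self.started_at = self._now()
        if status is not None and status < 500:
            # 4xx means the router rejected this gateway (bad or revoked token,
            # forbidden, gone). Retrying the same credentials cannot succeed and
            # would only hammer the endpoint, so hand off to the HTTP error path.
            return False
        if self._now() - self.started_at > MAX_RETRY_WINDOW_S:
            return False           # budget exhausted: surface the outage rather than loop forever
        self.attempt += 1
        return True

    def next_delay(self) -> float:
        """Exponential backoff for the current attempt: 2, 4, 8, ... s, capped."""
        return min(BASE_DELAY_S * 2 ** (self.attempt - 1), MAX_DELAY_S)

    def reset(self) -> None:
        """Call once a connection succeeds so the next outage gets a fresh budget."""
        self.started_at = None
        self.attempt = 0


def simulate(statuses, clock_step_s=60.0):
    """Drive the policy through a constructed sequence of failures with a fake
    clock that advances clock_step_s per attempt; returns the decision per status."""
    clock = [0.0]
    policy = ReconnectPolicy(now=lambda: clock[0])
    decisions = []
    for status in statuses:
        decisions.append(policy.should_retry(status))
        clock[0] += clock_step_s
    return decisions


if __name__ == "__main__":
    print(simulate([503, None, 502, 401]))          # retry, retry, retry, stop (auth)
    print(simulate([503] * 400, clock_step_s=60))   # stops once six hours have elapsed
```

Separating "temporary" (5xx, transport) from "permanent" (4xx) failures is what keeps a revoked or mistyped token from turning into an indefinite retry storm against the router.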
Sudo Prompt Fix
Included Linux sudo prompt in the list of allowed responses to prevent sudo failures in Linux when a password is required.
Fixed issue where the sudo prompt in STDERR was causing false-positive error detection.
macOS Command Hang
Fixed command freezing issue in the gateway due to the use of ZSH for the local connection on macOS. Switched the shell back to BASH to resolve the issue.
Process Pool for Actions
Made software compatible with new async-repl.
Replaced thread pool with process pool for actions.
Clean Password Constraints
Identified and addressed an issue where a password, specifically for PostgreSQL, would not have illegal characters removed. This occurred when rotating a user, as the object would be a PAM User record, which has no password constraints.
Released on February 6, 2024
DR-542 PowerShell Command Scope Limitation: Limited PowerShell command to local admin groups by default to improve startup reliability.
DR-545 Sensitive Data Logging Removal: Removed logging of sensitive information (username, password, one-time token) during Windows installation, enhancing security.
DR-546 Pin MSGraph to 0.2.2: Fixed issues caused by MSGraph 1.0.0 release by pinning to version 0.2.2.
Keeper Gateway v1.0.0 is the first official release of the Keeper Gateway.
The Keeper Gateway is a lightweight service that is installed on any Windows, Linux or macOS machine in order to execute rotation, discovery and connection tasks.
For installation steps and more information on the Keeper Gateway, visit:
Released on February 2, 2024
DR-537 IAM Rotation in GovCloud: Fixed an issue where IAM client rotation in GovCloud required specifying a region to switch endpoints, differing from commercial AWS behavior.
DR-541 WinRM Executable Fix: Addressed a problem in the 'make executable' code for WinRM by correcting the regular expression match group, preventing 'no such group' exceptions.
DR-539 Improved Sudoer Error Message: Enhanced the error message for users not in the sudoers file, making it more descriptive and actionable.
Released on December 16, 2023
Implemented auto-update capabilities for Windows and Linux installations
Read more here
Minor bug fixes and improvements