June 2022 Release Notes

Last modified on September 1, 2022

New

  • Remote Identities Generally Available. Released Remote Identities, a new feature that enables your organization’s users to authenticate to SSH or Kubernetes resources using their own individual identifier rather than a leased credential. See section Remote Identities to learn more.

Updated

  • Terraform Version Number. Noted Terraform version 0.13 as the minimum supported version on the Admin UI Downloads page.
  • User Management Metadata URL Field Name. Changed the IDP Metadata URL field name to Metadata URL on the User Management page of the Admin UI.
  • SCIM Update Activities. Changed the wording of SCIM Update activities in Admin UI activity logs.
  • sdm ssh grep. Removed the sdm ssh grep subcommand from the CLI.
  • sdm doctor Displays Max FD. Updated the sdm doctor CLI command to display Max FD count.
  • Admin Token Auth Expiration. Updated admin token authentications so that they expire 24 hours after a new admin token is created.
  • Error Message for Invalid API Keys. Improved the error message reported when an API login fails for a known reason because the key pair in use is invalid.
  • Azure CLI Support. Added support for some previously unsupported calls from Azure CLI version 2.29.0.
  • SSH Cert Server Key Type Parameter. Added the Key Type parameter to SSH certificate-based servers for generating SSH keys of type RSA with 2048/4096 bits, ECDSA with 256/384/521 elliptic curve sizes, or ED25519. The Key Type parameter is supported in the SDKs.
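
The key types listed in the SSH Cert Server Key Type note can be checked against an existing public key. The following Python code is an added example, not strongDM code: it parses OpenSSH public key lines and reports whether each one matches a listed type and size. The function names and the sample keys it builds are constructed for illustration.

```python
import base64
import struct

# Key types and sizes named in the Key Type release note.
ALLOWED = {"ssh-rsa": {2048, 4096}, "ssh-ed25519": {256},
           "ecdsa-sha2-nistp256": {256}, "ecdsa-sha2-nistp384": {384},
           "ecdsa-sha2-nistp521": {521}}

def _read_string(blob, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def classify_public_key(line):
    """Return (key_type, bits, allowed) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = _read_string(blob, 0)
    key_type = name.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("type label does not match key blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)  # curve name, e.g. b"nistp384"
        bits = int(curve[5:].decode("ascii"))
    elif key_type == "ssh-ed25519":
        public, off = _read_string(blob, off)
        bits = len(public) * 8
    else:
        bits = 0  # other types (for example ssh-dss) are outside the listed set
    return key_type, bits, bits in ALLOWED.get(key_type, set())

def sample_line(key_type, fields):
    """Build a constructed (not real) public key line from raw blob fields."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [key_type.encode(), *fields])
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"

def dummy_modulus(bits):
    """mpint bytes of a dummy odd integer with this bit length (not a usable key)."""
    return b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
```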

Fixed

  • Delete Action for Selected Users in Admin UI. Fixed a bug in the Admin UI Users page where deleting a selected account via the Action menu button no longer considered the deleted row selected, and the “1 selected” pop-up remained after the user was deleted in the Admin UI.
  • SSO Setting Updates. Fixed a bug in which updating the client secret SSO setting in the Admin UI did not take effect on the server.
  • Cached Data Not Cleared Upon Logout. Fixed a bug where cached data on the API & Admin Tokens page of the Admin UI was not cleared after user logout.
  • Admin UI URL Upon Logout. Fixed a bug where upon user logout, the Admin UI URL redirected to /login instead of /app/login.
  • Port Overrides Link. Fixed a bug where the Port Overrides hyperlink for cluster resources in the Admin UI was broken.
  • Tags Not Displaying on Gateway Details. Fixed an issue where tags on the Gateway and Relay details tab in the Admin UI were no longer displayed.
  • Add Cloud Form Submission. Fixed the Add Cloud form in the Admin UI to prevent submission of the form when required fields were not filled.
  • Static Access Rule Counts. Fixed a bug where static access rule counts in the Admin UI were no longer cached.
  • Website Certificate Generation Button. Fixed a bug where the website certificate generation button in the Admin UI did not show if certificates did not exist.
  • Team Leaders Unable to Add Roles to Users. Fixed a bug where users with the Team Leader permission level could not add a role to users if they had the same role.
  • Timeout Issue for Tags Assigned to Dynamic Access Rules. Changed dynamic rule tag queries to match resource drop-down tag queries to avoid timeout issues. Assigning a tag to a dynamic access rule previously failed if queries took longer than 200 ms.
  • CLI Commands Failing Without SDM_HOME. Fixed an issue where all CLI commands failed if the SDM_HOME directory did not already exist.
  • MFA Unlock. Fixed an issue that caused MFA unlock to fail.
  • Docker Containers Not Accepting Traffic. Fixed a bug where Docker containers with the strongDM client did not accept traffic on exposed ports.
  • RDP File Transfers Crashing Gateways. Fixed a bug where certain file transfers via RDP crashed gateways or relays.
  • Hostname Not Updated in Ruby SDK. Fixed a port override-related issue when updating SSH via the Ruby SDK, which caused the hostname not to be updated.
  • Port Override Error. Fixed an SDK error that caused attempts to update SSH resources to result in a port override error.
  • Missing Delete User Functionality on Parent Org. Fixed an issue where the delete user functionality on a parent organization’s Administrators page was missing.
  • Parent Admin Accounts Showing in Child Org. Fixed a CLI bug where Parent Admin accounts were displayed in a child organization.
  • Admins of Parent Orgs Unable to Edit User Details. Fixed a bug where root admins could not edit name and email address on a parent organization’s Administrators page.

Remote Identities

Remote Identities enable your organization’s users to authenticate to SSH or Kubernetes resources using their own individual identifier rather than a leased credential.

A Remote Identity is like a username, profile, or alias that is unique to an individual user or service account. When logging in to a server via an SSH client, for example, you typically log in with credentials that are not shared with anyone else. Moreover, your individual activities are written to the resource’s native logs under your username.

A leased credential is shared across multiple users and service accounts. In a strongDM organization that uses the leased credential method of authentication, all users authenticate with the same leased credential in order to access the resources that have been granted to their assigned role(s). Individual activities are written to the organization’s logs.

Leased credentials are still the default way to access SSH or Kubernetes resources, but they are no longer the only way. Now you have the flexibility to authenticate to SSH or Kubernetes resources with either leased credentials or Remote Identities.

The option to authenticate with Remote Identities is available for the following resource types only:

  • SSH (Certificate Based) server
  • AKS cluster
  • AKS (Service Account) cluster
  • Elastic Kubernetes Service cluster
  • Elastic Kubernetes Service (Service Account) cluster
  • Google Kubernetes Engine cluster
  • Kubernetes cluster
  • Kubernetes (Service Account) cluster

Admin UI

The Remote Identities release includes the following changes to the Admin UI:

  • The Settings tab of users and service accounts now includes the optional Remote Identity field. You can enter any string that is not already in use. One Remote Identity is allowed per user.
  • Server and cluster tables have a new Authentication column displaying either Leased Credentials (default) or Remote Identities. These are now filterable values for servers and clusters.
  • When adding an SSH (Certificate Based) server or a Kubernetes cluster, the configuration dialog has a new Authentication property to set either Leased Credential or Remote Identities.
    • When Authentication is set to Remote Identities, the Healthcheck Username field displays. The Healthcheck Username is used to verify strongDM’s connection to the target resource.
  • Activity logs now show the following Remote Identity activities:
    • Remote identity created
    • Remote identity deleted
    • Remote identity updated

CLI

The Remote Identities release adds the following CLI commands:

  • sdm admin remote-identities create
  • sdm admin remote-identities delete
  • sdm admin remote-identities groups
  • sdm admin remote-identities list
  • sdm admin remote-identities update

We added the following options to the sdm admin servers add ssh-cert command and to the sdm admin clusters Add, Clone, and Update commands:

  • --remote-identity-group-id
  • --remote-identity-group-name
  • --remote-identity-healthcheck-username

In addition, this release adds the ability to see Remote Identity audit data via the following commands:

  • sdm audit ssh
  • sdm audit k8s
  • sdm audit users

The -j flag (for JSON) is supported in all cases.

SDKs and Terraform

This release adds Remote Identity support in the SDKs and Terraform.
