We are proud to announce Topicus KeyHub 26. This release focuses on organisational units and our browser extension. As usual, a number of assorted smaller changes and bug fixes are also included.
Organisational units
We've continued our development on organisational units. With this release it is possible to put accounts in organisational units and restrict the groups they can see and be a member of. The area of focus for organisational units for the upcoming releases will be linked systems and provisioning.
In Topicus KeyHub 26, the following tickets related to organisational units were resolved:
- TKH-2431: Organisational units can now be removed.
- TKH-2433: An account directory now defines the base organisational unit that defines the scope of its accounts.
- TKH-2435: Accounts are now automatically made members of the base organisational unit of the directory.
- TKH-2436: Accounts can now be made members of additional organisational units under the base organisational unit of their directory.
- TKH-2437: Users can only see data from the organisational units they are a member of.
- TKH-2438: Groups can now be linked to an organisational unit. A group can only contain accounts that are members of the organisational unit the group is part of.
- TKH-2439: Requests made across organisational units are now correctly filtered on the memberships of the users. A user can only process requests when they can see all objects that are part of the request.
Browser extension, also for Safari
A lot of work went into a major upgrade of our browser extension. This new version of the extension supports new APIs introduced in browsers. This should reduce resource consumption by extensions. This rework also made it possible to support the browser extension on Safari. You can find us in the Mac App Store!
The following tickets for the browser extension were resolved:
- TKH-1885: The browser extension was upgraded to manifest v3 for Google Chrome and other Chromium based browsers.
- TKH-2120: An option was added to hide the 'Fill with Topicus KeyHub' icon in input fields.
- TKH-2167: The extension was made compatible with Safari.
- TKH-2252: Support was added for TOTP fields with autocomplete=one-time-code.
- TKH-2337: Filling username, password or TOTP code was made more predictable and reliable.
- TKH-2446: A search term is now remembered per tab, making it much easier to fill username, password and TOTP in multiple steps.
SSH password authentication
TKH-2452
SSH password authentication is now disabled by default on new installs of the Topicus KeyHub appliance. On existing installs, it can be disabled via the configuration. Do make sure you set up a key before you disable password authentication, though.
Pages for administration made read only
TKH-1868
A common source of confusion was the ability for KeyHub Administrators to edit certain objects via the pages under administration. These pages are accessible for KeyHub Administrators, but the permissions required to edit many of the objects are derived from memberships of other groups. This caused pages to be read only in some cases, but editable in others. In Topicus KeyHub 26, these pages are all made read only, with the exception of directories and accounts, which are always managed by KeyHub Administrators. Groups, linked systems and applications should be edited via My groups or Manage access.
Small improvements
The following smaller improvements and bug fixes were made:
- TKH-1334: Current or upcoming issues with your license are now displayed as notifications on the dashboard.
- TKH-1347: When the external certificate used by Topicus KeyHub is about to expire, a notification will be displayed on the dashboard.
- TKH-1356: The confirmation e-mails for new group members now mention their role and a possible end date.
- TKH-1473: When using 'fetch from server' to select a certificate, it is now possible to select a certificate from the chain, if the server returns the entire chain.
- TKH-1500: It is now possible to expand folders on your dashboard to be able to enable a single group from a folder.
- TKH-1801: Reading a shared vault record no longer incorrectly counts as using the group it was shared from.
- TKH-1940: Generated passwords for new vault records now contain a few additional characters to make them conform to most complexity demands.
- TKH-2022: It is now possible to move or rename multiple users at once via the bulk edit page.
- TKH-2204: Custom attributes read from an account directory are now returned via the internal LDAP.
- TKH-2370: The QR code for setting up 2FA now indicates if 2FA is restricted for the user. This will allow future updates of the app to prevent creating backups for that code.
- TKH-2408: A message is displayed when a user is not allowed to process a request because it would be a violation of the four-eyes principle.
- TKH-2443: 'Offline mode' has been renamed to 'Isolation mode'.
- TKH-2445: Some code cleanup was performed to make better use of a new API.
- TKH-2447: It is no longer possible to link internal Topicus KeyHub applications to groups.
- TKH-2450: Support for versions 22 to 49 for the REST API was removed.
- TKH-2451: Loading of the WireGuard kernel modules on AWS was fixed.
- TKH-2453: The native Linux build of the CLI now correctly displays its version.
- TKH-2454: An error was fixed when using a command on the native Linux CLI that used a UUID.
- TKH-2455: An error was fixed in some German e-mails.
- TKH-2456: When removing a linked system with service accounts, the shared vault records are now also removed.
- TKH-2457: A possible error was fixed when removing nesting from groups.
- TKH-2458: The ECIES encryption scheme was improved to protect against the malleability of the nonce, which fell outside the IES integrity check.
- TKH-2461, TKH-2486: A new scheduled task was added that cleans up old, processed requests from the database.
- TKH-2464: An error was fixed when trying to restore a database from a backup in a clustered setup.
- TKH-2465: Improvements were made in the scheduled task for sending e-mails about new notifications to prevent it from sending two e-mails on a single day.
- TKH-2466: Copying passwords from the vault directly to the clipboard now also works in Safari.
- TKH-2468: A small improvement was made to the text explaining a password reset in the manual.
- TKH-2473: An error was fixed that caused a duplicate name to be reported incorrectly when trying to create a new folder on the dashboard.
- TKH-2474: An error in the transaction handling was fixed that could cause incorrect recovery keys to be shared when a password change was rejected by the directory.
- TKH-2475: SaltStack was upgraded to version 3006. Python was upgraded to 3.10.
- TKH-2478: A problem was fixed in the versioning of the REST API that could cause an error when creating a new ProvisioningGroup.
- TKH-2483: A misconfiguration of logrotate was fixed that caused a large number of dnf log files to be created.