Topicus KeyHub 26

We are proud to announce Topicus KeyHub 26. This release focuses on organisation units and our browser extension. As usual, a number of assorted smaller changes and bug fixes are also included.

Organisational units

We've continued our development on organisational units. With this release it is possible to put accounts in organisational units and restrict the groups they can see and be member of. The area of focus for organisational units for the upcoming releases will be linked systems and provisioning.

In Topicus KeyHub 26, the following tickets related to organisational units were resolved:

• TKH-2431 Organisational units can now be removed.

• TKH-2433 An account directory now defines the base organisational unit that defines the scope of its accounts.

• TKH-2435 Accounts are now automatically made member of the base organisational unit of the directory.

• TKH-2436 Accounts can now be made member of additional organisational units under the base organisational unit of their directory.

• TKH-2437 Users can only see data from the organisational units they are member of.

• TKH-2438 Groups can now be linked to an organisational unit. A group can only contain accounts that are member of the organisational unit the group is part of.

• TKH-2439 Requests made cross-organisational unit are now correctly filtered on the memberships of the users. A user can only process requests when it can see all objects that are part of the request.

Browser extension, also for Safari

A lot of work went into a major upgrade of our browser extension. This new version of the extension supports new APIs introduced in browsers. This should reduce resource consumption by extensions. This rework also made it possible to support the browser extension on Safari. You can find us in the Mac App Store!

The following tickets for the browser extension were resolved:

• TKH-1885 The browser extension was upgraded to manifest v3 for Google Chrome and other Chromium based browsers.

• TKH-2120 An option was added to hide the 'Fill with Topicus KeyHub' icon in input fields.

• TKH-2167 The extension was made compatible with Safari.

• TKH-2252 Support was added for TOTP fields with autocomplete=one-time-code.

• TKH-2337 Filling username, password or TOTP code was made more predictable and reliable.

• TKH-2446 A search term is now remembered per tab, making it much easier to fill username, password and TOTP in multiple steps.

SSH password authentication

TKH-2452 SSH password authentication is now disabled by default on new installs of the Topicus KeyHub appliance. On existing installs, it can be disabled via the configuration. Do make sure you setup a key before you disable password authentication though.

Pages for administration made read only

TKH-1868 A common source of confusion was the ability for KeyHub Administrators to edit certain objects via the pages under administration. These pages are accessible for KeyHub Administrators, but the permissions required to edit many of the objects is derived from memberships of other groups. This caused pages to read only in some cases, but editable in others. In Topicus KeyHub 26, these pages are all made read only, with the exception of directories and accounts, which are always managed by KeyHub Administrators. Groups, linked systems and applications should be edited via My groups or Manage access.

Small improvements

The following smaller improvements and bug fixes were made:

• TKH-1334 Current or upcoming issues with your license are now displayed as notifications on the dashboard.

• TKH-1347 When the external certificate used by Topicus KeyHub is about to expire, a notification will be displayed on the dashboard.

• TKH-1356 The confirmation e-mails for new group members now mention their role and a possible end date.

• TKH-1473 When using 'fetch from server' to select a certificate, it is now possible to select a certificate from the chain, if the server returns the entire chain.

• TKH-1500 It is now possible to expand folders on your dashboard to be able to enable a single group from a folder.

• TKH-1801 Reading a shared vault record no longer incorrectly counts as using the group it was shared from.

• TKH-1940 Generated passwords for new vault records now contain a few additional characters to make them conform to most complexity demands.

• TKH-2022 It is now possible to move or rename multiple users at once via the bulk edit page.

• TKH-2204 Custom attributes read from an account directory are now returned via the internal LDAP.

• TKH-2370 The QR code for setting up 2FA now indicates if 2FA is restricted for the user. This will allow future updates of the app to prevent creating backups for that code.

• TKH-2408 A message is displayed when a user is not allowed to process a request because it would be a violation of the four-eyes principle.

• TKH-2443 'Offline mode' has been renamed to 'Isolation mode'.

• TKH-2445 Some code cleanup was performed to make better use of a new API.

• TKH-2447 It is no longer possible to link internal Topicus KeyHub application to groups.

• TKH-2450 Support for versions 22 to 49 for the REST API was removed.

• TKH-2451 Loading of the wireguard kernel modules on AWS was fixed.

• TKH-2453 The native Linux build of the CLI now correctly displays its version.

• TKH-2454 An error was fixed when using a command on the native Linux CLI that used a UUID.

• TKH-2455 An error was fixed in some German e-mails.

• TKH-2456 When removing a linked system with service accounts, the shared vault records are now also removed.

• TKH-2457 A possible error was fixed when removing nesting from groups.

• TKH-2458 The ECIES encryption scheme was improved to protect against the malleability of the nonce, which fell outside the IES integrity check.

• TKH-2461 TKH-2486 A new scheduled task was added that cleans up old, processed requests from the database.

• TKH-2464 An error was fixed when trying to restore a database from a backup in a clustered setup.

• TKH-2465 Improvements were made in the scheduled task for sending e-mails about new notification to prevent it from sending two e-mails on a single day.

• TKH-2466 Copying passwords from the vault directly to the clipboard now also works in Safari.

• TKH-2468 A small improvement was made to the text explaining a password reset in the manual.

• TKH-2473 An error was fixed that caused to incorrectly report a duplicate name when trying to create a new folder for on the dashboard.

• TKH-2474 An error in the transaction handling was fixed that could cause incorrect recovery keys from getting shared when a password change was rejected by the directory.

• TKH-2475 SaltStack was upgraded to version 3006. Python was upgraded to 3.10.

• TKH-2478 A problem was fixed in the versioning of the REST API, that could cause an error when creating a new ProvisioningGroup.

• TKH-2483 A misconfiguration of logrotate was fixed that caused a large number of dnf log files to be created.