We are proud to announce the 16.1 release of Topicus KeyHub. This release brings major improvements to the virtual appliance when running without an internet connection. The Topicus KeyHub application itself sees some nice features for managing larger installations. As usual, a number of smaller improvements have been made and several issues have been fixed.

Important notice: Possible privilege escalation

TKH-1413 An error in the LDAP query for the external UUID of a provisioned system, could cause an attacker to craft a malicious duplicate linked system to try to gain access to groups on a system. For this, the attacker would need access to the credentials of the linked system, know the configuration of the system and be member of a group with technical administration in Topicus KeyHub. This makes this attack difficult to perform and easy to detect, but it poses a risk nonetheless. We therefore recommend all installations to be upgraded to version 16.1.

Cleaning up orphaned accounts

TKH-784 When using Topicus KeyHub in a dynamic organization, people come and people go. This can leave you with a buildup of orphaned accounts in Topicus KeyHub: accounts that no longer exist in your directory, but still exist in KeyHub. Users can no longer login with these accounts, but they create clutter and can cost you license entries. These accounts can now easily be removed in bulk with just a few clicks.


Help desk

TKH-1392 It has always been the task of KeyHub administrators to perform account recovery when a user lost his or her two-factor authentication codes. It is now possible to delegate this responsibility to a separate group of users: the help desk group.


Browser Extension

TKH-1304 TKH-1373 Several small improvements were made to the browser extension. It is now able to detect login forms on pages that do not adhere to the HTML standards and do not put the login fields inside a form tag. Also, when the login form is placed inside an iframe, the extension now shows records for both the iframe url and those of the browser tab. Finally, the extension now remembers search queries per tab. This greatly enhances the user experience when you have to enter multiple values manually in several steps.

Virtual Appliance offline mode

TKH-1403 Starting with Topicus KeyHub 15.1 we publish both a network and an offline installation package for the appliance. Upgrading an offline installation used to be a lot of work requiring a backup and restore, but not anymore: you can now update your installation via a special update package. In addition, several other improvements were made to the appliance to run it in an offline environment:

  • TKH-1391 The NTP servers can now be configured.
  • TKH-1394 It is no longer possible to combine Let's Encrypt and offline mode in the configuration.
  • TKH-1395 When running offline, the configuration management will no longer try to access online software repositories.
  • TKH-1398 Support for an additional RPM repository was added to allow the installation of updates in an offline environment.
  • TKH-1406 An offline installation will no longer show incorrect system updates on the dashboard.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-888 Topicus KeyHub now keeps track of when a user uses a group.
  • TKH-991 Tests were added to several webhook scenario's.
  • TKH-1350 Some textual changes were made to the audit pages.
  • TKH-1365 It is now possible to filter on a type under manage access.
  • TKH-1383 A maximum file size is set for logo's on the launchpad.
  • TKH-1384 The disabled checkbox for a launchpad tile is made more distinguishable from a non-disabled checkbox.
  • TKH-1388 The back-end now also returns vault secrets when the query targets a single record.
  • TKH-1389 In addition to basic authentication and a bearer token, it is now possible to set custom authentication headers on webhooks.
  • TKH-1390 The loading of launchpad icons has been improved.
  • TKH-1396 The type LICENSE_KEY_UPLOADED was missing for webhooks.
  • TKH-1397 A missing security check allowed detection of existence of vaults when the user did not have permission to read the vaults in question.
  • TKH-1399 An off-by-one in the check on user limit for a license made it impossible to claim the last user of the license.
  • TKH-1400 The session count on the about page also showed sessions for automated clients.
  • TKH-1401 During the installation it was impossible to add trusted certificates.
  • TKH-1402 Creating a vault record without any secrets caused an error.
  • TKH-1407 Combining static provisioning with source directory provisioning not always enabled the group on the directory for accounts already member of the group in Topicus KeyHub.
  • TKH-1409 Some of the docker volumes in the appliance were unnamed, causing the state to be lost on an upgrade.
  • TKH-1411 Some of the indexes on the audit record table in the database were not used but took a lot of space on the disk.
  • TKH-1412 The audit log entry when a group membership expired was made more clear.
  • TKH-1414 During an update an erroneous e-mail was sometimes sent indicating a snapshot was not cleaned up.
  • TKH-1415 A performance regression on the about page was fixed.