Emond Papegaaij 10/11/2022 7 min read

Topicus KeyHub 22

We are proud to announce Topicus KeyHub 22. This release brings back the option for a password reset. We've also added some e-mail notifications and several new commands to the CLI. As usual, a number of assorted smaller changes and bug fixes are included.


Password reset

TKH-2213 TKH-2243 In Topicus KeyHub 18.2 we introduced our social password recovery. This allows users to recover from a lost password, with a little help from two other users, without losing any access. In some cases, however, this reliance on two other users can become a problem due to time constraints or availability. To prevent users from getting blocked, it is now possible to opt for a password reset. This allows the user to regain access to Topicus KeyHub without help, but the user loses access to the vault.


E-mail notifications

TKH-2229 Users will now receive e-mail notifications on changes of group membership(s). This helps the user to detect mistakes and creates awareness of their membership(s).

E-mail notification


Account provisioning via CLI

TKH-1290 A whole new set of commands was added to the provisioning command group of the CLI to activate or deactivate groups directly from the command line. With provisioning status, the status of the groups can be read.

The KeyHub provisioning command

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1378 It is now possible to share the credentials of an OAuth2 client in the vault.
  • TKH-1643 The install link for the browser extension now leads the user directly to the stores of the browsers.
  • TKH-1763 Handling of hidden or read-only fields was improved in the browser extension.
  • TKH-2099 The installation license was renewed for another year.
  • TKH-2143 Python was upgraded to 3.9.
  • TKH-2179 An OAuth2 client can now rotate its own secret directly via the API.
  • TKH-2182 The allocation of reserved space during an upgrade was improved to give more room to the root filesystem.
  • TKH-2185 The OAuth2 Token Exchange endpoint was reimplemented to make it more compliant with RFC 8693.
  • TKH-2187 Old synchronization logs for the provisioning are now removed automatically.
  • TKH-2193 TKH-2303 A dedicated set of pages was added to show the details of a group on a linked system.
  • TKH-2218 The processor of a request can now get details about the subject of the request, such as a service account or an OAuth2 client.
  • TKH-2219 It is now possible to share service account passwords or OAuth2 client secrets with personal vaults in addition to group vaults.
  • TKH-2223 Users are now prompted for their KeyHub password at least once every 30 days to ensure all encrypted data remains up to date.
  • TKH-2226 Salt was upgraded to 3005 and migrated to the new onedir installation.
  • TKH-2227 The REST API now returns a reference to the shared vault records for service accounts and OAuth2 clients.
  • TKH-2230 Error handling was improved for malformed URLs in licenses.
  • TKH-2232 The TOTP field is now correctly displayed as read only for shared records.
  • TKH-2237 The flow for password recovery on LDAP with reauthentication using 2FA and disabled password synchronization was fixed.
  • TKH-2239 Error handling for license checks in the appliance manager was improved.
  • TKH-2242 Some missing checks were added for enabling and disabling technical administration on a group.
  • TKH-2249 All Python dependencies are now served from our own repository.
  • TKH-2250 Handling of reauthentication during a password change was improved.
  • TKH-2253 An error was fixed when a non-admin user tried to view an account.
  • TKH-2254 TKH-2263 A regression on the manage layout page was fixed that caused display issues on moved groups.
  • TKH-2255 An error message was missing in the browser extension when the user did not have the keys to read a vault record.
  • TKH-2256 Support was added for the virtio_scsi and virtio_console devices.
  • TKH-2259 Fixed an issue where, after restoring a backup of an older version, the pillar was not migrated to the new version.
  • TKH-2260 The owner of a linked system now has permissions to view that system.
  • TKH-2261 Permission checks for owners of clients were too strict.
  • TKH-2264 A possible error was fixed when removing accounts.
  • TKH-2265 A possible error was fixed when removing nested groups.
  • TKH-2266 The package open-vm-tools is no longer installed on AWS.
  • TKH-2268 The license is no longer cached; the caching could cause issues in clusters.
  • TKH-2270 Several code improvements were made to the CLI.
  • TKH-2271 Permission to read the dashboard folders was added to the provisioning scope.
  • TKH-2274 The appliance can now be placed in the Azure marketplace again.
  • TKH-2278 The direction of the requests to set up or disconnect extra authorization on groups was reversed.
  • TKH-2280 Comments in the hosts file no longer cause an error in the Salt states.
  • TKH-2282 The label for the service account DN was fixed.
  • TKH-2284 Nesting service accounts inside the DN used for users could result in an error during provisioning.
  • TKH-2291 An obsolete piece of code was removed from the snapshot recovery implementation.
  • TKH-2297 A possible race condition was fixed during the upgrade of Salt.
  • TKH-2298 OAuth2 clients with read or update permissions on service accounts now also have read permissions on linked systems.
  • TKH-2312 The filter for the overview of groups on system for a service account was fixed.