Release Notes
Version 3.007.00
New Features
- Support for Azure File Share Cloud Connection which supports SFTP random read/write and file appending.
- Support for SFTP user and/or Admin login via LDAP and Active Directory LDAP Identity Providers.
- Configure users with an access expiration date, after which their access is denied.
New application properties:
features.sftp-user.default-expiration-days=1
- Set this property to 1 or higher to automatically fill the New User screen with an expiration date when creating a user. If the property does not exist, there will not be a default expiration date. Default not set.
features.sftp-user.delete-default-home-folder-mapping-on-user-delete=true
- Set this property to true to delete a user’s home folder when the user is deleted. It will only delete the home folder if it is of the form /users/{username} and it inherits its cloud connection from the root. Default false.
features.sftp-user.purge-process.delete-user-after-expiration-days=0
features.sftp-user.purge-process.enabled=true
features.sftp-user.purge-process.cron=0 0 0 * * ?
- These three properties control the purge process, a scheduled job that automatically deletes expired users after a configured number of days (features.sftp-user.purge-process.delete-user-after-expiration-days, default 14). The process is disabled by default and must be enabled by setting features.sftp-user.purge-process.enabled=true (default false). By default the job runs once a day at midnight; the schedule can be adjusted by giving a cron expression in features.sftp-user.purge-process.cron.
Feature updates
Other applications, such as s3fuse, can use the same metadata fields SFTP Gateway uses to store file modified-time attributes, but may write the time in epoch milliseconds rather than the epoch seconds SFTP Gateway uses. Read as seconds, those millisecond values appeared far in the future when viewed through an SFTP client. SFTP Gateway now recognizes the time unit of the stored value and shows the correct date regardless of which application wrote the metadata.
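As an added illustration (not SFTP Gateway's own code), the Python below applies the idea described above: infer the unit of a stored modified-time value from its magnitude and convert it to epoch seconds before rendering. The metadata key name mtime and the unit thresholds are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Assumed thresholds (not SFTP Gateway's): a value is read in the smallest unit
# whose plausible range it falls in. Below 1e11 it is seconds (dates up to the
# year 5138), below 1e14 milliseconds, below 1e17 microseconds, else nanoseconds.
_UNIT_DIVISORS = (
    (10**11, 1),        # seconds
    (10**14, 10**3),    # milliseconds
    (10**17, 10**6),    # microseconds
)


def normalize_epoch_seconds(raw: str) -> int:
    """Return the epoch-seconds value for a timestamp stored in unknown units."""
    whole = raw.strip().split(".", 1)[0]   # tolerate fractional seconds
    value = int(whole)
    if value < 0:
        raise ValueError(f"negative timestamp {value!r}")
    for limit, divisor in _UNIT_DIVISORS:
        if value < limit:
            return value // divisor
    return value // 10**9                  # nanoseconds


def read_mtime(metadata: dict, key: str = "mtime") -> Optional[datetime]:
    """Parse the modified-time attribute from an object's user metadata (key name assumed)."""
    raw = metadata.get(key)
    if raw is None:
        return None
    return datetime.fromtimestamp(normalize_epoch_seconds(raw), tz=timezone.utc)
```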
The Highly Available CloudFormation deployment now uses RDS IAM Authentication on AWS to connect to the database. This prevents the storage of the database password on the instance.
The Highly Available CloudFormation deployment no longer assigns a Public IP address to the backend instances. Instead, the backend instances are in a private subnet and are connected through the Load Balancer.
Improved Instance Credential usage to stabilize connections to cloud storage when using an instance identity or instance profile.
Bug fixes
- Fixed a bug where connecting to SFTP Gateway with an SFTP client (such as Cyberduck) over an AWS S3 cloud connection could cause the system to hang due to starvation of HTTP connections.
Version 3.006.01
Feature updates
- Support for SFTP user and/or Admin login via LDAP and Active Directory LDAP Identity Providers.
- Default S3 multipart size increased from 4 MB to 100 MB to support 1 TB file uploads.
- AWS HA deployments now use RDS IAM Authentication instead of storing a password on the instance.
- Create 1000-user enterprise version for Marketplace.
- S3 multipart size and simple upload size are now configurable. Below are the property names and their default values:
features.file-system.aws-s3.max-multipart-part-size-bytes=123289600 // 100 MB
features.file-system.aws-s3.max-simple-upload-size-bytes=123289600 // 100 MB
Bug Fixes
- HNS enable/disable validation now works on new Azure Blob Cloud Connections.
- Admins logged in via OIDC can now edit other admin passwords if they logged in less than 10 minutes prior.
- Enforce a configurable timeout on the Cloud Connectivity test so it does not hang too long on a bad connection. Defaults to features.file-system.connectivity-test-time-out-seconds=30
Version 3.006.00
Feature Updates
- Prevent a user from changing their password to one of their previously used passwords. Set password.policy.prevent-previously-used-password-count=5 (default value 5) to increase or decrease the number of saved passwords. Set the property to 0 or lower to disable checking previously used passwords.
- Configurable max file size for an imported backup file. Set features.instance.backup-import-max-file-size-megabytes=100 to increase or decrease the allowed backup import size. The default max file size increased from 10 MB to 100 MB.
- Beginning of tiered licenses for SFTP Gateway Standard and Pro versions.
Bug Fixes
- Adds the password.policy.suggested-length property with a default value of 20 to fix a bug where the “Suggest Password” feature stops working if more than 20 total characters are required through the character classes.
Version 3.005.01
Feature Updates
- Support importing and migrating users with PBKDF2 HMAC SHA256 encoded passwords.
- Updates the strict KEX implementation so the key exchange ends at the first SSH_MSG_NEWKEYS received, rather than waiting for our own SSH_MSG_NEWKEYS to be sent.
- AWS Base image upgraded from Amazon Linux 2 to Amazon Linux 2023.
- Upgrade Google Cloud SQL Proxy to v2 to support PSC to connect to database.
- Remove network calls from instance boot to support starting instances in networks with no egress.
- Improve listing speed for Google Cloud Storage.
- Adds a boolean property to disable retrieving folder metadata to improve listing speeds. Defaults to features.file-system.ignore-folder-metadata=false
- Specify the minimum number of required characters in each class in the password policy. Defaults to:
password.policy.required-upper-count=1
password.policy.required-digit-count=1
password.policy.required-lower-count=1
password.policy.required-special-count=1
password.policy.require-digit=false
password.policy.require-lower=false
password.policy.require-special=false
password.policy.require-upper=false
- Use IMDSv2 on AWS for instance metadata.
- Upgrade PostgreSQL 13 to PostgreSQL 15 on Ubuntu-based images.
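The per-class password requirements above, the previously-used-password check and suggested-length fix from 3.006.00, and the PBKDF2-HMAC-SHA256 password encoding from this release, combined in one added Python model (not SFTP Gateway's code). The property defaults are taken from the release notes; the hash record layout, the field names and the suggested-length rule are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List

@dataclass
class PasswordPolicy:
    # Fields mirror the password.policy.* properties listed above, with the
    # release-note defaults (minimum length 12 as of 3.005.00).
    min_length: int = 12
    required_upper_count: int = 1
    required_lower_count: int = 1
    required_digit_count: int = 1
    required_special_count: int = 1
    prevent_previously_used_password_count: int = 5

    def class_violations(self, candidate: str) -> List[str]:
        """Return the unmet requirements; an empty list means the password passes."""
        counts = {
            "upper": sum(c.isupper() for c in candidate),
            "lower": sum(c.islower() for c in candidate),
            "digit": sum(c.isdigit() for c in candidate),
            "special": sum(not c.isalnum() for c in candidate),
        }
        required = {
            "upper": self.required_upper_count,
            "lower": self.required_lower_count,
            "digit": self.required_digit_count,
            "special": self.required_special_count,
        }
        problems = [f"needs {n} {cls} char(s)" for cls, n in required.items() if counts[cls] < n]
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        return problems

    def suggested_length(self, configured: int = 20) -> int:
        # Assumed rule that avoids the 3.006.00 bug: a suggested password is never
        # shorter than the sum of the per-class requirements or the minimum length.
        total_required = (self.required_upper_count + self.required_lower_count
                          + self.required_digit_count + self.required_special_count)
        return max(configured, total_required, self.min_length)

# PBKDF2-HMAC-SHA256 records in an assumed "pbkdf2-sha256$rounds$salt$hash" layout;
# the exact encoding SFTP Gateway imports is not given in the release notes.
def pbkdf2_hash(password: str, salt: bytes = None, rounds: int = 600_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

def reused_recently(candidate: str, history: List[str], policy: PasswordPolicy) -> bool:
    """history holds the newest record first; a count of 0 or lower disables the check."""
    n = policy.prevent_previously_used_password_count
    if n <= 0:
        return False
    return any(pbkdf2_verify(candidate, rec) for rec in history[:n])
```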
Bug Fixes
- Immediately disconnecting an SFTP client without closing the connection after a file upload will no longer cause the uploaded file to be deleted.
- Uploading a file with an extension and then uploading a file with the same name without an extension is now allowed.
- Update installation of certbot for Let's Encrypt.
- Fix logout when using Cognito OIDC so it requires credentials on next login attempt.
- Adjust application memory settings to give more memory to the OS to prevent swap thrashing on high load.
- Allow configuration of HNS enablement when using first cloud connection properties with Azure.
Version 3.005.00
Breaking API Changes
- The /token/revoke endpoint is replaced with /logout, which does not need the token as a parameter.
- The /login endpoint no longer needs to specify a 'scope' value.
- The /password endpoint is now at /3.0.0/password.
- The OIDC login process now delivers a single-use token to the front-end when OIDC login completes. The single-use token is posted to the /login endpoint as a code parameter with a grant_type of 'urn:ietf:params:oauth:grant-type:single-use-auth', which returns a usable hybrid token. This change was made so that token values possibly leaked through query string parameters would not give an attacker access to an account.
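As an added model (not SFTP Gateway's code), the Python below shows why the single-use exchange described above is safer than handing the front-end a bearer token in the query string: the code is redeemed exactly once and expires quickly, so a copy left in a referrer header or a proxy log is worthless once the legitimate front-end has used it. The 60-second lifetime, the in-memory store and the response shape are assumptions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

SINGLE_USE_GRANT = "urn:ietf:params:oauth:grant-type:single-use-auth"
CODE_TTL_SECONDS = 60   # assumed lifetime; the release notes do not state one


class SingleUseCodeStore:
    """Issues one-shot codes when OIDC login completes and redeems each at most once."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, subject: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)            # 256 bits, unguessable
        self._pending[code] = (subject, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        # pop() removes the code on first use, so a leaked copy cannot be replayed
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        subject, expires_at = entry
        if now > expires_at:                        # stale code: reject, already discarded
            return None
        return subject


def handle_login(store: SingleUseCodeStore, form: dict, now: Optional[float] = None) -> dict:
    """Model of the /login endpoint's single-use grant branch (response shape assumed)."""
    if form.get("grant_type") != SINGLE_USE_GRANT:
        return {"status": 400, "error": "unsupported_grant_type"}
    subject = store.redeem(form.get("code", ""), now)
    if subject is None:
        return {"status": 401, "error": "invalid_grant"}
    # The hybrid token's contents are not described in the release notes; a random
    # bearer token bound to the subject stands in for it here.
    return {"status": 200, "subject": subject, "token": secrets.token_urlsafe(32)}
```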
Feature Updates
- Override which SFTP Encryption algorithms are available from the server in the Admin UI.
- Improve the Admin UI by removing gutters and spanning the full width of the browser.
- Upgrade user SSH key generation to produce ECDSA and ED25519 key pairs.
- Add Alibaba OSS as a Cloud Connection type.
- Pre-calculate user permissions and cloud connections to improve SFTP user connection speed.
- Add last login date to users table.
- Show Alibaba Logs in Diagnostics screen when running on Alibaba Cloud.
- Determine password strength while creating passwords using zxcvbn.
- Show password policy adherence while creating passwords.
- Require current admin’s password when changing the password for other admin users.
- Require current password when an admin is changing their own password.
- Add field to Azure Cloud Connections to configure if HNS is enabled or not.
- Increase max memory size for backend Java jar based on memory size of instance.
- AWS base image updated from Amazon Linux 2 to Amazon Linux 2023.
- AWS IMDSv2 now enabled, supported, and required.
- Improved Load Balancer support to get and act on actual Client IP behind a load balancer.
- Default password policy increased min length from 8 to 12.
- Default password policy no longer requires lower case, upper case, digit, and special characters.
- Default password policy uses a built-in word list of 100K prohibited passwords.
Bug Fixes
- Fix issue with failing to upload files larger than 50 GB to AWS.
- Limit OIDC “prompt” query string parameter to Google Identity Providers (fixes OIDC to providers like Ping that do not support that parameter).
- Correct encoding of slashes in the base prefix for the Resolved Cloud Path for Azure Cloud Connections.
- Fix issue when importing a backup file with a conflicting name to an existing Cloud Connection.
- Ensure no connection errors when uploading more than 500 simultaneous files.
- Fix issue where many simultaneous connections from the same user could result in a failure to connect due to an ObjectOptimisticLockingFailureException.
- Pre-calculate user permissions and cloud connections to address bug where having many cloud connections could result in a database timeout.
- Ensure SSH Key Names imported from a backup are retained rather than replaced by SFTP username.
- Disable password expiration after a year on Linux root account.
- Show and allow navigation to folders that have a blank name.
- Removes automatic determination of HNS enablement on Azure Storage Accounts because it failed when using a System Assigned Identity. HNS is now specified when creating/editing Azure Cloud Connection.
- Specifying “None” permission on a folder for a user now prevents that user from listing that directory and instead will receive a permission denied message.
- Importing a backup file now supports files with UTF-8 characters.
- Importing a backup file with unsupported characters will now show errors with the line numbers of the unsupported characters.
Other
- Update Java version from 11 to 17.
- Update Spring Security from 5 to 6.
- Update Spring Boot from 2 to 3.
- Update Python 2 to Python 3.
Version 3.004.06
Security
- Addresses the SSH protocol Terrapin attack vulnerability by providing the strict key exchange countermeasure through Maverick Synergy 3.0.22.
- Addresses bouncycastle-fips CVE-2022-45146 by upgrading the library to 1.0.2.4.
Bug Fixes
- Only send “prompt=select_account” extra parameter during identity provider login when identity provider starts with https://accounts.google.com to address compatibility with parameter on other OIDC providers.
Version 3.004.05
- Updated Maverick to 3.0.21 to address passive SSH key compromise.
Version 3.004.04
Security
- Address a deserialization vulnerability in the Admin API for OIDC that affects versions 3.004.01 through 3.004.03.
- Address snakeyaml CVE-2022-1471 by updating snakeyaml to 2.x.
- Address CVE-2023-34034 by updating Spring Security.
Features
- Handle disconnect during file upload by deleting the partial file from cloud storage.
- Improve performance when many folders are defined for a user.
- Remove “Flagging IP Address” message when default IP Ban feature is disabled.
- Update azure-storage-blob sdk to 12.23.1.
- Update google-cloud-storage sdk to 2.26.0.
- Update aws sdks to 2.20.127 and 1.12.530.
Bug Fixes
- On Azure, the swap partition did not persist on reboot. It is now persisted across reboot.
Version 3.004.03
- List all files (even if more than 1,000) in Google Cloud Storage Buckets.
- Support file and folder names with backslash characters.
Version 3.004.02
Features
- Include Banner Text in exported backup file.
- Allow lack of “s3:ListAllMyBuckets” permission.
- Update Spring Security to address CVE-2023-20862.
Bug Fixes
- Show admin option to change password in the Admin UI.
- Show import errors when there are conflicts during import of Identity Providers.
- Resolve issue with newer ssh clients where RSA keys are rejected with message: sign_and_send_pubkey: no mutual signature supported.
Version 3.004.01
Features
- Allow access to logs and other diagnostic information via the new Diagnostics tab.
- Enable all SFTP host keys regardless of security level.
- Admin can configure additional OpenID Connect (OIDC) scopes on the Identity Provider forms.
Bug Fixes
- Fixed bug that prevented synchronization between HA servers on AWS in v3.4.0.
- Fixed compatibility issue with Azure Monitor Agent.
- Admins can now change the storage account/container on the Azure Cloud Connection form.
- Refreshes Identity providers list on settings screen after backup import.
- Other UI Improvements.
Version 3.004.00
- Adds OIDC login for Web Admin UI.
- Allows configuration of multiple External Identity Providers to allow OIDC login to Web Admin UI.
Version 3.003.06
- Display cloud connection resolved path for a user’s home directory when creating or editing a user.
- Fixed bug that prevented deletion of user with multiple SSH Keys or IPs Allowed.
- Fixed bug that prevented deletion of a directory on Azure when Hierarchical Namespace is enabled on the Storage Account.
- Updated Spring Framework version to 5.3.20 to avoid CVEs from previous versions.
- Updated Cloud Storage SDKs
- Updated AWS SDK to 2.18.28
- Updated Google cloud storage library to 2.15.1
- Updated Azure storage blob library to 12.20.1
Version 3.003.05
- Fixes issue when uploading files over 250 MB to AWS or Azure that pause at 100% and then report a failure. The problem was a timeout between the SFTP Gateway server and the cloud storage locations.
- Normalizes headers in the Admin UI for consistency.
Version 3.003.04
Features
- Improves performance of listing many files in Google Cloud Storage.
- Improves performance of uploading files in AWS S3.
- Adds a user-friendly Admin Landing Page on the http port.
- Adds warning message when Host Keys are not in imported backup file.
- Adds configuration and overrides of UID and GID for a user.
Bug Fixes
- Fixed a file creation bug that caused problems when using SSHFS.
- Fixed issue where the # symbol in filename cuts off the rest of the filename on Azure.
- Fixed issue where the pound sign # in the IP allow list label breaks the export/import process.
Version 3.003.03
Features
- Adds Integrated help system.
- Adds PROXY protocol support to receive client IP address behind a load-balancer.
- Migrate from Ubuntu 20 to Ubuntu 22 on Azure.
- Add Configuration of SFTP banner text to Admin UI.
- SFTP Users will not see existing files when viewing a folder with write-only permission. In previous versions, the users could list, but not download, files in write-only folders.
- SFTP Support for ed448 public and private keys.
- SFTP Support for PuTTY Version 3 Private Key format.
Bug Fixes
- Fixed disconnect issue when having multiple AWS regions configured for a user’s folders.
- Fix the configuration of the password policy so that requirements can be disabled. The following application properties disable each requirement:
password.policy.require-upper=false
password.policy.require-lower=false
password.policy.require-digit=false
password.policy.require-special=false
- Fixed VM Password support in Azure.
- Fixed issue with renaming folders on AWS where nested folders were not moved to the new name.
- Fixed SFTP v5 attribute flags being sent when using SFTP v4, which was breaking the listing of files in WinSCP in v3.3.2.
Version 3.003.02
- Solved bug where a user logging in at the same time as another user could result in the first user seeing the second user’s folders and files.
- Solved bug on Google Cloud Connection where empty files failed to write.
- Corrected the test of a Google Cloud Connection so it considers access to a bucket's metadata.
- Fixed issue with passwords imported from SFTPGWv2 not working after initial login.
- Correct bug where disabling automatic IP ban behavior did not work.
- Update local postgres service on Amazon Linux to use postgresql13 from official repository.
- Add support for version 3 of the PuTTY Private Key File Format.
- Add support for ED448 public/private keys.
Version 3.003.01
- Enables SCP support.
- Syncs server SSH host keys across HA instances, similar to the website key and SFTP host keys.
- Updates Spring and other dependencies to resolve possible CVEs.
- Displays the creation date (instead of 0) for folders created by the web admin portal.
- Improves Backup import service when merging Cloud Connection information.
Version 3.003.00
- Fixes WinSCP issue with subdirectories backed by Folder objects (WinSCP: error decoding sftp packet).
- Fixes issues with S3 encryption types.
- Fixes issues with Metadata Content-Type.
- Fixes CloudWatch log streams, which were not showing up.
- Fixes compatibility with SFTP client software Panic Transmit.
- Shows whether an SSH public key was generated or was user-provided.
- Shows that the IP filter is disabled when the IP Allow List is empty.
- Shows Folder search results as paths.
- Configures S3 buckets (created by SFTP Gateway) with S3 Block Public Access.
- Adds a Test Connection button to the Cloud Connection creation process.
- Adds configuration option to disable automatic IP banning.
Version 3.002.01
- Updated SFTP Subsystem Maverick Library from 3.0.5 to 3.0.7
- Fixed bug that did not allow updating Azure Connection String to a new storage account
- Updated log4j api dependency to 2.17.1
- Resolved minor UI issues for Cloud Connection settings screens
- Fixed bug preventing write on an unencrypted S3 Cloud Connection to an encrypted S3 bucket
- Includes cis-test.sh tool on the image to support CIS scans
Version 3.002.00
- Adds Google Cloud Connection
Version 3.001.01
- UI improvements to the Cloud Connection settings page
- Refreshes status immediately when clicking the Test Connection button
- Displays loading screen when Java is not ready
- Fixes a bug with migration
- Adds clear-admin-users.sh script to reset (remove) web admin users
- Removes log4j yum package that wasn't in use
- Updates log4j-api dependency to 2.15.0
- Fixes a bug where the web page prompts you with basic authentication
Version 3.001.00
- Fixes a bug where SFTP users cannot log in via WinSCP
- Fixes a bug where logs were not going to CloudWatch
- Fixes a bug where passwords were not working after migrating from version 2
- Fixes a bug where the Cloud Connection region was not getting imported from the backup artifact
- Fixes a bug with the Test Connection feature for Cloud Connections
- Fixes a bug with the password constraint validator
- Various other bug fixes
- Prevents a web admin from disabling all web admins
- Adds Admin UI protection from brute force attacks
- Various UI improvements
Version 3.000.01
- Fixes a bug in the AWS SDK library that caused exceptions with concurrent executions
- Fixes a bug when displaying file last modified date
- Improves performance when setting file attributes on S3 objects by using an in-place copy instead of streaming the bits through the server
- Improves backup and restore support
- Adds SFTP subsystem log messages to the application.log
- Adds username to Nginx access logs
- Various other bug fixes
Version 3.000.00
SFTP files and folders
- Read and write files directly to S3, using the SFTP protocol
- Configure folder permissions with read-only, read/write, or write-only
- Map an SFTP user's chroot directory to an S3 bucket and path
- Folder mapping lets you configure a common scenario where an internal SFTP user has read/write access to external SFTP users' data, while external users cannot see each other's data
SFTP accounts
- Authenticate SFTP users with passwords or SSH keys
- Supports multiple SSH keys per SFTP user
- Adds password complexity requirements
- Adds disabled flag for SFTP users
- Configures IP whitelisting at the user level
Web administration
- Supports multiple web admin accounts
- Simplifies first-time setup, which can be done entirely from the web admin UI (no command line required)
- Imports users and settings from SFTP Gateway 2.x via a migration process
Security
- Has undergone an independent third-party security audit
- Separates SSH and SFTP onto different ports by default
- Enables audit logging to track SFTP actions
- Mirrors log files into CloudWatch
- CloudFormation template encrypts EBS volumes by default, for encryption at rest
- Use EC2 instance profile IAM permissions to access S3, or configure IAM user credentials for each S3 bucket cloud connection
Performance and maintenance
- Improves performance and scalability through the use of the AWS SDK for Java
- Uses Postgres instead of LDAP, for easier maintenance
Cost
- Same pricing as SFTP Gateway 2.x, which is a software charge of 6 cents USD per EC2 instance hour
- 30-day free trial