Release Notes
Version 3.006.00
Feature Updates
- Prevent a user from changing their password to one of their previously used passwords. Set password.policy.prevent-previously-used-password-count=5 (the default) higher or lower to change how many previous passwords are remembered and checked; set it to 0 or less to disable the check.
- Configurable max file size for an imported backup file. Set features.instance.backup-import-max-file-size-megabytes=100 higher or lower to change the allowed backup import size. The default max file size was increased from 10 MB to 100 MB.
- Beginning of tiered licenses for SFTP Gateway Standard and Pro versions.
Bug Fixes
- Adds the password.policy.suggested-length property, with a default value of 20, to fix a bug where the "Suggest Password" feature stopped working if more than 20 total characters were required through the character classes.
Version 3.005.01
Feature Updates
- Support importing and migrating users with PBKDF2-HMAC-SHA256 password hashes.
- Updates strict KEX handling so the strict phase ends when the first SSH_MSG_NEWKEYS is received, rather than waiting for ours to be sent.
- AWS base image upgraded from Amazon Linux 2 to Amazon Linux 2023.
- Upgrade the Google Cloud SQL Auth Proxy to v2 so Private Service Connect (PSC) can be used to reach the database.
- Remove network calls from instance boot to support starting instances in networks with no egress.
- Improve listing speed for Google Cloud Storage.
- Adds a boolean property to disable retrieving folder metadata to improve listing speeds; defaults to features.file-system.ignore-folder-metadata=false.
- Specify the minimum number of required characters in each class in the password policy. The count for a class only applies while that class's require-* property is true. Defaults:
password.policy.required-upper-count=1
password.policy.required-digit-count=1
password.policy.required-lower-count=1
password.policy.required-special-count=1
password.policy.require-digit=false
password.policy.require-lower=false
password.policy.require-special=false
password.policy.require-upper=false
- Use IMDSv2 on AWS for instance metadata.
- Upgrade PostgreSQL 13 to PostgreSQL 15 on Ubuntu-based images.
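The password-policy properties listed above, together with the previously-used-password count and suggested-length properties from 3.006.00 and the PBKDF2-HMAC-SHA256 hashes 3.005.01 imports, fit together as follows. This is an added example in Python, not SFTP Gateway's own code; the property-file layout, the violation messages, the PBKDF2 iteration count and the two-entry stand-in for the built-in prohibited list are assumptions.

```python
"""Password-policy checker built around the password.policy.* properties
named in these release notes. Added illustration, not SFTP Gateway's code:
property parsing, message text, PBKDF2_ITERATIONS and the tiny prohibited
list are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field, fields
from typing import List, Optional, Sequence, Tuple

CLASSES = {  # character classes the policy can require
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
PBKDF2_ITERATIONS = 100_000  # assumed; raise for production use


@dataclass
class PasswordPolicy:
    # Defaults follow the values quoted for 3.005.00, 3.005.01 and 3.006.00.
    min_length: int = 12
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    required_upper_count: int = 1
    required_lower_count: int = 1
    required_digit_count: int = 1
    required_special_count: int = 1
    suggested_length: int = 20
    prevent_previously_used_password_count: int = 5
    # Constructed stand-in for the built-in 100K prohibited-password list.
    prohibited: frozenset = field(
        default_factory=lambda: frozenset({"password1234", "letmein12345"}))

    @classmethod
    def from_properties(cls, text: str) -> "PasswordPolicy":
        """Build a policy from 'password.policy.<name>=<value>' lines (assumed layout)."""
        types = {f.name: f.type for f in fields(cls)}
        kwargs = {}
        for raw in text.splitlines():
            key, sep, value = raw.strip().partition("=")
            name = key.replace("password.policy.", "").replace("-", "_")
            if not sep or name not in types or name == "prohibited":
                continue
            kwargs[name] = (value.strip().lower() == "true"
                            if types[name] is bool else int(value))
        return cls(**kwargs)

    def class_rules(self) -> List[Tuple[str, str, int]]:
        """(class name, alphabet, minimum count) for each class that is required."""
        return [(name, CLASSES[name], getattr(self, f"required_{name}_count"))
                for name in CLASSES if getattr(self, f"require_{name}")]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256, the hash format 3.005.01 can import; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def validate(policy: PasswordPolicy, password: str,
             history: Sequence[Tuple[bytes, bytes]]) -> List[str]:
    """Return the rules `password` breaks (empty list = accepted).
    `history` holds (salt, digest) pairs from hash_password, newest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    for name, alphabet, need in policy.class_rules():
        if sum(c in alphabet for c in password) < need:
            problems.append(f"at least {need} {name} characters")
    if password.lower() in policy.prohibited:
        problems.append("on prohibited-password list")
    keep = policy.prevent_previously_used_password_count
    if keep > 0:  # a value <= 0 disables the history check (3.006.00)
        for salt, digest in history[:keep]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"matches one of the last {keep} passwords")
                break
    return problems


def suggest(policy: PasswordPolicy) -> str:
    """Generate a password that satisfies `policy`. The length is the larger of
    suggested_length and the total of the per-class minimums, which is the
    case the 3.006.00 'Suggest Password' fix had to handle."""
    rules = policy.class_rules()
    length = max(policy.suggested_length, policy.min_length,
                 sum(need for _, _, need in rules))
    chars = [secrets.choice(alphabet) for _name, alphabet, need in rules for _ in range(need)]
    everything = "".join(CLASSES.values())
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

With the defaults only the 12-character minimum and the prohibited list are enforced; turning on the require-* flags makes the per-class counts bite, and a suggestion then grows past suggested-length whenever the counts add up to more than that. The history check reads at most the configured number of stored hashes and is skipped entirely when the count is 0 or less.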
Bug Fixes
- Immediately disconnecting an SFTP client without closing the connection after a file upload no longer causes the uploaded file to be deleted.
- Uploading a file with an extension and then uploading a file with the same name without an extension is now allowed.
- Update installation of certbot for Let's Encrypt.
- Fix logout when using Cognito OIDC so it requires credentials on the next login attempt.
- Adjust application memory settings to give more memory to the OS to prevent swap thrashing under high load.
- Allow configuration of HNS (hierarchical namespace) enablement when using first-cloud-connection properties with Azure.
Version 3.005.00
Breaking API Changes
- The /token/revoke endpoint is replaced with /logout, which does not need the token as a parameter.
- The /login endpoint no longer needs to specify a 'scope' value.
- The /password endpoint is now at /3.0.0/password.
- The OIDC login process now delivers a single-use token to the front-end when OIDC login completes. The single-use token is posted to the /login endpoint as a code parameter with a grant_type of 'urn:ietf:params:oauth:grant-type:single-use-auth', which returns a usable hybrid token. This change was made so that a token value leaked through query string parameters (browser history, Referer headers, proxy logs) would not give an attacker access to an account.
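The single-use exchange described above, as an added illustration in Python rather than SFTP Gateway's implementation: the IdP callback mints a one-shot code, the front-end posts it to /login with the quoted grant_type, and the server consumes it atomically so a replayed or expired code never yields a session. The store layout, the 60-second TTL, the response fields and the error names are assumptions.

```python
"""Single-use OIDC completion token of the kind 3.005.00 describes: the
front-end receives a one-shot code and exchanges it at /login for the real
token, so a value that leaks through a URL, Referer header or proxy log
cannot be reused. Added illustration, not SFTP Gateway's implementation;
store layout, TTL, response fields and error names are assumptions."""
import secrets
import threading
import time
from typing import Callable, Dict, Optional, Tuple

SINGLE_USE_GRANT = "urn:ietf:params:oauth:grant-type:single-use-auth"  # value quoted in the notes
CODE_TTL_SECONDS = 60.0  # assumed; short because the code transits the browser


class SingleUseAuthStore:
    """Maps codes to subjects; every code can be redeemed at most once."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._codes: Dict[str, Tuple[str, float]] = {}
        self._lock = threading.Lock()
        self._now = now  # injectable clock so expiry can be tested offline

    def issue(self, subject: str) -> str:
        """Mint a code once the IdP callback has been verified; hand it to the front-end once."""
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = (subject, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str) -> Optional[str]:
        """Consume the code atomically; None for unknown, replayed or expired codes."""
        with self._lock:
            entry = self._codes.pop(code, None)  # pop: a second redeem of the same code always fails
        if entry is None:
            return None
        subject, expires = entry
        return subject if self._now() <= expires else None

    def purge_expired(self) -> int:
        """Drop codes that were never redeemed; returns how many were removed."""
        now = self._now()
        with self._lock:
            dead = [c for c, (_, exp) in self._codes.items() if exp < now]
            for c in dead:
                del self._codes[c]
        return len(dead)


def handle_login(store: SingleUseAuthStore, form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal /login handler for the single-use grant; returns (HTTP status, JSON body)."""
    if form.get("grant_type") != SINGLE_USE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    subject = store.redeem(form.get("code", ""))
    if subject is None:
        return 401, {"error": "invalid_grant"}  # same answer for replay, expiry and garbage
    return 200, {"token_type": "hybrid", "subject": subject,
                 "access_token": secrets.token_urlsafe(32)}
```

The important property is that the code itself carries no authority: it is high-entropy, expires quickly, and is removed from the store in the same locked step that reads it, so a value captured from a query string is worthless once the legitimate front-end has exchanged it. The real token is only ever delivered in the POST response body.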
Feature Updates
- Override which SSH cipher (encryption) algorithms the SFTP server offers, from the Admin UI.
- Improve Admin UI by removing gutters and spanning the full-width of the browser.
- Upgrade user SSH key generation to produce ECDSA and ED25519 key pairs.
- Add Alibaba OSS as a Cloud Connection type.
- Pre-calculate user permissions and cloud connections to improve SFTP user connection speed.
- Add last login date to users table.
- Show Alibaba Logs in Diagnostics screen when running on Alibaba Cloud.
- Determine password strength while creating passwords using zxcvbn.
- Show password policy adherence while creating passwords.
- Require current admin’s password when changing the password for other admin users.
- Require current password when an admin is changing their own password.
- Add field to Azure Cloud Connections to configure if HNS is enabled or not.
- Increase max memory size for backend Java jar based on memory size of instance.
- AWS base image updated from Amazon Linux 2 to Amazon Linux 2023.
- AWS IMDSv2 now enabled, supported, and required.
- Improved Load Balancer support to get and act on actual Client IP behind a load balancer.
- Default password policy increased min length from 8 to 12.
- Default password policy no longer requires lower case, upper case, digit, and special characters.
- Default password policy uses a built-in word list of 100K prohibited passwords.
Bug Fixes
- Fix issue with failing to upload files larger than 50GB to AWS.
- Limit OIDC “prompt” query string parameter to Google Identity Providers (fixes OIDC to providers like Ping that do not support that parameter).
- Correct encoding of slashes in the base prefix for the Resolved Cloud Path for Azure Cloud Connections.
- Fix issue when importing a backup file with a conflicting name to an existing Cloud Connection.
- Ensure no connection errors when uploading more than 500 simultaneous files.
- Fix issue where many simultaneous connections from the same user could result in a failure to connect due to an ObjectOptimisticLockingFailureException.
- Pre-calculate user permissions and cloud connections to address bug where having many cloud connections could result in a database timeout.
- Ensure SSH Key Names imported from a backup are retained rather than replaced by SFTP username.
- Disable password expiration after a year on Linux root account.
- Show and allow navigation to folders that have a blank name.
- Removes automatic determination of HNS enablement on Azure Storage Accounts because it failed when using a System Assigned Identity. HNS is now specified when creating/editing Azure Cloud Connection.
- Specifying “None” permission on a folder for a user now prevents that user from listing that directory and instead will receive a permission denied message.
- Importing a backup file now supports files with UTF-8 characters.
- Importing a backup file with unsupported characters will now show errors with the line numbers of the unsupported characters.
Other
- Update Java version from 11 to 17.
- Update Spring Security from 5 to 6.
- Update Spring Boot from 2 to 3.
- Update Python2 to Python3.
Version 3.004.06
Security
- Addresses the SSH Terrapin attack (CVE-2023-48795, prefix truncation of the SSH transport) by adopting the strict key exchange countermeasure via Maverick Synergy 3.0.22.
- Addresses bouncycastle-fips CVE-2022-45146 by upgrading the library to 1.0.2.4.
Bug Fixes
- Only send the "prompt=select_account" parameter during identity provider login when the identity provider URL starts with https://accounts.google.com, for compatibility with OIDC providers that reject that parameter.
Version 3.004.05
- Updated Maverick to 3.0.21 to address Passive SSH Key Compromise.
Version 3.004.04
Security
- Address a deserialization vulnerability in the Admin API for OIDC that affects versions 3.004.01-3.004.03.
- Address snakeyaml CVE-2022-1471 by updating snakeyaml to 2.x.
- Address CVE-2023-34034 by updating Spring Security.
Features
- Handle disconnect during file upload by deleting the partial file from cloud storage.
- Improve performance when many folders are defined for a user.
- Remove “Flagging IP Address” message when default IP Ban feature is disabled.
- Update azure-storage-blob sdk to 12.23.1.
- Update google-cloud-storage sdk to 2.26.0.
- Update aws sdks to 2.20.127 and 1.12.530.
Bug Fixes
- On Azure, the swap partition did not persist on reboot. It is now persisted across reboot.
Version 3.004.03
- List all files (even if more than 1,000) in Google Cloud Storage Buckets.
- Support file and folder names with backslash characters.
Version 3.004.02
Features
- Include Banner Text in exported backup file.
- Allow operation without the "s3:ListAllMyBuckets" permission.
- Update Spring Security to address CVE-2023-20862.
Bug Fixes
- Show admin option to change password in admin ui.
- Show import errors when there are conflicts during import of Identity Providers.
- Resolve issue with newer SSH clients that reject RSA keys with the message "sign_and_send_pubkey: no mutual signature supported" (recent OpenSSH releases no longer accept the SHA-1 based ssh-rsa signature algorithm).
Version 3.004.01
Features
- Allow access to logs and other diagnostic information via the new Diagnostics tab.
- Enable all SFTP host keys regardless of security level.
- Admin can configure additional OpenID Connect (oidc) scopes on the Identity Provider forms.
Bug Fixes
- Fixed bug that prevented synchronization between HA servers on AWS in 3.004.00.
- Fixed compatibility issue with Azure Monitor Agent.
- Admins can now change the storage account/container on the Azure Cloud Connection form.
- Refreshes Identity providers list on settings screen after backup import.
- Other UI Improvements.
Version 3.004.00
- Adds OIDC login for Web Admin UI.
- Allows configuration of multiple External Identity Providers to allow OIDC login to Web Admin UI.
Version 3.003.06
- Display cloud connection resolved path for a user’s home directory when creating or editing a user.
- Fixed bug that prevented deletion of user with multiple SSH Keys or IPs Allowed.
- Fixed bug that prevented deletion of a directory on Azure when Hierarchical Namespace is enabled on the Storage Account.
- Updated Spring Framework version to 5.3.20 to avoid CVEs from previous versions.
- Updated Cloud Storage SDKs
- Updated AWS SDK to 2.18.28
- Updated Google cloud storage library to 2.15.1
- Updated Azure storage blob library to 12.20.1
Version 3.003.05
- Fixes issue when uploading files over 250 MB to AWS or Azure that pause at 100% and then report a failure. The problem was a timeout between the SFTP Gateway server and the cloud storage locations.
- Normalizes headers in the Admin UI for consistency.
Version 3.003.04
Features
- Improves performance of listing many files in Google Cloud Storage.
- Improves performance of uploading files in AWS S3.
- Adds a user-friendly Admin Landing Page on the http port.
- Adds warning message when Host Keys are not in imported backup file.
- Adds configuration and overrides of UID and GID for a user.
Bug Fixes
- Fixed a file creation bug that caused problems when using SSHFS.
- Fixed issue where the # symbol in filename cuts off the rest of the filename on Azure.
- Fixed issue where the pound sign # in the IP allow list label breaks the export/import process.
Version 3.003.03
Features
- Adds Integrated help system.
- Adds PROXY protocol support to receive client IP address behind a load-balancer.
- Migrate from Ubuntu 20 to Ubuntu 22 on Azure.
- Add Configuration of SFTP banner text to Admin UI.
- SFTP Users will not see existing files when viewing a folder with write-only permission. In previous versions, the users could list, but not download, files in write-only folders.
- SFTP Support for ed448 public and private keys.
- SFTP Support for PuTTY Version 3 Private Key format.
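The PROXY protocol support above, and the load-balancer client-IP handling in 3.005.00, both depend on reading the original client address from a header the load balancer prepends to the TCP stream. The following is an added example in Python, not SFTP Gateway's code, of parsing a PROXY protocol v1 line and of the check a practitioner wants around it: the header is honoured only when the TCP peer is a trusted load balancer, because otherwise any client could assert a fake address and bypass IP allow lists and bans. The trusted subnet is an assumption.

```python
"""PROXY protocol v1 handling of the kind needed to learn the real client
address behind a load balancer. Added illustration, not SFTP Gateway's
code; TRUSTED_PROXIES is an assumed load-balancer subnet."""
import ipaddress
from typing import Optional, Tuple

# Only connections arriving from these networks may carry a PROXY header;
# anything else could forge a client address to dodge IP allow lists or bans.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed
MAX_V1_HEADER = 107  # bytes including CRLF, per the PROXY protocol spec

Endpoints = Tuple[str, int, str, int]  # src_ip, src_port, dst_ip, dst_port


class ProxyHeaderError(ValueError):
    """Raised for a missing or malformed PROXY line."""


def parse_proxy_v1(data: bytes) -> Tuple[Optional[Endpoints], bytes]:
    """Split a PROXY v1 line off the front of `data`.
    Returns (endpoints, remaining bytes); endpoints is None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ProxyHeaderError("missing or oversized PROXY line")
    parts = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if parts[1] == "UNKNOWN":
        return None, rest  # the balancer could not determine the origin
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad PROXY transport or field count")
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError as exc:
        raise ProxyHeaderError(f"unparseable address or port: {exc}") from exc
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match transport")
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), rest


def accepts(data: bytes) -> bool:
    """True when `data` begins with a well-formed PROXY v1 line."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def effective_client_ip(peer_ip: str, first_bytes: bytes) -> Tuple[str, bytes]:
    """Return (IP to use for allow lists, bans and logs, bytes belonging to the SSH stream).
    The PROXY line is honoured only when the TCP peer is a trusted load balancer."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip, first_bytes  # direct client: its own data, no spoofing possible
    endpoints, rest = parse_proxy_v1(first_bytes)
    return (endpoints[0] if endpoints else peer_ip), rest
```

In a real listener the first read may not yet contain the whole line, so the caller should buffer until CRLF or the 107-byte limit is reached before calling the parser; everything after the CRLF is the start of the SSH banner and must be handed to the SSH layer untouched.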
Bug Fixes
- Fixed disconnect issue when having multiple AWS regions configured for a user’s folders.
- Fix the configuration of password policy so requirements can be disabled. The following application properties disable each requirement:
password.policy.require-upper=false
password.policy.require-lower=false
password.policy.require-digit=false
password.policy.require-special=false
- Fixed VM Password support in Azure.
- Fixed issue with renaming folders on AWS where nested folders were not moved to the new name.
- Fixed SFTP v5 attribute flags being sent when using SFTP v4, which broke file listing in WinSCP in 3.003.02.
Version 3.003.02
- Solved bug where a user logging in at the same time as another user could result in the first user seeing the second user’s folders and files.
- Solved bug on Google Cloud Connection where empty files failed to write.
- Corrected the test of a Google Cloud Connection so it considers access to a bucket's metadata.
- Fixed issue with passwords imported from SFTPGWv2 not working after initial login.
- Corrected usage of Azure Instance Identity so it will pick up identities that are assigned after the instance has started.
- Enable Boot Diagnostics in the Azure ARM Templates.
- Correct bug where disabling automatic IP ban behavior did not work.
- Update local postgres service on Amazon Linux to use postgresql13 from official repository.
- Add support for version 3 of the PuTTY Private Key File Format.
- Add support for ED448 public/private keys.
Version 3.003.01
- Enables SCP support.
- Syncs server SSH host keys across HA instances, similar to the website key and SFTP host keys.
- Updates Spring and other dependencies to resolve possible CVEs.
- Displays the creation date (instead of 0) for folders created by the web admin portal.
- Improves Backup import service when merging Cloud Connection information.
- Enables HNS when creating Azure Blob Storage accounts.
- Caches Azure credentials when using Instance Identity to solve rate limits and long loading times that were occurring.
- Enables Serial console on Azure when using the ARM template.
Version 3.003.00
- Fixes WinSCP issue with subdirectories backed by Folder objects (WinSCP: error decoding sftp packet).
- Fixes compatibility with SFTP client software Panic Transmit.
- Shows whether an SSH public key was generated or was user-provided.
- Shows that the IP filter is disabled when the IP Allow List is empty.
- Shows Folder search results as paths.
- Adds a Test Connection button to the Cloud Connection creation process.
- Adds configuration option to disable automatic IP banning
- Adds configuration option to increase the file upload limit on Azure.
Version 3.002.01
- Updated SFTP Subsystem Maverick Library from 3.0.5 to 3.0.7
- Fixed bug that did not allow updating Azure Connection String to a new storage account
- Updated log4j api dependency to 2.17.1
- Resolved minor UI issues for Cloud Connection settings screens
- Fixed bug preventing write on an unencrypted S3 Cloud Connection to an encrypted s3 bucket
Version 3.002.00
- Adds Google Cloud Connection
Version 3.001.01
- UI improvements to the Cloud Connection settings page
- Refreshes status immediately when clicking the Test Connection button
- Displays loading screen when Java is not ready
- Fixes a bug with migration
- Adds clear-admin-users.sh script to reset (remove) web admin users
- Removes log4j yum package that wasn't in use
- Updates log4j-api dependency to 2.15.0
- Fixes a bug where the web page prompts you with basic authentication
Version 3.001.00
- Fixes a bug where SFTP users cannot log in via WinSCP
- Fixes a bug where passwords were not working after migrating from version 2
- Fixes a bug with the Test Connection feature for Cloud Connections
- Fixes a bug with the password constraint validator
- Various other bug fixes
- Prevents a web admin from disabling all web admins
- Adds Admin UI protection from brute force attacks
- Various UI improvements
Version 3.000.01
- Fixes a bug when displaying file last modified date
- Improves backup and restore support
- Adds SFTP subsystem log messages to the application.log
- Adds username to Nginx access logs
- Various other bug fixes
Version 3.000.00
SFTP files and folders
- Read and write files directly to Blob, using the SFTP protocol
- Configure folder permissions with read-only, read/write, or write-only
- Map an SFTP user's chroot directory to a Blob container and path
- Folder mapping lets you configure a common scenario where an internal SFTP user has read/write access to external SFTP users' data, while external users cannot see each other's data
SFTP accounts
- Authenticate SFTP users with passwords or SSH keys
- Supports multiple SSH keys per SFTP user
- Adds password complexity requirements
- Adds disabled flag for SFTP users
- Configures IP whitelisting at the user level
Web administration
- Supports multiple web admin accounts
- Simplifies first-time setup, which can be done entirely from the web admin UI (no command line required)
- Imports users and settings from SFTP Gateway 2.x via a migration process
Security
- Has undergone an independent third-party security audit
- Separates SSH and SFTP onto different ports by default
- Enables audit logging to track SFTP actions
Performance and maintenance
- Improves performance and scalability through the use of the Azure SDK for Java
- Uses Postgres instead of LDAP, for easier maintenance
Cost
- Same pricing as SFTP Gateway 2.x, which is a software charge of 6 cents USD per VM hour
- 30-day free trial