SFTP Gateway Support

3.0

Release Notes

Version 3.005.00

Breaking API Changes

  • The /token/revoke endpoint is replaced with /logout, which does not need the token as a parameter.
  • The /login endpoint no longer needs to specify a 'scope' value.
  • The /password endpoint is now at /3.0.0/password.
  • The OIDC login process now delivers a Single-use token to the front-end when OIDC login completes. The single use token is posted to the /login endpoint as a code parameter with a grant_type of 'urn:ietf:params:oauth:grant-type:single-use-auth' which returns a usable hybrid token. This change was made to ensure possibly leaked token values through query string parameters would not give an attacker access to an account.

Feature Updates

  • Override which SFTP Encryption algorithms are available from the server in the Admin UI.
  • Improve Admin UI by removing gutters and spanning the full-width of the browser.
  • Upgrade user SSH key generation to produce ECDSA and ED25519 key pairs.
  • Add Alibaba OSS as a Cloud Connection type.
  • Pre-calculate user permissions and cloud connections to improve SFTP user connection speed.
  • Add last login date to users table.
  • Show Alibaba Logs in Diagnostics screen when running on Alibaba Cloud.
  • Determine password strength while creating passwords using zxcvbn.
  • Show password policy adherence while creating passwords.
  • Require current admin’s password when changing the password for other admin users.
  • Require current password when an admin is changing their own password.
  • Add field to Azure Cloud Connections to configure if HNS is enabled or not.
  • Increase max memory size for backend Java jar based on memory size of instance.
  • AWS base image updated from Amazon Linux 2 to Amazon Linux 2023.
  • AWS IMDSv2 now enabled, supported, and required.
  • Improved Load Balancer support to get and act on actual Client IP behind a load balancer.
  • Default password policy increased min length from 8 to 12.
  • Default password policy no longer requires lower case, upper case, digit, and special characters.
  • Default password policy uses a built-in word list of 100K prohibited passwords.

Bug Fixes

  • Fix issue with failing to upload files larger than 50GB to AWS.
  • Limit OIDC “prompt” query string parameter to Google Identity Providers (fixes OIDC to providers like Ping that do not support that parameter).
  • Correct encoding of slashes in the base prefix for the Resolved Cloud Path for Azure Cloud Connections.
  • Fix issue when importing a backup file with a conflicting name to an existing Cloud Connection.
  • Ensure no connection errors when uploading more than 500 simultaneous files.
  • Fix issue where many simultaneous connections from the same user could result in a failure to connect due to an ObjectOptimisticLockingFailureException.
  • Pre-calculate user permissions and cloud connections to address bug where having many cloud connections could result in a database timeout.
  • Ensure SSH Key Names imported from a backup are retained rather than replaced by SFTP username.
  • Disable password expiration after a year on Linux root account.
  • Show and allow navigation to folders that have a blank name.
  • Removes automatic determination of HNS enablement on Azure Storage Accounts because it failed when using a System Assigned Identity. HNS is now specified when creating/editing Azure Cloud Connection.
  • Specifying “None” permission on a folder for a user now prevents that user from listing that directory and instead will receive a permission denied message.
  • Importing a backup file now supports files with UTF-8 characters.
  • Importing a backup file with unsupported characters will now show errors with the line numbers of the unsupported characters.

Other

  • Update Java version from 11 to 17.
  • Update Spring Security from 5 to 6.
  • Update Spring Boot from 2 to 3.
  • Update Python2 to Python3.

Version 3.004.06

Security

  • Addresses SSH protocol terrapin-attack vulnerability (Terrapin Attack) by providing strict key exchange countermeasure through maverick synergy 3.0.22.
  • Addresses bouncycastle-fips CVE-2022-45146 by upgrading library to 1.0.2.4.

Bug Fixes

  • Only send “prompt=select_account” extra parameter during identity provider login when identity provider starts with https://accounts.google.com to address compatibility with parameter on other OIDC providers.

Version 3.004.05

  • Updated Maverick to 3.0.21 to address Passive SSH Key Compromise.

Version 3.004.04

Security

  • Address Deserialization vulnerability in Admin api for OIDC that affects versions 3.004.01-3.004.03.
  • Address snakeyaml CVE-2022-1471 by updating snakeyaml to 2.x.
  • Address cve-2023-34034 by updating Spring Security.

Features

  • Handle disconnect during file upload by deleting the partial file from cloud storage.
  • Improve performance when many folders are defined for a user.
  • Remove “Flagging IP Address” message when default IP Ban feature is disabled.
  • Update azure-storage-blob sdk to 12.23.1.
  • Update google-cloud-storage sdk to 2.26.0.
  • Update aws sdks to 2.20.127 and 1.12.530.

Bug Fixes

  • On Azure, the swap partition did not persist on reboot. It is now persisted across reboot.

Version 3.004.03

  • List all files (even if more than 1,000) in Google Cloud Storage Buckets.
  • Support file and folder names with backslash characters.

Version 3.004.02

Features

  • Include Banner Text in exported backup file.
  • Allow lack of “s3:ListAllMyBuckets” permission.
  • Update Spring Security to address CVE-2023-20862.

Bug Fixes

  • Show admin option to change password in admin ui.
  • Show import errors when there are conflicts during import of Identity Providers.
  • Resolve issue with newer ssh clients where RSA keys are rejected with message: sign_and_send_pubkey: no mutual signature supported.

Version 3.004.01

Features

  • Allow access to logs and other diagnostic information via the new Diagnostics tab.
  • Enable all SFTP host keys regardless of security level.
  • Admin can configure additional OpenID Connect (oidc) scopes on the Identity Provider forms.

Bug Fixes

  • Fixed bug that prevented synchronization between HA servers on AWS in v3.4.0.
  • Fixed compatibility issue with Azure Monitor Agent.
  • Admins can now change the storage account/container on the Azure Cloud Connection form.
  • Refreshes Identity providers list on settings screen after backup import.
  • Other UI Improvements.

Version 3.004.00

  • Adds OIDC login for Web Admin UI.
  • Allows configuration of multiple External Identity Providers to allow OIDC login to Web Admin UI.

Version 3.003.06

  • Display cloud connection resolved path for a user’s home directory when creating or editing a user.
  • Fixed bug that prevented deletion of user with multiple SSH Keys or IPs Allowed.
  • Fixed bug that prevented deletion of a directory on Azure when Hierarchical Namespace is enabled on the Storage Account.
  • Updated Spring Framework version to 5.3.20 to avoid CVEs from previous versions.
  • Updated Cloud Storage SDKs
    • Updated AWS SDK to 2.18.28
    • Updated Google cloud storage library to 2.15.1
    • Updated Azure storage blob library to 12.20.1

Version 3.003.05

  • Fixes issue when uploading files over 250 MB to AWS or Azure that pause at 100% and then report a failure. The problem was a timeout between the SFTP Gateway server and the cloud storage locations.
  • Normalizes headers in the Admin UI for consistency.

Version 3.003.04

Features

  • Improves performance of listing many files in Google Cloud Storage.
  • Improves performance of uploading files in AWS S3.
  • Adds a user-friendly Admin Landing Page on the http port.
  • Adds warning message when Host Keys are not in imported backup file.
  • Adds configuration and overrides of UID and GID for a user.

Bug Fixes

  • Fixed a file creation bug that caused problems when using SSHFS.
  • Fixed issue where the # symbol in filename cuts off the rest of the filename on Azure.
  • Fixed issue where the pound sign # in the IP allow list label breaks the export/import process.

Version 3.003.03

Features

  • Adds Integrated help system.
  • Adds PROXY protocol support to receive client IP address behind a load-balancer.
  • Migrate from Ubuntu 20 to Ubuntu 22 on Azure.
  • Add Configuration of SFTP banner text to Admin UI.
  • SFTP Users will not see existing files when viewing a folder with write-only permission. In previous versions, the users could list, but not download, files in write-only folders.
  • SFTP Support for ed448 public and private keys.
  • SFTP Support for PuTTY Version 3 Private Key format.

Bug Fixes

  • Fixed disconnect issue when having multiple AWS regions configured for a user’s folders.
  • Fix the configuration of password policy so requirements can be disabled The following application properties will disable each requirement:
password.policy.require-upper=false
password.policy.require-lower=false
password.policy.require-digit=false
password.policy.require-special=false
  • Fixed VM Password support in Azure.
  • Fixed issue with renaming folders on AWS where nested folders were not moved to the new name.
  • Fixed SFTP v5 attribute flags being sent when using SFTP v4, which was breaking the listing of files in WinSCP in v3.3.2.

Version 3.003.02

  • Solved bug where a user logging in at the same time as another user could result in the first user seeing the second user’s folders and files.
  • Solved bug on Google Cloud Connection where empty files failed to write.
  • Corrected the test of a Google Cloud Connection so it considers access to a bucket's metadata.
  • Fixed issue with passwords imported from SFTPGWv2 not working after initial login.
  • Corrected usage of Azure Instance Identity so it will pick up identities that are assigned after the instance has started.
  • Enable Boot Diagnostics in the Azure ARM Templates.
  • Correct bug where disabling automatic IP ban behavior did not work.
  • Update local postgres service on Amazon Linux to use postgresql13 from official repository.
  • Add support for version 3 of the PuTTY Private Key File Format.
  • Add support for ED448 public/private keys.

Version 3.003.01

  • Enables SCP support.
  • Syncs server SSH host keys across HA instances, similar to the website key and SFTP host keys.
  • Updates Spring and other dependencies to resolve possible CVEs.
  • Displays the creation date (instead of 0) for folders created by the web admin portal.
  • Improves Backup import service when merging Cloud Connection information.
  • Enables HNS when creating Azure Blob Storage accounts.
  • Caches Azure credentials when using Instance Identity to solve rate limits and long loading times that were occurring.
  • Enables Serial console on Azure when using the ARM template.

Version 3.003.00

  • Fixes WinSCP issue with subdirectories backed by Folder objects (WinSCP: error decoding sftp packet).
  • Fixes compatibility with SFTP client software Panic Transmit.
  • Shows whether an SSH public key was generated or was user-provided.
  • Shows that the IP filter is disabled when the IP Allow List is empty.
  • Shows Folder search results as paths.
  • Adds a Test Connection button to the Cloud Connection creation process.
  • Adds configuration option to disable automatic IP banning
  • Adds configuration option to increase the file upload limit on Azure.

Version 3.002.01

  • Updated SFTP Subsystem Maverick Library from 3.0.5 to 3.0.7
  • Fixed bug that did not allow updating Azure Connection String to a new storage account
  • Updated log4j api dependency to 2.17.1
  • Resolved minor UI issues for Cloud Connection settings screens
  • Fixed bug preventing write on an unencrypted S3 Cloud Connection to an encrypted s3 bucket

Version 3.002.00

  • Adds Google Cloud Connection

Version 3.001.01

  • UI improvements to the Cloud Connection settings page
  • Refreshes status immediately when clicking the Test Connection button
  • Displays loading screen when Java is not ready
  • Fixes a bug with migration
  • Adds clear-admin-users.sh script to reset (remove) web admin users
  • Removes log4j yum package that wasn't in use
  • Updates log4j-api dependency to 2.15.0
  • Fixes a bug where the web page prompts you with basic authentication

Version 3.001.00

  • Fixes a bug where SFTP users cannot log in via WinSCP
  • Fixes a bug where passwords were not working after migrating from version 2
  • Fixes a bug with the Test Connection feature for Cloud Connections
  • Fixes a bug with the password constraint validator
  • Various other bug fixes
  • Prevents a web admin from disabling all web admins
  • Adds Admin UI protection from brute force attacks
  • Various UI improvements

Version 3.000.01

  • Fixes a bug when displaying file last modified date
  • Improves backup and restore support
  • Adds SFTP subsystem log messages to the application.log
  • Adds username to Nginx access logs
  • Various other bug fixes

Version 3.000.00

SFTP files and folders

  • Read and write files directly to Blob, using the SFTP protocol
  • Configure folder permissions with read-only, read/write, or write-only
  • Map an SFTP user's chroot directory to a Blob container and path
  • Folder mapping lets you configure a common scenario where an internal SFTP user has read/write access to external SFTP users' data, while external users cannot see each other's data

SFTP accounts

  • Authenticate SFTP users with passwords or SSH keys
  • Supports multiple SSH keys per SFTP user
  • Adds password complexity requirements
  • Adds disabled flag for SFTP users
  • Configures IP whitelisting at the user level

Web administration

  • Supports multiple web admin accounts
  • Simplifies first-time setup, which can be done entirely from the web admin UI (no command line required)
  • Imports users and settings from SFTP Gateway 2.x via a migration process

Security

  • Has undergone an independent third-party security audit
  • Separates SSH and SFTP onto different ports by default
  • Enables audit logging to track SFTP actions

Performance and maintenance

  • Improves performance and scalability through the use of the Azure SDK for Java
  • Uses Postgres instead of LDAP, for easier maintenance

Cost

  • Same pricing as SFTP Gateway 2.x, which is a software charge of 6 cents USD per VM hour
  • 30-day free trial
PreviousAzure Connection String