LogonBox SSPR 2.3.19 – Security Boulevard

Introduction

LogonBox is pleased to announce the immediate availability of LogonBox SSPR 2.3.19.
This release includes support for Twilio SMS and improvements to SSH user directory, credential provider, and validated email for OTP authentication.

Twilio

LogonBox now supports Twilio directly for sending SMS messages. Previously this was configurable using a custom SMS task with a trigger.
With this release, you can now select Twilio as your SMS provider in Authentication Flow->Authentication Options->SMS, then enter your Twilio SID and Token in the Twilio tab that appears.

This feature is preconfigured and free to use on our cloud services during the trial period. There will be options to purchase credits to continue using our Twilio service in production without having to create a Twilio account yourself.

SSH user directory improvements

The SSH user directory now supports password lockouts (using faillock) on Red Hat systems.
Previously it only supported account locks (using passwd -l), which are still supported.

When reading the /etc/passwd file while synchronizing users, the previous limitation of a 32 KB file size no longer applies, which means that it is now possible to synchronize a larger number of users.

Credential provider improvements

We improved the way the desktop credential provider registers with the server.
We have separately released a new version of the credential provider (version 4.11) which contains further improvements and fixes regarding password reset and integration with our VPN.

Changes to one-time password validated emails

Due to the way OTP previously worked with validating a user’s email address, if that user’s directory email address changed at any time, all OTPs would still be sent to the old address.
We’ve made a few changes to address this issue:

  • If you’re using directory emails, users won’t need to verify their email the first time they log in.
  • If a user’s email address changes in the directory, all new OTPs will be sent to the new email as expected.
  • If you add an additional email to the user’s account in LogonBox, the user will also have the option to send an OTP to that address.

When Use Directory Email is enabled, users will no longer see the list of validated emails in My Credentials->OTP.

If you have disabled Use Directory Mail, OTP validated emails will work as before, using only emails stored in LogonBox.

Admin User Login Changes

A new Show Admin Link option is now available in Authentication Flow->Authentication Options->Admin. This option will add an Administration link below the user login page, which you can use to switch to the administrator login page instead of manually visiting /app/admin.

Upgrade Instructions

You can upgrade directly from the web UI or from the operating system.

To upgrade from the web UI, log in with your administrator account, navigate to Server Status from the main dashboard, and click Update. You may also be automatically prompted on login if you have enabled Updates, Features and Licenses->Update Prompt.

To upgrade from the operating system:

On Windows – download the new installer, run it and follow the prompts.

On a LogonBox VM – from a shell, type:

apt update
apt upgrade

If you are still using a version earlier than 2.3, you will need to perform a few additional steps from within the operating system, as detailed here:

https://docs.logonbox.com/app/manpage/en/article/6172513

Our support team will be upgrading Cloud customers over the next week.

Changes

Here is a summary of the changes made in this release.

Features

  • Twilio SMS support has been added and is preconfigured by default for cloud trials.
  • The SSH directory now supports password and account lockouts on Red Hat systems (faillock and passwd -l).
  • The SSH directory can now read /etc/passwd files larger than 32KB.
  • We improved the way the desktop credential provider registers with the server.
  • Changes to OTP validated emails (AD email changes, use of additional emails).
  • New option to display the Administration link.

Bug Fixes

  • AD User’s Fullname attribute incorrectly uses AD’s Description attribute.
  • End users receive suspended account emails again.
  • The number of completed profiles is now consistent between the graphs and the number of profiles in the Users menu.
  • Added some missing database cascades which prevented some resources from being removed.
  • You can now delete domains on the Windows version.
  • Let’s Encrypt adds the intermediate certificate.
  • The profile status is updated when the PIN and questions are used.
  • Fixes to Windows H2 database to add cascades when deleting.
  • Added some missing i18n strings for Lock Threshold, Window and Time.
  • On Windows installs you can now delete realms again.
  • Added permissions to fix 403 error on My Resources->Passwords.
  • Added missing i18n strings on some AD attributes (givenName, sn, displayName) visible in User Directory->User Attributes and on My Profile end user.

Credential Provider 4.11

  • The LogonBox Directory version now prevents login from email addresses and displays an appropriate warning.
  • Password check now encodes the password in base64 instead of using plain text when passed as part of the passwordCheck API.
  • The LogonBox VPN start link is working as expected again.
