BoKS Manager

March 2024

Client c-8.1.0.12

March 13, 2024

New Features

• New option '-f filename' has been added in showmaster to specify a bcastaddr file.
• Added Sudo v1.8 or higher as dependency to native packages.
• The new '-f' option added to showmaster to specify the bcastaddr file to use instead of the default one.

Enhancements

• RHEL 9 x390x Systemd config boksm.service updated

• Security:

  OS command injection might occur if a user name or host name has shell metacharacters.
  Destination constraints only apply to the first key in PKCS#11-hosted private keys.
  SSH Terrapin-attack.

Fixes

• Old sudo version gave error for normal users unless sudo'/allow-pass-env-vars was set to true.
• Sudo symlinks execution.
• Import of legacy ENV variable REPORT_BOKS_SSH_VERSION failed.
• On AIX, after upgrading native package from 8.0, BoKS would not start at boot.
• Look for the command to execute in the target user's environment with "sudo -i".
• boks_sshd does not handle optional kerberos with ticket_only modifier correctly.

January 2024

Client c-8.1.0.11-2

January 29, 2023

Enhancements

• The Curl library is upgraded to 8.4.0 and the Curl binary is removed from BoKS releases.

• Security:

  Remote code execution in ssh-agent via PKCS#11 provider.

• Added support for Red Hat EL 8 s390x and Red Hat EL 9 s390x for Server Agent.

• Added support for SuSE EL12 x64.

Fixes

• Corrected a Symlink loop in two PAM files upgrading to BoKS 8.1 when sysreplace.conf file is modified.
• Fixed an issue where boksdiag did not update the authorized_keys file.
• sudoedit no longer core dumps if yubikey is not setup correctly.
• Fixed crashing of PAM programs if offline mode was not correctly setup.
• tty50 is now considered to be a console device in Linux.
• Fixed the bokssetup fail if communication / host-identifier is already set to IP-addr.

December 2023

Version 7.2 .0.17

December 12, 2023

Enhancements

• C-ares library upgrade to 1.19.1

• Curl library upgrade to 8.4.0 and Curl binary removal

Fixes

• boksdiag does not update the authorized_keys file

• SHowmaster too long default timeout prevents retry

• Remote code execution in ssh-agent via PKCS#11 provider

Client c-8.0.0.14

December 19, 2023

Enhancements

• The Curl library is upgraded to 8.4.0 and the Curl binary is removed from BoKS releases.

• Security:

  Remote code execution in ssh-agent via PKCS#11 provider.

Fixes

• Showmaster too long default timeout prevents retry
• Uninstalling RMP on AIX prints warnings about failing to remove /optboksm/sbin/setup file
• ttyS0 is now considered to be a console device on Linux
• Remote code execution in ssh-agent via PKCS#11 provider

November 2023

Server s-8.1.0.7

November 7, 2023

Enhancements

• The Curl library is upgraded to 8.4.0 and the Curl binary is removed from BoKS releases.

• BoKS 8.1 has been qualified to run on Oracle Enterprise Linux 9.

Fixes

• Fixed a communication error from the Master to Server Agent when an ip-address changed.

• The db-check tool no longer complains about illegal controls chars in the table SPARE_30.

Client c-8.1.0.11

Enhancements

• The Curl library is upgraded to 8.4.0 and the Curl binary is removed from BoKS releases.

• Security:

  Remote code execution in ssh-agent via PKCS#11 provider.

• Added support for Red Hat EL 8 s390 and Red Hat EL 9 s390 for Server Agent.

Fixes

• Corrected a Symlink loop in two PAM files upgrading to BoKS 8.1 when sysreplace.conf file is modified.
• Fixed an issue where boksdiag did not update the authorized_keys file.
• sudoedit no longer core dumps if yubikey is not setup correctly.
• Fixed crashing of PAM programs if offline mode was not correctly setup.
• tty50 is now considered to be a console device in Linux.
• Fixed the bokssetup fail if communication / host-identifier is already set to IP-addr.

September 2023

Version 8.1 (version update)

September 11, 2023

Server s-8.1.0.6

New Features

• New options have been made available in cadm to fetch version numbers for BoKS packages.

• A new ‘update-hash’ flag has been added within ‘boksrule –modify’ to re-calculate the hash value.

Fixes

• The adsync.pl script no longer fails if any variable contains a space.

• The adsync.pl script no longer fails with an “Unknown argument ‘S’ for ‘-D’ option” error.

• Using the wildcard search function in the database index no longer generates erroneous results.

• A race condition in the brproxymd process modifying the list of Replicas resulting in high CPU usage on the master has been fixed.

• An incorrect Access Rule hash when restoring boks_bru backups from pre-8.0 versions has been fixed.

• Password Manager no longer generates passwords of incorrect length.

Client c-8.1.0.10

New Features

• Sudo -E and --preserve-env=list support has been added.

• New options have been made available in cadm to fetch version numbers for BoKS packages.

Fixes

• Uninstalling rpm on AIX now prints warnings about failing to remove system directories.

• Installing rpm on AIX now prints warnings about failing "ln" commands.

• BoKS boot speed when working with SELinux and multiple log files has been improved.

August 2023

Client

Version 8.0 (version update)

August 21, 2023

Enhancements

• Customized sysreplace.conf file overwritten by native package update

• Security:

  C-ares library upgrade to 1.19.1
  Curl library upgrade to 8.1.2

Fixes

• Uninstalling rpm on AIX prints warnings about failing to remove system directories
• Installing rpm on AIX prints warnings about failing "In" commands
• Improve BoKS boot speed with SELinux and a large number of log files

July 2023

Server

Version 8.1 (version update)

July 5, 2023

New Features

• Sudo -l and -ll support

  Support for "sudo -ll" has been added to BoKS Sudo. New boksconfig setting "sudo/sudo-l-extended-output" has been added to switch to a more verbose mode and show BoKS values that are not supported by native Sudo.

• Added function for listing all the SSH Public Key owned by a user

  The root user on Master can list all the SSH Public Keys owned by a user using sshpkadm -L -o <owner>.

• Allow root on Master to change the owner of an SSH Public Key

  The root user on Master can change the owner of an SSH Public key using sshpkadm -M -o <new_owner>.

• Sudo targetpsw support

  New modifier use_targetpsw has been added to SUDO, SUDOEDIT and SUDOLISTOTHERS to require the target user password instead of the calling user one.

Enhancements

• Security:

  Ldap SASL / GSSAPI support
  C-ares library upgrade to 1.19.1
  Curl library upgrade to 8.1.2

Fixes

• Prevent deletion of a user who is owner of some SSH keys assigned to another user

  By default, it's not possible to delete a user who owns some SSH keys assigned to other users. In such cases, an error message is displayed. A new --force-key-removal flag has been added in rmbks to allow the forced deletion of the user, including all SSH keys owned by them.

Client

Version 8.1 (version update)

July 5, 2023

New Features

• Restricting host-identifier use can break communication in NAT environments
  

  BoKS 8.1 introduced a restriction on the BoKS config parameter 'communication/host-identifier' that if it is set to an IP-address the address must exist on a local network interface. The purpose of this restriction is to detect misconfiguration which could lead to Server Agent hosts being incorrectly identified by the BoKS authentication functions.
  

• Sudo -l -ll support

  "sudo -l" output has been adjusted to mimic native Sudo. Support for "sudo -ll" has been added to BoKS Sudo. New boksconfig setting "sudo/sudo-l-extended-output" has been added to switch to a more verbose mode and show BoKS values that are not supported by native Sudo.

• Added function for listing all the SSH Public Key owned by a user

  The root user on Master can list all the SSH Public Keys owned by a user using sshpkadm -L -o <owner>.

• Allow root on Master to change the owner of a SSH Public Key

  The root user on Master can change the owner of an SSH Public key using sshpkadm -M -o <new_owner>.

• Sudo targetpsw support

  New modifier use_targetpsw has been added to SUDO, SUDOEDIT and SUDOLISTOTHERS to require the target user password instead of the calling user one.

Enhancements

• Customized sysreplace.conf file overwritten by native package update

• Security:

  Ldap SASL / GSSAPI support
  C-ares library upgrade to 1.19.1
  Curl library upgrade to 8.1.2

Fixes

• Upgrading from pre-7.1 BoKS can add malformed messages to local batch queue
• Fixed an issue that the $BOKS_etc/ssh/sshd_config was not linked correctly

May 2023

Version 8.1 (version update)

May 3, 2023

New Features

• Sudo secure-path support. A new configuration setting sudo/secure-path to set the value of the PATH environment variable when using sudo to run a program as another user. This PATH (or if using suexec, the one configured in suexec/path or suexec/user/path) is also used in addition to the caller user PATH to search the command if a relative or absolute path was not provided.

Enhancements

• Curl library upgrade to 8.0.1.

• CVE list: CVE-2023-27538, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, CVE-2023-27533, CVE-2023-23916, CVE-2023-23915, CVE-2023-23914

Fixes

• Fixed a bug that made the configuration of boks_upgradsshd failed causing the boks_upgradesshd to not work as expected.

• Updated freeradius-client library to version 1.1.8. to reduce number of pings to Radius servers.

• Fixed support for symlinks as programs in SUDO rules. Sudo now supports symlinks and real binaries as programs.
• Added support for sudo -i without command. If "sudo -i" is used and no command is specified, an interactive shell is executed.

April 2023

Version 8.1 (version update)

April 20, 2023

New Features

• The adgroup prefixes are configurable. New configuration settings ad/adgroup/hostgroup_prefix and ad/adgroup/userclass_prefix to set the prefixes used by adgroup when creating groups in AD.

Enhancements

• Curl library upgrade to 8.0.1.

• CVE list: CVE-2023-27538, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, CVE-2023-27533, CVE-2023-23916, CVE-2023-23915, CVE-2023-23914

Fixes

• Fixed the adsync was not removing BoKS users from userclasses to mirror changes made in AD.
• Fixed support for symlinks as programs in SUDO rules. Sudo now supports symlinks and real binaries as programs.

March 2023

Version 8.1 (version update)

March 20, 2023

New Features

• Added a new access method, SUDOLISTOTHERS and provided support for listing other users' sudo permissions on a host.

Enhancements

• OpenSSL library upgraded to 1.1.1t.

Fixes

• A fix has been applied to allow groupadm to modify the modification comment.

  Fixed an issue where the chroot setting didn't work in access rules for SSH subsystems (for example, SFTP) when using privilege separation in boks_sshd.

• Fixed a security issue when kslog is enabled for BoKS SSH.

Version 8.1 (version update)

March 17, 2023

New Features

• boksinfo now includes both boks-server and boks-client native package version when both native packages are installed.

Enhancements

• Now sudo will resolve any symbolic links given as an argument to execute and verify the user is allowed to execute the resolved program.

Fixes

• Fixed the installation of RHEL9.0 native packages in RHEL9.1.

• Fixed chroot on Access Rules for SSH subsystems on Linux.

• Added supoort for Red Hat 9 from Server Agent package c-8.1.14.

February 2023

Version 7.2 (version update)

February 27, 2023

Enhancements

• OpenSSL library upgraded to 1.1.1t.

• Curl library upgrade to 7.87.0.

Fixes

• Fixed a security issue when kslog is enabled for BoKS SSH.

Version 8.1 (version update)

February 23, 2023

New Features

• The groupadm is now allowed to modify the modification comment without changing any other value of the group information.

Fixes

• Fixed chroot on Access Rules for SSH subsystems on Linux.

• Fixed broken bokshostcertreq command with update to handle change to the host certificate request file.

January 2023

Version 8.1 (version update)

January 25, 2023

New Features

• New configuration parameter authentication/always-allow-root-sudo has been added with a default value of true.

  Normally when a user does sudo to another user, a request is sent to servc on a Replica to check if it is allowed. If this parameter is set to true, no request is sent to servc when root does sudo to another user. In cases where local applications frequently do sudo from root to an application account to perform some action, performance can be improved. If root does sudo -i to another user and does not specify full path to the program to run and the program is not in root's PATH, sudo will fail unless this parameter is set to true, as the full program path is needed when checking with servc if the access is allowed. Note: If this parameter is set to true, there is no way to get keystroke log for root doing sudo.

• Support is added for SuSE 12 s390x (Server Agent only).

• Support is added for SuSE 15 s390x (Server Agent only).

Fixes

• Installation of RHEL9.0 native packages in RHEL9.1.

Version 8.1 (version update)

January 12, 2023

New Features

• Support is added for RedHat 9 on PowerPC LE (Server Agent only).

• Boksinfo now includes both boks-server and boks-client native package versions when both native packages are installed.

Enhancements

• Sudo now resolves any symbolic links before authorization.

Fixes

• Curl library has been upgraded to 7.86.0.

October 2022

Version 8.1 (version update)

October 05, 2022

New Features

• Support is added for BoKS Manager and BoKS Server Agent 8.1 on Red Hat Enterprise Linux 9 on x64.

June 2022

Version: 8.1 (version update)

June 3, 2022

New Features

• Support is added for AIX 7.3 (Server Agent only).

May 2022

Version: 8.1 (version update)

May 20, 2022

New Features

• Support is added for Ubuntu 22.04 (Server Agent only).

March 2022

Version: 8.1.1

March 4, 2022

Note that BoKS Server Agent 8.1.1 requires Master / Replicas to run BoKS Manager 7.2 or later.

New Features

• Certificate authentication is extended from SSH to other access methods in BoKS. The access methods that now support certificate authentication are: BCCAS, PWMGR, SU, SUEXEC, EDIT, SSH, SUDO, SUDOEDIT and SUDOLIST access methods. The ssh_cert, hard_ssh_cert and optional_ssh_cert authenticators and Access Rule modifiers are renamed to cert, hardcert and optional_cert.

• Certificates from local smart cards can be used via PKCS#11 plugin modules.

Enhancements

• A new boksconfig parameter 'authentication/cert/pkcs11-provider' is added that can be used to configure the PKCS provider for certificate authentication. This parameter overrides the PKCS11Provider parameter in $BOKS_etc/ssh/ssh_config or $HOME/.ssh/config.

• New boksconfig parameter 'authentication/cert/pkcs11-provider-allowed' is added.

  The PKCS#11 provider library used in certificate authentication for access methods SU, SUEXEC, EDIT, SUDO, SUDOEDIT and SUDOLIST can be configured in either boksconfig 'authentication/cert/pkcs11-provider', $HOME/.ssh/config or $BOKS_etc/ssh/ssh_config. The authentication process for the above methods runs with elevated privileges and if the PKCS#11 provider library configuration is taken from $HOME/.ssh/config the path specified must match a path in the 'authentication/cert/pkcs11-provider-allowed' settings.

• A new CLI program named boksmkcrl is added that can read revoked certificates and generate a CRL file.

• Log messages have changed. By using the new log API Server Agents can now take full advantage of the syslog format. Optional parameters like Rule ID and keystroke log ID are now moved from the "message" part of the log to the "structured data" part, making it easier to machine parse the log.

Fixes

• In some cases after upgrading from 7.x to 8.x, batch messages from the old version are put into the batch queue of the new version. Since the format of the messages has changed, these messages are rejected by the remote server. To avoid having these messages blocking the batch queue processing, they are dropped and a warning to this effect is written to boks_errlog.

• If a user failed to change password, a field in the BoKS database was updated with the time, and a password update request was sent to all hosts the user existed on. If this was an account used by an automated process, this could cause a lot of updates to be queued. As this information was only used by HP-UX platforms running Trusted Computing Base (TCB), it has been decided to disable this functionality.

• The BoKS configuration parameter sshd/log-certificate is no longer available, as certificate information is now always logged.

• The boks-selinux policy is updated and you must ensure you are using the latest version of the policy when installing BoKS Manager 8.1.1.

• Certificate authentication now supports certificates with SHA512 signatures. Earlier certificate authentication in SSH supported SHA1 and SHA256 only. Authentication with SHA1 signed certificates is deprecated and support for SHA1 signed certificates may be removed in future BoKS versions.

• The certadm -s listing can now use option -n issuer to only list revoked certificates for a specific issuer CA.

• External authentication programs moved from $BOKS_lib/ directory to $BOKS_lib/extauth/.

• The default value for the BoKS SSHD configuration parameter MaxAuthTries is increased from 6 to 12 when BoKS protection is activated.

December 2021

Version: 8.1 (version update)

December 2, 2021

New Features

• Support is added for Debian 11 (Server Agent only).

• BoKS 8.1 has been qualified to run as a Master, Replica or Server Agent on Amazon Linux 2 (RPM package only: the RPM for Red Hat 7 must be used).

Fixes

• The legacy authentication protocol for RSA SecurID is deprecated and may not be included in future versions.

October 2021

Version: 8.1

October 21, 2021

New Features

• Added automatic renewal of node keys. For details of this feature please see the BoKS Manager 8.1 documentation set.
• Support is added for BoKS control of sudo and sudoedit.
• The BoKS configuration is redesigned to use the CLI program boksconfig which replaces the BoKS ENV file.
• BoKS Master / Replica packages are now delivered as native packages for easier installation and deployment.
• The BoKS Data Collection Module (BDCM) for BoKS Reporting Services is now a part of the BoKS install package.

Enhancements

• The boks_bru program is replaced with a new backup and restore program named boksbackup. For details see the BoKS man page boksbackup and the product manuals.

• The default lower limit for UIDs in BoKS is changed to 2000 and the default upper limit is changed to 59999.
• Support is added for authentication of SecurID to RSA Authentication Manager using the REST API protocol. For more details see the BoKS Manager 8.1 Administration Guide.

• BoKS Web Services Interface 8.1 features a REST API version. See the BoKS WSI documentation set for more information.

• A new option -b <bcastaddr-file> has been added to the BoKS setup program to make it easier to specify the bcastaddr file when deploying BoKS, especially for native packages which only run setup not install.
• BoKS is now started at OS boot by systemd on Linux platforms and SMF on Oracle Solaris. The BoKS Boot program also uses the systemd/SMF frameworks for temporary start/stop of the BoKS daemons. On IBM AIX, BoKS continues to be started by /etc/inittab.
• Intelligent downloading of tables to Replicas in the event of a failover Replica being promoted to Master has been added to improve failover performance.

• BoKS audit logging is added for the following boksdiag commands:

  • delpswentry boksuser

  • delpasswdentry user ...

  • boksdiag updpsw -h host

  • boksdiag updpasswdentry user

  • boksdiag updauthkeysuser user

  • boksdiag updauthkeyshost -h host

• Added revocation checking for BoKS host certificates used for internal verification of BoKS hosts.
• A new config variable, user/allowed-homedirs, is added that can be used to restrict where clntd can create homedirs and write profile files.
• Audit logs are now produced if the BoKS name of an account or a UNIX group is changed as part of a rename host or rename Host Group operation.
• Previously "hostadm -l <-h host>" only listed parameters' values set for a host, but did not deal with parameters set domain-wide from bksdef. In version 8.1, "hostadm -l <-h host>" shows parameters' value, and also shows whether the parameter value comes from a domain-wide setting or from the host setting itself, like the lsbks listing does. There are two host parameters' values that could come from a domain-wide setting. They are "Local userdata check" and "Timezone" in the hostadm listing parameters.

• boksrule can now be used with the option ---list --not or -l -N to negate the search criteria. For more information see the BoKS man page boksrule.

• A new version of the boks_errlog file is now created, where messages that include the text "Can't connect to" are filtered out and not included. This separate boks_errlog file is named boks_errlog_filtered.txt.
• A man page is added for the program boksnativesshdadm.
• Added support for TLS 1.3.
• Upgraded the version of OpenSSH that BoKS SSH is based on from 8.1p1 to 8.6p1.

Fixes

• Fixed an unhandled error from a network read in the boks_bridge that caused it to exit, affecting replication and causing all Replicas to be marked down.
• Added input checking so the modifiers kslsize and ksltime cannot be set where keystroke logging is not specified for an Access Rule.

• When deploying a 8.1 Server Agent in a 6.7.0 domain, hotfix HFBM-0051 is required for full cadm functionality. 6.7.1 and onwards are good to go.

• Support for reading/writing the file $BOKS_etc/files using the cadm command has been removed as this file is no longer used.

• hostkey option -r to remove a local nodekey file is no longer supported.

• Database encryption algorithms ND2 and DES are no longer supported.

• The default value for the ENV variable FREE_SHARED_MEMORY_LIMIT (now db/shm/free-limit) is now 15 (was 30 before), and the lower allowed value is 3 (was 5 before).

• Removed option to run kslog_stalefile_check remotely from the master since all supported versions of BoKS now have kslog_stalefile_check executed periodically by boks_cron.

• Removed support for ENV variable REVOKE_IGNORE_ISSUER intended for compatibility with BoKS 4.x which did not support issuer in revocation records.

• USE_RW_DB_LOCK is dropped from ENV as it is now always turned on (from BoKS 8.0).

• When issuing BoKS host certificates for Server Agents 8.1 or later the P12 credential container no longer uses the host's nodekey for locking key.

  Instead a random key dedicated for P12 locking is generated. P12 containers intended for pre-8.1 Server Agents continue to use the nodekey as locking key. BoKS 8.1 Server Agents can still use a nodekey locked credential container when operating in a pre-8.1 MR-domain.

• If the home directory prefix is not specified when adding a host of type REPLICA,UNIXBOKSHOST or DYNIPCLIENT, it will default to "/home". For other host types the default is as before, empty string (= not set).

• Fixed an issue where cadm -w denied writing files with ".." in the name.
• Fixed an issue where creating a user with homedir / and setting an SSH key for the user with sshpkadm could cause clntd to use 100% CPU.
• Fixed a potential database deadlock problem on Replicas when downloading.
• Fixed an issue where the adsync function required that hostnames were in lower case, and did not work with host names that were in upper case.
• The BoKS ENV variable ACED_OPT_STRIPHOSTNAME is obsolete and is removed.
• Fixed an issue where enabling debug for boks_sshd displayed the password/yubikey in cleartext in the debug output when using certain SSH authentication methods.
• bokslogview is enhanced to be able to read very long lines that could exceed the standard limit for syslog.
• The bccsetup and bccgethostcert programs now prompt for the key length to use for host certificate.
• Fixed an issue on Red Hat 8 where check_daemon failed to find running PIDs in some cases.
• Added more information to the boksrule man page about what regular expressions can be used, with examples.
• The boksrule man page and Administration Guide have been updated to clarify that YubiKey authentication is not supported for the FTP, PWCO and RSH access methods.
• Web Services Interface no longer displays "=+1" for modifiers when listing Access Rules.

• The program name parameter in boks_errlog records is changed for some BoKS daemons as a result of updates to the error logging framework.

  By default the program name in boks_errlog records is set to the basename of the program binary. There are some exceptions to this.

  For program binaries that are used for multiple functions, an extension is added to the program name parameter in the boks_errlog to make it possible to see which instance of the program generated the log.

  There were previously also some daemons that used the program basename without the "boks_" prefix in boks_errlog. This is now changed so that all daemons use the program binary basename including the "boks_" prefix:

  "master" -> boks_master

  "servc" -> boks_servc

  "servm" -> boks_servm

  "clntd" -> boks_clntd

  Multi-function daemons like the boks_bridge and boks_drainmast still use a postfix extension to basename.

• Fixed an issue with boks_clntd_helper that could cause provisioning of large numbers of users and groups to fail on AIX platforms.
• Fixed an issue in boks_clntd_helper that caused it to set lastchange = 0 in the /etc/security/passwd when modifying a user without a password.
• Fixed an issue whereby removing an AIX host from a Host Group could leave stray Unix groups on the host.
• Fixed an issue where restoring a pre-8.0 backup with boks_bru disabled boks_upgrade privatekey compatibility mode.
• The upgrade_client program no longer returns a message that the host key cannot be registered when it reuses the old host keys.
• Resolved an issue where programs running on a Replica could write to the database on the Master.
• Fixed an issue where checkdomain didn't work for IPV6 addresses on Red Hat 8.
• Support for the -v (verbose) option has been added again to the program classadm.
• The bokscron.conf file is split into separate files for Master/Replica and Server Agent functions. See the BoKS Manager 8.1 documentation set for more information.
• BoKS SCP is enhanced to ensure that files larger than 4GB can be successfully transferred with BoKS File Transfer Logging on 32-bit systems.
• Fixed an issue where specific sequences of database operations could make boks_master stop responding.
• The BoKS CA now creates host certificates with the BoKS registered host name in the certificate subject altname othername attribute to ensure that certificate-to-host mapping functions correctly when hosts are not registered with FQDN in the BoKS security database. BoKS hosts with certificates created in earlier versions of the BoKS CA need to have a new certificate created after upgrading the BoKS Master to 8.1 to take advantage of this. For more information see the BoKS Manager 8.1 Administration Guide.
• Resolved an issue where, in Solaris 11.4, from SRU 21, the pam_dhkeys PAM module no longer being installed by default caused warnings to be generated when a user logged in with BoKS activated.
• The adsync interval is no longer configured in the boksinit.master file, but using the BoKS configuration variable ad/sync/interval. For details see the BoKS Manager Administration Guide.
• Improved error handling and documentation for the case where a password that is enabled for checkout is changed, but no EMS encryption certificate has been created.
• The entry for a user with no password set created by BoKS in /etc/shadow will now be more similar to what the OS useradd command creates.
• The hostprereg command now checks whether a Host Group exists when adding/modifying a host or type entry. If it does not exist, an error is generated and the command does nothing.
• hostprereg now logs all parameters set when a host preregistration entry is added and all old and new values when an entry is modified. The only exception is that the comment is not logged.
• The overlap check when adding a host has been speeded up (when enabled).
• The BoKS configuration variable communication/host-identifier should be set to a non-loopback local ip-address if used (or a hostid for a DYNIPCLIENT). If it is incorrect, Boot complains, and daemons ignore the incorrect value. This may cause communication with BoKS infrastructure to fail until it is fixed.
• If a BoKS host did not have all its IP-addresses registered in BoKS, ssh and sshd (in the hostbased authentication case) would not be able to find the hostkey for the machine in the BoKS database in all cases. This has been fixed by having both send the full list of IP-addresses found in DNS. If one of those addresses is registered in BoKS, the hostkey can be found.
• Information from the file $BOKS_var/hotfix_install.log is added to the output of boksinfo.
• The -N option for cadm, which suppressed logging, has been removed.
• Information about audit log configuration corresponding to the output of "bokslogadm -lv" is added to the output of boksinfo.
• Removed a duplicated line in /etc/pam.d/login on Red Hat 7.
• Fixed an issue where "adsynchelper -u" did not find principal names for all users.
• The mkhome command failed if the homedirectory of a user ended in '/'. This has been fixed.
• Running 'boksversion -b -s' now displays the native package version number for 'boks-server'. You can still run 'boksversion -b' to display the number for 'boks-client'.
• Enhanced handling of corrupt data and error reporting in the Keystroke Log File transfer mechanism.
• The default minimum password length is increased to 10 characters.
• The following ENV variables from previous versions are now controlled using bksdef: CHANGE_PSW_ED_QUOTIENT -> bksdef --psw-look-alike-edq CHANGE_PSW_LCS_PERCENT -> bksdef --psw-look-alike-lcs SUROOT_AUTHENTICATE -> bksdef --suroot-require-a-and-a
• The command "boksdir -E", previously used to view ENV environment variables on a host, is deprecated.
• Fixed an issue where running SSH_X11 on Red Hat failed with a message saying that this function was disabled or not supported by server.
• Standardized the umask for files output by BoKS programs to umask 022.
• Added support for SHA512, MD5 and Blowfish password hashes in the BoKS EMS LDAP function for propagating password updates from BoKS to LDAP.
• Improved the ability of BoKS audit logging to recover from a full-disk scenario.
• boksinfo is updated to include new configuration files for troubleshooting configuration.
• Fixed issues where boksinfo could fill up $BOKS_var, and corrected the boksinfo man page.
• Fixed an issue where it was possible to create an invalid Access Rule that could not be viewed or deleted.
• Fixed an issue where client_helper removing Unix groups on AIX could cause timeout errors.
• upgrade_client now automatically updates any 128 bit node key on a BoKS Server Agent to a 256 bit node key, if the longer key exists in the BoKS database.
• Fixed an issue where users were locked out of hosts where LDAP authentication is required when their passwords are set to "force change on next login".
• boks_portmux no longer listens on the servc port if servc/allow-external-req=false, thus completely stopping Server Agents from connecting to the Master. This can for example be used to prevent Server Agents from sending keystroke logs directly to the Master.
• Enhancements have been added to how keystroke log transport is handled, with a limit added to the number of open connections to keystroke log handling daemons. You can configure the limits using the BoKS configuration variables ftsd/conn-max and kslog/ksllogsd/maxconn. Also Server Agents can now be prevented from sending keystroke logs directly to the Master by setting the configuration variable servc/allow-external-req to false. See the BoKS man page boksconfig for more information.
• Improved the performance of "hostprereg -l -h <host>" and "-t <type>" by replacing a linear table scan with use of the key index.
• Fixed an issue where the log message hostname parameter was incorrectly set to the DNS name instead of the hostname registered in BoKS for a number of BoKS programs.
• When installing a BoKS Master, a default domain name is no longer set as part of the installation. If required it can be set after install using hostadm -M <domainname>.
• Optimized the use of system calls in order to improve efficiency of database calls in environments with a heavy load.
• Added functionality to identify which processes are locking the BoKS database in the event of a suspected database deadlock. The function is activated by setting the BOKS configuration variable db/lock-info to "true" (on) and the command "boksdiag lockinfo" can then be used to list the process ids of processes having a write- or readlock on the BoKS database.
• Fixed an issue where the $BOKS_etc/bokscron.conf file was not updated correctly with new entries needed when restoring a boks_bru backup from a version prior to 7.1 and the $BOKS_etc/ENV file could get wrong permissions if the current umask was too restrictive.
• Fixed issues where "lsbks -B" and "lsbks -L" did not give expected output and "lsbks -Dm" was slow.
• Fixed an issue where an inactive host pre-registration could be classed as type AGENTHOST, causing licensing violations.
• Added a feature where BoKS warns when the node key is not in sync between the Server Agent and BoKS database, which is active as long as automatic node key rotation is not activated.

 

October 2020

Version 7.2 (version update)

October 6, 2020

New Features

• Support is added for BoKS Server Agent 7.2 on SUSE 15 on s390.

June 2020

Version 8.0 (version update)

June 3, 2020

New Features

• Support is added for BoKS Server Agent 8.0 on Ubuntu Linux 20.04.

Version 8.0 (version update)

June 1, 2020

New Features

• Support is added for BoKS Server Agent 8.0 on Amazon Linux 2. Note that the support is for the RPM package only and the Red Hat 7 package should be used for Amazon Linux 2.

• BoKS 8.0 has been qualified to run as a Server Agent on IBM VIOS 3.1.1.10. Please note that the AIX 7.1 / 7.2 package should be used for this.

March 2020

Version 8.0 (version update)

March 3, 2020

New Features

• Support is added for BoKS Server Agent 8.0 on Debian 10

December 2019

Version 8.0

New Features

• Segmented Network Mode

Network communication within a BoKS domain has been redesigned with a special mode for segmented networks where the BoKS Master is not allowed to contact BoKS Server Agents.

• Improved DB shared memory index handling

BoKS database shared memory index handling has been completely redesigned to enhance responsiveness and performance.

Enhancements

• Upgraded the version of OpenSSH that BoKS SSH is based on from 7.3p1 to 8.1p1.

This causes the following changes:

• Only SSH protocol version 2 is supported (regardless for BoKS activated or not)
• Privilege Separation mandatory and cannot be disabled.
• Chroot environment for scp and sftp needs to include a /dev/random device (not needed if internal sftp server is used)
• The following sshd_config options are no longer supported.
  serverkeybits
  keyregenerationinterval
  rhostsauthentication
  rhostsrsaauthentication
  rsaauthentication
  skeyauthentication
  uselogin
  protocol
  verifyreversemapping
  reversemappingcheck
  authorizedkeysfile2
  useprivilegeseparation
• Default key length when generating RSA keys is increased from 2048 to 3072 bits.
• BoKS supports DSA keys, but the DSA key support in SSH is disabled by default since it uses an older and weaker encryption algorithm. For more information, see http://www.openssh.com/legacy.html.
• The deprecated CLI programs ttyadmin and routeadm which were previously used to define Access Rules, are removed in this version of BoKS Manager. The deprecated functions used for managing access policies for the program bksdef are also removed.
• SSH privilege separation is always active for SSH access in BoKS 8.0. The -p option to activate privilege separation is removed for the install, setup and sshd_setup programs. If there is no existing sshd user, you must either specify the uid and gid for the user and the user will be created, or create the user manually.

NOTE: In order to use the boks_upgrade program to upgrade Server Agents, the user 'sshd' and the directory /var/empty must exist on the Server Agent host.

• If an Access Rule with chroot includes scp and sftp access, the chroot environment must include a /dev/random device. For sftp, this is only required if you are using an external sftp server subsystem; it is not required for internal sftp.
• The cadm program has the following functional changes:
  • Prevent execution of arbitrary BoKS files in BOKS_lib and BOKS_sbin. Scripts placed there by users are still possible to execute, as are Boot and sysreplace.
  • Prevent writing and deletion of certain variables in the ENV file on Server Agents. The forbidden variables are BOKS_* (the install paths of BoKS), VERSION, OSREL, BOKSINIT, ISMASTER, PKG_HOTFIX, SSM_ACTIVE, and ENVDONTSAVELIST.
  • The ability to execute non-BoKS scripts in BOKS_lib and BOKS_sbin is deprecated, and will be removed in a future version.
  • A new directory BOKS_local (default BOKS_DIR/local) should be used instead.
• If a host is removed from the BoKS database, and it has queued batch messages, these messages will be removed after some 30-40 minutes. If the primary IP address for a host with queued batch messages is changed, the IP address will be changed for the queued batch messages as well. Due to this change, the functionality in boksdiag to change IP address for batch messages has been removed (boksdiag fque -bridge -move fromip toip).
• The option -D is removed for the setup program.
• A new bokscron job is added to periodically remove expired suexec tickets.
• On Linux, pam_limits.so has been changed from optional to required in the boks_sshd PAM configuration file.
• The option -Z is removed for the prgrpadmin program.
• The option -d is removed for the mkhome program.
• The mapcert program now supports setting a comment when adding a UUID or hash mapping, with the optional parameter "-C" to "mapcert set". Listing mappings also lists the comments.
• The hostadm program has a new list option -J to display the database id for the host (Note the database id is only used internally in BoKS and is unrelated to the hostid string used for DHCP hosts):

BoKS # hostadm -l -J

• New bksdef option: bksdef --compat-pre71-suexec { enable | disable }

Prior to BoKS 7.1, suexec did not distinguish between spaces that separate arguments, and spaces within arguments. In BoKS 7.1 this was corrected, but suexec Access Rules created prior to BoKS 7.1 will not work as expected with Server Agents of version 7.1 and above if there are spaces within arguments. Similarly, suexec Access Rules created in BoKS 7.1 and above will fail to grant access to pre-7.1 Server Agents, if there are spaces in arguments. bksdef now has a configuration option that restores the pre-7.1 behavior, where there is no difference between spaces that separate arguments, and spaces within arguments. This is only necessary if there are suexec access rules with spaces in arguments, and

1. Access rule is created prior to BoKS 7.1, and there are Server Agents of version 7.1 and above that need this access, or
2. Access rule is created in BoKS 7.1 or above, and there are Server Agents of version 7.0 or below that need this access.
• There is now an auto-registration proxy running on Replicas, so when auto-registering a Server Agent, you can specify the name/IP address of a Replica instead of the Master provided you have issued a host certificate to the Replica.
• New bksdef option "bksdef --segmented-network-mode { enable | disable }" to enable/disable direct Master/Server Agent communication. For details on Segmented Network Mode, see the BoKS Manager 8.0 Administration Guide.
• BoKS setup now attempts to stop and disable the system SSH server in order to enable boks_sshd at BoKS install. Added SYSTEM_SSHD_ENABLE_ON_UNINSTALL environment variable, which is used by BoKS uninstall to restore the system SSH server. Added the -d option to BoKS install and setup scripts in order to prevent stopping and disabling the system SSH server (and thus not enabling boks_sshd).

As previously, new SSH host keys are generated by default at BoKS installation. A new option to the install and setup programs can be used to specify that any found system SSH host keys are used by copying them to the $BOKS_etc/ssh directory. If a needed host key type is missing after the system's host keys have been copied, the missing host key is generated.

• In BoKS 8.0 cacreds is no longer used to manage encrypted Keystroke Logging certificates, instead kslogadm is used and the KSL administration password is always required when performing any operations affecting the encrypted KSL cert. See the BoKS man page kslogadm for more information.
• Provided enhanced support for creating host credentials from an external CA. Four new commands added:
  • bokshostcertreq - create a certificate request for a host
  • bokshostcertreqgenp12 - create host credentials given issued cert
  • bokshostp12import - create host credentials from a PKCS#12 file with a private key and certificate created by an external CA
  • bokshostmkp12 - create host credentials from the internal BoKS CA.

  Also added manpages for these programs and a manpage externalca.5

• Added support for default global timezone to use when evaluating access rules. If set it is used if the Server Agent the request originated from does not have a timezone set in the BoKS DB.

  Commands:

  bksdef --set-default-timezone <timezone>

  bksdef --clear-default-timezone

• The host flag HOST_MULTIADDR is removed. This was included in the bccas API as host attribute "multiAddr".
• The BoKS ENV var BRIDGE_MASTER_S_USE_CHUNK_BATCH is now obsolete. The replica master send bridge now always uses this mode.
• The program fccsetup is renamed to bccsetup.
• Due to changes in the way password changes are handled, it is not supported to run BoKS Server Agents 8.0 in a domain where the BoKS Master and Replicas are older than version 6.6.x.

Other Updates

• CAS-0010165047 - Added additional information to the ENV(4) man page about the AUTOREGISTER_POSTPROGRAM variable.
• CAS-0010156868 - Fixed an issue where the setup program could exit as successful in a false context.
• CAS-0010178140 - The ENV(4) man page is updated to clarify the behavior of the variable BKSD.
• CAS-0010178526 - Fixed an issue with audit log entries not being sent from Server Agents using cadm.
• CAS-0010173513 - Fixed an issue with unnecessary delays to local keystroke logging sessions.
• CAS-0010176629 - Fixed a number of issues in the CRL import function.
• CAS-0010141723 - kslog no longer issues audit log messages about no primary log server being defined if running in a pre-BoKS 7.0 server domain.
• CAS-187378-N4P6L5, #12950 - The kslog program is updated to handle multiple remote logging disconnects.
• CAS-0010175314 - Updated the routines to add Unix groups and delete Unix groups from Server Agents so they no longer lock the database during the entire operation.
• CAS-0010152275 - A home directory is no longer created when the home directory specified in the user record and parent are not the same as the parent specified with CREATE_HOMEDIR_PATH, and this is not incorrectly logged as a directory being created for a non-existent user.
• CAS-0010136355 - BoKS upgrade is improved to ensure that any changes made to config files are properly migrated.
• CAS-0010165070 - When using the host preregistration flag "REMOVE_DISCONNECT", the action on disconnect was not logged, and there was no way to tell the status of the host.
• CAS-0010152275 - When BoKS creates a home directory the correct name of the home directory is included in the audit log message.
• CAS-0010154294 - Upgrading from BoKS 6.7 correctly inteprets program group names for suexec Access Rules.
• CAS-0010157907 - getreports is now able to fetch customized file monitoring reports and transfer them to the Master.
• CAS-0010165590 - Fixed issue with host certificate verification if CA chain longer than 2, affecting database download, host pre-registration, host auto-registration and audit log relaying.
• CAS-0010166786 - Made a number of security enhancements to the cadm program.
• CAS-0010123279 - The bccgethostcert command was updated to work if the Master has host type UNIXBOKSHOST instead of REPLICA. Previously it only worked with Master of host type REPLICA.
• CAS-0010141459 - Fixed issue where not all users and Unix groups where pushed out to all hosts in a Host Group.
• #14110, CAS-188995-R4W7S0 - The documentation for the "sequence" option in the BoKS man page boksdiag(1) has been enhanced.
• #9410, CAS-189097-X2G9W3 - Running the command "mkhome -d <directory>" without specifying a user or host could cause BoKS to dump core, but this command is now removed from BoKS.
• CAS-0010131126 - An issue was fixed whereby renaming a user with the command "modboks -n" could cause boks_master to end up in an infinite loop.
• CAS-0010134853 - A check of authentication method used has been added to suexec tickets so that access within the session is only granted for the explicit authentication method configured.
• #14535, CAS-184623-Y0J9S3, CAS-0010103964 - The extension "=+1" which is for internal database use is no longer included in Access Rule report listings for CLI programs.
• CAS-0010118596 - boks_bru is updated to resolve an issue where it failed to restore very large database backups with an error message from the shell.
• CAS-0010155060 - The HIDE_LOGIN_MESSAGE=on parameter now correctly hides the login message when logging in using SSH.

July 2019

Version 7.2 (version update)

Enhancements

• Support is added for BoKS Manager and BoKS Server Agent 7.2 on Red Hat Enterprise Linux 8 on x64
• Support is added for BoKS Server Agent 7.2 on Red Hat Enterprise Linux 8 on PowerPC LE (Power 8)

March 2019

Version 7.2 (version update)

Enhancements

• Support is added for BoKS Server Agent 7.2 on SuSE Linux Enterprise Server 15 on x64
• BoKS Server Agent is released as native packages (RPM and DEB format) for various platforms.

November 2018

Version 7.2

New Features

• RADIUS Authentication

  Support is included for authentication against a RADIUS server.

• Yubikey Authentication

  Support is included for authentication using Yubikey password tokens as a secondary authentication method. Note that only the primary authentication method is recorded in the BoKS audit log.

• Disable password hash formats

  Functionality is added so that password hash formats for user password can be allowed / disallowed in the domain. You can allow / disallow different sets of formats for functional and non-functional accounts. The ability is added to indicate which accounts are functional in order to be able to manage password hash formats separately in this way.

• Database download speedup

  Enhancements to database download operations are added with 2 new daemons for improved download speeds.

• Host last activity

  A function for monitoring and listing host last activity is added to enable you to more easily see hosts that are not being used and proactively manage your BoKS domain.

Removed Functionality

• Support for SafeWord Tokens

Authentication using SafeWord tokens is no longer supported, therefore the SafeWord authenticator type and the Access Rule modifiers desgold and harddesgold are removed.

Any Access Rules in the database that have the desgold or harddesgold modifiers for Safeword authentication are not restored when you upgrade. These Access Rules are instead listed in the file $BOKS_tmp/deleted-access-rules-<pid of boks_bru>.txt. You can review the Access Rules in this file, if any, and determine whether they need to be recreated with an alternative authentication method in the new BoKS database.

• Support for xRBAC

  The xRBAC feature is removed, including support for xRoles and xRolesets, OSroles, and the SWROLE access method.

• Support for BoKS Desktop / User Virtual Cards

  Support for the BoKS Desktop product and user virtual cards is removed.

  CA classifications related to user virtual cards, KR, SCLOCK, OLD and TEMPORARY, are removed.

  The usrcreds program is removed.

  User certificates from external CAs are still supported for certificate authentication in BoKS SSHD. External certificate mapping to BoKS users is managed using the mapcert and certadm CLI programs.

• Support for BoKS Server Agent for Windows

  Support for the BoKS Server Agent for Windows product is removed. This means the following are not included / supported in BoKS Manager and FoxT Control Center:

  • The user types Windows Local and Windows Domain, including support for these user types in LDAP synch.
  • The host types Windows server agent and Windows server agent DHCP.
  • The access methods NETSHARE, WINLOGIN, WINNETSHARE, WINRDP and WINRUNAS.

  See also the changes to programs and other functions relating to this removal in the Enhancements section.

Enhancements

• Access Rules The supported host prefixes for use in Access Rules have changed. In BoKS Manager 7.1, the following prefixes were supported: ANY, BOKS, KNOWN, NONBOKS, UNIXBOKS, WINBOKS. In BoKS Manager 7.2, the following prefixes are supported: ANY, KNOWN, NONBOKS, UNIXBOKS

• For boksversion, a new option, -h, can be used to list the hotfixes currently installed on the host. For more information, see the BoKS man page boksversion.
• lsbks -p now lists user info in passwd format without including the password hash. The letter 'x' is printed in the password hash position of the output. The lsbks -D <list-spec> option by default uses newline as delimiter both between different users and between different attributes for a user. The new option -d <delimiter> can be used to change the user attribute delimiter to something other than newline so that all output for a user is printed on a single line.
• Host virtual cards are converted to PKCS#12 containers. Host PKI credential container format changed from Virtual Card to PKCS#12. Existing Host Virtual Cards are converted to PKCS#12 format when restoring a pre-7.2 backup with boks_bru. To be backward compatible with pre-7.2 Master/Replica domain, BoKS 7.2 Server Agents can still use host PKI credentials in Virtual Card format. To supply pre-7.2 Server Agents with host certificates, BoKS 7.2 Master/Replicas need the boksp12tovc program to convert PKCS#12 containers to Virtual Card format. The boksp12tovc program is not included in the BoKS 7.2 distribution, but can be installed as a hotfix if needed.
• For dumpbase, the option -t can now be used to dump multiple tables. The parameter is a comma-separated string of table numbers or names with no spaces allowed. Tables are dumped in the order specified.
• For bksdef:
  • a new flag is added, --trust-dns-less {enable | disable}. Enabling this fixes issues #9814 and #9816, but makes some small changes to the way BoKS tests authorization so can affect customers upgrading (for this reason, this flag is disabled if upgrading an old database). See NOTE ON DNS in the bksdef man page for a full description.
  • removed obsolete flags -p and -u (used for disabling updating of password hashes in /etc/passwd).
  • removed 'lastchange' field from bksdef. It was prominently printed first, but was only updated by rmbks, mkbks, and modbks, and thus misleading.
• A LASTACTIVITY field is added for hosts which is updated once per day if the host is up. 7.2 Server Agents will make a call once per day if they are up so the field is updated. For older clients the field is updated only if they make calls to servc. "hostadm -l -o N" will list hosts with LASTACTIVITY older than N days sorted with youngest first with hostname and date, one per line. For hosts with no LASTACTIVITY set, it is listed as -. Also shows up in host listing (hostadm -l) for BoKS hosts.
• The maximum supported value for shared memory, set using the SHM_MAX ENV var, is now 4000000.
• When running boksinfo, the resulting BoKS/boks_var.txt file no longer includes the files below $BOKS_var/kslog unless the -k switch is given. The reason is that the information is seldom needed, and some customers have very many files below that directory, so the resulting archive becomes very large and cannot easily be uploaded to FoxT Customer Service.

• A new CLI program has been added for managing external authentication server list, extauthadm. The extauthadm program supersedes ldapauthadm but ldapauthadm is still supported. extauthadm adds support for multiple types of authentication servers. Currently only type "ldap" is used but further server types will be added in future BoKS versions. The new ENV variable EXTAUTHSITE can be used to get a site-specific lookup of external auth server, see ENV(4B).

• ENV SERVC_EXTERNAL_REQ_DISABLE can now also be used on Replicas. Previously it was only effective on the Master and ignored on Replicas.

• ABAC/boks_bccasd changes: The removal of virtual cards (replaced by PKCS#12 for hosts only), Windows users and groups, and the XRBAC functionality affects the bccasd API accordingly. In particular, the ABAC rules in an existing bccas-abac.yaml file from an earlier BoKS version will probably need to be updated. In BoKS 7.2 the file will be successfully read, but warnings will be logged in $BOKS_var/boks_errlog. Running bccasdabac will check the bccas-abac.yaml and print the warnings on stderr. Old "virtualCard" references should be changed to "certificate", except in the case "read host virtual card" (now P12) which should be changed to "hostP12".

• For kslog:
  • on 7.2 Server Agents, when using kslog=4 on SUEXEC or SSH access rules, it no longer reads configuration from the local ENV variable KSLOG_DEFINITION. Instead you should use modifiers kslsize, ksltime, kslog_max_input and kslog_max_output on the SUEXEC or SSH access rule. These can be applied to any kslog level. Without these modifiers kslog=4 will behave as kslog=3 on 7.2 Server Agents. To make older Server Agents behave the same way, you need to apply hotfixes. HFBM-0230 (BoKS 6.7), HFBM-0231 (BoKS 7.0) and HFBM-0232 (BoKS 7.1).
  • changed the logging message for log started in kslog, where the new tty is now logged.
• For boksdiag, you can now use boksdiag pushbatch ip-address [ip-address ...] to force a send retry of batched Server Agent updates to given IP addresses instead of waiting for up to 30 minutes for it to happen.
• RFE #13863 - For setup / convert, when the BoKS Master is set up, the nodekey is now saved in the file $BOKS_etc/nodekey. This means that you do not have to enter the nodekey manually if you convert the Master to a Replica.
• The upgrade_client script now attempts to migrate any changes in the old $BOKS_etc/sshd_config..* files to the new ones. The original files are saved with extension .pre_upgrade as before. If any changes are made to the new sshd_config..* files, the original ones are saved with extension ..org. Any changes in the new files is prefixed by a comment. Exceptions to migrating changed attributes:
  • Any changes to the PermitTunnel attribute are not migrated as allowing this presents a security risk. This must be turned on manually after migration if it is wanted.
  • The attribute KerberosAuthentication was set to yes in the BoKS 6.6 sshd_config..active file. This attribute is now ignored when BoKS is active (and kerberos authentication is controlled by flags to Access Rules), so it is not migrated.

  See also fixed issue #9912, #12297.

• The BoKS ENV variable TRUST_EXTERNAL_PASSWORD is no longer supported.
• $BOKS_var/btmpx is now removed and has merged with $BOKS_var/btmp. This has enhanced the stability of inactivity timeouts. The command "bwho" no longer supports the options -x and -X.
• When a license is in violation, it is not possible to add new User Classes or Host Groups, in addition to new hosts.
• The default maximum password length is now 72 (instead of 8).
• The password history max length of 20 is now enforced, it was previously documented but not enforced.
• The concept of "functional account" (as opposed to a "real user") is now expressed with a flag in the user database and can be modified and viewed with mkbks/modbks/lsbks and through boks_bccasd. The previous boks_bccasd specific function with $BOKS_etc/funcacc.conf has been removed. The file $BOKS_etc/funcacc-template.conf is no longer part of the distribution. When upgrading, users are updated according to the old funcacc.conf file (using the tool funcaccupdate), if there is one, and the config file removed.
• Two new daemons have been added to handle database table download from Master to Replicas. boks_download_m runs on the Master and boks_downlaod_s on the Replicas. They use TLS for encryption and use the BOKS servc port (via portmux) for communication. They are introduced to speed up database download. The following ENV vars are added to manage these daemons:
  • DOWNLOAD_CIPHER_LIST (MR) List of TLS cipher suites to use
  • DOWNLOAD_M_NTHREADS (M) Number of worker threads used by boks_download_m daemon. This sets the maximum number of replicas the daemon can download to simultaneously, 1 - 128 , default 16.
• The BoKS internal CA store for certificate and private keys (earlier VC files now P12 files) moved from $BOKS_data/sso_creds/ca_creds/keypkgs/ to $BOKS_var/ca/. If container lock pin is saved, the file with the saved pin is also stored in the $BOKS_var/ca/ directory.
• The KSL Administrator password hash format is changed from an MD5 hash to a standard SHA512 password hash. The old MD5 hash is still accepted for verification, but when setting a new KSL Administrator password the SHA512 password hash will be used.
• The boks_pkcs7 command has been replaced by bokspkcs7 with similar functionality but using P12 container format instead of Virtual Cards.
• BoKS internal CA is changed to use PKCS#12 (P12) containers for certificate and private keys instead of the proprietary Virtual Card (VC) container format. As a result of the change a number of CLI programs for management of VCs are replaced by corresponding programs for P12 container management:
  • vcgen -> boksp12gen
  • mkvc -> boksp12create
  • vcdata -> boksp12data

  BoKS Server Agents can use host certificates stored in either P12 or Virtual Card format to allow 7.2 Server Agents to be used in pre-7.2 Master/Replica domain. When upgrading the Master in a pre-7.2 domain, Host Virtual Cards in the database are converted to P12 format. CA Virtual Cards conversion to P12 format is also done automatically for CAs with saved CA pin. For CAs where the pin is not saved to file the conversion can be performed after restoring the database by running the script boksca_vc_to_p12.pl in interactive mode and entering the CA pin when prompted.

  BoKS # pcb $BOKS_data/perl/boksca_vc_to_p12.pl

• ssh_keyreg now silently ignores the -t keytype option when doing "ssh_keyreg -w [-i ip] -k base64key -t keytype". The key type is extracted from the base64key string.
• When running "BoKS # hostcreds list [-h host]" and no host credentials found the command earlier exited with code != 0. Now empty credentials list only gives exit code != 0 if a host is explicitly specified.
• servm now logs DB compound DB updates that take longer than 20 seconds to complete to a file servm.slow in the monitoring directory. By default this file grows to 1000 Kb before it is renamed servm.slow.bck and a new file is created. The size can be changed using the ENV parameter SERVM_SLOW_MAXFILESIZE_KB (or SERVM_SLOWLOG_MAXFILESIZE_KB).
• The password "look alike" check has been completely rewritten. See the documentation for the new variables CHANGE_PSW_ED_QUOTIENT and CHANGE_PSW_LCS_PERCENT in ENV.1. The ENV variable CHANGE_PSW_DIFF has been removed, as it is no longer used.
• The "hgrpadm -R" command is no longer supported. See also Fixed Issue #9906.
• From BoKS 7.0-7.1 it was possible to add multiple LDAP server URIs in a single database record. This is no longer supported. Server URIs must be added one by one. This also makes it possible to modify server URIs independently of each other. When upgrading from pre-7.2 LDAP server URI records with multiple URIs will be split up into multiple records with one URI each.
• Added support for use of StartTLS in ldap protocol for external LDAP authentication with the optional parameter START_TLS=1.
• For boks_uname, removed all lowercase options, and thus the call to the system's uname command. They were just passed on to the system's uname which returns very different things on different OSes with the same flags, and were never used by the BoKS installation/setup procedure anyway.
• It is now supported to modify the name or GID of multiple Unix Groups in one operation using groupadm. This can be useful if you need to change names or GIDs but doing this for one group at a time would create conflicts. For example to change the GID for multiple Unix groups: groupadm -m -n H1:grp -n H2:grp ... -i 4711 -c 'new gid' or groupadm -m -n '*:grp' -i 4711 -c 'new gid' In both cases the groups must already exist and have the same groupname and GID. To change the group name on multiple Unix groups: groupadm -m -n H1:grp -n H2:grp ... -R newgroupname -c 'new name' or groupadm -m -n '*:grp' -R newgroupname -c 'new name' In this case the groups must already exist and have the same name, but can have different GIDs.
• As part of the removal of functionality related to BoKS Server Agent for Windows, the following changes have been made to the CLI and BoKS database.
  • CLI:
    • lh: removed flag -p
    • checkovacts: flag -f obsolete but still accepted
    • bksdef: removed flags -W, -h and -c and options W, h and c to the -D flag
    • modbks: removed flags -K, -O, -R, -W and -S
    • mkbks: removed flags -a, -K, -O, -R, -S, -W and -n
    • mapkerberos: removed flags -w and -g
    • hostadm: removed support for host types WINBOKSCLIENT and WINDYNIPCLIENT
    • groupadm: removed flags -L and -N
    • adgroup: removed flags -m and -w
    • boksrule: removed flag --share and support for access methods WINLOGIN, WINRDP, WINRUNAS, WINNETSHARE and NETSHARE
    • boks_bru when restoring an old database: – Users of type WINLOC or WINDOM are removed – hosts of type WINBOKSCLIENT or WINDYNIPCLIENT are converted to NONBOKSHOST – The access methods that are no longer supported are removed from Access Rules – Program group members that refer to windows programs are removed – Any data in tables 23 (WINUSERATTR) and 30 (WINUSER2GROUP) is removed – In table 68 (KERBEROS2USERMAP) the field WINDOMUSER is removed – In table 71 (SSHPUBLICKEYUSER) if the owner field refers to a Windows user it is cleared
  • DB:
    • Table 0 (SYS) fields NETSHARE_CACHE_TIMEOUT and NETSHARE_LOG_INTERVAL removed
    • Table 23 (WINUSERATTR) has been changed to SPARE_23 with different fields
    • Table 30 (WINUSER2GROUP) has been changed to SPARE_30 with different fields
    • Table 68 (KERBEROS2USERMAP) field WINDOMUSER has been dropped
• For lsbks:
  • removed the obsolete flag -n
  • removed support for flags -O, -w, and -E
  • option -P has been removed. It was previously used to support a since discontinued GUI in a very old version of BoKS.

• For Replica communication / load-balancing, for BoKS Server Agents older than 7.1 that don't have the load-balancing hotfix (HFBM-0191 / HFBM-0192) installed, load-balancing is achieved by the Replica delaying the reply to ServerAgent Replica discovery calls. The amount of delay used for the discovery call reply is changed since the boks_bdpsd daemon now uses direct access to boks_udsqd when reading the servc queue length. This should result in a delay that better matches what is described in the BoKS documentation. Earlier, the queue length query itself ended up in the queue and delayed the reply in addition to the delay specified by BRIDGE_QUEUE_DELAY and BRIDGE_QUEUE_LOW. Note that this change only affects Server Agents older than 7.1 that don't have the load-balancing hotfix installed.

• For mkhome:
  • option # to the command mkhome -H no longer has any special meaning. As a consequence, mkhome no longer sends options -M or -n to the mkhome hook scripts.

  • the program now always calls any configured hook scripts, when creating home dirs. Previously the flag -H was needed, but this behavior was a remnant from the old BoKS Administration GUI, and it overloaded the -H flag normally used for physical home dirs.

• For Access Rules, modifiers kslfblocal, and the misspelled variant kslfblocally, are no longer valid. This behavior was already the default, and the modifiers had no effect. These modifiers are stripped from existing rules upon upgrade to BoKS 7.2.

• The programs pgrpadmin, lsbks, hostadm, hgrpadm, groupadm, and classadm now return 2 instead of 0 (or in some cases instead of 1) when trying to list fully specified objects that do not exist. See man pages for details.

• For boksrule:

  • The command boksrule --list now does literal searches by default. To perform regex searches for options --user-name, --user-class, --method, --source, and --destination, you can use the new option --regex.

  • boksrule -l now lists modifiers as "modifier" instead of "modifier=+1", and "-modifier" instead of "modifier=-1".

  • Added capability in boksrule to search for Access Rules with given modifiers. If '=' is given, the part following it may be a regular expression, e.g. boksrule -l --flags 'chroot=/.*/foo', or boksrule -l --flags 'kslog=(2|3)'.
• For hostadm:

  • As part of stricter argument checking, if you convert a host to a DYNIPCLIENT you MUST specify hostid. Any existing ip-address for the host in the DB is removed. If you convert a host from DYNIPCLIENT, you MUST specify an ip-address. The existing hostid in the DB is removed.

  • ‘hostadm -d -b hostid’ is no longer supported. This operation did not function as intended since it removed the hostid, but left the HOST_DYNIP flag set. The correct way is now to convert the host to another type (and provide an ip-address if the host does not yet have one).

  • hostadm no longer supports setting and clearing dynip flag. The only way to affect this flag is to change typ to/from DYNIPCLIENT.

• For routeadm / setup, option -D is removed (used to add default legacy routes / classes). The file $BOKS_etc/userclass_default_routes (used by above) is removed.

• Removed the $BOKS_etc/ports file, which is not used.

• The programs modrun, module, and ssoconf, related to BoKS Application Agents, are removed from $BOKS_lib. The bccas function listAgentMethods is also removed.

• The Heimdal kerberos library used in previous BoKS versions has been replaced by MIT kerberos as this is considered a more widely supported platform.
• OpenSSL has been upgraded in this BoKS version from v. 1.0.2 to v. 1.1.1.
• SSH stream forwarding, which is subject to some security vulnerabilities, is disabled in this version of BoKS.
• The root account can now be defined as a role on Solaris hosts. See the BoKS Manager 7.2 Installation Guide for more information.

Other Updates

• RC5-128 encryption is deprecated and may not be supported in future versions of BoKS. The BoKS Server Agent upgrade program is modified to use AES-128 encryption instead of RC5-128 encryption if the local nodekey is 128-bit.
• The command modbks -G, used to change the Host Group part of a user account, is enhanced with support for wildcard members added to Host Groups and support for handling users with the same login name in different Host Groups.

• CAS-0010121791 - An enhancement was made in the code for deleting items from the BoKS database that speeds up deletion in large tables by a factor of ~ 2.

• CAS-0010118871 - The boks_bdpd daemon is redesigned to minimize reply times to UDP discovery messages. Also the SERVC_EXTERNAL_REQ_DISABLE is now effective both on Master and Replicas.

• CAS-0010123577 - A fix for the vulnerability CVE-2017-15906 is included in this release.

• CAS-0010118605 - boks_bridge connection counter handling is updated so counter value always matches the actual number of connections, thus avoiding false triggering of the max connection limit.

• CAS-0010120910 - Max history length for checkout-enabled passwords is now set to 10 to minimize risk of overflow.

• #12920, CAS-184249-V9D0D0 - An issue was fixed that caused multiple shared scp sessions and FTL to stop responding and could generate SSH ID mismatch errors.

• CAS-0010115630 - The man page for boksrule no longer lists use_frompsw as a valid modifier for SUEXEC.

• CAS-0010114897 - An issue was fixed that caused SecurID authentication to stop working when the authenticating user had the environment variable http_proxy set.
• CAS-0010104374 - Auto-registered hosts no longer experience a delay in the population of the /etc/passwd file when they connect to the BoKS infrastructure.
• CAS-0010112941 - The initial PATH set by boks_sshd has been updated to match that of the native ssh.
• CAS-0010114844 - The option "hostadm -l" now has correct error handling for any unsupported additional arguments.
• CAS-0010114844 - The option "hostadm -l -t NONBOKSHOST" now lists all hosts with type NONBOKSHOST as it is supposed to.
• CAS-0010114844 - The option "hostadm -lC" did not function correctly from BoKS 7.0 and produced identical output to "hostadm -l -S". This is fixed.
• CAS-0010114682 - An issue in the freeradius client used by the BoKS RADIUS client caused it to always set identifier to 103 in the RADIUS packet. This issue is fixed.
• CAS-0010102348 - BoKS was not able to set field 3 in /etc/shadow to NULL. This field now becomes empty if PSWLASTCHANGE for a user in the BoKS database is 0 (e.g. when user is created but no password is set).
• CAS-0010108922 - A fix for the vulnerability CVE-2016-12 in boks_sshd is included in this release.
• CAS-0010108922 - A fix for the vulnerability CVE-2016-11 in boks_sshd is included in this release.
• CAS-0010108922 - A fix for the vulnerability CVE-2016-10 in boks_sshd is included in this release.
• CAS-0010108922 - A fix for the vulnerability CVE-2016-8858 is included in this release.
• CAS-0010104374 - When adding a host to a Host Group, BoKS could send out bogus update_group requests for all users on that host that had the secondary group flag set if Unix Groups were created on the host. This issue is fixed.
• CAS-0010108500 - Improvements have been made in the error statuses written to boks_errlog, for example in the case of a DNS mismatch with /etc/hosts.
• CAS-0010105415 - An issue has been fixed whereby if a user performed suexec to run a BoKS shell as root, and then performed subsequent suexec commands, these were logged as being done by root, not the original user. Now the original user is logged in this scenario.
• #14535, CAS-184623-Y0J9S3, CAS-0010103964 - The extension "=+1", which is for internal use in the BoKS database, is no longer displayed in Access Rule listings by boksrule and lsbks, and access modifiers are correctly transferred when upgrading.
• #14120, CAS-184583-L2Y7F3 - You could not debug the program $BOKS_lib/boks_create_homedir using bdebug, but now you can use the program label "createhomedir" for bdebug if the ENV file parameters CREATEHOMEDIR_DEBUG_LEVEL and CREATEHOMEDIR_DEBUG_FILE are set.
• CAS-184728-J9L0P3 - Under certain circumstances servc could dump core for a user with a "must use" LDAP authenticator, leaving the user unable to log in to servers.
• CAS-0010103938 - Trying to block an already blocked user, or unblock a user that was not blocked, made BoKS Web Services Interface return a 500 internal server error.
• CAS-0010102899 - When you set a limit for maximum number of SSH user keys using the command "bksdef -k", there was insufficient input validation. A maximum limit of 65535 has now been set on the value for this setting.
• #14471, CAS-184612-K2M0D2 - When you tried to import Unix Groups from a host in FCC 7.1 the operation could fail in some circumstances with the message that the host did not exist, due to an issue in the admin server code.
• #14402, CAS-189060-Q0T2F8 - When the Master is installed the function to "truncate UNIX password to first 8 characters when checking new password against password policy" is disabled by default. In previous versions it was enabled by default. You can if required enabled this function using the command "bksdef -T enable". Note that if this function is enabled and the minimum password length is greater than 8, the password length restriction check always fails and users are prohibited from changing their passwords.
• #13832, CAS-184201-M4Q1K7 - Inactivity timeout settings for to-user on SU and SUEXEC Access Rules with keystroke logging enabled did not function correctly.
• For the deprecated program ttyadmin the option -LP|C has been removed as it did not return the correct output. The option -LA (list all access methods) is still supported.
• #13947, CAS-184579-H3V9S8 - When you installed BoKS an SSH host key was registered to the database without this being logged. This was because the command ssh_keyreg -b, which is run by sshd_setup during BoKS installation, did not generate any logs.
• #12297, CAS-187552-F3N4Y9 - When upgrading a Server Agent using upgrade_client, only the UsePrivilegeSeparation and Subsystem sftp settings in the sshd_config* files were restored. Now all customizations in these files are restored except PermitTunnel and KerberosAuthentication.
• #13945, CAS-183999-L1J9V4 - When boks_init gave up respawning a process and reported this to boks_errlog, the severity classification label was set to “warning” when it should have been “error” to better draw attention to the issue.
• #13787, CAS-187041-W6J8T8 - The output from bokslicense -l always listed non-enforcing licenses as “In compliance” even if they were over the limit on number of hosts. These type of licenses are now listed as “Not enforced”.
• #13930, CAS-188980-M4L4W2 - Updates to the BoKS bridge communication protocol on BoKS Master/Replica caused incompatibilities with BoKS 6.5 and 6.6 Server Agents.
• #13896, CAS-188970-F5N8G9 - Alarm log handling commands with parameters or that expected an end of file did not work correctly, changes to configuration required a Boot of BoKS and proper error messages were not provided for bad commands.
• #12544, CAS-186858-Y5P7F4 - The boks_drainmast process used a write lock on the database even though it only reads. Also, in some cases boks_drainmast generated more psw update messages to the clntd send bridge than needed.
• #13860, CAS-183997-Z9G3S4 - When keystroke logging (kslog) was enabled for SSH_EXEC Access Rules, the uid was changed to root and not changed back to the login user.
• #13930, CAS-188980-M4L4W2 - When servc is communicating with BoKS 6.5 Server Agents and cannot extract the BoKS version and OS release from the startup log message, it dumps core as a result.
• #13225, CAS-187156-D0L4B0 - When creating a user account in BoKS and providing an LDAP Distinguished Name, the mkbks command required a one-to-one mapping between the user and the Distinguished Name (DN). This made it impossible to map a single LDAP user to multiple BoKS users defined in different Host Groups. The one-to-one enforcement has now been removed from mkbks.
• #13778, CAS-187272-Q3M1M7 - Under certain circumstances udsqd attempted to free memory multiple times, with a resulting negative impact on performance. Also, forked receive bridges looked up the last hostkey for each message to de/encrypt even though they only read/write messages to the same host. The forked receive bridges now cache the hostkey in local memory, improving performance.
• #13620, CAS-184240-T9F8L0 - When user data checking (UDC) failed, a generic error message was displayed that did not provide information about the specific problem.
• #8717, CAS-189106-Q8Z4V9 - If TLOCK has been configured for a user, the inactivity checker in boks_bksd ignored changes on modification date of the tty device, even if logged in on a non-Solaris host (i.e. a host that lacks support for Tlock).
• #8323, CAS-189101-V3Z8Z0 - The command hgrpadm -R, which could be used to list Host Groups, was much slower than the command hgrpadm -l, also used for listing. Support for hgrpadm -R has been dropped from BoKS 7.2, and hgrpadm -l should be used instead.
• #13722, CAS-187285-X8M1H7 / #13734, CAS-187290-Y9C4M9 / #13719, CAS-187289-T8M9L3 - Secondary UNIX groups were not properly updated on Server Agents in certain scenarios depending on the order in which commands were executed.
• #13507, CAS-184238-N2T1P8 - Shared memory was allocated with a default size 1MB, no matter what size was configured, when a BoKS host was converted from Replica to Master.
• #8052, CAS-188393-J7Q1T1 - The lsbks command had an obsolete option -n that improperly listed non-functioning authenticators that were administrated through modbks rather than authadm.
• #13562, CAS-187349-S6N1C7 - ssh failed intermittently with the error “Permission denied” when there was a large number of messages in the servc queue.
• #13662, CAS-187014-G3R3G3 - The operation to delete a Host Group with a large amount of members could return an error “Internal server error” and cause some processes on the BoKS Master to stop responding.
• #9531, CAS-184007-W6N5J9 - The filmon program could incorrectly report that a file had changed even though this was not the case.
• #9938, CAS-185034-H5Z1M2 - When logging in to HP-UX with rlogin and a script configured in the ENV parameter T_LOGOUT to control inactivity monitoring, the corresponding btmp file entry could be erroneously deleted, disabling inactivity monitoring.
• #9754, CAS-185079-G2X3M6 - When an issue occurred during setup of BoKS, the setup program aborted and could leave the installation in a half-finished state. The setup program has been enhanced to exit in the event of one operation failing and report which operation failed so that you can take appropriate action and rerun the setup.
• #13532, CAS-187310-G0X3N5 - The boks_bridge process failed to bind the address if IPv6 had been disabled.
• TFS-110905-012857, CAS-188746-B5S9L6 - The adminwiz and, later, fccsetup programs did not check for the existence of a nodekey for the BoKS Master if it was moved to new hardware but no nodekey was created, so did not display a useful warning to enable the issue to be resolved.
• #13417, CAS-187096-G5G9K8 - The command “adgroup -l” accepted the admin_user argument (i.e. “admin@DOMAIN”) without returning an error, but admin_user should only be used with the -a and -d options for adgroup.
• #13069, CAS-184145-B7S7Y3 - The ENV variable BRIDGE_DOMAIN has a documented range 0-9 and enforcement of this range was added in code to enhance load-balancing. However there is actually no need for a 0-9 limit as long as the resulting port numbers are below 65535.
• TFS140924-015120, CAS-183979-Z7M4N4 - On some platforms if the showmaster program was unable to locate the server, the message "Alarm clock" was printed on the user’s screen.
• #13206, CAS-184127-R1V6B2 - If $BOKS_etc/savefiles or $BOKS_var/savefiles were empty boks_bru aborted with exit 1 and no error message was produced.
• #12686, CAS-187446-Z1Y7H7 - It was possible to remove the Master from the BoKS database using the hostadm program without supplying a force flag to the program.
• #11802, CAS-184079-N3D5Q0 - The suexec safepath test deemed it unsafe to run an executable in the /tmp directory because the directory is world writable, but if the /tmp directory has the sticky bit set (the normal case) it is actually safe.
• #11973, CAS-187679-C0G4L3 - If the $BOKS_etc/nodekey file was missing or corrupt the hostkey command failed and was thus terminated by a SIGSEGV without logging a warning to $BOKS_var/boks_errlog.
• #12298, CAS-184349-B8R8V3 - If you had a definition in host2profiles specifying a Host Group, but used the -h option to specify a hostname using the CLI program mkhome, the Host Group wasn’t matched.
• #9938, CAS-184349-B8R8V3 - Inactivity timeout had three separate problems for telnet on HPUX: 1) The T_LOGOUT parameter for custom configuration was not recognized. 2) The action at timeout sent SIGUSR1 to the user’s shell once and this could be trapped and ignored by the user. 3) The btmp entry was cleared unconditionally so that no further inactivity checking could be made in that case.
• #13292, CAS-187242-D9D9K0 - A lack of validity checking by ssh_keyreg meant that invalid SSH public keys could be created both using the CLI and FCC.
• #14102, CAS-184591-D2H1X4 - BoKS xdl failed to start on Debian 9.
• #14357, CAS-189062-D4P9K1 - A segmentation violation occurred in boks_sshd with remote command execution if the length of the command line argument exceeded 10232 characters (approx 10 KB).
• CAS-0010102573 - SecurID login to FCC did not work with hotfix HFBM-0234-2 installed.
• #14269, CAS-184631-P1C8B1 - Child receive bridge could crash if the caller closed the connection prematurely.
• #13236, CAS-189160-P7V2S4 - A timeout could occur when listing Host Groups with many members using "hgpadm -l".
• #14127, CAS-184796-F7B8V8 - A suexec Access Rule with a wildcard in the to-user part allowed access to root. This is changed to work like SU Access Rules, i.e root access is not included for wildcards.
• #14127, CAS-184796-F7B8V8 - A user logging in with BoKS sshd on Red Hat with SELinux enabled did not get all the ENV vars in their session they would get with the OS sshd. Now the following ENV vars are also available when logging in with BoKS sshd: SELINUX_ROLE_REQUESTED, SELINUX_USE_CURRENT_RANGE, SELINUX_LEVEL_REQUESTED.
• #14164, CAS-184766-V1H1N6 - internal-sftp generated SELinux violations when SELinux was enabled.
• #13901, CAS-184854-Y5M9G7 - A security vulnerability when provisioning registered SSH user public keys to local authorized_keys files was fixed.
• #13874 - The vulnerability "CVE-2017-3736 bn_sqrx8x_internal carry bug on x86_64" was fixed.
• #13874 - The vulnerability "CVE-2017-3738 rsaz_1024_mul_avx2 overflow bug on x86_64" was fixed.
• TFS111124-013071 - The $BOKS_etc/consoles file was not documented but now the man page consoles.4 has been added.