Authentication Service and Privilege Elevation Service 6.0.1 Release Notes (Verify Privilege Server Suite 2023.1)
About this Release
Authentication Service and Privilege Elevation Service, part of the product category IBM Security Verify Privilege Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and Single Sign-On. With IBM Security Verify Privilege Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. IBM Security Authentication Service, through IBM Security's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. IBM Security's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.
Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)
Feature Changes in this Release
For a list of the supported platforms by this release, refer to the "Supported Platforms" section in the Verify Privilege Server Suite Release Notes.
For a list of platforms for which IBM Security will remove support in upcoming releases, refer to the "Notice of Termination Support" section in the Verify Privilege Server Suite Release Notes.
General
For more information about Delinea, see Delinea Announcement
Compatibility
If DirectControl is upgraded to 2023.1, Verify Privilege Server Suite OpenSSH needs to be upgraded to 2023.1 as well.
Security Fix
- Upgraded OpenSSL from v3.0.8 to v3.1.2. (Ref: 524065)
- Upgraded cURL to v8.1.2. (Ref: 489963)
- Created a CVE-2024-6387 patch for OpenSSH 9.3p1. (Ref: 582210)
Verify Privilege Server Suite DirectControl Agent for *NIX
- The user can now use either the sAMAccountName or the User Principal Name of a gMSA in adclient.krb5.cache.infinite.renewal.gmsa to control which Kerberos principal format is used in the credential caches. (Ref: 501818)
- Added a new authselect optional feature "with-nullok" for the Server Suite profile. By default the Verify Privilege Server Suite profile will not use "nullok" in PAM configuration files. (Ref: 517300)
- SSH login via gssapi-with-mic will be denied when Kerberos PAC validation fails. (Ref: 520206)
- Reduced unnecessary DN-format name lookups to optimize performance. (Ref: 531870)
DirectControl Command Line Utilities
- Added a new option -X or --computerpassword for the adjoin command to specify the password of the precreated computer account. (Ref: 481139)
- Added a new option -password for the precreate_computer command to specify the password of the precreated computer account. (Ref: 484292)
- A new sub-option --localkeytab of --adopt is added to the adkeytab command. When the options --adopt --localkeytab are specified, adkeytab will just create the keytab file locally. The new sub-option can be used by a normal user to create a keytab file for passwordless authentication. The user is also able to select the principal keys to be put into the keytab file with this new sub-option. (Ref: 475138)
- Added a new tool named adsshauthkeys to retrieve a user's public keys from the user object in AD. (Ref: 488800)
- The full output of adcheck will also be printed in the log centrifydc-install.log when installing the agent. (Ref: 504317)
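A keytab produced with adkeytab --adopt --localkeytab grants passwordless authentication to anyone who can read it, so the file's permissions matter as much as the principals it holds. The shell functions below are an added example, not part of Delinea's tooling: they confirm a keytab is a regular file readable only by its owner and list its principals with the standard MIT klist utility (the output format parsed is MIT's, not Heimdal's). The path /home/svc/app.keytab used in the usage comment is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not Delinea's code). Checks a user-created keytab before it is
# relied on for passwordless authentication.

# Return 0 only if the file is a regular file with no group/other permission
# bits. Parses the mode string printed by 'ls -ld' (portable to Linux and AIX).
keytab_perm_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;   # owner bits may vary; group/other must be ---
        *)          return 1 ;;
    esac
}

# Print the distinct principals stored in the keytab, using MIT klist.
# 'klist -k' prints "Keytab name", a "KVNO Principal" header and a rule line,
# then one "KVNO principal" line per key; column 2 is the principal.
keytab_principals() {
    klist -k "$1" | awk 'NR > 3 { print $2 }' | sort -u
}

# Full check: refuse an unsafe file, otherwise show what it can authenticate as.
keytab_check() {
    if ! keytab_perm_ok "$1"; then
        echo "UNSAFE: $1 is not a regular file or is readable by group/other" >&2
        return 1
    fi
    keytab_principals "$1"
}

# Usage (assumed path): keytab_check /home/svc/app.keytab
```

Run keytab_check as the keytab's owner after creating the file; a non-zero exit means the file should be re-created or chmod 600 before it is used by cron jobs or services.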
Configuration Parameters
New Parameters
- krb5.conf.include.file: This parameter specifies the include directive that adclient will add into krb5.conf. The default is empty. (Ref: 473411)
- krb5.conf.include.directory: This parameter specifies the includedir directive that adclient will add into krb5.conf. The default is empty. (Ref: 473411)
- adclient.autoedit.authselect: false. This parameter specifies whether to use the authselect method to enable the nss and pam configuration on systems that have authselect. The default is false. (Ref: 520232)
Modified Parameters
- adclient.krb5.password.change.verify.retries: 15. The default value of this parameter is changed from 0 to 15. (Ref: 506448)
- adclient.krb5.password.change.verify.interval: 60. The default value of this parameter is changed from 0 to 60. (Ref: 506448)
- adclient.krb5.service.principals: ftp cifs ldap. The default value of this parameter is changed from "ftp cifs" to "ftp cifs ldap". (Ref: 495637)
- nss.runtime.defaultvalue.var.shell: /sbin/sh. The default value of this parameter is changed from "/usr/bin/sh" to "/sbin/sh". (Ref: 531614)
DirectControl Installation
- On RHEL 9 systems with FIPS enabled, you need to import the GPG public key manually (only once and only on a new system):
  rpm --import https://cloudrepo.centrify.com/<token>/rpm-redhat/gpg.BDD3FD95B65ECA48.key
- On any RHEL system that has DirectControl previously installed (and so already has the Centrify GPG key imported), a new yum repository config file needs to be generated:
  curl -1sLf 'https://cloudrepo.centrify.com/<token>/rpm-redhat/setup.rpm.sh' | sudo -E bash
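The two steps above are easy to get wrong in both directions: re-importing a key that rpm already holds is harmless but noisy, and piping a remote script straight into a root shell gives no chance to review it. The script below is an added example, not Delinea's installer. It derives the rpm pseudo-package name that an imported key gets (gpg-pubkey- followed by the last eight hex digits of the key ID, lowercased) so the import can be skipped when the key is already present, and it downloads setup.rpm.sh to a file for inspection before running it. The environment variable CENTRIFY_REPO_TOKEN standing in for <token> is an assumption; nothing here touches the network unless it is set.

```shell
#!/bin/sh
# Added example (not Delinea's installer). Idempotent wrapper around the
# documented GPG import and repository setup steps for RHEL hosts.
# Assumption: the customer token is supplied in CENTRIFY_REPO_TOKEN.

REPO_BASE="https://cloudrepo.centrify.com"
KEY_FILE="gpg.BDD3FD95B65ECA48.key"

# Map the key file name to the pseudo-package rpm creates on import:
# rpm names imported keys gpg-pubkey-<last 8 hex digits of key ID, lowercase>.
key_pkg_name() {
    keyid=$(printf '%s\n' "$1" | sed -n 's/^.*gpg\.\([0-9A-Fa-f]\{16\}\)\.key$/\1/p')
    [ -n "$keyid" ] || return 1
    printf 'gpg-pubkey-%s' "$(printf '%s' "$keyid" | tail -c 8 | tr 'A-F' 'a-f')"
}

# Build the per-customer URL for a path under rpm-redhat/.
repo_url() {
    printf '%s/%s/rpm-redhat/%s' "$REPO_BASE" "$1" "$2"
}

# 0 if rpm already holds the Centrify key (true on a host that had DirectControl).
key_imported() {
    rpm -q "$(key_pkg_name "$KEY_FILE")" >/dev/null 2>&1
}

setup_repo() {
    token=$1
    # FIPS-enabled RHEL 9 needs the manual import; skip it when already present.
    key_imported || rpm --import "$(repo_url "$token" "$KEY_FILE")" || return 1
    # Download, inspect, then run: never execute an unseen script as root.
    script=$(mktemp) || return 1
    curl -1sLf -o "$script" "$(repo_url "$token" setup.rpm.sh)" || return 1
    grep -n 'cloudrepo.centrify.com' "$script" || true   # hosts the script will contact
    sudo -E bash "$script"
    rm -f "$script"
}

if [ -n "${CENTRIFY_REPO_TOKEN:-}" ]; then
    setup_repo "$CENTRIFY_REPO_TOKEN"
fi
```

After the import, rpm -q gpg-pubkey-b65eca48 is the quick way to confirm the key is present on any host; the grep line is only a prompt to read the downloaded setup script before it runs under sudo.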
Verify Privilege Server Suite Access Manager
- Users can specify the password for the computer account when they prepare a *NIX computer. (Ref: 481136)
- The comparison of the joined time for the classic zone is given a +/- range. By default, the range is +/- 30 seconds. The range can be configured by the registry value HKLM\Software\Centrify\CIMS\JoinTimeRange. (Ref: 298722)
Verify Privilege Server Suite Access Module for PowerShell
- Users can specify the password for the computer account when they prepare a *NIX computer using the PowerShell cmdlet New-CdmManagedComputer. (Ref: 481138)
Verify Privilege Server Suite OpenLDAP Proxy
- Upgraded OpenLDAP from 2.5.13 to 2.5.14. (Ref: 502323)
- Verify Privilege Server Suite OpenLDAP Proxy supports SASL/GSSAPI bind. (Ref: 495637)
- Verify Privilege Server Suite OpenLDAP Proxy supports multiple attributes in the search filter when doing a zone search. (Ref: 508752)
Verify Privilege Server Suite OpenSSH
- Upgraded OpenSSH to 9.3. (Ref: 477851)
- Added ssh-copy-id to DirectControl OpenSSH. (Ref: 513256)
- Added ssh-sk-helper and ssh-pkcs11-helper for RedHat (amd64) and Debian (amd64) to DirectControl OpenSSH. (Ref: 509074)
Verify Privilege Server Suite Report Services
- The existing database can be reused via Report Services silent configuration. (Ref: 509809)
Verify Privilege Server Suite Smart Card
- Added Smart Card support for Debian 12.0. (Ref: 514927)
Fixes in Release 2023.1 Component Update (2023.1.6 / July 2024)
- Fixed issues related to CVE-2024-6387 by creating a patch for OpenSSH. (Ref: 582210)
Feature Changes in Release 2023.1 Component Update (Jan 2024)
- Added support to create a role with the new Dzdo Rescue right, which allows administrators to control which users can still authenticate via dzdo if problems with multi-factor authentication to the cloud platform are preventing users from authenticating. (Ref: 536485)
- A new system right titled 'HasDzdoRescueRight' was introduced for New-CdmRole, Set-CdmRole, and Get-CdmRole. (Ref: 537946)
Fixed Issues in this Release
Security Fixes
- Applied the fix for CVE-2023-38408 to OpenSSH. (Ref: 521873)
Verify Privilege Server Suite DirectControl Agent for *NIX
- Fixed a user visibility issue where some group members remained invisible after being added to an AD group that was assigned visible roles. (Ref: 489972)
- Fixed an issue where dzinfo may show duplicate entries. (Ref: 501815)
- Fixed an issue where adjoin would prompt a warning message when self-joining a computer pre-created using Access Manager. (Ref: 504183)
- Fixed a deadlock issue in adclient. (Ref: 517984)
- Fixed the file permission issue with /var/centrifydc/.dz.cache.needs.refreshing if adclient's umask is unexpectedly modified in some non-standard way. (Ref: 531408)
DirectControl Installation
- Removed sudo from the dependencies of CentrifyDC. (Ref: 510459)
Verify Privilege Server Suite Access Manager
- Fixed an issue where Access Manager could not find the OU in the Setup Wizard. (Ref: 487239)
- Fixed an issue where a role definition differed between zone level and computer level. (Ref: 501534)
Verify Privilege Server Suite OpenSSH
- Fixed an issue where Delinea OpenSSH could not start on Amazon Linux 2023. (Ref: 508388)
Fixes in Release 2023.1 Component Update (Jan 2024)
- The patch for cURL v8.1.2 has been updated to fix CVE-2023-38545. (Ref: 543817)
- Fixed a bug in the addns command where, when the -r, --refresh option is specified to update any HOST or PTR records, the refresh option was ignored. (Ref: 535321)
- Fixed a bug in adclient where a background LDAP page search result refresh task may be run multiple times unnecessarily. (Ref: 543171)
- Fixed a bug where, after uninstallation of Verify Privilege Server Suite, authselect may still use the 'Verify Privilege Server Suite' profile. (Ref: 544959)
- Fixed a bug with screen savers and RDP sessions where the user session would become unusable. (Ref: 543480)
This Component Update will deprecate the previous version, Component Update (Dec 2023).
Fixes in Release 2023.1 Component Update (Dec 2023)
- Fixed issues related to CVE-2023-5363 by creating a patch for OpenSSL 3.1.2. (Ref: 541354)
- This Component Update will deprecate the previous version, Rolling Update (April 2024).
Changes in Release 2023.1 Rolling Update (April 2024)
- Fixed issues related to CVE-2023-42465 by creating a patch for Dzdo. (Ref: 553401)
- Fixed issues related to CVE-2023-48795 by creating a patch for OpenSSH. (Ref: 552681)
- Updated install.sh to check whether the agent is installed for IBM Security Privilege Controls for Servers. (Ref: 549578)
- Fixed an upgrade issue when upgrading from version 2022.1 or earlier on Flatcar Linux. (Ref: 560300)
- Fixed an issue where install.sh may still install Verify Privilege Server Suite packages when there are adcheck errors. (Ref: 560381)
Known Issues
The following sections describe common limitations or known issues associated with this Authentication Service and Privilege Elevation Service release.
For the most up-to-date list of known issues, please log in to the Customer Support Portal at https://www.delinea.com/support and refer to Knowledge Base articles for any known issues with the release.
Verify Privilege Server Suite DirectControl Agent for *NIX
Known Issues with Multi-Factor Authentication (MFA)
- If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required to use MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)
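Because one mistyped group name in adclient.legacyzone.mfa.required.groups silently widens the MFA requirement to every AD user, it is worth checking the parameter before pushing a centrifydc.conf change. The script below is an added example, not Delinea's code: it extracts the configured group names and reports any that a resolver command cannot find. The constructed configuration fragment and the stub resolver are there so it runs offline; on a joined host the resolver would be adquery group, and the assumption that values are separated by spaces or commas should be checked against your own configuration files.

```shell
#!/bin/sh
# Added example (not Delinea's code). Finds entries in
# adclient.legacyzone.mfa.required.groups that do not resolve, since a single
# non-existent group makes adclient require MFA for every AD user.
# Assumptions: centrifydc.conf uses "parameter: value" lines with group names
# separated by spaces, tabs or commas; the resolver is a command that exits 0
# when the group exists (on a joined host: "adquery group").

# Print the configured group names, one per line.
mfa_required_groups() {
    sed -n 's/^[[:space:]]*adclient\.legacyzone\.mfa\.required\.groups[[:space:]]*:[[:space:]]*//p' "$1" \
        | tr -s ', \t' '\n\n\n' | sed '/^$/d'
}

# Print each configured group the resolver cannot find; exit 1 if any.
missing_mfa_groups() {
    conf=$1; resolver=$2; rc=0
    for g in $(mfa_required_groups "$conf"); do
        if ! $resolver "$g" >/dev/null 2>&1; then
            printf '%s\n' "$g"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration and a stub resolver for offline use.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# centrifydc.conf fragment (constructed for this example)
adclient.legacyzone.mfa.required.groups: mfa-admins, mfa-ops typo-group
EOF
stub_resolver() { case "$1" in mfa-admins|mfa-ops) return 0 ;; *) return 1 ;; esac; }

# Offline run: prints "typo-group" and returns 1.
missing_mfa_groups "$SAMPLE_CONF" stub_resolver
# On a joined host:
# missing_mfa_groups /etc/centrifydc/centrifydc.conf "adquery group"
```

A non-zero exit should block the configuration change; once the stray name is removed, adreload picks up the corrected parameter.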
Known Issues with AIX
- On AIX, upgrading the DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after the upgrade. It is recommended not to upgrade the DirectControl agent in disconnected mode. (Ref: CS-30494a)
- Some versions of AIX cannot handle usernames longer than eight characters. As a preventive measure, a new test case has been added to the adcheck command to check whether the parameter LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users are aware of it. (Ref: CS-30789a)
Known Issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)
There are several potential issues on Fedora 19 and above:
- The adcheck command will fail if the machine does not have Perl installed.
- Group Policy will not be fully functional unless Text/ParseWords.pm is installed.
Known Issues with RedHat
- When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)
Known Issues with rsh / rlogin (Ref: IN-90001)
- When using rsh or rlogin to access a computer that has the DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted, and the password is successfully changed.
Known Issues with Compatibility
- The DirectControl SELinux module is not compatible with RHEL 6.0 and the installation of the module will fail on RHEL 6.0. If SELinux is required, please upgrade to RHEL 6.1 or above, or upgrade the SELinux policy on the system. (Ref: 503757)
Using DirectControl 4.x Agents with Access Manager 5.x (Ref: IN-90001)
- DirectControl 4.x agents can join classic zones created by Access Manager 5.x. It will ostensibly be possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this causes failures later because such behavior is undefined.
Default Zone Not Used in DirectControl 5.x (Ref: IN-90001)
- In DirectControl 4.x and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.
- This concept has been removed from DirectControl 5.0.0 and later, as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
- A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly specified.
Smart Card
- There is a Red Hat Linux desktop selection issue found in RHEL 7 with smart card login. When logging in with a smart card, if both GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)
- When a SmartCard user attempts to log in with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)
- Any SmartCard user will get a PIN prompt even if they are not zoned, even though the login attempt will ultimately fail. (Ref: CS-33175c)
- If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using the expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while using a Smart Card. (Ref: CS-28926a)
- To log in successfully in disconnected mode (Ref: CS-29111a):
  - For a password user: a password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior.)
  - For a SmartCard user: the above is not true of SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may successfully log in using disconnected mode even without prior successful logins in connected mode.
    - If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
    - If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
- When CRL checking is set via Group Policy and a user attempts to authenticate via smart card, authentication may fail. The workaround is to wait until the Group Policy update interval has elapsed and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)
- A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)
- The PIN must be entered twice to log in using a CAC card with PIN on RedHat. It will fail on the first input but succeed on the second. (Ref: CS-30551c)
- Running "sctool -D" as a normal user gives the wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)
- Screen saver shows a password prompt, not a PIN prompt (Ref: CS-31559a)
  Most smart card users can log on with a smart card and PIN only and cannot authenticate with a username and password. However, it is possible to configure users for both smart card/PIN and username/password authentication. Generally, this setup works seamlessly: the user either enters a username and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.
  However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters their password multiple times, the card will lock once the limit for incorrect entries is reached.
- On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)
Additional Information and Support
In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.
The IBM Security Resources web site provides access to a wide range of information including analyst reports, best practice briefs, case studies, datasheets, ebook, white papers, etc., that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.
To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.