2.1.6 (January 7 2024)
- Improved session recording subsystem.
- With syslog enabled, the events are now sent in raw auditd format.
- Renamed the 'RemoteAuditLogs' setting to 'RecordSyslog'.
- Added support for Windows expired accounts (now refused).
- Reorganized session-based settings.
2.1.5 (September 16 2024)
- Fixed welcome message not displaying newlines correctly.
- Fixed warnings with out of scope groups.
2.1.4 (April 12 2024)
- Added support for WebADM bruteforce protection with IP blacklisting.
2.1.3 (September 5 2023)
- Fixed empty TTY audit / log when user cancelled the MFA login.
- Do not update fail counter or blocking timers when MFA is cancelled.
- Return OpenOTP errors and messages when MFA authentication failed.
- Added a configuration to send remote hosts' Auditd events to syslog.
2.1.2 (June 13 2023)
- Enhanced the added user agreement functionality.
> Update required with WebADM v2.3.1.
2.1.1 (May 30 2023)
- Added support for WebADM v2.3 (this version requires WebADM v2.3).
- Added user agreement / contract signing during login transaction.
> With HTML documents, a user consent is shown for signed confirmation.
> With other documents, the user has to sign the attached document.
> These features are configured via Client Policies and provide eIDAS-
compliant login terms and conditions signature with PAdES (PDF) or
CAdES, during a user authentication workflow.
2.1.0 (January 19 2023)
- Added compatibility with WebADM 2.2.
- Updated the application icons.
- Removed the XMLRPC service API.
- Fixed password change and session unlock not working when the require
MFA option is enabled.
- Removed deprecated FIDO U2F authentication and enrolment.
- Added support for FIDO2 SSH keys.
2.0.22
- Added support for password change with WebADM password reset app.
> The Linux 'passwd' command changes the password remotely.
2.0.21 (November 11 2022)
- Added compatibility with WebADM v2.1.16.
2.0.20 (September 2 2022)
- Added SQL audit log event types (requires WebADM >= 2.1.15).
2.0.19 (January 13 2021)
- Fixed several issues with user tag matching.
- Removed debug output leftover in the tag verification code.
2.0.18 (December 16 2021)
- Fixed authorized key files not working with Allowed Local Users.
2.0.17 (December 5 2021)
- Added support for X.509 certificates with external certificates
(e.g. eIDAS ID cards).
- Certificates from external CAs are verified using CRL or OCSP.
2.0.16 (October 21 2021)
- Added Client ID chaining with OpenOTP.
- Authorized keys return backup keys even on user key failure.
- Added specific error for ActiveDirectory password lockout.
- Added support for LDAP language attributes in the form 'FR-fr'.
- Forced login shell now works dynamically per client policy.
- Requested server tags can be provided as boolean expressions.
- Non-absolute home directories are prepended with the HomeDir Prefix.
2.0.15 (September 13 2021)
- Fixed issues with LDAP case in user and group names.
2.0.14 (April 13 2021)
- Voice Biometric authentication forces Voice request via Mobile Push.
- Non-interactive sessions (i.e. SCP/SFTP) remove the 'LDAP' factor
requirement when 'LDAP' or 'LDAPOTP' MFA method is configured.
- License checks now occur at session start request time instead of
authorized keys requests.
- Added a new setting for configuring Forced OTP Type with SCP sessions.
- Added per-domain email sender with service provider licenses.
2.0.13 (April 4 2021)
- Added Client ID chaining with OpenOTP and SMSHub Web services.
> When SpanKey sends an MFA request to OpenOTP, the client ID is
forwarded. You can also implement cross-service client policies.
- Added %DATE% and %SERVICE% to the message templates' variables.
2.0.12 (March 8 2021)
- Fixed broken contextual extra factors' feature.
2.0.11
- Added compatibility with WebADM 2.0.11.
2.0.10
- Fixed configured backup/recovery keys not being returned.
- Added a 'Forced OTP Type' setting to force a specific OTP method when
OpenOTP Extra login factor is required.
2.0.9
- Fixed some issues with the FIDO-U2F private bundle import.
2.0.8
- Added support for OpenSSH v8.2 with FIDO U2F Devices.
> FIDO device keys can either be enrolled graphically or imported.
- Fixed client certificates not always working with shared accounts.
- Certificate keys are now fed as SSH public keys.
- Added compatibility with WebADM v1.7.10.
- Multiple code rewrites and optimizations.
2.0.7
- Added contextual authentication when extra login factors are enabled.
> Users do not need to re-enter the LDAP/MFA password for all servers
for a limited period as long as they connect from the same source IP.
- Added MaxUID and MaxGID setting for NSS account filtering.
- Added support for SSH access with WebADM client certificates.
- Optimizations to the tagging subsystem.
2.0.6
- This update is required for WebADM version >= 1.7.6.
- Fixed Sudo Commands not working when configured on both user/group and
client policies.
- Improved SSH generation time.
- Highly improved ECC key support.
- Allow existing key import for all supported key types.
- Prevent import of keys not matching the key length in self-services.
- Added password change retries count (to be used in upcoming SpanKey agent).
- Re-scoped some application settings.
> If you configured blocking policies or geo-fencing on a user or group,
please configure it in the application or client policy.
2.0.5
- Added client server hostname in the SQL logs.
- Added final support for Auditd dynamic rules.
- Added support for variables in the welcome message.
- Added support for WebADM cluster-level caching API.
- Added support for external public key registration via self-services.
> A new Manager method allows registration with external keys too.
- Added support for sudo commands and privilege elevations in WebADM.
> Sudo can be configured in client policies, users and groups.
> The sudo feature will be available in SpanKey Client v2.1.2.
2.0.4
- Added an option to limit the max usage count for an SSH public key.
> Automatic re-enrolment email link via SelfReg is supported.
- Added login statistics (login count, success and failures) to the
SpanKey user data.
- Fixed broken key export in PPK format (PuTTY).
- Fixed key register with the Manager API when no key size is provided.
- Added login shell per host via a Client policy configuration.
- Added schedulable reporting utility in 'bin/report' with CSV output.
- Added Auditd rule configuration for terminal and SCP sessions.
> This feature will be available with SpanKey client v2.0.3.
2.0.3
- Added support for WebADM v1.7 (it does not work with previous versions).
- Fixed issues with ECC key management.
- Fixed search base when the group search base is defined on the domain.
- Added support for accounts with local authorized keys files.
> Accounts list can be adjusted per client policy.
> Authorized keys files can be configured on the server.
> Authorized keys files can also be set per user and per group.
- Added NSS caching optimization under very high load.
- Added support for records with Auditd event logs.
- More and better SQL logs.
2.0.2
- Added OTP challenge response support with the optional MFA login.
> OTP retries are also supported.
- Added LDAP and LDAPOTP options for MFA login.
- Added a terminal session unlock feature.
- Removed trust domain support (dropped in the upcoming WebADM 1.7.0).
- Added LDAP password change feature via SpanKey PAM module.
2.0.1
- Shared account login shows the real user identity in the audit log.
- Unlock retries are limited to 3 LDAP password attempts.
- Added support for MinUID and MinGID policy settings.
- Added a data size limitation for recorded sessions.
- Added support for expired password reset links via email and SMS.
- Added optional MFA login (only SimplePush is supported with the current
SpanKey Client).
- Added user notifications when password or SSH key expired.
- Multiple code and performance enhancements.
2.0.0
- Brand new version with compatibility break with SpanKey v1 branch.
- Added session recording capabilities (WebADM 1.6 Record feature).
- Added support for SpanKey client agent v2.0 for Linux.
- New NSS integration.
- Much faster response time.
- Added support for SSH session lock screen.
- Added support for offline SSH access.
1.0.3-3
- Added the possibility to import an existing RSA SSH public key.
> Available under the admin portal actions only.
- Added localized messages API compliance with WebADM v1.5.10.
- Fixed an issue with NSS users missing login shell.
1.0.3
- Added error IDs to the error responses.
- Added support for WebADM service protocol API version checking.
1.0.2
- Fixed an NSS issue when no Posix user or no Posix group exists.
- Added an option to download both the PEM and PPK SpanKey private
keys bundled in a ZIP file.
- Added the %GROUPS% variable to the Authe Success URL setting.
- Added session monitoring with session start and stop audit.
1.0.1
- Added the SpanKey NSS methods.
> SpanKey is now an NSS provider for Posix users and groups.
> Integrated Linux systems do not need NSS-LDAP anymore.
> Note that SpanKey NSS functionalities require SpanKey client
v1.0.1 which will be released soon.
- The authorized keys API does not append the username to the keys.
- Many optimizations.
1.0.0
Initial SpanKey release.