New Changes With LogonBox VPN 2.3.19

Introduction

LogonBox is pleased to announce the immediate availability of LogonBox VPN 2.3.19.
This release includes support for Twilio SMS, improvements to the SSH User Directory, and changes to validated emails for OTP authentication.

Twilio

LogonBox now supports Twilio directly for sending SMS messages. Previously this was configurable by using a custom SMS task with a trigger.
With this release, you can now select Twilio as an SMS provider in Authentication Flows->Authentication Options->SMS, then enter your Twilio SIDs and Token in the Twilio tab that appears.

This feature is pre-configured and free to use on our cloud services during the evaluation period. There will be options to purchase credits to continue using our Twilio service in production with no requirement to set up a Twilio account yourself.

SSH User Directory improvements

The SSH User Directory now supports password locks (using faillock) on RedHat systems.
Previously this supported account locks only (using passwd -l), which is still supported.

When the /etc/passwd file is read during user synchronization, the previous 32KB file size limit no longer applies, so it is now possible to synchronize a greater number of users.

One-Time Password validated email changes

Due to how OTP worked previously with validating a user’s email address, if that user’s directory email changed at any point, any OTPs would still be sent to the old address.
We have made some changes to address this:

  • If you are using directory emails, users will not need to validate their email on their first login.
  • If a user’s email address changes on the directory, then any new OTPs will be sent to the new email as expected.
  • If you add an Additional Email to the user’s account in LogonBox, the user will also have the option to send an OTP to that address.

When Use Directory Email is enabled, users will no longer see a list of validated emails in My Credentials->OTP.

If you have turned off Use Directory Email, then validated emails for OTP will work as previously, using emails stored in LogonBox only.

Changes to admin user login

Previously, the admin user would log in by default to the web UI via the user portal logon.
This previous functionality was easy to use but meant that if you had configured a separate authentication flow specifically for the Admin, then using the standard user portal login would not follow this flow.

Therefore, any newly deployed VPN servers will ship with the Admin Logon option enabled by default.
Any existing servers which upgrade to this release will continue to work as before, but if you wish to enable the Admin Logon, navigate to Authentication Flows->Authentication Options->Admin and set Admin Logon to ON and apply the changes.

When Admin Logon is enabled, your admin account must log on to the URL /app/admin.

A new Show Administration Link option is now available in Authentication Flows->Authentication Options->Admin. This option will add an Administration link underneath the user login page, which you can use to switch to the admin login page instead of manually visiting /app/admin.

This change brings the LogonBox VPN in line with the other LogonBox products.

Upgrade Instructions

You can directly upgrade from the web UI or the operating system.

To upgrade from the web UI, log on with your admin account, navigate to Server Status from the main dashboard and click Update. You may also be prompted automatically on login if you have Updates, Features & Licensing->Update Prompt turned on.

To upgrade from the operating system:

On Windows – download the new installer, run the installer, and follow the prompts.

On a LogonBox VM – from a shell, type in:

apt update
apt upgrade

If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:

https://docs.logonbox.com/app/manpage/en/article/6172513

Our support team will upgrade Cloud customers over the coming week.

Changes

Here is a summary of the changes in this release.

Features

  • Twilio SMS support was added and set to default on a cloud evaluation.
  • SSH Directory now supports password and account locks on RedHat systems (faillock and passwd -l).
  • SSH Directory can now read in /etc/passwd files larger than 32KB.
  • Changes added to validated emails with OTP (AD email changing, use Additional Emails).
  • New option to show Administration link. Newly deployed VPN servers will ship with the Admin Logon option enabled by default.

Bugs

  • AD user’s Fullname attribute incorrectly using AD’s description attribute.
  • End users now receive Account Suspended emails again.
  • Completed profile counts are now consistent (graphs vs profile counts on the Users menu).
  • Added some missing database cascades, which prevented some resources from being deleted.
  • Let’s Encrypt adds the intermediate certificate.
  • Profile status gets updated when PIN and Questions are in use.
  • Added some missing i18n strings for Lock Threshold, Window and Time.
  • Added permissions to fix 403 error on My Resources->Passwords.
  • VPN server now correctly handles v1 cookies sent by the VPN client.
  • Added missing i18n strings on some AD attributes (givenName, sn, displayName) visible in User Directory->User Attributes and on the end user My Profile.
  • Added a missing i18n string for Early Access update repository.

VPN client (2.4.0-938)

  • When the client performs an IP address fallback, it now sends a device identity cookie (LBVPNDID) during the connection test.
  • When the computer comes out of Hibernate/Sleep, timer problems no longer cause the client to get stuck in states such as “Temporarily Offline”.
  • The client now saves only a single device identifier cookie, and unexpected reauthorizations should no longer occur.