LogonBox SSPR 2.4.11 – Now Available

Introduction

LogonBox is pleased to announce the immediate availability of LogonBox SSPR 2.4.11.

This release includes extra support for TOTP in our own authenticator as well as updated components to address potential security concerns.

TOTP additions

The LogonBox Authenticator now supports failover to using TOTP if the user’s mobile is offline or out of signal range.
On the LogonBox web UI at the Authenticator prompt, the user will now see an option to ‘Cancel Mobile Authentication and provide offline TOTP code’.

Note: This requires the latest LogonBox Authenticator app, version 0.20.

Security Updates

The UI components for Bootstrap have been upgraded to version 5 to address any security concerns reported by vulnerability scanners.

We have also added a new Content-Security-Policy header for ‘frame-ancestors’. This replaces the ‘X-Frame-Options’ header used previously, which is now deprecated in most browsers.
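
A post-upgrade check for the header change described above, as an added example (not LogonBox code): given the response headers captured from the web UI, it reports which framing control a browser will apply. The sample header values are constructed, since this page does not state the policy value LogonBox sends.

```python
def classify(sources):
    """Map a frame-ancestors source list to a coarse verdict."""
    lowered = [s.lower() for s in sources]
    if not lowered or lowered == ["'none'"]:
        return "blocked"            # an empty list matches no ancestor, same as 'none'
    if "*" in lowered:
        return "any-origin"
    if lowered == ["'self'"]:
        return "same-origin"
    return "allowlist"


def frame_ancestors_policies(headers):
    """Return one verdict per CSP policy that sets frame-ancestors."""
    verdicts = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):          # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    verdicts.append(classify(tokens[1:]))
                    break                        # first occurrence in a policy wins
    return verdicts


def framing_control(headers):
    """Report which header governs framing for a captured response."""
    verdicts = frame_ancestors_policies(headers)
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if verdicts:
        # Browsers that enforce frame-ancestors ignore X-Frame-Options.
        return {"control": "frame-ancestors", "verdicts": verdicts, "xfo_ignored": bool(xfo)}
    if xfo:
        return {"control": "x-frame-options", "verdicts": xfo, "xfo_ignored": False}
    return {"control": "none", "verdicts": [], "xfo_ignored": False}


# Constructed sample responses (not captured from a LogonBox server).
UPGRADED = [("Content-Type", "text/html"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")]
LEGACY = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]

if __name__ == "__main__":
    for label, hdrs in (("upgraded", UPGRADED), ("legacy", LEGACY)):
        print(label, framing_control(hdrs))
```

A result of "none", or a CSP that lacks frame-ancestors, after the upgrade usually means a reverse proxy in front of the server is stripping or overriding the header.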

Faster account unlocks

Unlocking a user account should now be significantly faster due to more efficient database calls.

Upgrade Instructions

You can directly upgrade from the web UI or the operating system.

To upgrade from the web UI, log on to your admin account, navigate to Server Status from the main dashboard, and click Update. If you have Updates, Features & Licensing->Update Prompt turned on, you may also be prompted automatically upon login.

To upgrade from the operating system:

On Windows – download the new installer, run the installer, and follow the prompts.

On a LogonBox VM – from a shell, type in:

apt update
apt upgrade

If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:

https://docs.logonbox.com/app/manpage/en/article/6172513

Our support team will upgrade Cloud customers over the coming week.

Changes

Here is a summary of the changes in this release.

Features

  • Added option to log off Azure when signing out of LogonBox (connected to Azure)
  • Links for deprecated password manager browser plugins have now been removed from a user’s web UI view
  • Updated Bootstrap components to the latest version
  • Added a new Content-Security-Policy for frame-ancestors to replace the now deprecated X-Frame-Options header
  • The /boot partition has been merged into / for new builds, as previous VMs had a too-small /boot partition.
  • Account unlocks should now be a lot faster
  • Clicking the manual Synchronize button will now re-enable the sync schedule if it is in a disabled state.
  • Added an option to prevent users from deleting their own TOTP authenticator configurations.
  • Added TOTP support to the LogonBox Authenticator, which can be used if your mobile cannot contact the server.

Bugs

    • Added a Password Policy View permission to fix a 403 error when the Password Generator is enabled
    • Fixed automatic log-off in Azure when logging out of LogonBox.
    • Services are now showing correctly again in VMCentre
    • The Support Callback service can now be launched again from the web UI and VMCentre
    • A user’s password expiry time is now displayed in the UI in the local server timezone rather than UTC.
    • Error messages on small (mobile) screens now wrap onto new lines so a user can read the full error.
    • Fixed a display issue with the database settings on a Windows install; it now correctly displays H2 rather than MySQL
    • Fixed an error with the browser password plugin being unable to fetch the favicon when creating a new password entry
    • The user can now see their Active Directory password policy again on the reset password screen.
    • A user’s locked status is now updated on a sync if a user has been unlocked directly in AD.
    • A suspended user will resume as expected after the lockout time expires.