Bug Fixes
- dgw: revert service as "Local Service" (c4f8d24)
- dgw: Content-Type header present twice for Json responses (#315) (c0976d8)
  Indeed, `Content-Type` is a "singleton field": a single member is anticipated as the field value. RFC 9110 says:
  > Although Content-Type is defined as a singleton field, it is sometimes incorrectly generated multiple times, resulting in a combined field value that appears to be a list. Recipients often attempt to handle this error by using the last syntactically valid member of the list, leading to potential interoperability and security issues if different implementations have different error handling behaviors.
- jmux-proxy: properly cancel proxy task (#327) (f62143e)
  Previously, the JMUX proxy task wasn't properly shut down because tokio tasks are detached by default (similar to `std::thread::spawn`). This adds a helper wrapper to explicitly specify whether a task should be joined or detached.
Features
- OpenAPI document and auto-generated C# and TypeScript clients
- dgw: retrieve KDC token from the path (f9b66c1)
- dgw: expose gateway ID in configuration endpoint (f15d33a)
- dgw: add general claim `jet_gw_id` (#293) (7a22ea1)
  When this claim is specified, a given token can only be used on a Gateway with the very same ID.
- dgw: config pushing endpoint (8ff1ebe)
- dgw: lossless and simpler config DTO (ba68301)
- dgw: subscriber API (a80282e)
- dgw: add --config-init-only cli option (89cd2b7)
- dgw: limit JMUX wildcard addresses (#302) (8a95130)
  The same port must be used.
- dgw: `jet/health` endpoint now returns Gateway identity
  The `Accept` HTTP header must be set to `application/json` for this.
- powershell: update module (71e15a4)
  - Deprecate `PrivateKeyFile` and `CertificateFile` in favor of `TlsPrivateKeyFile` and `TlsCertificateFile`. This change is backward compatible (the older names are still recognized by the cmdlets).
  - Add `Id`, `Subscriber` and `SubProvisionerPublicKey` to the config class.
  - Allow `Set-DGatewayConfig` to set the `Id`, `Subscriber` and `SubProvisionerPublicKey` values.
- dgw: forced session termination support (16c119b)
  This adds the endpoint `POST /jet/session/<id>/terminate`. This is similar to what we had back in Wayk Bastion except it's not P2P.
- dgw: maximum session lifetime enforcing (9b80162)
  This adds a new claim `jet_ttl` specifying the maximum lifetime for a given session. Devolutions Gateway will kill the session if it is still running after the deadline.
- jetsocat: HTTP proxy listener (04bd6da)
  HTTP proxy listener now handles both HTTPS (tunneling) proxy requests and HTTP (regular forwarding).
Security
- dgw: Smaller token reuse interval for RDP sessions (832d00b)
  With this change, we do not allow reuse for RDP sessions more than a few seconds following the previous use. The interval is 10 seconds, which is expected to give plenty of time for the RDP handshake and negotiations. Once this interval is exceeded, we consider the RDP session fully started and the same token can't be reused anymore.
  Two reasons why this is beneficial:
  - Security wise: the reuse interval is considerably shortened
  - Feature wise: more efficient forced RDP session termination
  Regarding the second point: Windows' mstsc will keep the session alive by re-opening it immediately. Because we allow token reuse in a limited fashion for RDP, as long as the association token is not expired, the terminate action has effectively no visible effect (besides that multiple sessions occurred). Reducing the reuse interval greatly improves the situation.
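As an added illustration (not code from the Devolutions Gateway project), the following Rust sketch combines the `jet_gw_id` check from the Features section with the 10-second RDP reuse window described here. The `Claims` struct, its `id` and `is_rdp` fields, the second-based timestamps, and measuring the window from the token's first use are all assumptions.

```rust
use std::collections::HashMap;

/// Reuse window for RDP tokens: the 10-second interval described above.
const RDP_REUSE_WINDOW_SECS: u64 = 10;

#[derive(Debug, PartialEq)]
pub enum Reject {
    WrongGateway,       // jet_gw_id does not name this Gateway
    Reused,             // non-RDP token presented a second time
    ReuseWindowElapsed, // RDP token presented again after the window
}

/// Subset of token claims used by this check (hypothetical struct).
pub struct Claims<'a> {
    pub id: &'a str,                // unique token identifier (assumed)
    pub is_rdp: bool,               // session uses RDP (assumed flag)
    pub jet_gw_id: Option<&'a str>, // claim from the Features section
}

/// Remembers when each token was first used on this Gateway.
pub struct TokenCache {
    gateway_id: String,
    first_use: HashMap<String, u64>, // token id -> first-use time (seconds)
}

impl TokenCache {
    pub fn new(gateway_id: &str) -> Self {
        Self { gateway_id: gateway_id.to_string(), first_use: HashMap::new() }
    }

    /// `now` is a monotonic clock reading in seconds, passed in so the
    /// decision is deterministic. Measured from first use (an assumption).
    pub fn validate(&mut self, claims: &Claims, now: u64) -> Result<(), Reject> {
        if let Some(required) = claims.jet_gw_id {
            if required != self.gateway_id {
                return Err(Reject::WrongGateway);
            }
        }
        match self.first_use.get(claims.id).copied() {
            None => {
                self.first_use.insert(claims.id.to_string(), now);
                Ok(())
            }
            // mstsc re-opens the connection right away; tolerate that briefly.
            Some(first) if claims.is_rdp && now.saturating_sub(first) <= RDP_REUSE_WINDOW_SECS => Ok(()),
            Some(_) if claims.is_rdp => Err(Reject::ReuseWindowElapsed),
            Some(_) => Err(Reject::Reused),
        }
    }
}
```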