Rebex Buru SFTP Server 2.6: SSH shell support

Lukas Paluzga

We have released Rebex Buru SFTP Server v2.6. Here is an overview of changes, fixes and improvements.

SSH Shell support

Since version 2.5, clients can use SSH to connect to their favourite shell (cmd.exe, PowerShell, bash, etc.), with an experience similar to connecting to a Linux machine. The behavior can be configured globally, with an optional per-user override.

The original shell behavior based on so-called aliases is still supported (now referred to as legacy mode), but it should not be relied upon for any new functionality: the feature is now marked as deprecated and will most likely be removed.

The server needs to run under a privileged account (e.g. SYSTEM) in order to spawn impersonated processes. See the documentation for more details.

Initially, the functionality had several restrictions, which were removed in 2.6, namely:

  • The SSH terminal process no longer needs to run under the service account. When impersonation (formerly for SFTP/SCP access only) is enabled, the provided account is also used for the terminal process.
  • Running the service under the SYSTEM account (installation default) is recommended (again), as it no longer implies that the terminal process is spawned with all the associated privileges. Note that using the terminal without impersonation is still strongly discouraged because of security risks.

Terminal mode relies on the Windows ConPTY API, which is only available on new platforms: Windows 10 version 1809 and newer, and Windows Server 2019 and newer. Impersonation is available in the Pro edition only.

'user inspect' command

In the spirit of our ongoing effort to make engineers' lives easier, we created a new CLI command: burusftp user inspect <username>. The command prints user details in JSON format (schema available here or using the --print-schema subcommand). The result can be queried using JMESPath with the --query <jmespath> option.

Breaking changes

Version 2.5.0 introduced two (minor) breaking changes:

  • The public key fingerprint algorithm was changed from SHA-1 to SHA-256 base-64, e.g. in the user update --remove-keys <key> command.
  • With the introduction of the --log-level command-line option, we took the opportunity to use the verbose level for logging unencrypted data. Use this log level with caution! The --verbose option is still available and is not affected, as it is an alias for --log-level debug.
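
For scripts that have to follow the fingerprint change above, this added example (not Rebex code) computes a SHA-256 base-64 fingerprint from a public key line. It assumes the hash is taken over the decoded SSH key blob, as OpenSSH does; the page does not say whether Buru expects padded base-64 or the OpenSSH-style SHA256: form, so both are returned, and the sample key is constructed.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Return (key type, decoded key blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with its own length-prefixed algorithm name. If it does
    # not match the declared type, the line is corrupt or mislabeled.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def fingerprints(line: str) -> dict[str, str]:
    """SHA-256 fingerprint of the key blob; the comment field is not hashed."""
    _, blob = parse_public_key(line)
    padded = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "sha256_base64": padded,                          # standard base-64
        "sha256_openssh": "SHA256:" + padded.rstrip("="),  # ssh-keygen -l style
    }


# Constructed sample key (not a real key): ed25519 blob with bytes 0..31.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " alice@example")

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```

Compare the output against the fingerprint the server displays for the same key before using it in automation.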

Minor fixes and improvements

  • 2.4.1
    • Fixed an error when SFTP module could not be initialized with write-only root directory.
    • Fixed physical path incorrectly marked as non-existing in path mapping section (Web Admin).
    • Fixed access rights inheritance for nested virtual paths.
    • Write-only directories are now properly visible from parent directory.
  • 2.4.2
    • Support for SFTP v5. This improves compatibility with WinSCP client, which expects SFTP v5 to enable File Hashing extension that makes it possible to calculate checksums of remote files.
    • Fixed not requesting read permission in addition to delete for source path of rename operation.
    • Fixed compatibility issues in SCP protocol.
    • Fixed SSH aliases sometimes returning invalid exit code and error message.
  • 2.4.3
  • 2.4.4
    • Support for SSH session inactivity timeout (max idle duration).
  • 2.4.5
    • Fixed an issue when some IPv4 and IPv6 bindings could not be used together.
  • 2.4.6
    • Added burusftp keygen --curve command option.
  • 2.5.0
    • Log level can now be overridden from the command line: burusftp run --log-level <loglevel>.
    • --no-color option will toggle off color output and ANSI/VT codes for most commands.
    • --verbose option is now a shortcut for --log-level debug.
    • Breaking changes:
      • Changed public key fingerprint (used in e.g. user update --remove-keys) to SHA-256 base-64.
      • --log-level verbose log level now logs unencrypted packet data - use with caution!
  • 2.5.1
    • Fixed occasional freeze in legacy / terminal console mode.
    • Web Admin - user sessions are no longer valid after complete reinstall.
    • Web Admin - fixed application hanging after failed start.
    • Web Admin - added suppressHttpEndpointWarning option to disable HTTP endpoint warning when running e.g. behind a reverse proxy.
  • 2.5.2
    • Fixed a bug in custom logging configuration that caused a failure at startup when using a file sink.
    • Web Admin - added notification flash bar.
  • 2.5.3
    • Web Admin - Windows account and password fields in user detail no longer prefill values from the web browser.
  • 2.6.0
    • Fixed DNS resolution timeouts for bindings with domain names. Such timeouts occurred after server reboot when network services were not yet fully initialized.

For the complete list of fixes and improvements, see the Release notes.