Release notes

What’s new in the latest release of Rebex Buru SFTP Server for Windows?

Release notes

2.15.4 (2024-10-01)

  • Added burusftp certgen command to generate self-signed X.509 (TLS) certificates. This is an alias for burusftpwa certgen.
  • Web Admin - FTP certificate group can now be renamed.
  • Web Admin - fixed FTP binding custom certificate group not being saved properly.

2.15.3 (2024-10-01)

  • Web Admin - fixed error when loading FTP settings page.

2.15.2 (2024-09-19)

  • Web Admin - fixed browser cache issue after application upgrade.

2.15.1 (2024-09-17)

  • Fixed an issue where username leading/trailing whitespace was not trimmed when creating a user.
  • Web Admin - fixed error when loading user detail page for user with special characters in username.
  • Web Admin - fixed error message when adding user with existing username.

2.15.0 (2024-09-13)

  • Initial FTP protocol support:
    • Added support for FTP protocol (plain FTP, implicit and explicit FTPS).
    • Disabled by default. Can be enabled globally in configuration or per user.
    • Each FTPS endpoint can be configured with different certificate(s).
  • Added user field ’note’ for user comments.
  • Installer - Buru SFTP Command Prompt now runs with administrator privileges by default.
  • Removed server configuration parameters passwordPolicy and usernamePattern. These parameters have been deprecated since v1.1.0.
  • Web Admin - configuration pages are now accessible when configuration file is invalid but readable.
  • Fixed burusftp user key delete -F <fingerprint> behavior with SHA-256: prefix.
  • Updated Serilog logging libraries.

2.14.5 (2024-08-01)

  • Fixed errors when parsing some configuration IP addresses with leading or trailing whitespace.
  • Web Admin - added SSH port placeholder on SSH endpoints page.
  • Web Admin - fixed Maximum renegotiation threshold caption on Additional SSH settings page.
  • Web Admin - fixed minor UI issue when typing a file path containing a space character.

2.14.4 (2024-06-07)

  • Web Admin - fixed error when multiple IP address ranges were used in IP filtering textboxes.

2.14.3 (2024-06-25)

  • Added logging of user lockout events.
  • Fixed burusftp user update <username> --password "" behavior - now removes password instead of setting an empty password.
  • Fixed burusftp user add <username> --password "" behavior - now does nothing instead of setting an empty password.

2.14.2 (2024-06-21)

  • Web Admin - fixed loading comment from user public keys.
  • Web Admin - server key list now also shows certificate details for keys with certificates.

2.14.1 (2024-06-10)

  • Added support for loading private keys in new OpenSSH key format encrypted using AES/GCM or ChaCha20/Poly1305.
  • Fixed handling of client’s SSH_MSG_EXT_INFO message.
  • Added logging of SSH ciphers supported by the client on mismatch (log level: debug).
  • Environment variables can be used in server key paths (see keys).
  • Web Admin - fixed missing log level dropdown on logging configuration page.
  • Web Admin - server configuration page now shows full path to configuration file and revert buttons.

2.14.0 (2024-05-21)

  • Web Admin - major changes:
    • Form visuals have been updated.
    • Multiple users can now be selected for certain actions (lock, unlock, delete).
    • UI customization changes:
      • Full Material UI schema is no longer supported.
      • Secondary palette is no longer supported.
    • Error shown when multiple server SSH keys of same type are added.
    • Public server keys can now be easily exported from the web interface.
    • SSH algorithm selection is now simplified. Manual sorting is still supported by editing the configuration file.
    • User public keys are now displayed with SSH key type prefix.

2.13.0 (2024-04-25)

  • Removed KeyCertSign and CrlSign usages from burusftpwa certgen-generated certificates.
  • SSH banner is now configurable.

2.12.1 (2024-04-23)

2.12.0 (2024-04-15)

2.11.4 (2024-03-18)

  • Fixed user update command:
    • Fixed error message when Windows account is not found.
    • Fixed error when updating fields other than Windows account and related, when Windows account is already set, using Free license.

2.11.3 (2024-01-18)

  • Fixed configuration backup when upgrading using installer.
  • Updated signing certificate.

2.11.2 (2024-01-04)

  • Added support for strict key exchange extension (thwarts the so-called ‘Terrapin attack’ - CVE-2023-48795).
    • This is not a critical fix, since neither version of Buru SFTP Server relies on RFC 8308 extension negotiation mechanism, so Terrapin attack can only be used by an attacker to disrupt authentication, causing the SSH session to fail.
  • Fixed ’not authenticated’ instead of ’not connected’ error message.
  • Allowed dates outside 1970-2999 range in SFTP v4 (or higher).

2.11.1 (2023-11-22)

  • Web Admin - fixed error when saving SSH algorithms on Windows 7/8.

2.11.0 (2023-11-21)

  • Support for ecdh-sha2-1.3.132.0.10 and ecdsa-sha2-1.3.132.0.10 algorithms on Windows 10+ and Windows Server 2016+ (enabled by default) - see configuration.

2.10.2 (2023-08-11)

  • Web Admin - added config.yaml text editor.
  • Web Admin - configuration split to separate pages.

2.10.1 (2023-07-31)

  • Fixed file access issue that prevented users from accessing files being currently written to (for example, log files).

2.10.0 (2023-07-26)

2.9.6 (2023-07-10)

2.9.5 (2023-06-21)

  • Web Admin - configuration pages now allow to “Save and restart service”.
  • Web Admin - added startup logs browser.

2.9.4 (2023-06-05)

  • Changed ‘An existing connection was forcibly closed by the remote host.’ message severity (from Error to Warning)

2.9.3 (2023-06-01)

  • Updated internal libraries, including Serilog.

2.9.2 (2023-05-29)

  • Fixed exit code for --help
  • path list now supports CSV output format using --format csv.

2.9.1 (2023-05-18)

  • AES-CBC encryption algorithms are now categorized as ‘intermediate’ (formerly ‘modern’).
  • Fixed broken login after invalid password attempt with MFA enabled.
  • Optimized moving files on the same volume when using SFTP or SCP.

2.9.0 (2023-05-02)

2.8.3 (2023-03-07)

  • Web Admin - responsive design improvements.
  • Improved client public key authentication process.
  • Fixed escaping of special characters in SSH/SCP commands.

2.8.2 (2023-02-16)

  • Web Admin - fixed SSH service status sometimes stuck at “Checking…”

2.8.1 (2023-02-16)

  • Web Admin - fixed highlighting in navigation menu.
  • Web Admin - warning is shown when connection to server is lost.
  • Web Admin - SSH service status is now indicated in real time.
  • Web Admin - SSH algorithm configuration moved to separate page.
  • Web Admin - now using slightly less contrasting default colour theme.

2.8.0 (2023-01-16)

  • Comments can now be added to user public keys to help get organized.
  • Buru SFTP Command Line shortcut now opens shell in the installation directory (previously in Windows SYSTEM directory).
  • CLI - user update --remove-keys now accepts dsa; ecdsa now matches any ECDSA key.
  • CLI - user public keys can now be managed using user key add and user key delete commands.
  • CLI - user public keys can now be specified directly using user add --keys <key>, user update --add-keys <key> and user update --set-keys <key>.
  • CLI - virtual paths in path and path delete commands can now be specified without / prefix.
  • CLI - when virtual path (-v <path>) in path and path delete commands is not specified, it defaults to root / path.
  • Web Admin - user public keys can now be added directly, without the need for public key file upload.
  • Breaking changes:
    • CLI - removing last public key using user update will no longer disable public key authentication. When public key authentication is set to required, user will not be able to log in.
    • Changed SSH shell and SFTP encoding from win-1252 to UTF-8.

2.7.3 (2022-12-09)

  • Web Admin - fixed performance issue on user edit page.

2.7.2 (2022-09-26)

  • When bindings section is missing in the configuration file, the SSH server will listen on both IPv4 and IPv6 “any” addresses.
  • Server will now not use IPv4 “any” address for empty (not missing) bindings section in the configuration file.
  • SSE2 fallback for ChaCha20 for processors without AVX2.
  • Fixed sometimes missing or wrong error message for invalid command line input.
  • Web Admin - fixed error when address is missing in SSH binding.
  • Web Admin - server configuration page now displays proper values for server private keys and SSH bindings when default values are used.
  • Web Admin - fixed description for log pages without logs.

2.7.1 (2022-08-19)

  • Increased SSH terminal buffer sizes for better performance with tools such as rsync.

2.7.0 (2022-08-08)

  • Added support for server-sig-algs SSH extension (RFC 8332).
  • Optimized ChaCha20Poly1305 and AEAD ciphers internals.
  • Web Admin - user lockout management moved from user edit form to independent dialog accessible directly from Users page.
  • Web Admin - users can now check for updates on home page.
  • Web Admin - fixed caption for default SSH shell in user edit form.
  • Web Admin - users using unsupported browsers (such as Internet Explorer) will now see a user-friendly error message.

2.6.2 (2022-05-09)

  • Web Admin - improved validation for empty rows in user’s path mappings.
  • Added IPv6 Any ([::]:22) to the list of SSH server’s default listening addresses.

2.6.1 (2022-05-02)

2.6.0 (2022-04-04)

2.5.3 (2022-02-11)

  • Web Admin - Windows account and password fields in user detail no longer prefills values from web browser.

2.5.2 (2022-01-28)

  • Fixed a bug in custom logging configuration that caused a failure at startup when using a file sink.
  • Web Admin - added notification flash bar.

2.5.1 (2022-01-20)

  • Fixed occasional freeze in legacy / terminal console mode.
  • Web Admin - user sessions are no longer valid after complete reinstall.
  • Web Admin - fixed application hanging after failed start.
  • Web Admin - added suppressHttpEndpointWarning option to disable HTTP endpoint warning when running e.g. behind a reverse proxy.

2.5.0 (2021-12-23)

  • Added Terminal support.
  • Added new CLI command: user inspect <username> [--query <jmespath>].
  • Log level can be now overridden from command line burusftp run --log-level <loglevel>.
  • --no-color option will toggle off color output and ANSI/VT codes for most commands.
  • --verbose option is now a shortcut for --log-level debug.
  • Breaking changes:
    • Changed public key fingerprint (used in e.g. user update --remove-keys) to SHA-256 base-64.
    • --log-level verbose log level now logs unencrypted packet data - use with caution!

2.4.6 (2021-11-30)

2.4.5 (2021-11-16)

  • Fixed an issue when some IPv4 and IPv6 bindings could not be used together.

2.4.4 (2021-10-27)

  • Support for SSH session inactivity timeout (max idle duration) - see configuration.

2.4.3 (2021-10-21)

2.4.2 (2021-10-01)

  • Support for SFTP v5. This improves compatibility with WinSCP client, which expects SFTP v5 to enable File Hashing extension that makes it possible to calculate checksums of remote files.
  • Fixed not requesting read permission in addition to delete for source path of rename operation.
  • Fixed compatibility issues in SCP protocol.
  • Fixed SSH aliases sometimes returning invalid exit code and error message.

2.4.1 (2021-07-26)

  • Fixed an error when SFTP module could not be initialized with write-only root directory.
  • Fixed physical path incorrectly marked as non-existing in path mapping section (Web Admin).
  • Fixed access rights inheritance for nested virtual paths.
  • Write-only directories are now properly visible from parent directory.

2.4.0 (2021-06-08)

  • Web Admin client-side performance optimizations.
  • Added Web Admin theming (Pro edition only).
  • Web Admin will display a warning when service user is not able to access user folder.

2.3.0 (2021-05-06)

  • SSH renegotiation is now configurable using maximum data transferred or time period threshold or can be disabled altogether.
  • Users can now connect using SFTP even when they have no path mappings defined (empty read-only directory is shown).
  • user add no longer requires the process user to be able to query service definition user.

2.2.0 (2021-03-16)

  • Major performance improvement for Chacha20/Poly1305 encryption.
  • Added burusftp svc restart and burusftpwa svc restart commands.
  • Web Admin improvements:
    • Added [Restart] button to service management page.
    • Showing detailed error message when service fails to start.
    • Faster feedback on service management page.
    • SSH host key widget on server configuration page improved.

2.1.1 (2021-03-11)

  • Fixed library loading issue for custom logging.

2.1.0 (2021-02-05)

  • Users can be added with password hash only (e.g. when importing from existing user database) - see burusftp user add.
  • Fixed log highlighting issues.
  • Updated color scheme and layout (Web Admin).
  • Home page dashboard (Web Admin).
  • Breaking changes:
    • No longer looking for free license in application’s root path.
    • SSH session ID now added to most log entries, where relevant.
    • User password hashes are rehashed on successful login to specified algorithm - see configuration.

2.0.1 (2021-01-28)

  • Fixed installer UI scaling issues.

2.0.0 (2021-01-25)

  • New major features
    • Windows installer is now available for download.
    • Added Windows authentication and impersonation support (Pro edition only).
    • Support for custom logging configuration file - see configuration.
    • Config folder is now searched for in the following paths:
      • [INSTALLATION_PATH]\config
      • %PROGRAMDATA%\Rebex\BuruSftp (this path is used by installer by default)
  • Breaking changes:
    • Re-installation is needed when upgrading to version 2.x - see the upgrade guide.
    • SSH server will now shutdown when the trial license expires.
    • Command line changes:
      • We plan to release more Buru applications in addition to the SFTP server, and hence buru.exe is renamed to burusftp.exe, buruwa.exe to burusftpwa.exe.
      • Password and public key authentication are now required by default when set.
      • Password and public key can no longer be setup as enabled or required without password or public key, respectively.
      • init, install and run commands now perform more extensive environment checks which might include patching the user database to new version.
      • burusftp user list -v now lists locked users with L prefix.
      • Some options were renamed, e.g. --keyAuth to --key-auth. In most cases a temporary fallback is available allowing you to use previous option names with a warning.
    • Services and their display names were renamed.

1.9.1 (2020-10-12)

  • Support recursive directory creation (mkdir -p).
  • No longer logging packet data in verbose mode.

1.9.0 (2020-08-10)

  • Added account lockout support.
  • Show confirmation dialog when deleting user (Web Admin).
  • Breaking changes:
    • Account lockout is now enabled by default.

1.8.4 (2020-08-08)

  • Fixed access issue (Web Admin).

1.8.3 (2020-07-29)

1.8.2 (2020-07-27)

  • burusftp init also checks configuration files.

1.8.1 (2020-07-21)

  • Fixed freeze on certain IP filter ranges and logging set to debug.

1.8.0 (2020-07-16)

  • Added burusftp init command for quick non-interactive installation - see burusftp init.
  • Fixed handling of unknown SSH packets received before authentication.
  • Fixed auto-redirection to home page after login (Web Admin).
  • Fixed installation abort when service user not found.
  • Workaround for very old OpenSSH 4.x/5.x clients that refuse to accept data packets while SSH renegotiation is in progress.
  • Web administration can now start even without valid configuration file.
  • Breaking changes:
    • Changed access log default level to Information (was Warning).
    • Unsupported SSH algorithms will prevent server from starting (before just displayed an error).
    • (users.usernameCaseSensitive) option is no longer supported. Usernames case-insensitive.

1.7.4 (2020-05-26)

  • Minor UI tweaks in web administration (Web Admin).
  • Fixed license check for beta versions.

1.7.3 (2020-05-22)

  • Fixed Chacha20-Poly1305 decryption issue.

1.7.2 (2020-05-18)

  • Fixed license upgrade page (Web Admin).

1.7.1 (2020-05-05)

  • Support for aes256-gcm@openssh.com and aes128-gcm@openssh.com encryption (enabled by default) - see configuration.
  • Support for hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com MACs (enabled by default) - see configuration.

1.7.0 (2020-05-04)

  • Support for two-factor authentication (password + public key) - see burusftp user add, burusftp user update
  • Support for chacha20-poly1305@openssh.com encryption (enabled by default) - see configuration.
  • Support for curve25519-sha256 key exchange (enabled by default) - see configuration.
  • Added support for ‘check-file’ SFTP extension, making it possible to calculate hashes of remote files.
  • Fixed hanging burusftpwa.exe service after service shutdown.
  • Fixed reporting of writable permissions for read-only files.

1.6.0 (2020-04-28)

  • New design of web administration UI.
  • Changed some configuration defaults:
    • config/config.yaml is now required for the server to start.
    • Default server keys location is now config/keys (was /keys). /keys directory is still used in search when no paths are specified.
  • Configuration file is now generated upon install.
  • Keys are now generated upon install. You can still generate the keys manually - see burusftp keygen.
  • Configuration samples (e.g. config/config-sample.yaml) are renamed to examples (config/config-example.yaml).
  • Added default configuration files (e.g. config/config-default.yaml).
  • Added checking for duplicate port bindings.
  • Cannot start server without fully persisted SSH keys.
  • Browser should no longer autofill passwords on user administration page.
  • Removed invalid warning when hostname was supplied as hostname for web admin binding.
  • Obsoleted configuration keys are no longer supported.

1.5.0 (2020-03-23)

  • Fixed SFTP/SCP binding deserialization issue.
  • FileZilla import supported (experimental).
  • Upgraded to .NET Core 3.1.
  • Removed support for obsoleted enableCrashReporting flag.

1.4.3 (2019-08-06)

  • Improved error message when service fails to start.
  • Fixed error message when license expired.

1.4.2 (2019-06-10)

  • Fixed error message when loading invalid user SSH public key.
  • Fixed loading of authorized_keys format of user public keys.
  • Fixed log level dropdown (Web Admin).
  • Fixed Web Admin log display.
  • Key manipulation messages are more readable.

1.4.1 (2019-05-20)

  • Fixed virtual path validation.

1.4.0 (2019-05-10)

  • Added 32-bit Windows version.

1.3.2 (2019-04-24)

1.3.1 (2019-04-17)

  • Fixed console log level.

1.3.0 (2019-04-03)

  • Access log now also includes IP addresses.
  • Fixed ‘File not found’ issue for virtual paths mounted into existing filesystem.
  • Fixed verbose log level when writing to logfile.
  • Empty audit file no longer created on startup in logging folder.

1.2.0 (2019-03-20)

  • Added virtual path format check (Web Admin, path command).
  • Installer now grants ‘Logon as Service’ privilege for service user.
  • Fixed typos in webconfig configuration documentation.
  • Fixed SSH alias execution when user has no path mappings.
  • Fixed install process privilege elevation when run from mingw shell.
  • Fixed service user lookup for users without domain qualified name.

1.1.3 (2019-02-22)

  • Fixed parsing of obsoleted values in config.yaml.

1.1.2 (2019-02-21)

1.1.1 (2019-02-19)

  • Added an option to disable username case sensitivity.
  • Minor Web Admin user interface enhancements performed.

1.1.0 (2019-02-07)

  • Fixed memory leak (updated internal libraries).
  • Password salt size, algorithm and username regex patterns moved to ‘users’ section in config.yaml. Old configuration files are still compatible but a warning will be shown.
  • Fixed loading of PKCS#8 public keys.
  • Web Admin - Fixed redirection to login page when user session expired.
  • Web Admin - Fixed username regex pattern not being properly applied.
  • Web Admin - External changes now properly trigger reload of config.yaml configuration file.
  • Removed crash reporter (errors are saved to logfiles).

1.0.4 (2018-12-11)

  • Added minLevel and aspNetMinLevel to Web Admin configuration.

1.0.3 (2018-11-21)

  • Support for authorized_keys users’ public keys.
  • Updated internal libraries.

1.0.2 (2018-11-08)

  • Added user list command.
  • Fixed logging of unhandled exceptions.
  • Fixed notification of user public key error (web admin).
  • path list no longer encloses username in double quotes.

1.0.1 (2018-10-22)

  • Added support for custom shell host names.
  • Added logging section to webadmin server configuration.

1.0.0 (2018-10-04)

  • BREAKING: Changed user database format.
  • Non-admin accounts can no longer log in to web administration (there was no content available anyway).
  • Removed SSH Tunneling configuration section from web administration (as it was still incomplete).
  • Fixed algorithm selection widget that didn’t work properly in Chrome / Edge.

0.2.2 (2018-10-03)

  • BREAKING: Logging configuration section revamped:
    • Added an option to specify different server and access log locations.
    • Can specify minimal level for server log.
  • BREAKING: WebAdmin role setting simplified:
    • Users can now access web administration by adding --webadmin to user add or user update.
    • Revoking WebAdmin role is done by adding --noadmin to user update.
  • Displays warnings when SFTP server service does not have access to user folder or folder does not exist.
  • Minor UI tweaks performed.

0.2.1 (2018-09-18)

  • BREAKING: SSH algorithms use __INTERMEDIATE level (previous: __MODERN) for increased compatibility.
  • Fixed an issue where SSH algos were not draggable in web administration.
  • Fixed SSH key information in web administration.
  • Fixed ‘burusftpwa svc’ auto-elevation.

0.2.0 (2018-09-18)

  • BREAKING: User database no longer contains default user - user must be created manually using burusftp install or burusftp user add.
  • BREAKING: Using NETWORK SERVICE user as default when installed as Windows Service.
  • Install/uninstall scripts now use auto-elevation (burusftp install).
  • Fixed error when startup type was explicitly set for svc install.
  • Errors and warnings are shown with an alert in console.
  • Minor UI fixes performed.

0.1.12 (2018-07-13)

  • Added support for service startup Windows Eventlog logging.

0.1.11 (2018-07-11)

  • Fixed missing manpage for ‘burusftp user update’.
  • Fixed manpage crash when console buffer height was too small.
  • Added manpage support for msys console.
  • Additional SSH public key formats added.