This release has a major focus on authentication, login mechanisms and login pages.
With this release we have rewritten how authentication is done in deaddrop. The change addresses a problem introduced by Microsoft Intune as part of Microsoft's strategy to deprecate Basic Auth as a web authentication mechanism. Our solution is a new account type that uses form based login. The old account type is kept for backward compatibility with some use cases; the Basic Auth login is now called the “API” account type. See this post for a longer explanation of the Microsoft Intune issue.
In the 3.1 release we introduced the option to authenticate with client certificates instead of passwords. Some users who adopted this login scheme use certificates stored on hardware tokens whose ASN.1 uses unusual data encodings, and they ran into problems with particular kinds of client certificates. We have improved our ASN.1 parsing to accept government ID cards that have escape characters in the identifying data fields.
As a result of the new login forms and certificate logins, we now have better support for login screens that show no password fields and offer only certificate authentication.
Several changes in behaviour make deaddrop easier to use, including using the same SMS password for different dispatches.
The release also addresses some minor bugs that have been reported in earlier releases.
Customers with customized branding of deaddrop
We have changed some strings in the default install. Customers with customized branding of deaddrop must review their strings and messages if they want their branded versions to carry similar messages and text.
New account types
- The default permanent account type has been changed from Basic Auth to form based login with a session cookie. Basic Auth is still available as the “API” account type.
Client certificate authentication
- Deaddrop can now handle escape characters in the certificate subject and issuer fields.
- The list support application now escapes values correctly and suggests well-formed JSON for certificate mapping.
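The escaping problem behind both the hardware-token and government ID card fix and the JSON produced by the list support application comes down to how RFC 4514 encodes special characters in subject and issuer strings. The following is an added illustration, not deaddrop's code: a small RFC 4514 parser that handles backslash escapes and hex escapes, contrasted with a naive comma split, followed by a JSON mapping record whose shape (the subject string plus a fields object) is an assumption made for this example. The sample subjects are constructed and do not come from real certificates.

```python
import json

# Constructed sample subject strings (not taken from real certificates).
# The first carries an escaped comma in the CN and a hex escape (\2C is ',')
# in the O; the second has a multi-valued RDN (CN+SERIALNUMBER) and an
# escaped double quote that must survive into JSON.
SAMPLE_SUBJECTS = [
    r"CN=Doe\, John,SERIALNUMBER=198001011234,O=Example\2C Inc.,C=SE",
    r'CN=Smith\+Jones+SERIALNUMBER=42,OU=R\"D,O=Example,C=SE',
]

_HEX = set("0123456789abcdefABCDEF")


def naive_split(dn: str) -> list[str]:
    """What a tool that ignores escaping does: split on every comma.
    Escaped commas inside a value produce extra, bogus RDNs."""
    return dn.split(",")


def split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep` only where it is not preceded by a backslash,
    keeping escape sequences intact for a later unescape pass."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep "\x" together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Decode RFC 4514 escapes: "\\XX" is one UTF-8 byte in hex, "\\c" is
    the literal character c (used for , + " \\ < > ; = # and spaces)."""
    if raw.startswith("#"):
        # "#hex..." is a BER-encoded value; decoding it needs an ASN.1
        # parser, which is out of scope for this illustration.
        raise ValueError("BER hex-encoded values are not handled here")
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.extend(ch.encode("utf-8"))
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and all(c in _HEX for c in pair):
            out.append(int(pair, 16))      # hex escape: one raw byte
            i += 3
        elif i + 1 < len(raw):
            out.extend(raw[i + 1].encode("utf-8"))  # escaped special char
            i += 2
        else:
            raise ValueError("dangling backslash at end of value")
    return out.decode("utf-8")


def parse_dn(dn: str) -> list[dict[str, str]]:
    """Parse an RFC 4514 string into a list of RDNs, each a dict of
    attribute type -> decoded value (multi-valued RDNs have several keys)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = {}
        for ava in split_unescaped(rdn, "+"):
            attr, eq, raw = ava.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute/value pair: {ava!r}")
            avas[attr.strip().upper()] = unescape_value(raw)
        rdns.append(avas)
    return rdns


def certificate_mapping(dn: str) -> str:
    """Emit a JSON mapping record (shape assumed for this example) with the
    decoded fields; json.dumps applies the JSON escaping, so quotes and
    backslashes in values come out well-formed."""
    fields: dict[str, list[str]] = {}
    for avas in parse_dn(dn):
        for attr, value in avas.items():
            fields.setdefault(attr, []).append(value)
    record = {
        "subject": dn,
        "fields": {k: v[0] if len(v) == 1 else v for k, v in fields.items()},
    }
    return json.dumps(record, ensure_ascii=False)


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(len(naive_split(subject)), "naive parts vs",
              len(parse_dn(subject)), "real RDNs")
        print(certificate_mapping(subject))
```

The naive split turns the first sample into five parts although it has four RDNs, which is exactly the kind of mis-parse that breaks a certificate-to-user mapping for names containing commas. Note that RFC 4514 lists RDNs most-specific-first, the reverse of the ASN.1 order, so any mapping that compares positions rather than attribute types has to account for that.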
API user
- The new API account type retains the functionality of the previous ‘perm’ account type, which was the default in earlier releases.
Changes in behavior
- With the new release, the latest one time password sent by SMS is used for all the deaddrops a user has received. In previous versions each deaddrop was tied to a specific SMS with its own password. This change makes it harder for users to pair the wrong password with the wrong dispatch.
- New accounts now use cookie based authentication.
- Access to sent files now uses cookie based authentication.
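The new SMS behaviour, as an added illustration rather than deaddrop's own code: a one time password store keyed by recipient phone number instead of by dispatch, so the latest code sent to a recipient opens every dispatch addressed to that recipient. That the earlier code stops working once a new one is sent is an assumption made for the example; the release note only says the latest one is used. The lifetime, the bad-guess limit and the dispatch records are also constructed for the example. Because one code now covers everything pending for a recipient, the expiry and the guess limit carry more of the load, which is why the store enforces both.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 15 * 60   # assumed lifetime; the page does not state deaddrop's
MAX_BAD_GUESSES = 5         # assumed; a 6-digit code has only 10**6 values


@dataclass
class _OtpRecord:
    mac: bytes          # keyed hash of the code; the code itself is never stored
    issued_at: float
    bad_guesses: int = 0


class RecipientOtpStore:
    """One live SMS code per recipient. Issuing a new code replaces the old
    one, and the live code opens every dispatch for that recipient until it
    expires or too many wrong guesses lock it."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)       # MAC key for this process
        self._live: dict[str, _OtpRecord] = {}

    def _mac(self, recipient: str, code: str) -> bytes:
        return hmac.new(self._key, f"{recipient}\x00{code}".encode(), "sha256").digest()

    def issue(self, recipient: str) -> str:
        """Generate a fresh code for `recipient` and make it the only valid
        one. Returns the code for the SMS gateway; never log it."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._live[recipient] = _OtpRecord(self._mac(recipient, code), self._clock())
        return code

    def verify(self, recipient: str, code: str) -> bool:
        rec = self._live.get(recipient)
        if rec is None:
            return False
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._live[recipient]
            return False
        if rec.bad_guesses >= MAX_BAD_GUESSES:
            return False                          # locked until a new code is issued
        if hmac.compare_digest(self._mac(recipient, code), rec.mac):
            rec.bad_guesses = 0                   # a success does not consume the code
            return True
        rec.bad_guesses += 1
        return False


def open_dispatch(store: RecipientOtpStore, dispatches: dict, dispatch_id: str, code: str) -> bool:
    """Check the code against the live OTP of the dispatch's recipient;
    nothing about the OTP is tied to the dispatch itself."""
    return store.verify(dispatches[dispatch_id]["recipient"], code)


def demo() -> dict[str, bool]:
    """Walk through the behaviour with constructed dispatches and a controllable clock."""
    now = [1_700_000_000.0]
    store = RecipientOtpStore(clock=lambda: now[0])
    dispatches = {
        "d1": {"recipient": "+46700000001", "file": "contract.pdf"},
        "d2": {"recipient": "+46700000001", "file": "invoice.pdf"},
        "d3": {"recipient": "+46700000002", "file": "report.pdf"},
    }
    first = store.issue("+46700000001")           # SMS sent with d1
    second = store.issue("+46700000001")          # SMS sent with d2; supersedes `first`
    while second == first:                        # sidestep a 1-in-10**6 demo collision
        second = store.issue("+46700000001")
    results = {
        "old_code_rejected": not open_dispatch(store, dispatches, "d1", first),
        "latest_code_opens_d1": open_dispatch(store, dispatches, "d1", second),
        "latest_code_opens_d2": open_dispatch(store, dispatches, "d2", second),
        "other_recipient_rejected": not open_dispatch(store, dispatches, "d3", second),
    }
    wrong = "000000" if second != "000000" else "000001"
    for _ in range(MAX_BAD_GUESSES):
        open_dispatch(store, dispatches, "d1", wrong)
    results["locked_after_bad_guesses"] = not open_dispatch(store, dispatches, "d1", second)
    third = store.issue("+46700000001")           # a new SMS clears the lock...
    results["new_code_clears_lock"] = open_dispatch(store, dispatches, "d1", third)
    now[0] += OTP_TTL_SECONDS + 1                 # ...but the code still expires
    results["expired_code_rejected"] = not open_dispatch(store, dispatches, "d1", third)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The code is deliberately not consumed on a successful check, since the whole point of the change is that one SMS password serves several dispatches; the time limit and the guess counter are what bound the exposure instead.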
New config options
- It is now possible to disable MX lookups globally. This is convenient for restricted environments without DNS access.
- It is now possible to change the notification method from email to a custom one, which lets users extend deaddrop's notification methods. Custom notification methods are still subject to SELinux enforcement.
- It is now possible to hide the password UI elements in environments where passwords are not in use.
Bug fixes
- Fixed a race condition in the restore function of the deaddrop replica.
- Improved the logout behaviour for SAML and client certificate users.
- Fixed upload errors for files larger than 40 GB.
Messages
- We have changed some of the texts emailed to recipients and users of deaddrop. Messages that could be misunderstood or misinterpreted have been rewritten to be easier to read and understand.
Known issues
- When session cookie users are logged out due to inactivity, they are redirected to the main login page. Previously a logged out user was prompted to log in again without having to re-enter their username. This will be resolved in a future release.