Govern file transfers with policy

27 July 2022

zli v. 6.7.3


  • Distinguish bzero targets by environment. zli connect allows users to differentiate non-unique bzero target names by adding its corresponding environment name or environment UUID to the command. Do this by appending a period and the environment name or UUID after the target you wish to connect to. This may look like:
    Command logs now include target type, environment UUID, and environment name columns for clarity. Connection event logs also include environment name and UUID
As part of this change, we strongly recommend that target names no longer contain periods. This will reduce the risk of conflict when trying to connect to a target containing periods in the name or a target that is distinguished by environment.

bzero v. 6.4.2


  • TCP connections. Resolved issue with certain TCP connections that caused data truncation and out-of-order writes
  • Kubectl exec commands. Resolved issue where daemon quit following a kubectl exec command
  • Sudo using ssm-user and bzero-user. Resolved issue when using the bzero agent as the bzero-user and ssm-user that required a password when executing a sudo command
  • [Released 25 June] SSH tunneling on bzero. Resolved issue with opening a tunnel using the bzero agent

Web app & backend


  • Use policy to govern file upload/download. Policy manages if a user can upload/download to a bzero target using scp and stfp protocols from their terminal. This capability allows administrators to remove a users' tunnel and/or shell access to a bzero target and maintain their file transfer access. File transfers will continue to appear in the session logs as an SSH event. To take advantage of this new feature, make sure to upgrade to zli v.6.7.3, bzero v.6.4.2, and run a fresh zli generate sshConfig from your terminal


  • Prompt for log in. Identity providers routinely rotate their keys. When this happens, BastionZero will prompt users for new log in


  • Container autodiscovery script on AL2 machines. Resolved an issue where running the container autodiscovery script on AL2 machines produced an error when starting the bzero agent
  • Connect to a non-unique target. Resolved an issue where naming conflicts between online and offline targets were not detected and blocked valid connection requests
  • zli connect error message. Resolved typo in the zli connect error message that displayed an erroneous $
  • Sort on the admin's user management tab. Resolved issue with sorting columns in the user management tab
  • [Released 10 June] Connect to bzero target using single-user policy. Resolved an issue where a zli connect to a bzero target, governed by a single-user policy, resulted in a handshake timeout
  • [Released 15 June] In response to CVE-2022-1650. Upgraded eventsource dependency proactively based on potential vulnerability outlined in CVE-2022-1650
  • [Released 17 June] User-specific registration keys. Resolved an issue where user-specific registration keys were being rejected as API keys when global registration keys were not enabled
  • [Released 27 June] Trouble accessing Resolved issue with intermittent 504s on the BastionZero web app