ThinLinc 4.10.0 Release Notes

Introduction

Cendio are proud to present ThinLinc 4.10.0, with more than 100 enhancements and fixes. The most prominent changes are:

  • The base requirements for the server and the Linux client have been raised. The requirements are still very low and all systems released in the last 8 to 9 years should still be supported. Check the documentation for the exact details.
  • Upgraded graphical stack that includes bug fixes, performance improvements, many small features and generally gives better compatibility with applications running in a ThinLinc session.
  • The ability to partition a ThinLinc cluster into sub-clusters for different uses. The different sub-clusters can even use entirely different distributions.
  • An overhaul of the authentication in Web Access to increase compatibility with various authentication modules, such as the Duo Access one time password system.
  • Support for UNIX and Windows Application Servers has been removed in this version in favour of focusing more on the Linux desktop. Users are encouraged to switch to the applications provided by the distribution where this is still needed, and those applications should continue to work well in ThinLinc.

ThinLinc works on most modern Linux distributions and is supported on any platform that fulfils our documented requirements.

Changes in This Release

In the list below, the bug number is given in parentheses. For more information, visit https://www.cendio.com/bugzilla/.

Server

  • Subcluster support has been added. It is now possible to group agents into multiple subclusters which can be associated with specific users or groups. (7188)
  • The command tl-run-unixapp has been removed. Using single sign-on with the ssh client is still possible using the $SSH_ASKPASS mechanism and setsid. (7279)
  • Configuration parameters which have been renamed or moved can now automatically be migrated when upgrading the server. This feature is part of the 'parameters' migration choice in tl-setup. (7193)
  • The system requirements have been raised to require GLIBC 2.12 or newer, Python 2.6 or newer, and PyGTK 2.16 or newer. (5657, 5745, 7196)
  • Areas of the screen that have been sent in a reduced quality will now automatically be restored to a high quality once conditions allow it. Reasons for the reduced quality can be explicit user settings or because of bandwidth constraints. (2928)
  • The X server platform has been upgraded to 1.20.1. This gives greater compatibility with applications and access to modern X11 extensions. (5241)
  • OpenGL now works correctly on platforms using the new GLVND extension. (6177, 7225)
  • The high latency handling has been improved to give a more responsive experience for networks with large latency but also plenty of bandwidth. (4735)
  • An issue where the X server could crash when using Google Chrome has been fixed. (6234)
  • It is now possible to specify shadowers by using a group instead of individual users for simpler administration. (7254)
  • An issue where the client could be disconnected when using fullscreen mode with two identical monitors has been fixed. (4516)
  • Sessions are now started correctly on modern systems that use a per-user D-Bus daemon rather than a per-session one. Previously some applications, or entire desktop environments, would not start correctly. (5950, 6190)
  • The new Ubuntu GNOME desktop environment is no longer incorrectly listed as Unity in the profile chooser; it is now listed as Ubuntu Desktop. Also, the Unity desktop environment will now properly be detected by the default profiles on Ubuntu 18.04. (7208)
  • An issue has been fixed where either the vsmserver or vsmagent service could start consuming 100% CPU and constantly logging "Unknown control command received on control pipe". (7097)
  • An issue has been fixed where the clipboard would become unreliable while using KDE klipper in a session. (7236)
  • An issue has been fixed where the setting /vsmserver/allowed_groups could be bypassed if the group lookup failed for every specified group. (7182)
  • Indirect OpenGL rendering is now disabled by default. This mode is rarely used and has historically had many security issues. The more common direct OpenGL rendering is still enabled. Indirect rendering can be enabled by adding +iglx to /vsmagent/xserver_args. (5241)
  • Upgrade of xorg-server to 1.20.1 fixes multiple vulnerabilities where a malicious application could cause the X server to crash or execute arbitrary code. [CVE-2013-4396, CVE-2015-3418, CVE-2017-10971, CVE-2017-10972, CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183, CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187, CVE-2017-13721, CVE-2017-13723] (4834, 5241)
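
The /vsmserver/allowed_groups fix (7182) concerns a group check that failed open when no configured group could be resolved. The sketch below is an added illustration of that bug class and of a pre-upgrade check, not ThinLinc's own code; the function names, the assumption that an empty configured list means "unrestricted", and the sample directory are all constructed for the example.

```python
import grp
from collections import namedtuple

Group = namedtuple("Group", "gr_mem")


def make_lookup(directory):
    """Constructed stand-in for grp.getgrnam: raises KeyError for unknown groups."""
    def lookup(name):
        return Group(directory[name])
    return lookup


def resolve_groups(names, lookup=grp.getgrnam):
    """Return ({group: members}, [names that failed to resolve])."""
    resolved, failed = {}, []
    for name in names:
        try:
            # gr_mem lists supplementary members only; primary-group
            # membership would need a separate passwd lookup.
            resolved[name] = set(lookup(name).gr_mem)
        except KeyError:
            failed.append(name)
    return resolved, failed


def is_allowed_fail_open(user, names, lookup=grp.getgrnam):
    """Anti-pattern: an empty *resolved* set is mistaken for 'nothing configured'."""
    resolved, _ = resolve_groups(names, lookup)
    if not resolved:
        return True
    return any(user in members for members in resolved.values())


def is_allowed_fail_closed(user, names, lookup=grp.getgrnam):
    """Only an empty *configured* list is unrestricted; lookup failures deny."""
    if not names:
        return True
    resolved, _ = resolve_groups(names, lookup)
    return any(user in members for members in resolved.values())


def unresolved_groups(names, lookup=grp.getgrnam):
    """Pre-flight check: configured group names that do not resolve on this host."""
    return resolve_groups(names, lookup)[1]


if __name__ == "__main__":
    healthy = make_lookup({"staff": ["alice"]})   # constructed directory
    outage = make_lookup({})                      # every lookup fails
    for label, lookup in (("healthy", healthy), ("outage", outage)):
        print(label,
              "fail-open:", is_allowed_fail_open("mallory", ["staff"], lookup),
              "fail-closed:", is_allowed_fail_closed("mallory", ["staff"], lookup))
```

Running unresolved_groups with the group names configured on a server (and the default lookup) shows whether any of them fail to resolve, which is the condition the release note describes.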

General

  • Transfer of clipboard between client and server will now only occur if the client window has focus. (7240)
  • The transparent parts of mouse cursors are now handled fully. Previously a cursor pixel could only be fully opaque or fully transparent. (1122)
  • Caps Lock, Num Lock and Scroll Lock states are now synchronized between the client and server. This increases application compatibility by reducing the need for fake, server generated key presses when these lock keys are used. (400)
  • The client or server will no longer crash when configuring a very large session size (8192x8192 or larger). (7242)
  • nettle has been updated to version 3.4. (7114)
  • GnuTLS has been updated to version 3.5.18. (7115)
  • libtasn1 has been upgraded to version 4.13. (7116)
  • When upgrading the client or server on RPM systems, the desktop entries (program launchers) disappeared. This has been corrected. (7183)
  • Fixed an issue where all the ThinLinc services would be unresponsive when used on Fedora 29 (or any other system with a very recent SELinux policy). (7277)
  • OpenSSL has been upgraded to version 1.0.2q. This fixes an ECDSA signature generation timing attack, overflow bugs in AVX2 Montgomery multiplications and carry propagation issues in Montgomery squaring procedures. OpenSSL considers these issues to be of low severity or unlikely to be exploited in practice. [CVE-2018-5407, CVE-2017-3736, CVE-2017-3738] (7118)

Native Client

  • The system requirements for GLIBC for the Linux client have been raised to version 2.12. As a result the client for Dell Wyse-Enhanced SuSE Linux has been removed as that platform no longer fulfils the basic requirements. (5745)
  • The Windows Client now supports configuration parameters which are longer than 255 characters. (7247)
  • The macOS client has received a facelift by using a new theme that better matches other macOS applications. (7238)
  • An issue with un-grab of mouse and keyboard has been fixed with the Linux client. This enables you to work with a ThinLinc session in fullscreen on one monitor and your local desktop on the other in a multi-monitor configuration without interference. (5481)
  • A hint is shown upon connection explaining how to access the context menu of the client. (7235)
  • The client will no longer crash when asking for the passphrase for a public key with French translations. (7250)
  • Keyboard handling on Windows has been improved and issues with the AltGr key, the right Shift key and the Break key have been resolved. (965, 5226, 5229, 7237)
  • An issue has been fixed where the Linux client could become unresponsive when used with Xorg or Xwayland 1.20 or newer. (7241)
  • An issue has been fixed where the Linux client could become unresponsive when connecting. (7285)
  • OpenSSH has been upgraded to version 7.9p1. This removes support for connecting to some very old SSH server implementations along with support for SSH protocol version 1. This change also removes support for the hmac-ripemd160 message authentication code and the arcfour, blowfish and CAST ciphers. CBC ciphers are no longer offered by default by the client. RSA keys less than 1024 bits in length are no longer accepted by the client. (7117)
  • An issue has been fixed where the Windows client could intermittently fail to connect to the agent. (7231)
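
The OpenSSH 7.9p1 upgrade (7117) can break connections to servers whose sshd_config pins only legacy algorithms. The following added example (not part of the ThinLinc distribution) audits explicit Ciphers and MACs lists against the removals named above; it does not cover the RSA key length change, treats algorithms it does not recognise as usable, and the sample configuration is constructed.

```python
import re

# Algorithm names removed from the client per the release note above.
REMOVED = {
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "macs": {"hmac-ripemd160", "hmac-ripemd160@openssh.com",
             "hmac-ripemd160-etm@openssh.com"},
}

# Constructed sample, not taken from a real host.
SAMPLE_LEGACY = """\
Port 22
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,arcfour   # pinned years ago
MACs hmac-ripemd160,hmac-sha1
"""


def parse_lists(config_text):
    """Return explicit Ciphers/MACs lists; the first occurrence of a keyword wins."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)(ciphers|macs)[\s=]+(\S+)$", line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key in found:
            continue
        # A leading +, - or ^ edits the server defaults instead of replacing them.
        found[key] = None if value[0] in "+-^" else [a for a in value.split(",") if a]
    return found


def classify(kind, algorithms):
    """Split a server list into removed, CBC (not offered by default) and usable."""
    removed = [a for a in algorithms if a in REMOVED[kind]]
    cbc = [a for a in algorithms if "-cbc" in a and a not in REMOVED[kind]]
    usable = [a for a in algorithms if a not in removed and a not in cbc]
    if usable:
        verdict = "ok"
    elif cbc:
        verdict = "cbc-only"             # fails with default client settings
    else:
        verdict = "no-common-algorithm"  # nothing left for the client to negotiate
    return {"verdict": verdict, "removed": removed, "cbc": cbc, "usable": usable}


def audit(config_text):
    """Audit every explicit list; keywords absent from the file use server defaults."""
    report = {}
    for kind, algorithms in parse_lists(config_text).items():
        if algorithms is None:
            report[kind] = {"verdict": "modifies-defaults",
                            "removed": [], "cbc": [], "usable": []}
        else:
            report[kind] = classify(kind, algorithms)
    return report


if __name__ == "__main__":
    for kind, result in audit(SAMPLE_LEGACY).items():
        print(kind, result)
```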

ThinLinc Web Access

  • Restricting login access based on remote host is now possible in Web Access. Using the PAM system module pam_access.so, one can now restrict access based on user, group, PAM service and remote host. (6346)
  • Fixed crashes that occurred when sending or receiving large clipboards in Web Access. (7198)
  • It is now possible to log in using case insensitive usernames, or usernames that have several alternative forms (e.g. "user" and "user@DOMAIN"). (6209)
  • The authentication handling has been greatly improved. Web Access now handles messages and prompts as expected, allowing things such as expired password prompts and advanced PAM modules such as Duo Access. (5028, 5086)
  • Web Access can now handle more than 40 connected clients per agent. ThinLinc no longer has a fixed limit and will allow as many connections as the system can handle. (7187)
  • An issue has been fixed where Web Access could start refusing all attempts to log in. (7097)
  • An issue has been fixed where it could take a very long time to get an error when trying to log in with a user that doesn't exist. This issue has only been seen on recent Fedora systems. (7203)
  • Messages from the authentication system containing special characters are now correctly displayed. This could in theory have been used to inject malicious code into a Web Access session, but no real world scenario is currently known. (7121)
  • Web Access now has basic protection against misbehaving clients. Such clients will be forcefully disconnected if unresponsive. This makes sure that system resources are not wasted needlessly. (7187)
  • Web Access now limits the number of concurrent authentications to 32 in order to protect against malicious clients trying to cause excessive load on the system. (7288)

Smart Card Support

  • An issue has been fixed where the ThinLinc client would fail to notice a smart card reader being added or removed. This caused issues for devices that integrate the reader and smart card into a single device, e.g. Yubikey. (3572, 7253)
  • The bundled PKCS#11 smart card library has been upgraded in order to fix several security issues where a malicious smart card could cause the client to crash or execute arbitrary code. (7243)

Audio Redirection

  • ThinLinc no longer supports applications using the older EsounD protocol. All applications must now use PulseAudio, or a compatibility layer such as the ALSA plugin or padsp. (6108)

Administration

  • A new section for administrating subclusters has been added to the ThinLinc Web Administration interface. (7188)
  • The Web Administration now has basic protection against misbehaving clients. Such clients will be forcefully disconnected if unresponsive. This makes sure that system resources are not wasted needlessly. (7289)

Windows Integration

  • Integration with Microsoft Remote Desktop Services has been removed from ThinLinc. Installing and setting up such integration will now have to be performed separately from the ThinLinc installation. (7279)

Web Integration

  • In order to avoid confusion with Web Access and streamline tl-setup, the Web Integration is no longer installed by default. The Administrators Guide has been amended with manual installation and setup instructions. (5190)

Documentation

  • Improved upgrade documentation by adding recommendations for how to upgrade a ThinLinc cluster and explaining how existing sessions are affected by ThinLinc server upgrades. (7112)

Configuration Changes

New

  • New configuration folder: /vsmserver/subclusters/. Holds settings relating to subclusters. Subclusters replace both the parameters /vsmserver/terminalservers and /vsmserver/explicit_agentselection. (7188)
  • The folder /profiles/ubuntu has been added to /opt/thinlinc/etc/conf.d/profiles.hconf as part of the new Ubuntu profile. (7208)

Modified

  • The /vsmserver/terminalservers parameter has been renamed and moved into subclusters. Within each subcluster the agents parameter works the same way as terminalservers did before. (7188)
  • The default value of /profiles/order parameter in the /opt/thinlinc/etc/conf.d/profiles.hconf configuration file now includes ubuntu. (7208)

Removed

  • The /vsmserver/explicit_agentselection parameter has been removed. Subclusters can be used to achieve the same setup. (7188)
  • The configuration folder /appservergroups and all parameters within have been removed.

A complete configuration reference can be found in the ThinLinc Administrators Guide.

Corrected Issues

ThinLinc has also been enhanced in many other ways. The complete list of corrected issues is:

 400,  965, 1122, 2928, 3558, 3572, 3738, 4017, 4120, 4516, 4735,
4834, 4983, 4999, 5028, 5069, 5086, 5090, 5113, 5133, 5190, 5226,
5229, 5241, 5263, 5481, 5526, 5576, 5585, 5657, 5661, 5669, 5674,
5677, 5706, 5719, 5745, 5754, 5868, 5937, 5950, 6045, 6103, 6108,
6116, 6156, 6177, 6190, 6209, 6221, 6234, 6341, 6346, 6970, 7097,
7112, 7114, 7115, 7116, 7117, 7118, 7121, 7124, 7139, 7158, 7162,
7176, 7178, 7180, 7182, 7183, 7186, 7187, 7188, 7189, 7193, 7194,
7196, 7198, 7203, 7204, 7208, 7210, 7220, 7221, 7224, 7225, 7231,
7235, 7236, 7237, 7238, 7239, 7240, 7241, 7242, 7243, 7245, 7247,
7250, 7253, 7254, 7277, 7279, 7285, 7288, 7289, 7302, 7303, 7306,
7309, 7310

Dell is a registered trademark of Dell Inc.
Duo Access is a registered trademark of Duo Security, Inc.
Fedora is a registered trademark of Red Hat, Inc.
Linux is a registered trademark of Linus Torvalds.
OpenGL is a registered trademark of Silicon Graphics, Inc.
macOS and OS X are registered trademarks of Apple Computer, Inc.
ThinLinc is a registered trademark of Cendio AB.
Ubuntu is a registered trademark of Canonical Ltd.
UNIX is a registered trademark of The Open Group.
Windows is a registered trademark of Microsoft, Inc.
Wyse is a registered trademark of Wyse Technology Inc.
