Releases: ovh/the-bastion
v3.05.00
💡 Highlights
Documentation about the following satellite configuration files is now automatically generated:
- The script responsible for encrypting and optionally moving the ttyrec files out of the server (osh-encrypt-rsync.conf)
- The script responsible for backing up everything needed to be able to restore a bastion from scratch (osh-backup-acl-keys.conf)
- The script responsible for the expiration of PIV grace periods (osh-piv-grace-reaper.conf)
- The script responsible for the HA synchronization between instances (osh-sync-watcher.conf)
Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18-character limit.
`accountInfo` gets a speed boost by no longer listing the user's groups by default; you can still specify `--list-groups` to get them.
Individual accounts can now be configured to be immune to the global account expiration policy, see the `--max-inactive-days` option of both the `accountCreate` and `accountModify` commands.
We're also paving the way for Debian 11. All tests have been running fine for some time now, and starting from this release the pam template will use `pam_faillock` under Debian 11 instead of the deprecated `pam_tally2` module.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: support pam_faillock for Debian 11 (#163)
- feat: add `--fallback-password-delay` (3) for ssh password autologin
- enh: add `max_inactive_days` to account configuration (#230)
- enh: `accountInfo`: add `--list-groups`
- enh: max account length is now 28 chars up from 18
- enh: better error message when unknown option is used
- enh: better use of account creation metadata
- enh: config reading: add rootonly parameter
- fix: `accountCreate`: `--uid-auto`: rare case where a free UID couldn't be found
- doc: generate scripts doc reference for satellite scripts
- doc: add faq about session locking (#226)
- misc: a few other unimportant fixes
⏩ Upgrading
v3.04.00
💡 Highlights
A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.
The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
- Debian 8
- Ubuntu 14.04
- OpenSUSE 15.0/15.1
The following additional OS major versions are now supported and part of the automated tests:
- OpenSUSE 15.3
📌 Changes
- OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
- feat: add the `groupDestroy` command for group owners
- feat: add filtering options to several commands: `--include` and `--exclude` to `selfListAccesses`, `accountListAccesses`, `accountList`, `groupList`, `groupListServers` (#60)
- feat: http proxy: greatly optimize performance for large payload responses (x10 or more)
- feat: `accountModify`: add a new `accept-new` POLICY in `egress-strict-host-key-checking` parameter (@jonathanmarsaud)
- feat: add UTF-8 chars to output when supported and allowed (new `fanciness` option)
- feat: add admin and super owner accounts list in `info` plugin (#206)
- enh: tests: refactor the framework for more maintainability
- enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering `selfListAccesses`, `accountListAccesses`, `groupListServers` and `groupListAccesses` output more easily readable
- enh: http proxy: add options to fine-tune logging
- enh: clearer error message on non-existing group
- enh: `setup-encryption.sh`: check that `luks-config.sh` exists (#181)
- enh: `setup-gpg.sh`: clarify the use of `^D` with `--import` (#179)
- enh: http proxy: add functional tests framework for this feature, along with the first tests
- fix: `setup-first-admin-account.sh`: support to add several admins (#202)
- fix: localize `$_` before `while(<>)` loops
- fix: `groupCreate`: deny groups starting with 'key' (#178)
- fix: superowners need to have `+x` on group homes
- doc: added a lot of new content (see highlights)
- doc: `clush`: document `--user` and `--port`
- doc: several other fixes here and there
⏩ Upgrading
v3.03.99-rc2
⚠️ This is a release candidate
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
💡 Highlights
A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.
The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
- Debian 8
- Ubuntu 14.04
- OpenSUSE 15.0/15.1
📌 Changes
- OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
- feat: add admin and super owner accounts list in `info` plugin (#206)
- enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
- enh: tests: refactor the framework for more maintainability
- fix: `setup-first-admin-account.sh`: support to add several admins (#202)
- fix: use local `$_` before `while(<>)` loops
- doc: added a lot of new content
- doc: `clush`: document `--user` and `--port`
- doc: several other fixes here and there
⏩ Upgrading
- General upgrade instructions: How to upgrade
- Specific upgrade instructions: only if you're upgrading from rc1: the `allowUTF8` option in `bastion.conf` has been renamed to `fanciness`. This is no longer a bool, but an enum. Replace `true` by `full` and `false` by `none`.
v3.03.99-rc1
⚠️ This is a release candidate
As several important pull-requests have been merged, we're starting a release candidate cycle.
This pre-release will be battle-tested in the field for a few days.
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
Prerequisites before this version goes stable:
- No regression or blocking bug is found within ~2 weeks
- A minimal documentation about the HTTP Proxy is published
📌 Changes
- feat: add the `groupDestroy` command for owners
- feat: add filtering options to several commands: `--include` and `--exclude` to `selfListAccesses`, `accountListAccesses`, `accountList`, `groupList`, `groupListServers` (#60)
- feat: http proxy: greatly optimize performance for large payload responses
- feat: `accountModify`: add a new `accept-new` POLICY in `egress-strict-host-key-checking` parameter (@jonathanmarsaud)
- feat: add UTF-8 chars to output when supported and allowed (new `allowUTF8` option)
- enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering `selfListAccesses`, `accountListAccesses`, `groupListServers` and `groupListAccesses` output more easily readable
- enh: http proxy: add options to fine-tune logging
- enh: clearer error message on non-existing group
- enh: `setup-encryption.sh`: check that `luks-config.sh` exists (#181)
- enh: `setup-gpg.sh`: clarify the use of `^D` with `--import` (#179)
- enh: http proxy: add functional tests framework for this feature, along with the first tests
- fix: `groupCreate`: deny groups starting with 'key' (#178)
- fix: superowners need to have `+x` on group homes
- doc: FreeBSD 13.0 is now tested instead of 12.1
⏩ Upgrading
- General upgrade instructions: How to upgrade
- Specific upgrade instructions: none
v3.03.01
Changes:
- enh: `osh-orphaned-homedir.sh`: add more security checks to ensure we don't archive still-used home dirs
- enh: install.inc: try harder to hit GitHub API in CI
- fix: `fixrights.sh`: 'chmod --' not supported under FreeBSD
- fix: `packages-check.sh`: centos: ensure cache is up to date before trying to install packages
- fix: `groupDelServer`: missing autocompletion in interactive mode
- fix: `install-yubico-piv-checker`: ppc64le installation was broken
- fix: `scp`: abort early if host is not found to avoid a warn()
- fix: `osh-backup-acl-keys`: detect file removed transient error
- fix: add a case to the ignored perl panic race condition
- chore: `mkdir -p` doesn't fail if dir already exists
- chore: tests: support multiple unit-test files
General upgrade instructions: How to upgrade
Specific upgrade instructions: none
v3.03.00
Changes:
- feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
- feat: add `groupGenerateEgressKey` and `groupDelEgressKey` (#135)
- feat: auto-add hostname as comment in `groupAddServer` and `selfAddPersonalAccess` (side-note in #60)
- enh: `groupAddGuestAccess` now supports setting a comment (#17, #18)
- enh: `groupAddServer`: augment the returned JSON with the added server details
- enh: move unexpected-sudo messages from `security` to `code-warning` type
- enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
- fix: `groupDelGuestAccess`: deleting a guest access returned an error on TTL-forced groups
- fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
- fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
- fix: `groupModify`: deny early if user is not an owner of the group
- enh: `groupInfo`: nicer message when no egress key exists
- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter is now a no-op)
- fix: `interactive`: omit inactivity message warning when set to 0 seconds
- a few other internal fixes here and there
General upgrade instructions: How to upgrade
Specific upgrade instructions: none
v3.02.00
Changes since v3.01.03:
- feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
- feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
- feat: realms: use remote bastion MFA validation information for local policy enforcement
- feat: add `LC_BASTION_DETAILS` envvar
- feat: `accountModify`: add `--osh-only` (closes #97)
- feat: `rootListIngressKeys`: report keys found in all well-known authkeys files, not just the one used by The Bastion
- feat: add `--(in|ex)clude` filters to `groupList` and `accountList`
- enh: `groupList`: use cache to speedup calls
- enh: satellite scripts: better error handling
- enh: config: better parsing and normalization
- enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125)
- fix: config: be more permissive for `documentationURL` validation regex
- fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
- fix: confusing error messages in `groupDelServer`
- fix: proper sqlite log location for invalid realm accounts
- fix: tests: syslog-logged errors were not counted towards the total
- fix: `groupList`: remove 9K group limit
- fix: global-log: directly set proper perms on file creation
- fix: `realmDelete`: invalid sudoers configuration
- fix: remove useless warning when there is no guest access
- chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
- chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.
General upgrade instructions: How to upgrade
Specific upgrade instructions: please read through the details, in a nutshell:
- Logs have been enhanced
- The main configuration file now supports proper booleans (in a backward compatible way)
v3.01.99-rc4
This is a release-candidate.
As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
This rc (rc4) is expected to be the last before the release.
The following changes have been done since the previous rc:
- fix: admins no longer inherited superowner powers
v3.01.99-rc3
This is a release-candidate.
As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
This rc (rc3) is expected to be the last before the release.
The following changes have been done since the previous rc:
- feat: `rootListIngressKeys`: look for all well-known authkeys files
- feat: add `--(in|ex)clude` filters to `groupList` and `accountList`
- enh: `groupList`: use cache to speedup calls
- enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125)
- fix: scripts: `(( ))` returns 1 if evaluated to zero, hence failing under `set -e`
- fix: config: be more permissive for `documentationURL` regex
- fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
- fix: confusing error messages in `groupDelServer`
- chore: tests: also update totalerrors while tests are running
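The `(( ))` fix above is worth understanding, because the same pitfall silently kills any errexit-protected shell script (including the kind of satellite scripts that rotate ttyrec files or reap sessions): a bash arithmetic command exits with status 1 whenever its expression evaluates to zero, and `(( n++ ))` on a counter starting at 0 evaluates to the old value, 0. The following is an added example, not code from The Bastion; the helper names (`run_with_errexit`, `arith_status`, `pitfall`, `fix_assignment`, `fix_or_true`) are chosen here for illustration and assume `bash` is available on the host. It spawns a child `bash` per snippet so the exit status of the pitfall and of each fix can be compared directly.

```shell
# Added example (not the project's own code): why `(( expr ))` is dangerous
# under `set -e`, and two safe ways to write the same counter increment.

# Run a snippet in a child bash with errexit enabled and print the child's
# exit status. The `|| status=$?` keeps a failing child from killing us,
# whether or not the caller itself runs under set -e.
run_with_errexit() {
    local status=0
    bash -c "set -e; $1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Exit status of a bare `(( value ))` (no errexit): 1 when the expression
# evaluates to zero, 0 otherwise. This is the root of the problem.
arith_status() {
    local status=0
    bash -c "(( $1 ))" || status=$?
    echo "$status"
}

# Pitfall: n starts at 0, `(( n++ ))` evaluates to the old value 0, so the
# command "fails" and errexit aborts the script before "echo reached".
# Expected status: 1.
pitfall() {
    run_with_errexit 'n=0; (( n++ )); echo reached'
}

# Fix 1: use arithmetic expansion inside an assignment. A plain assignment
# always succeeds, so errexit is never triggered. Expected status: 0.
fix_assignment() {
    run_with_errexit 'n=0; n=$((n + 1)); echo reached'
}

# Fix 2: keep the arithmetic command but neutralise its exit status.
# Expected status: 0.
fix_or_true() {
    run_with_errexit 'n=0; (( n++ )) || true; echo reached'
}

# Stand-alone usage: print each case so the difference is visible.
printf '(( 0 )) status: %s\n' "$(arith_status 0)"
printf '(( 7 )) status: %s\n' "$(arith_status 7)"
printf 'pitfall:        %s\n' "$(pitfall)"
printf 'fix_assignment: %s\n' "$(fix_assignment)"
printf 'fix_or_true:    %s\n' "$(fix_or_true)"
```

Prefer the assignment form (`n=$((n + 1))`) in scripts that run under `set -e`: it is POSIX, it cannot trip errexit, and it does not depend on a reviewer remembering that `(( ++n ))` only happens to work because the pre-incremented value is non-zero.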
v3.01.99-rc2
This is a release-candidate.
As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.
The following changes have been done since the previous rc: