From 11b2bc60b224433104187bb04e8e50f3ad466f2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Fri, 15 Oct 2021 09:52:01 +0000
Subject: [PATCH] release v3.06.00
---
 doc/CHANGELOG.md | 6 ++++++
 doc/sphinx/installation/upgrading.rst | 13 +++++++++++++
 lib/perl/OVH/Bastion.pm | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index a047b0dd2..c0d91be4f 100644
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -1,3 +1,9 @@
+## v3.06.00 - 2021/10/15
+- feat: accountModify: add --pubkey-auth-optional
+- fix: accountPIV: fix bad autocompletion rule
+- fix: groupdel: false positive in lock contention detection
+- doc: bastion.conf: add superowner system group requirement
+
 ## v3.05.01 - 2021/09/22
 - feat: add ``--proactive-mfa`` and ``mfa``/``nofa`` interactive commands
 - feat: ``osh-backup-acl-keys``: add the possibility to sign encrypted backups (#209)
diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst
index cd42dc0a5..1558fce04 100644
--- a/doc/sphinx/installation/upgrading.rst
+++ b/doc/sphinx/installation/upgrading.rst
@@ -24,6 +24,19 @@ Note that if you're using an infrastructure automation tool such as Puppet, Ansi
 Version-specific upgrade instructions
 =====================================
+v3.06.00 - 2021/10/15
+*********************
+
+The ``sshd_config`` templates have been modified to reflect the changes needed to use
+the new ``--pubkey-auth-optional`` parameter of :doc:`/plugins/restricted/accountModify` (`#237 `_).
+If you want to use it, don't forget to review your ``sshd_config`` and modify it accordingly: the templates can be found in ``etc/ssh/``.
+
+Note that misconfiguring `sshd` and `pam` together could at worst entirely disable sshd authentication.
+If you have a custom configuration, different from the templates we provide, please double-check
+that such corner case is not possible by design.
+A good way to ensure this is to review the `pam` configuration and ensure that there is no execution
+flow that pushes a `pam_success` value to the pam stack without requiring any form of authentication.
+
 v3.05.01 - 2021/09/22
 *********************
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index 983075bc4..adf4dacb4 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);
-our $VERSION = '3.05.01';
+our $VERSION = '3.06.00';
 BEGIN {
 # only used by the handler below