From 5c3c82dafdf64a1e45431ad1e9f65f8af028ea09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 20 Feb 2024 13:46:03 +0000
Subject: [PATCH 1/3] fix: generation of MFA secret under FreeBSD
---
 bin/admin/install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/admin/install b/bin/admin/install
index dee130e7a..bde542ba6 100755
--- a/bin/admin/install
+++ b/bin/admin/install
@@ -1272,7 +1272,7 @@ if [ "${opt[generate-mfa-secret]}" = 1 ]; then
 if [ -e "$BASTION_ETC_DIR/mfa-token.conf" ]; then
 action_na
 else
- secret=$(tr -dc A-Za-z0-9 < /dev/urandom 2>/dev/null | head -c32)
+ secret=$(env LANG=C tr -dc A-Za-z0-9 < /dev/urandom 2>/dev/null | head -c32)
 touch "$BASTION_ETC_DIR/mfa-token.conf"
 chown 0:bastion-users "$BASTION_ETC_DIR/mfa-token.conf"
 chmod 640 "$BASTION_ETC_DIR/mfa-token.conf"
From 915e550277e7b22d23c2354e05117e1404a32361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 20 Feb 2024 13:56:40 +0000
Subject: [PATCH 2/3] fix: tests for FreeBSD
---
 tests/functional/launch_tests_on_instance.sh | 2 +-
 tests/functional/tests.d/325-accountinfo.sh | 2 +-
 tests/functional/tests.d/395-mfa-scp-sftp.sh | 12 ++++++------
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 59c02cf9b..0bbc35467 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
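Review bot: `env LANG=C` on the new `secret=` line is the lowest-priority locale variable — if the installer's environment carries `LC_ALL` or `LC_CTYPE`, either still overrides `LANG` and `tr -dc A-Za-z0-9` is back to the multibyte behaviour this commit works around, so `env LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom 2>/dev/null | head -c32` is the reliable form. Separately, with `tr`'s stderr discarded nothing verifies the outcome: a failing `tr` leaves `secret` empty, and the `touch`/`chown`/`chmod` lines that follow still create mfa-token.conf, presumably with that empty value written by code after the hunk. A guard right after the assignment such as `[ "${#secret}" -eq 32 ] || { echo "could not generate MFA secret" >&2; exit 1; }` would abort the install loudly instead of producing an unusable token file. The enclosing if/else block continues past the end of the hunk.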
@@ -672,7 +672,7 @@ runtests()
 configchg 's=^\\\\x22bastionCommand\\\\x22.+=\\\\x22bastionCommand\\\\x22:\\\\x22ssh\\\\x20USER\\\\x40'"$remote_ip"'\\\\x20-p\\\\x20'"$remote_port"'\\\\x20-t\\\\x20--\\\\x22,='
 # account1 skips PAM MFA
- success account1_nopam $r0 "usermod -a -G bastion-nopam $account0"
+ success account1_nopam $r0 "command -v pw \>/dev/null \&\& pw groupmod -n bastion-nopam -m $account0 \|\| usermod -a -G bastion-nopam $account0"
 # backup the original default configuration on target side
 now=$(date +%s)
diff --git a/tests/functional/tests.d/325-accountinfo.sh b/tests/functional/tests.d/325-accountinfo.sh
index 3718c57fe..942671fb8 100644
--- a/tests/functional/tests.d/325-accountinfo.sh
+++ b/tests/functional/tests.d/325-accountinfo.sh
@@ -47,7 +47,7 @@ testsuite_accountinfo()
 # a0 should see basic info about a2
 success a0_accountinfo_a2_basic $a0 --osh accountInfo --account $account2
- json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"account":"'"$account2"'","always_active":1,"is_active":1,"allowed_commands":[],"groups":{}}}'
+ json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"account":"'"$account2"'","always_active":1,"always_active_reason":"account local configuration","is_active":1,"allowed_commands":[],"groups":{}}}'
 # a1 should see detailed info about a2
 success a1_accountinfo_a2_detailed $a1 --osh accountInfo --account $account2 --with-mfa-password-info
diff --git a/tests/functional/tests.d/395-mfa-scp-sftp.sh b/tests/functional/tests.d/395-mfa-scp-sftp.sh
index 3c3ece8cc..b4282fde1 100644
--- a/tests/functional/tests.d/395-mfa-scp-sftp.sh
+++ b/tests/functional/tests.d/395-mfa-scp-sftp.sh
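Review bot: The new `account1_nopam` command is the `A && B || C` chain `command -v pw >/dev/null && pw groupmod -n bastion-nopam -m $account0 || usermod -a -G bastion-nopam $account0`, so when `pw` exists but `pw groupmod` fails, the `||` branch runs `usermod` on FreeBSD and the failure `success` reports is usermod's, not the real one. An explicit `if command -v pw >/dev/null; then pw groupmod -n bastion-nopam -m $account0; else usermod -a -G bastion-nopam $account0; fi` (with the same backslash escaping the line already uses for the remote shell) keeps the two platforms' failures distinct. The `runtests()` function starts and ends outside this hunk.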
@@ -134,7 +134,7 @@ testsuite_mfa_scp_sftp()
 expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
 expect eof;
 lassign [wait] pid spawnid value value;
- exit \$value' | expect -f -"
+ exit \$value' | timeout --foreground $default_timeout expect -f -"
 retvalshouldbe 0
 unset a0_password_tmp
 nocontain 'enter this:'
@@ -149,7 +149,7 @@ testsuite_mfa_scp_sftp()
 expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
 expect eof;
 lassign [wait] pid spawnid value value;
- exit \$value' | expect -f -"
+ exit \$value' | timeout --foreground $default_timeout expect -f -"
 nocontain 'MFA_TOKEN=notrequired'
 if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
 retvalshouldbe 0
@@ -166,7 +166,7 @@ testsuite_mfa_scp_sftp()
 expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
 expect eof;
 lassign [wait] pid spawnid value value;
- exit \$value' | expect -f -"
+ exit \$value' | timeout --foreground $default_timeout expect -f -"
 nocontain 'MFA_TOKEN=notrequired'
 if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
 retvalshouldbe 0
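Review bot: The new `timeout --foreground $default_timeout expect -f -` pipeline (here and identically in the @@ -149, @@ -166 and @@ -200 hunks) leaves `$default_timeout` unquoted and unguarded; if it is unset or empty in the test environment, `timeout` takes `expect` as its duration argument and the case fails for a reason unrelated to MFA. Quoting it as `"$default_timeout"` plus a defined-or default near the top of the function, e.g. `: "${default_timeout:=<seconds>}"`, makes the failure mode explicit; whether the harness always sets it is not visible from the hunk. The same `timeout ... expect -f -` tail is now repeated four times, so a small helper would also cut the duplication. `testsuite_mfa_scp_sftp()` starts before this hunk and continues after it.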
@@ -182,12 +182,12 @@ testsuite_mfa_scp_sftp()
 json .error_code KO_MFA_FAILED_INVALID_FORMAT
 local invalid_token
- invalid_token="v1,$(date +%s -d '1 hour ago'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
+ invalid_token="v1,$(perl -e 'CORE::say time()-3600'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
 run scp_upload_bad_token_expired $a0 --osh scp --host 127.0.0.2 --port 22 --user $shellaccount --mfa-token "$invalid_token"
 retvalshouldbe 125
 json .error_code KO_MFA_FAILED_EXPIRED_TOKEN
- invalid_token="v1,$(date +%s -d '1 hour'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
+ invalid_token="v1,$(perl -e 'CORE::say time()+3600'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
 run scp_upload_bad_token_future $a0 --osh scp --host 127.0.0.2 --port 22 --user $shellaccount --mfa-token "$invalid_token"
 retvalshouldbe 125
 json .error_code KO_MFA_FAILED_FUTURE_TOKEN
@@ -200,7 +200,7 @@ testsuite_mfa_scp_sftp()
 expect \"word:\" { sleep 0.2; send \"$a0_password\\n\"; };
 expect eof;
 lassign [wait] pid spawnid value value;
- exit \$value' | expect -f -"
+ exit \$value' | timeout --foreground $default_timeout expect -f -"
 retvalshouldbe 0
 json .error_code OK .command selfMFAResetPassword
 else
From 2bd579f0952d971428a4c5ac1cc196caec8a14d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 20 Feb 2024 12:51:57 +0000
Subject: [PATCH 3/3] release v3.14.16
---
 doc/CHANGELOG.md | 13 +++++++++++++
 doc/sphinx/installation/upgrading.rst | 5 +++++
 lib/perl/OVH/Bastion.pm | 2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index e20c13a60..1d55886ac 100644
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
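Review bot: Both rewritten `invalid_token=` lines still carry the same 64-hex literal `9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b` verbatim, and the only part that matters to each case — `perl -e 'CORE::say time()-3600'` versus `time()+3600` — is buried in the middle of a 120-character string. Since the `KO_MFA_FAILED_EXPIRED_TOKEN` and `KO_MFA_FAILED_FUTURE_TOKEN` assertions apparently exercise the timestamp rather than the signature field, a `local dummy_sig=9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b` next to `local invalid_token`, then `invalid_token="v1,$(perl -e 'CORE::say time()-3600'),$dummy_sig"`, would make the expired/future intent readable at a glance. `testsuite_mfa_scp_sftp()` starts before this hunk and continues after it.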
@@ -1,3 +1,16 @@
+## v3.14.16 - 2024/02/20
+feat: add ``ttyrecStealthStdoutPattern`` config
+enh: ``batch``: openhandle() is overkill and doesn't work on EOF
+enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
+enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
+enh: plugins: better signal handling to avoid dangling children processes
+fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
+fix: don't exit with ``fping`` when host is unreachable
+fix: ``fixrights.sh``: add +x ``run-tool.sh``
+fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
+fix: install: generation of the MFA secret under FreeBSD
+fix: install: silence ``tr`` message on secret generation
 ## v3.14.15 - 2023/11/08
 - feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140)
 - feat: add configuration option for plugins to override the global lock/kill timeout
diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst
index f34abbe0b..60f86bf9e 100644
--- a/doc/sphinx/installation/upgrading.rst
+++ b/doc/sphinx/installation/upgrading.rst
@@ -27,6 +27,11 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================
+v3.14.16 - 2024/02/20
+*********************
+No specific upgrade instructions.
 v3.14.15 - 2023/11/08
 *********************
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index 92dfc2544..8eb119dab 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);
-our $VERSION = '3.14.15';
+our $VERSION = '3.14.16';
 BEGIN {
 # only used by the handler below