release v3.14.16 #448

Merged
merged 3 commits into from
Feb 20, 2024
2 changes: 1 addition & 1 deletion bin/admin/install
@@ -1272,7 +1272,7 @@ if [ "${opt[generate-mfa-secret]}" = 1 ]; then
if [ -e "$BASTION_ETC_DIR/mfa-token.conf" ]; then
action_na
else
secret=$(tr -dc A-Za-z0-9 < /dev/urandom 2>/dev/null | head -c32)
secret=$(env LANG=C tr -dc A-Za-z0-9 < /dev/urandom 2>/dev/null | head -c32)
touch "$BASTION_ETC_DIR/mfa-token.conf"
chown 0:bastion-users "$BASTION_ETC_DIR/mfa-token.conf"
chmod 640 "$BASTION_ETC_DIR/mfa-token.conf"
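Review bot: `env LANG=C` only sets `LANG`, which `LC_ALL` or `LC_CTYPE` override if either is exported in the installer's environment, so the FreeBSD `tr` locale problem this line fixes can come back on a host that exports `LC_ALL`; `LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c32` is the robust form. Separately, `2>/dev/null` now hides any remaining `tr` failure, in which case `secret` is empty while the `touch`/`chown`/`chmod` lines below still create the file; a guard such as `[ "${#secret}" -eq 32 ] || { echo "failed to generate MFA secret" >&2; exit 1; }` before the `touch` would turn that into a visible error instead of a silently empty secret.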
13 changes: 13 additions & 0 deletions doc/CHANGELOG.md
@@ -1,3 +1,16 @@
## v3.14.16 - 2024/02/20
feat: add ``ttyrecStealthStdoutPattern`` config
enh: ``batch``: openhandle() is overkill and doesn't work on EOF
enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
enh: plugins: better signal handling to avoid dangling children processes
fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
fix: don't exit with ``fping`` when host is unreachable
fix: ``fixrights.sh``: add +x ``run-tool.sh``
fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
fix: install: generation of the MFA secret under FreeBSD
fix: install: silence ``tr`` message on secret generation

## v3.14.15 - 2023/11/08
- feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140)
- feat: add configuration option for plugins to override the global lock/kill timeout
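Review bot: the new v3.14.16 entries carry no `- ` list marker, unlike the v3.14.15 entries in the context lines below (`- feat: support JIT MFA ...`), so Markdown will render them as one run-on paragraph; prefix each with `- ` to match the rest of the file. Nit: `always\_active=1` in the `accountInfo` line could be wrapped in double backticks like the other identifiers here, which also makes the backslash escape unnecessary.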
5 changes: 5 additions & 0 deletions doc/sphinx/installation/upgrading.rst
@@ -27,6 +27,11 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
Version-specific upgrade instructions
=====================================

v3.14.16 - 2024/02/20
*********************

No specific upgrade instructions.

v3.14.15 - 2023/11/08
*********************

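Review bot: "No specific upgrade instructions" is fine for the code changes, but the changelog in this PR lists a fix for MFA secret generation under FreeBSD; if an earlier install on FreeBSD could have left `mfa-token.conf` empty or malformed, a sentence here telling FreeBSD admins to check that file and, if needed, regenerate it via the installer's `generate-mfa-secret` option (the one the `bin/admin/install` hunk touches) would save them a surprise at the next MFA enrolment.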
2 changes: 1 addition & 1 deletion lib/perl/OVH/Bastion.pm
@@ -5,7 +5,7 @@ use common::sense;
use Fcntl;
use POSIX qw(strftime);

our $VERSION = '3.14.15';
our $VERSION = '3.14.16';

BEGIN {
# only used by the handler below
2 changes: 1 addition & 1 deletion tests/functional/launch_tests_on_instance.sh
@@ -672,7 +672,7 @@ runtests()
configchg 's=^\\\\x22bastionCommand\\\\x22.+=\\\\x22bastionCommand\\\\x22:\\\\x22ssh\\\\x20USER\\\\x40'"$remote_ip"'\\\\x20-p\\\\x20'"$remote_port"'\\\\x20-t\\\\x20--\\\\x22,='

# account1 skips PAM MFA
success account1_nopam $r0 "usermod -a -G bastion-nopam $account0"
success account1_nopam $r0 "command -v pw \>/dev/null \&\& pw groupmod -n bastion-nopam -m $account0 \|\| usermod -a -G bastion-nopam $account0"

# backup the original default configuration on target side
now=$(date +%s)
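Review bot: the `A && B || C` chain means a failure of `pw groupmod` on FreeBSD falls through to `usermod`, which does not exist there, so the test log would show "usermod: command not found" instead of the real `pw` error. An explicit `if command -v pw >/dev/null; then pw groupmod -n bastion-nopam -m $account0; else usermod -a -G bastion-nopam $account0; fi` keeps the right failure visible; the backslash escapes (`\>`, `\&\&`, `\|\|`) have to carry over to the `if` form, since the string is evaluated on the remote side.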
2 changes: 1 addition & 1 deletion tests/functional/tests.d/325-accountinfo.sh
@@ -47,7 +47,7 @@ testsuite_accountinfo()

# a0 should see basic info about a2
success a0_accountinfo_a2_basic $a0 --osh accountInfo --account $account2
json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"account":"'"$account2"'","always_active":1,"is_active":1,"allowed_commands":[],"groups":{}}}'
json_document '{"error_message":"OK","command":"accountInfo","error_code":"OK","value":{"account":"'"$account2"'","always_active":1,"always_active_reason":"account local configuration","is_active":1,"allowed_commands":[],"groups":{}}}'

# a1 should see detailed info about a2
success a1_accountinfo_a2_detailed $a1 --osh accountInfo --account $account2 --with-mfa-password-info
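Review bot: this only updates the expected `always_active_reason` for an account whose always-active status comes from its local configuration; the changelog entry in this PR ("return always_active=1 for globally-always-active accounts") describes the other path, and no assertion here covers it. A second `json_document` check for an account that is always-active through the global setting would pin down both the `always_active` value and whatever reason string that path returns.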
12 changes: 6 additions & 6 deletions tests/functional/tests.d/395-mfa-scp-sftp.sh
@@ -134,7 +134,7 @@ testsuite_mfa_scp_sftp()
expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
expect eof;
lassign [wait] pid spawnid value value;
exit \$value' | expect -f -"
exit \$value' | timeout --foreground $default_timeout expect -f -"
retvalshouldbe 0
unset a0_password_tmp
nocontain 'enter this:'
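Review bot: wrapping `expect` in `timeout --foreground $default_timeout` is a good change, since a stuck prompt now yields exit status 124 and a failed `retvalshouldbe 0` instead of a hung test run, but `$default_timeout` is unquoted and unchecked: if it is ever unset, the command becomes `timeout --foreground expect -f -`, which fails while parsing "expect" as a duration. `${default_timeout:?}` would fail fast with a clear message. The same applies to the other three hunks in this file that make the identical change.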
@@ -149,7 +149,7 @@ testsuite_mfa_scp_sftp()
expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
expect eof;
lassign [wait] pid spawnid value value;
exit \$value' | expect -f -"
exit \$value' | timeout --foreground $default_timeout expect -f -"
nocontain 'MFA_TOKEN=notrequired'
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
retvalshouldbe 0
@@ -166,7 +166,7 @@ testsuite_mfa_scp_sftp()
expect \":\" { sleep 0.2; send \"$a0_password\\n\"; };
expect eof;
lassign [wait] pid spawnid value value;
exit \$value' | expect -f -"
exit \$value' | timeout --foreground $default_timeout expect -f -"
nocontain 'MFA_TOKEN=notrequired'
if [ "${capabilities[mfa]}" = 1 ] || [ "${capabilities[mfa-password]}" = 1 ]; then
retvalshouldbe 0
@@ -182,12 +182,12 @@ testsuite_mfa_scp_sftp()
json .error_code KO_MFA_FAILED_INVALID_FORMAT

local invalid_token
invalid_token="v1,$(date +%s -d '1 hour ago'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
invalid_token="v1,$(perl -e 'CORE::say time()-3600'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
run scp_upload_bad_token_expired $a0 --osh scp --host 127.0.0.2 --port 22 --user $shellaccount --mfa-token "$invalid_token"
retvalshouldbe 125
json .error_code KO_MFA_FAILED_EXPIRED_TOKEN

invalid_token="v1,$(date +%s -d '1 hour'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
invalid_token="v1,$(perl -e 'CORE::say time()+3600'),9f25d680b1bae2ef73abc3c62926ddb9c88f8ea1f4120b1125cc09720c74268b"
run scp_upload_bad_token_future $a0 --osh scp --host 127.0.0.2 --port 22 --user $shellaccount --mfa-token "$invalid_token"
retvalshouldbe 125
json .error_code KO_MFA_FAILED_FUTURE_TOKEN
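Review bot: replacing `date -d '1 hour ago'` (a GNU extension) with Perl makes the expired/future token tests run on FreeBSD, and `CORE::say` is usable without `use feature 'say'` since Perl 5.16; a no-subprocess alternative is shell arithmetic, `$(( $(date +%s) - 3600 ))` and `$(( $(date +%s) + 3600 ))`, which is POSIX and avoids spawning perl. Either way, a comment stating that the trailing hex string is a dummy value and that the 3600 s offsets must stay outside the server's token validity window would help the next reader.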
@@ -200,7 +200,7 @@ testsuite_mfa_scp_sftp()
expect \"word:\" { sleep 0.2; send \"$a0_password\\n\"; };
expect eof;
lassign [wait] pid spawnid value value;
exit \$value' | expect -f -"
exit \$value' | timeout --foreground $default_timeout expect -f -"
retvalshouldbe 0
json .error_code OK .command selfMFAResetPassword
else