Releases: ovh/the-bastion
v3.09.00-rc3
⚠️ This is a release candidate
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
💡 Highlights
Please refer to the rc1 changelog.
📌 Changes since rc2:
- enh: install: better error detection
- fix: performance issues introduced by rc1
⏩ Upgrading
v3.09.00-rc2
⚠️ This is a release candidate
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
💡 Highlights
Please refer to the rc1 changelog.
📌 Changes since rc1:
- enh: MFA: specify account name in message
- enh: print_public_key: better formatter
- enh: move some code from get_hashes_list() to a new get_password_file()
- doc: osh-encrypt-rsync.conf: add verbose
⏩ Upgrading
v3.09.00-rc1
⚠️ This is a release candidate
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
💡 Highlights
This version has quite a lot of commits. It includes a standardization of the satellite scripts' configuration format and standard parameters, so some configuration review might be needed after upgrading (detailed in the specific upgrade instructions below).
The 3 main changes of this version are:
- The osh-encrypt-rsync.pl script's functionalities have been extended to cover not only the encryption/rotation/exporting of ttyrec files, but now also each user's local access logs and sql logs, where applicable. Previously, these logs were handled by the compress-old-logs.sh script, which was just compressing these files in-place. The latter script has now been removed in favor of the new features of osh-encrypt-rsync.pl, which not only handles compression/encryption, but also the export of these files to the same remote escrow filer that you may have configured for your ttyrec files.
- The NRPE probes we use to monitor our bastion clusters have been added to the contrib/ folder; if you're using Nagios, Icinga or any other NRPE-compatible monitoring system, you might want to have a look at said folder.
- Ubuntu 22.04 LTS is now supported and part of the automated tests. CentOS 8 has been removed, as this distribution has been EOL for some time. The software might still work in the meantime, but any potential future incompatibility might go undetected, and is not guaranteed to be fixed. Note, however, that RockyLinux 8 is supported and tested.
As a side note, an overhaul of the left menu of the documentation has been done, in an effort to enhance documentation navigation as the documentation book thickens.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: osh-encrypt-rsync.pl: handle sqlite and user logs along with ttyrec files
- remove: compress-old-logs.sh script, as osh-encrypt-rsync.pl does the job now
- remove: delete CentOS 8 from tests (EOL)
- feat: add osh-cleanup-guest-key-access.pl script
- feat: add NRPE probes in contrib/
- enh: standardize snake_case for all system scripts json config files
- enh: cron scripts: factorize common code and standardize logging & config
- enh: osh-lingering-sessions-reaper.pl: make it configurable
- enh: osh-piv-grace-reaper.pl: run only on master, standardize config reading
- enh: add more info in syslog warnings for accountDelete
- fix: ping: force a deadline, and restore default sighandlers
- fix: accountInfo: missing creation date on non-json output
- fix: osh-remove-empty-folders.pl: fix folders counting (logging only)
- fix: osh-encrypt-rsync.pl: delete +a source files properly
- fix: osh-encrypt-rsync.pl: ensure $verbose is always set & make it configurable
- fix: install: ensure that the healthcheck user can always connect from 127.0.0.1
- fix: install: avoid cases of sigpipe on tr
- fix: don't emit a membership log when nothing changed
- fix: {group,account}Delete: move() would sometimes fail, replace by mv
- fix: workaround for undocumented caching in getpw/getgr funcs
- doc: better menu organization and more complete config files reference
⏩ Upgrading
v3.08.01
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
💡 Highlights
The main change of this version is:
- A new system script, osh-remove-empty-folders.sh, called by cron and responsible for cleaning up the ttyrec/ directory of users' homes, which may contain a high amount of empty folders for busy users connecting to a lot of different servers, as we create one folder per destination IP.
An exhaustive list of changes can be found below.
📌 Changes
- feat: add osh-remove-empty-folders.sh script
- enh: better error detection and logging in accountDelete & groupDelete
⏩ Upgrading
v3.08.00
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
💡 Highlights
The 2 main changes of this version are:
- System scripts are now using GnuPG 2.x instead of GnuPG 1.x. All supported OSes support GnuPG 2.x. The 2.x series of GnuPG supports more key algorithms (such as ECDSA and Ed25519), for both higher security and speed. Please refer to the specific upgrade instructions for more information.
- New restricted plugin accountUnlock, to unlock accounts locked by either pam_tally, pam_tally2 or pam_faillock.
Additionally, the supported list of operating systems has changed:
- Removed official support for OpenSUSE Leap 15.2 (EOL), older minor releases of CentOS 7.x and 8.x (EOL). No code has been removed that would break compatibility, but we removed these OSes from the automated tests suite, so the code may stop working in the future on these OSes for a root cause that we wouldn't be able to detect automatically.
- Added official support for Debian "Bullseye" 11, RockyLinux 8.x
Also note that since v3.03.99-rc2, the FreeBSD integration tests were not running properly; this has been fixed, and the few non-passing tests since this version have also been resolved.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: move scripts to GnuPG 2.x, add tests & doc
- feat: add new OSes (Debian "Bullseye" 11, RockyLinux 8.x) and deprecate old ones (OpenSUSE Leap 15.2, older minor releases of CentOS 7.x and 8.x)
- feat: add the accountUnlock restricted plugin
- enh: detect silent password change failures
- enh: batch: detect when asked to start a plugin requiring MFA
- enh: rewrite packages-check.sh, perl-tidy.sh and shell-check.sh with more features and deprecated code removed
- feat: add the code-info syslog type in addition to code-warn
- enh: tests: --module can now be specified multiple times
- fix: FreeBSD tests & portions of code, regression since v3.03.99-rc2
- chore: install: remove obsolete upgrading sections for pre-v3.x versions
⏩ Upgrading
v3.07.00
💡 Highlights
The two main features of this version are:
- The support of the Duo PAM auth as MFA (see #249 for more information)
- A new access setup option, --force-password, which is similar to --force-key, but to be used when a specific egress password is required instead of a specific SSH key for a given host. Note that this doesn't work for guest group accesses yet, which will be implemented in a future version. More information can be found in #256.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: add support for Duo PAM auth as MFA (#249)
- feat: new access option: --force-password <HASH>, to only try one specific egress password (#256, thanks @madchrist)
- fix: add helpers handling of SIGPIPE/SIGHUP
- fix: avoid double-close log messages on SIGHUP
- fix: --self-password was missing as a -P synonym (#257, thanks @madchrist)
- fix: tests under OpenSUSE (fping raw sockets)
- chore: ensure proper Getopt::Long options are set everywhere
- chore: move HEXIT() to helper module, use HEXIT only in helpers
- chore: factorize helpers header
⏩ Upgrading
v3.06.00
💡 Highlights
The main new feature of this version is the --pubkey-auth-optional option to accountModify, to tag some accounts so that they don't need a public key for the ingress connection, but only a password (and maybe a TOTP). Of course, as passwords are always less secure than public-key authentication, please only use it for specific use cases you may have. See #237 for more details, along with the specific upgrade instructions (see below).
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: accountModify: add --pubkey-auth-optional (#237, thanks @madchrist)
- fix: accountPIV: fix bad autocompletion rule
- fix: groupdel: false positive in lock contention detection
- doc: bastion.conf: add superowner system group requirement
⏩ Upgrading
v3.05.01
💡 Highlights
A few minor features appear in this revision, if you don't need these you might skip this update.
- It is now possible to sign the backups in addition to encryption
- The interactive mode now supports an mfa command, to proactively request an MFA challenge that will be valid for a configured amount of time. The --proactive-mfa parameter is the equivalent for non-interactive mode, e.g. to be used along with --osh clush or --osh batch
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209)
- feat: --proactive-mfa and mfa/nofa interactive commands
- doc: add help about the interactive builtin commands (#227)
⏩ Upgrading
v3.05.00
💡 Highlights
Documentation about the following satellite configuration files is now automatically generated:
- The script responsible for encrypting and optionally moving the ttyrec files out of the server (osh-encrypt-rsync.conf)
- The script responsible for backing up everything needed to be able to restore a bastion from scratch (osh-backup-acl-keys.conf)
- The script responsible for the expiration of PIV grace periods (osh-piv-grace-reaper.conf)
- The script responsible for the HA synchronization between instances (osh-sync-watcher.conf)
Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18 characters limit.
accountInfo gets a speed boost by no longer listing the user's groups by default; you can still specify --list-groups to get them.
Individual accounts can now be configured to be immune to the global account expiration policy, see the --max-inactive-days option of both the accountCreate and accountModify commands.
We're also paving the way for Debian 11. All tests have been running fine for some time now, and starting from this release the pam template will use pam_faillock under Debian 11 instead of the deprecated pam_tally2 module.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: support pam_faillock for Debian 11 (#163)
- feat: add --fallback-password-delay (3) for ssh password autologin
- enh: add max_inactive_days to account configuration (#230)
- enh: accountInfo: add --list-groups
- enh: max account length is now 28 chars up from 18
- enh: better error message when unknown option is used
- enh: better use of account creation metadata
- enh: config reading: add rootonly parameter
- fix: accountCreate: --uid-auto: rare case where a free UID couldn't be found
- doc: generate scripts doc reference for satellite scripts
- doc: add faq about session locking (#226)
- misc: a few other unimportant fixes
⏩ Upgrading
v3.04.00
💡 Highlights
A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.
The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
- Debian 8
- Ubuntu 14.04
- OpenSUSE 15.0/15.1
The following additional OSes major versions are now supported and part of the automated tests:
- OpenSUSE 15.3
📌 Changes
- OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
- feat: add the groupDestroy command for group owners
- feat: add filtering options to several commands: --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
- feat: http proxy: greatly optimize performance for large payload responses (x10 or more)
- feat: accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
- feat: add UTF-8 chars to output when supported and allowed (new fanciness option)
- feat: add admin and super owner accounts list in info plugin (#206)
- enh: tests: refactor the framework for more maintainability
- enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
- enh: http proxy: add options to fine-tune logging
- enh: clearer error message on non-existing group
- enh: setup-encryption.sh: check that luks-config.sh exists (#181)
- enh: setup-gpg.sh: clarify the use of ^D with --import (#179)
- enh: http proxy: add functional tests framework for this feature, along with the first tests
- fix: setup-first-admin-account.sh: support to add several admins (#202)
- fix: localize $_ before while(<>) loops
- fix: groupCreate: deny groups starting with 'key' (#178)
- fix: superowners need to have +x on group homes
- doc: added a lot of new content (see highlights)
- doc: clush: document --user and --port
- doc: several other fixes here and there