Releases: ovh/the-bastion
v3.01.03
- fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
- fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
- fix: osh.pl: plugin_config 'disabled' key is a boolean
- chore: speedup tests by ~20%
- chore: osh-accountDelete: fix typo
v3.01.02
Changelog:
- feat: support CentOS 8.3
- fix: is_valid_remote_user: extend allowed size from 32 to 128
- doc:
bastions.conf.dist
: wrong options values inaccountMFAPolicy
comments - chore: packages-check: remove unused packages
Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release.
v3.01.01
Changelog:
- fix: interactive mode: mark non-printable chars as such to avoid readline quirks
- fix: osh-encrypt-rsync: remove
logfile
as a mandatory parameter - fix: typo in
MFAPasswordWarnDays
parameter inbastion.conf.dist
- enh: interactive mode: better autocompletion for
accountCreate
andadminSudo
- enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
- doc: add information about
puppet-thebastion
andyubico-piv-checker
+ some adjustments - chore: tests: fail the tests when code is not tidy
v3.01.00
Changelog:
- feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
- feat: partial MFA support for FreeBSD
- feat: add
interactiveModeByDefault
option (#54) - feat: install: add SELinux module for TOTP MFA (#26)
- enh: httpproxy: add informational headers to the egress side request
- fix: osh.pl: validate remote user and host format to fail early if invalid
- fix: osh-encrypt-rsync.pl: allow more broad chars to avoid letting weird-named files behind
- fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss
/root/.gnupg/secring.gpg
- fix: selfListSessions: bad sorting of the list
- misc: a few other fixes here and there
Specific upgrade instructions:
A new bastion.conf
option was introduced: interactiveModeByDefault. If not present in your config file, its value defaults to 1 (true), which changes the behavior of The Bastion when a user connects without specifying any command. When this happens, it'll now display the help then drop the user into interactive mode (if this mode is enabled), instead of displaying the help and aborting with an error message. Set it to 0 (false) if you want to keep the previous behavior.
An SELinux module has been added in this version, to ensure TOTP MFA works correctly under systems where SELinux is on enforcing mode. This module will be installed automatically whenever SELinux is detected on the system. If you don't want to use this module, specify --no-install-selinux-module
on your /opt/bastion/bin/admin/install
upgrade call (please refer to the generic upgrade instructions for more details).
v3.00.02
- feat: add more archs to dockerhub sandbox, it is now available for
linux/386
,linux/amd64
,linux/arm/v6
,linux/arm/v7
,linux/arm64
,linux/ppc64le
andlinux/s390x
. - fix:
adminSudo
: allow called plugins to read from stdin - fix: add missing
echo
in the entrypoint of the sandbox - chore:
install-ttyrec.sh
: adapt for multiarch
v3.00.01
- feat: add OpenSUSE 15.2 to the officially supported distros
- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
- enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
- enh: provide a separated Dockerfile for the sandbox, squashing useless layers
- doc: a lot of fixes here and there
- chore: remove spurious config files
- chore: a few GitHub actions workflow fixes