ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-11-10 09:12:54 +08:00
Code Issues Projects Releases Packages Wiki Activity

release 3.16.00

Browse source
This commit is contained in:
Stéphane Lesimple 2024-04-10 09:19:52 +00:00 committed by Stéphane Lesimple
parent 7487597d61
commit 3646badbdf
5 changed files with 40 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
bin/plugin/restricted/groupCreate
View file

@ -45,6 +45,7 @@ Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE
For ED25519, size is always 256. For ED25519, size is always 256.
--no-key Don't generate an egress SSH key at all for this group --no-key Don't generate an egress SSH key at all for this group
EOF EOF
OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0); OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
return 0; return 0;

28
doc/CHANGELOG.md
View file

@ -1,3 +1,9 @@
## v3.16.00 - 2024/04/10
- feat: support hardware-based Secure Keys (FIDO2) for ingress authentication
- enh: remove netcat dependency by using perl builtins
- enh: --wait now checks whether the TCP port is open instead of just pinging the host
- fix: logic error in etc/pam.d/sshd.rhel breaking MFA handling if enabled
## v3.15.00 - 2024/03/22 ## v3.15.00 - 2024/03/22
- feat: add ``dnsSupportLevel`` option for systems with broken DNS (fixes #397) - feat: add ``dnsSupportLevel`` option for systems with broken DNS (fixes #397)
- enh: allow ``@`` as a valid remote user char (fixes #437) - enh: allow ``@`` as a valid remote user char (fixes #437)
@ -6,17 +12,17 @@
- fix: avoid a warning when an non-resolvable host is specified with ``scp`` or ``sftp`` - fix: avoid a warning when an non-resolvable host is specified with ``scp`` or ``sftp``
## v3.14.16 - 2024/02/20 ## v3.14.16 - 2024/02/20
feat: add ``ttyrecStealthStdoutPattern`` config - feat: add ``ttyrecStealthStdoutPattern`` config
enh: ``batch``: openhandle() is overkill and doesn't work on EOF - enh: ``batch``: openhandle() is overkill and doesn't work on EOF
enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins - enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock`` - enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
enh: plugins: better signal handling to avoid dangling children processes - enh: plugins: better signal handling to avoid dangling children processes
fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts - fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
fix: don't exit with ``fping`` when host is unreachable - fix: don't exit with ``fping`` when host is unreachable
fix: ``fixrights.sh``: add +x ``run-tool.sh`` - fix: ``fixrights.sh``: add +x ``run-tool.sh``
fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433) - fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
fix: install: generation of the MFA secret under FreeBSD - fix: install: generation of the MFA secret under FreeBSD
fix: install: silence ``tr`` message on secret generation - fix: install: silence ``tr`` message on secret generation
## v3.14.15 - 2023/11/08 ## v3.14.15 - 2023/11/08
- feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140) - feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140)

20
doc/sphinx/installation/upgrading.rst
View file

@ -27,6 +27,26 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
Version-specific upgrade instructions Version-specific upgrade instructions
===================================== =====================================
v3.16.00 - 2024/04/10
*********************
This version adds support for Secure Keys (FIDO2) for ingress authentication. It requires at least OpenSSH 8.2
installed on the server hosting The Bastion, as support for FIDO2 was added in this version.
Of the currently supported OS versions, the following are known to have a recent-enough version:
- Debian 11
- Debian 12
- Ubuntu 20.04
- Ubuntu 22.04
- OpenSUSE Leap 15.5
- Rocky Linux 9
Note that if you are upgrading, you'll need to enable the new ingress algorithms in the ``/etc/bastion/bastion.conf``
file, under the ``allowedIngressSshAlgorithms`` option. You may want to add ``ecdsa-sk`` and ``ed25519-sk`` to the list
if you want to support the FIDO2-backed versions of these two algorithms.
You may also refer to the distributed default configuration file in ``etc/bastion/bastion.conf.dist``,
which enables them by default.
v3.15.00 - 2024/03/22 v3.15.00 - 2024/03/22
********************* *********************

1
doc/sphinx/plugins/restricted/groupCreate.rst
View file

@ -47,6 +47,7 @@ Create a group
Don't generate an egress SSH key at all for this group Don't generate an egress SSH key at all for this group
A quick overview of the different algorithms: A quick overview of the different algorithms:
.. code-block:: none .. code-block:: none

2
lib/perl/OVH/Bastion.pm
View file

@ -5,7 +5,7 @@ use common::sense;
use Fcntl; use Fcntl;
use POSIX qw(strftime); use POSIX qw(strftime);
our $VERSION = '3.15.00'; our $VERSION = '3.16.00';
BEGIN { BEGIN {
# only used by the handler below # only used by the handler below