release 3.16.00

2024-09-20 06:55:58 +08:00 · 2024-04-10 09:19:52 +00:00 · 2024-04-10 09:19:52 +00:00 · 3646badbdf
parent 7487597d61
commit 3646badbdf
5 changed files with 40 additions and 12 deletions
--- a/bin/plugin/restricted/groupCreate
+++ b/bin/plugin/restricted/groupCreate
@ -45,6 +45,7 @@ Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE
                  For ED25519, size is always 256.

  --no-key      Don't generate an egress SSH key at all for this group
+
 EOF
    OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
    return 0;
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@ -1,3 +1,9 @@
+## v3.16.00 - 2024/04/10
+- feat: support hardware-based Secure Keys (FIDO2) for ingress authentication
+- enh: remove netcat dependency by using perl builtins
+- enh: --wait now checks whether the TCP port is open instead of just pinging the host
+- fix: logic error in etc/pam.d/sshd.rhel breaking MFA handling if enabled
+
 ## v3.15.00 - 2024/03/22
 - feat: add ``dnsSupportLevel`` option for systems with broken DNS (fixes #397)
 - enh: allow ``@`` as a valid remote user char (fixes #437)
@ -6,17 +12,17 @@
 - fix: avoid a warning when an non-resolvable host is specified with ``scp`` or ``sftp``

 ## v3.14.16 - 2024/02/20
-feat: add ``ttyrecStealthStdoutPattern`` config
-enh: ``batch``: openhandle() is overkill and doesn't work on EOF
-enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
-enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
-enh: plugins: better signal handling to avoid dangling children processes
-fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
-fix: don't exit with ``fping`` when host is unreachable
-fix: ``fixrights.sh``: add +x ``run-tool.sh``
-fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
-fix: install: generation of the MFA secret under FreeBSD
-fix: install: silence ``tr`` message on secret generation
+- feat: add ``ttyrecStealthStdoutPattern`` config
+- enh: ``batch``: openhandle() is overkill and doesn't work on EOF
+- enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
+- enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
+- enh: plugins: better signal handling to avoid dangling children processes
+- fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
+- fix: don't exit with ``fping`` when host is unreachable
+- fix: ``fixrights.sh``: add +x ``run-tool.sh``
+- fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
+- fix: install: generation of the MFA secret under FreeBSD
+- fix: install: silence ``tr`` message on secret generation

 ## v3.14.15 - 2023/11/08
 - feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140)
--- a/doc/sphinx/installation/upgrading.rst
+++ b/doc/sphinx/installation/upgrading.rst
@ -27,6 +27,26 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================

+v3.16.00 - 2024/04/10
+*********************
+
+This version adds support for Secure Keys (FIDO2) for ingress authentication. It requires at least OpenSSH 8.2
+installed on the server hosting The Bastion, as support for FIDO2 was added in this version.
+Of the currently supported OS versions, the following are known to have a recent-enough version:
+
+- Debian 11
+- Debian 12
+- Ubuntu 20.04
+- Ubuntu 22.04
+- OpenSUSE Leap 15.5
+- Rocky Linux 9
+
+Note that if you are upgrading, you'll need to enable the new ingress algorithms in the ``/etc/bastion/bastion.conf``
+file, under the ``allowedIngressSshAlgorithms`` option. You may want to add ``ecdsa-sk`` and ``ed25519-sk`` to the list
+if you want to support the FIDO2-backed versions of these two algorithms.
+You may also refer to the distributed default configuration file in ``etc/bastion/bastion.conf.dist``,
+which enables them by default.
+
 v3.15.00 - 2024/03/22
 *********************

--- a/doc/sphinx/plugins/restricted/groupCreate.rst
+++ b/doc/sphinx/plugins/restricted/groupCreate.rst
@ -47,6 +47,7 @@ Create a group
   Don't generate an egress SSH key at all for this group


+
 A quick overview of the different algorithms:

 .. code-block:: none
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);

-our $VERSION = '3.15.00';
+our $VERSION = '3.16.00';

 BEGIN {
    # only used by the handler below