mirror of
https://github.com/ovh/the-bastion.git
synced 2024-11-10 17:26:51 +08:00
Release v3.08.00
This commit is contained in:
Stéphane Lesimple
Stéphane Lesimple
parent
1c8efa6590
commit
d7a898a5fa
4 changed files with 109 additions and 6 deletions
|
|
@ -1,3 +1,17 @@
|
|||
## v3.08.00 - 2022/01/04
|
||||
- feat: move scripts to GnuPG 2.x, add tests & doc
|
||||
- feat: add new OSes (Debian "Bullseye" 11, RockyLinux 8.x) and deprecate
|
||||
old ones (OpenSUSE Leap 15.2, older minor releases of CentOS 7.x and 8.x)
|
||||
- feat: add the ``accountUnlock`` restricted plugin
|
||||
- enh: detect silent password change failures
|
||||
- enh: ``batch``: detect when asked to start a plugin requiring MFA
|
||||
- enh: rewrite ``packages-check.sh``, ``perl-tidy.sh`` and ``shell-check.sh`` with
|
||||
more features and deprecated code removed
|
||||
- feat: add the ``code-info`` syslog type in addition to ``code-warn``
|
||||
- enh: tests: ``--module`` can now be specified multiple times
|
||||
- fix: FreeBSD tests & portions of code, regression since v3.03.99-rc2
|
||||
- chore: install: remove obsolete upgrading sections for pre-v3.x versions
|
||||
|
||||
## v3.07.00 - 2021/12/13
|
||||
- feat: add support for Duo PAM auth as MFA (#249)
|
||||
- feat: new access option: `--force-password <HASH>`, to only try one specific egress password (#256)
|
||||
|
|
@ -87,7 +101,8 @@ No changes since rc2.
|
|||
- fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
|
||||
- fix: `groupModify`: deny early if user is not an owner of the group
|
||||
- enh: `groupInfo`: nicer message when no egress key exists
|
||||
- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter now does nothing)
|
||||
- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed
|
||||
(and the `--no-wait` parameter now does nothing)
|
||||
- fix: `interactive`: omit inactivity message warning when set to 0 seconds
|
||||
- a few other internal fixes here and there
|
||||
|
||||
|
|
@ -173,7 +188,8 @@ No changes since rc2.
|
|||
|
||||
## v3.00.01 - 2020/11/06
|
||||
- feat: add OpenSUSE 15.2 to the officially supported distros
|
||||
- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
|
||||
- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb
|
||||
and .rpm packages & falls back to precompiled static binaries otherwise
|
||||
- enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
|
||||
- enh: provide a separated Dockerfile for the sandbox, squashing useless layers
|
||||
- doc: a lot of fixes here and there
|
||||
|
|
|
|||
|
|
@ -152,13 +152,13 @@ Once you are done with you configuration, you might want to test it by running:
|
|||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/admin/osh-encrypt-rsync.pl --config-test
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
|
||||
|
||||
Or even go further by starting the script in dry-run mode:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/admin/osh-encrypt-rsync.pl --dry-run
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --dry-run
|
||||
|
||||
Configuring keys, accounts & groups remote backup
|
||||
=================================================
|
||||
|
|
@ -178,7 +178,7 @@ start the script manually:
|
|||
.. code-block:: shell
|
||||
:emphasize-lines: 1
|
||||
|
||||
/opt/bastion/bin/admin/osh-backup-acl-keys.sh
|
||||
/opt/bastion/bin/cron/osh-backup-acl-keys.sh
|
||||
|
||||
Pushing backup file (/root/backups/backup-2020-05-25.tar.gz.gpg) remotely...
|
||||
backup-2020-05-25.tar.gz.gpg
|
||||
|
|
|
|||
|
|
@ -27,6 +27,93 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
|
|||
Version-specific upgrade instructions
|
||||
=====================================
|
||||
|
||||
v3.08.00 - 2022/01/04
|
||||
*********************
|
||||
|
||||
This version replaces usage of GnuPG 1.x by GnuPG 2.x for the backup/encrypt/rsync satellite scripts, namely:
|
||||
|
||||
- ``bin/cron/osh-backup-acl-keys.sh``
|
||||
- ``bin/cron/osh-encrypt-rsync.pl``
|
||||
|
||||
These are optionally used to help you backup your system, and encrypt/move out ttyrec files.
|
||||
If you don't use these scripts and never configured them as seen in the :doc:`/installation/advanced` section,
|
||||
then you have nothing to do.
|
||||
|
||||
The script ``setup-gpg.sh`` will now create an Ed25519 key by default, instead of a 4K RSA key.
|
||||
This type of key is usually seen as more secure (elliptic curve cryptography), and faster than RSA keys.
|
||||
If you have already configured your system, then the above scripts will continue using the previously generated
|
||||
RSA key, unless you generate a new key and reference it in the scripts configuration files.
|
||||
|
||||
If you want to generate new Ed25519 keys instead of using your preexisting RSA keys, you may proceed
|
||||
to the :ref:`Ed25519 section below <upgrading_ed25519>`.
|
||||
|
||||
Otherwise, on the first run, GnuPG 2.x should transparently import the 1.x keyring.
|
||||
To verify that it worked correctly, you may want to try:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
|
||||
|
||||
If you see *Config test passed*, and you're okay using your preexisting 4K RSA key, then you may stop here.
|
||||
|
||||
If the test fails, and you know that before upgrading, this script worked correctly, then you might need to
|
||||
manually import the GnuPG 1.x public keys:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
gpg1 --armor --export | gpg --import
|
||||
|
||||
Then, try again:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
|
||||
|
||||
If you don't see any errors here, you're done.
|
||||
|
||||
If you still see errors, then you might need to manually import the private key:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
gpg1 --armor --export-secret-keys | gpg --import
|
||||
|
||||
You may get asked for a password for the bastion secret key, which should be found in
|
||||
``/etc/bastion/osh-encrypt-rsync.conf.d/50-gpg-bastion-key.conf`` if you previously used the script to generate it.
|
||||
|
||||
A last config test should now work:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
|
||||
|
||||
If you prefer to generate Ed25519 keys instead, then you can proceed to the next section.
|
||||
|
||||
.. _upgrading_ed25519:
|
||||
|
||||
Ed25519
|
||||
-------
|
||||
|
||||
If you want to replace your RSA key by an Ed25519 one (which is optional), then you don't need to import the
|
||||
GnuPG 1.x keys as outlined above but you may run instead:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/admin/setup-gpg.sh generate --overwrite
|
||||
|
||||
Once the key has been generated, you may also want to generate a new admin key, by following this
|
||||
:ref:`section <installation/advanced:Generating and importing the admins GPG key>` of the Advanced Installation documentation.
|
||||
Note that you'll need to use the ``--overwrite`` parameter when importing:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/admin/setup-gpg.sh import --overwrite
|
||||
|
||||
Once done, a config test should work:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
|
||||
|
||||
v3.07.00 - 2021/12/13
|
||||
*********************
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ use common::sense;
|
|||
use Fcntl;
|
||||
use POSIX qw(strftime);
|
||||
|
||||
our $VERSION = '3.07.00';
|
||||
our $VERSION = '3.08.00';
|
||||
|
||||
BEGIN {
|
||||
# only used by the handler below
|
||||
|
|
|
|||
Loading…
Reference in a new issue