From d7a898a5fafc22d344f097a9745851eb095e97cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Wed, 29 Dec 2021 17:23:01 +0000 Subject: [PATCH] Release v3.08.00 --- doc/CHANGELOG.md | 20 +++++- doc/sphinx/installation/advanced.rst | 6 +- doc/sphinx/installation/upgrading.rst | 87 +++++++++++++++++++++++++++ lib/perl/OVH/Bastion.pm | 2 +- 4 files changed, 109 insertions(+), 6 deletions(-) diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index fcb35ee..e0e8ab3 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,17 @@ +## v3.08.00 - 2022/01/04 +- feat: move scripts to GnuPG 2.x, add tests & doc +- feat: add new OSes (Debian "Bullseye" 11, RockyLinux 8.x) and deprecate + old ones (OpenSUSE Leap 15.2, older minor releases of CentOS 7.x and 8.x) +- feat: add the ``accountUnlock`` restricted plugin +- enh: detect silent password change failures +- enh: ``batch``: detect when asked to start a plugin requiring MFA +- enh: rewrite ``packages-check.sh``, ``perl-tidy.sh`` and ``shell-check.sh`` with + more features and deprecated code removed +- feat: add the ``code-info`` syslog type in addition to ``code-warn`` +- enh: tests: ``--module`` can now be specified multiple times +- fix: FreeBSD tests & portions of code, regression since v3.03.99-rc2 +- chore: install: remove obsolete upgrading sections for pre-v3.x versions + ## v3.07.00 - 2021/12/13 - feat: add support for Duo PAM auth as MFA (#249) - feat: new access option: `--force-password `, to only try one specific egress password (#256) 
@@ -87,7 +101,8 @@ No changes since rc2. - fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error - fix: `groupModify`: deny early if user is not an owner of the group - enh: `groupInfo`: nicer message when no egress key exists -- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter now does nothing) +- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed + (and the `--no-wait` parameter now does nothing) - fix: `interactive`: omit inactivity message warning when set to 0 seconds - a few other internal fixes here and there @@ -173,7 +188,8 @@ No changes since rc2. ## v3.00.01 - 2020/11/06 - feat: add OpenSUSE 15.2 to the officially supported distros -- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise +- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb + and .rpm packages & falls back to precompiled static binaries otherwise - enh: packages-check.sh: add qrencode-libs for RHEL/CentOS - enh: provide a separated Dockerfile for the sandbox, squashing useless layers - doc: a lot of fixes here and there diff --git a/doc/sphinx/installation/advanced.rst b/doc/sphinx/installation/advanced.rst index 3f76c5c..c7c62dd 100644 --- a/doc/sphinx/installation/advanced.rst +++ b/doc/sphinx/installation/advanced.rst 
@@ -152,13 +152,13 @@ Once you are done with you configuration, you might want to test it by running: .. code-block:: shell - /opt/bastion/bin/admin/osh-encrypt-rsync.pl --config-test + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test Or even go further by starting the script in dry-run mode: .. code-block:: shell - /opt/bastion/bin/admin/osh-encrypt-rsync.pl --dry-run + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --dry-run Configuring keys, accounts & groups remote backup ================================================= @@ -178,7 +178,7 @@ start the script manually: .. code-block:: shell :emphasize-lines: 1 - /opt/bastion/bin/admin/osh-backup-acl-keys.sh + /opt/bastion/bin/cron/osh-backup-acl-keys.sh Pushing backup file (/root/backups/backup-2020-05-25.tar.gz.gpg) remotely... backup-2020-05-25.tar.gz.gpg diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index 63c921a..6261f36 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst 
@@ -27,6 +27,93 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.08.00 - 2022/01/04 +********************* + +This version replaces usage of GnuPG 1.x by GnuPG 2.x for the backup/encrypt/rsync satellite scripts, namely: + +- ``bin/cron/osh-backup-acl-keys.sh`` +- ``bin/cron/osh-encrypt-rsync.pl`` + +These are optionally used to help you backup your system, and encrypt/move out ttyrec files. +If you don't use these scripts and never configured them as seen in the :doc:`/installation/advanced` section, +then you have nothing to do. + +The script ``setup-gpg.sh`` will now create an Ed25519 key by default, instead of a 4K RSA key. +This type of key is usually seen as more secure (elliptic curve cryptography), and faster than RSA keys. +If you have already configured your system, then the above scripts will continue using the previously generated +RSA key, unless you generate a new key and reference it in the scripts configuration files. + +If you want to generate new Ed25519 keys instead of using your preexisting RSA keys, you may proceed +to the :ref:`Ed25519 section below `. + +Otherwise, on the first run, GnuPG 2.x should transparently import the 1.x keyring. +To verify that it worked correctly, you may want to try: + +.. code-block:: shell + + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test + +If you see *Config test passed*, and you're okay using your preexisting 4K RSA key, then you may stop here. + +If the test fails, and you know that before upgrading, this script worked correctly, then you might need to +manually import the GnuPG 1.x public keys: + +.. code-block:: shell + + gpg1 --armor --export | gpg --import + +Then, try again: + +.. code-block:: shell + + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test + +If you don't see any errors here, you're done. + +If you still see errors, then you might need to manually import the private key: + +.. 
code-block:: shell + + gpg1 --armor --export-secret-keys | gpg --import + +You may get asked for a password for the bastion secret key, which should be found in +``/etc/bastion/osh-encrypt-rsync.conf.d/50-gpg-bastion-key.conf`` if you previously used the script to generate it. + +A last config test should now work: + +.. code-block:: shell + + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test + +If you prefer to generate Ed25519 keys instead, then you can proceed to the next section. + +.. _upgrading_ed25519: + +Ed25519 +------- + +If you want to replace your RSA key by an Ed25519 one (which is optional), then you don't need to import the +GnuPG 1.x keys as outlined above but you may run instead: + +.. code-block:: shell + + /opt/bastion/bin/admin/setup-gpg.sh generate --overwrite + +Once the key has been generated, you may also want to generate a new admin key, by following this +:ref:`section ` of the Advanced Installation documentation. +Note that you'll need to use the ``--overwrite`` parameter when importing: + +.. code-block:: shell + + /opt/bastion/bin/admin/setup-gpg.sh import --overwrite + +Once done, a config test should work: + +.. code-block:: shell + + /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test + v3.07.00 - 2021/12/13 ********************* diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index 6143561..8f52970 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -5,7 +5,7 @@ use common::sense; use Fcntl; use POSIX qw(strftime); -our $VERSION = '3.07.00'; +our $VERSION = '3.08.00'; BEGIN { # only used by the handler below
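Review bot: in the first doc/CHANGELOG.md hunk (@@ -1,3 +1,17 @@), the new v3.08.00 entry marks inline code with double backticks (``accountUnlock``, ``batch``, ``packages-check.sh``) whereas every other entry in this Markdown file uses single backticks (`groupModify`, `--force-password`); both render, but the mixed style is noticeable, so suggest single backticks here. Also, the entry is dated 2022/01/04 while the commit header is dated 29 Dec 2021; that is fine if the tag is cut on the later date, but confirm the tag date and the changelog heading agree before release.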
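Review bot: the doc/sphinx/installation/advanced.rst hunk at @@ -152,13 +152,13 @@ corrects the script location from `bin/admin` to `bin/cron`, but the unchanged context line "Once you are done with you configuration" has a typo ("you" for "your") that could be fixed in the same patch. Since the documented path of osh-encrypt-rsync.pl and osh-backup-acl-keys.sh changes here, also grep the rest of the docs and any crontab examples for the old `/opt/bastion/bin/admin/osh-encrypt-rsync.pl` and `/opt/bastion/bin/admin/osh-backup-acl-keys.sh` strings so no stale reference remains.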
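Review bot: in the doc/sphinx/installation/upgrading.rst hunk (@@ -27,6 +27,93 @@), the two cross-references ":ref:`Ed25519 section below `" and ":ref:`section `" show no explicit target in the patch; if the `<upgrading_ed25519>` part (and the target for the Advanced Installation section) was really dropped rather than lost in transit, Sphinx will not resolve them, so verify they read `:ref:`Ed25519 section below <upgrading_ed25519>``. Three further documentation points: (1) the fallback commands `gpg1 --armor --export | gpg --import` and `gpg1 --armor --export-secret-keys | gpg --import` assume the `gpg1` binary is still present after the upgrade, so the text should say to keep the GnuPG 1.x package installed until `--config-test` passes (the binary name can differ per distribution); (2) the passphrase for the bastion secret key is said to live in ``/etc/bastion/osh-encrypt-rsync.conf.d/50-gpg-bastion-key.conf``, and since that passphrase plus the exported secret key decrypt every archived ttyrec, a reminder that this file must remain readable by root only would fit here; (3) in the Ed25519 section, `setup-gpg.sh generate --overwrite` replaces the RSA key, but archives already encrypted to that RSA key can only be decrypted with it, so the text should state whether the old secret key is retained and, if not, instruct readers to keep an offline backup of it before overwriting. Minor wording: "replaces usage of GnuPG 1.x by GnuPG 2.x" reads better as "with GnuPG 2.x".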
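Review bot: the lib/perl/OVH/Bastion.pm hunk bumps `$VERSION` to '3.08.00', which matches the new changelog heading and the upgrading.rst section title; since this string is what the release is identified by at runtime, a small test that the first `## v` heading in doc/CHANGELOG.md equals `$OVH::Bastion::VERSION` would catch the two drifting apart in future release commits.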