Release v3.08.00

This commit is contained in:
Stéphane Lesimple 2021-12-29 17:23:01 +00:00 committed by Stéphane Lesimple
parent 1c8efa6590
commit d7a898a5fa
4 changed files with 109 additions and 6 deletions

View file

@ -1,3 +1,17 @@
## v3.08.00 - 2022/01/04
- feat: move scripts to GnuPG 2.x, add tests & doc
- feat: add new OSes (Debian "Bullseye" 11, RockyLinux 8.x) and deprecate
old ones (OpenSUSE Leap 15.2, older minor releases of CentOS 7.x and 8.x)
- feat: add the ``accountUnlock`` restricted plugin
- enh: detect silent password change failures
- enh: ``batch``: detect when asked to start a plugin requiring MFA
- enh: rewrite ``packages-check.sh``, ``perl-tidy.sh`` and ``shell-check.sh`` with
more features and deprecated code removed
- feat: add the ``code-info`` syslog type in addition to ``code-warn``
- enh: tests: ``--module`` can now be specified multiple times
- fix: FreeBSD tests & portions of code, regression since v3.03.99-rc2
- chore: install: remove obsolete upgrading sections for pre-v3.x versions
## v3.07.00 - 2021/12/13 ## v3.07.00 - 2021/12/13
- feat: add support for Duo PAM auth as MFA (#249) - feat: add support for Duo PAM auth as MFA (#249)
- feat: new access option: `--force-password <HASH>`, to only try one specific egress password (#256) - feat: new access option: `--force-password <HASH>`, to only try one specific egress password (#256)
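Review bot: the "move scripts to GnuPG 2.x" entry at the top of the v3.08.00 list changes key handling for the backup and encrypt/rsync scripts and can require a manual keyring migration on existing installs; consider pointing this changelog line at the version-specific upgrade instructions (and their `--config-test` check) so that operators who only read the changelog know the upgrade is not a drop-in one for these two scripts.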
@ -87,7 +101,8 @@ No changes since rc2.
- fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error - fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
- fix: `groupModify`: deny early if user is not an owner of the group - fix: `groupModify`: deny early if user is not an owner of the group
- enh: `groupInfo`: nicer message when no egress key exists - enh: `groupInfo`: nicer message when no egress key exists
- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter now does nothing) - enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed
(and the `--no-wait` parameter now does nothing)
- fix: `interactive`: omit inactivity message warning when set to 0 seconds - fix: `interactive`: omit inactivity message warning when set to 0 seconds
- a few other internal fixes here and there - a few other internal fixes here and there
@ -173,7 +188,8 @@ No changes since rc2.
## v3.00.01 - 2020/11/06 ## v3.00.01 - 2020/11/06
- feat: add OpenSUSE 15.2 to the officially supported distros - feat: add OpenSUSE 15.2 to the officially supported distros
- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise - enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb
and .rpm packages & falls back to precompiled static binaries otherwise
- enh: packages-check.sh: add qrencode-libs for RHEL/CentOS - enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
- enh: provide a separated Dockerfile for the sandbox, squashing useless layers - enh: provide a separated Dockerfile for the sandbox, squashing useless layers
- doc: a lot of fixes here and there - doc: a lot of fixes here and there

View file

@ -152,13 +152,13 @@ Once you are done with you configuration, you might want to test it by running:
.. code-block:: shell .. code-block:: shell
/opt/bastion/bin/admin/osh-encrypt-rsync.pl --config-test /opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
Or even go further by starting the script in dry-run mode: Or even go further by starting the script in dry-run mode:
.. code-block:: shell .. code-block:: shell
/opt/bastion/bin/admin/osh-encrypt-rsync.pl --dry-run /opt/bastion/bin/cron/osh-encrypt-rsync.pl --dry-run
Configuring keys, accounts & groups remote backup Configuring keys, accounts & groups remote backup
================================================= =================================================
@ -178,7 +178,7 @@ start the script manually:
.. code-block:: shell .. code-block:: shell
:emphasize-lines: 1 :emphasize-lines: 1
/opt/bastion/bin/admin/osh-backup-acl-keys.sh /opt/bastion/bin/cron/osh-backup-acl-keys.sh
Pushing backup file (/root/backups/backup-2020-05-25.tar.gz.gpg) remotely... Pushing backup file (/root/backups/backup-2020-05-25.tar.gz.gpg) remotely...
backup-2020-05-25.tar.gz.gpg backup-2020-05-25.tar.gz.gpg

View file

@ -27,6 +27,93 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
Version-specific upgrade instructions Version-specific upgrade instructions
===================================== =====================================
v3.08.00 - 2022/01/04
*********************
This version replaces usage of GnuPG 1.x by GnuPG 2.x for the backup/encrypt/rsync satellite scripts, namely:
- ``bin/cron/osh-backup-acl-keys.sh``
- ``bin/cron/osh-encrypt-rsync.pl``
These are optionally used to help you backup your system, and encrypt/move out ttyrec files.
If you don't use these scripts and never configured them as seen in the :doc:`/installation/advanced` section,
then you have nothing to do.
The script ``setup-gpg.sh`` will now create an Ed25519 key by default, instead of a 4K RSA key.
This type of key is usually seen as more secure (elliptic curve cryptography), and faster than RSA keys.
If you have already configured your system, then the above scripts will continue using the previously generated
RSA key, unless you generate a new key and reference it in the scripts configuration files.
If you want to generate new Ed25519 keys instead of using your preexisting RSA keys, you may proceed
to the :ref:`Ed25519 section below <upgrading_ed25519>`.
Otherwise, on the first run, GnuPG 2.x should transparently import the 1.x keyring.
To verify that it worked correctly, you may want to try:
.. code-block:: shell
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
If you see *Config test passed*, and you're okay using your preexisting 4K RSA key, then you may stop here.
If the test fails, and you know that before upgrading, this script worked correctly, then you might need to
manually import the GnuPG 1.x public keys:
.. code-block:: shell
gpg1 --armor --export | gpg --import
Then, try again:
.. code-block:: shell
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
If you don't see any errors here, you're done.
If you still see errors, then you might need to manually import the private key:
.. code-block:: shell
gpg1 --armor --export-secret-keys | gpg --import
You may get asked for a password for the bastion secret key, which should be found in
``/etc/bastion/osh-encrypt-rsync.conf.d/50-gpg-bastion-key.conf`` if you previously used the script to generate it.
A last config test should now work:
.. code-block:: shell
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
If you prefer to generate Ed25519 keys instead, then you can proceed to the next section.
.. _upgrading_ed25519:
Ed25519
-------
If you want to replace your RSA key by an Ed25519 one (which is optional), then you don't need to import the
GnuPG 1.x keys as outlined above but you may run instead:
.. code-block:: shell
/opt/bastion/bin/admin/setup-gpg.sh generate --overwrite
Once the key has been generated, you may also want to generate a new admin key, by following this
:ref:`section <installation/advanced:Generating and importing the admins GPG key>` of the Advanced Installation documentation.
Note that you'll need to use the ``--overwrite`` parameter when importing:
.. code-block:: shell
/opt/bastion/bin/admin/setup-gpg.sh import --overwrite
Once done, a config test should work:
.. code-block:: shell
/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test
v3.07.00 - 2021/12/13 v3.07.00 - 2021/12/13
********************* *********************
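Review bot: the Ed25519 section (``setup-gpg.sh generate --overwrite`` and ``import --overwrite``) does not say what happens to the previously generated RSA key; since backups and ttyrec files already encrypted with that key can only be decrypted with it, the text should state whether ``--overwrite`` removes it and remind the reader to keep the old key (or an export of it) available before generating the new one. A smaller documentation point in the same hunk: the passphrase of the bastion secret key is described as living in ``/etc/bastion/osh-encrypt-rsync.conf.d/50-gpg-bastion-key.conf``; stating the expected owner and permissions of that file next to the ``gpg1 --armor --export-secret-keys | gpg --import`` step would help readers check it while they are handling the private key.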

View file

@ -5,7 +5,7 @@ use common::sense;
use Fcntl; use Fcntl;
use POSIX qw(strftime); use POSIX qw(strftime);
our $VERSION = '3.07.00'; our $VERSION = '3.08.00';
BEGIN { BEGIN {
# only used by the handler below # only used by the handler below