For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to workaround problems
in commands such as ``clush`` or ``batch``, and interactive mode.
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
Before, an inconsistency in the configuration settings of the warnBefore(Lock|Kill)Seconds
and idle(Lock|Kill)Timeout could break any new connection (ttyrec refuses to launch).
Now we detect this case properly, and fallback to a sane setting for
warnBefore(Lock|Kill)Seconds (zero) if those were set without enabling the corresponding
idle(Lock|Kill)Timeout setting. We also log an error to syslog when it happens,
so that the sysadmin can fix their configuration.
Added hints about how these configuration options work together in the bastion.conf.dist file.
Fixes#125
We now warn (to syslog) for invalid values where
we have to fallback to defaults, and for boolean
options, actual true/false JSON values are now
properly recognized. 0 and 1 will still always
be parsed correctly, to not break compatibility.
