ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-09-20 23:15:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
the-bastion/doc/CHANGELOG.md
Stéphane Lesimple b5c5d9d5ee release v3.05.01
2021-09-22 10:43:40 +02:00

9.1 KiB
Raw Blame History

v3.05.01 - 2021/09/22

  • feat: add --proactive-mfa and mfa/nofa interactive commands
  • feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209)
  • doc: add help about the interactive builtin commands (#227)

v3.05.00 - 2021/09/13

  • feat: support pam_faillock for Debian 11 (#163)
  • feat: add --fallback-password-delay (3) for ssh password autologin
  • enh: add max_inactive_days to account configuration (#230)
  • enh: accountInfo: add --list-groups
  • enh: max account length is now 28 chars up from 18
  • enh: better error message when unknown option is used
  • enh: better use of account creation metadata
  • enh: config reading: add rootonly parameter
  • fix: accountCreate: --uid-auto: rare case where a free UID couldn't be found
  • doc: generate scripts doc reference for satellite scripts
  • doc: add faq about session locking (#226)
  • misc: a few other unimportant fixes

v3.04.00 - 2021/07/02

No changes since rc2.

v3.03.99-rc2 - 2021/06/30

  • OS support: /!\ drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
  • feat: add admin and super owner accounts list in info plugin (#206)
  • enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
  • enh: tests: refactor the framework for more maintainability
  • fix: setup-first-admin-account.sh: support to add several admins (#202)
  • fix: use local $\_ before while(<>) loops
  • doc: added a lot of new content
  • doc: clush: document --user and --port
  • doc: several other fixes here and there

v3.03.99-rc1 - 2021/06/03

  • enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
  • enh: install.inc: try harder to hit GitHub API in CI
  • fix: fixrights.sh: 'chmod --' not supported under FreeBSD
  • fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
  • fix: groupDelServer: missing autocompletion in interactive mode
  • fix: install-yubico-piv-checker: ppc64le installation was broken
  • fix: scp: abort early if host is not found to avoid a warn()
  • fix: osh-backup-acl-keys: detect file removed transient error
  • fix: add a case to the ignored perl panic race condition
  • chore: mkdir -p doesn't fail if dir already exists
  • chore: tests: support multiple unit-test files

v3.03.01 - 2021/03/25

  • enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
  • enh: install.inc: try harder to hit GitHub API in CI
  • fix: fixrights.sh: 'chmod --' not supported under FreeBSD
  • fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
  • fix: groupDelServer: missing autocompletion in interactive mode
  • fix: install-yubico-piv-checker: ppc64le installation was broken
  • fix: scp: abort early if host is not found to avoid a warn()
  • fix: osh-backup-acl-keys: detect file removed transient error
  • fix: add a case to the ignored perl panic race condition
  • chore: mkdir -p doesn't fail if dir already exists
  • chore: tests: support multiple unit-test files

v3.03.00 - 2021/02/22

  • feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
  • feat: add groupGenerateEgressKey and groupDelEgressKey (#135)
  • feat: auto-add hostname as comment in groupAddServer and selfAddPersonalAccesss (side-note in #60)
  • enh: groupAddGuestAccess now supports setting a comment (#17, #18)
  • enh: groupAddServer: augment the returned JSON with the added server details
  • enh: move unexpected-sudo messages from security to code-warning type
  • enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
  • fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
  • fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
  • fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
  • fix: groupModify: deny early if user is not an owner of the group
  • enh: groupInfo: nicer message when no egress key exists
  • enh: install: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the --no-wait parameter now does nothing)
  • fix: interactive: omit inactivity message warning when set to 0 seconds
  • a few other internal fixes here and there

v3.02.00 - 2021/02/01

  • no functional change since rc4, this version ends the rc cycle and is considered stable

v3.01.99-rc4 - 2021/01/25

  • fix: admins no longer inherited superowner powers (since rc1)

v3.01.99-rc3 - 2021/01/21

  • feat: rootListIngressKeys: look for all well-known authkeys files
  • feat: add --(in|ex)clude filters to groupList and accountList
  • enh: groupList: use cache to speedup calls
  • enh: config: detect warnBefore/idleTimeout misconfiguration (#125)
  • fix: scripts: (( )) returns 1 if evaluated to zero, hence failing under set -e
  • fix: config: be more permissive for documentationURL regex
  • fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
  • fix: confusing error messages in groupDelServer
  • chore: tests: also update totalerrors while tests are running

v3.01.99-rc2 - 2021/01/12

  • fix: re-introduce the ttyrecfile field (fixes #114)
  • fix: logs: sql dbname was not properly passed through the update logs func (fixes #114)
  • doc: upgrade: add a note about config normalization
  • chore: fix: documentation build was missing a prereq

v3.01.99-rc1 - 2021/01/12

  • feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
  • feat: revamp logs (see the UPGRADING section of the documentation)
  • feat: realms: use remote bastion MFA validation information for local policy enforcement
  • feat: add LC_BASTION_DETAILS envvar so that remote hosts can gather more information about the connection
  • feat: accountModify: add --osh-only policy (closes #97)
  • enh: satellite scripts: better error handling
  • enh: config: better parsing and normalization
  • fix: groupList: remove 9K group limit
  • fix: realmDelete: bad sudoers configuration
  • fix: global-log: directly set proper perms on file creation
  • fix: remove useless warning when there is no guest access
  • fix: proper sqlite log location for invalid realm accounts
  • fix: tests: syslog-logged errors were not counted towards the total
  • chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
  • chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.

v3.01.03 - 2020/12/15

  • fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
  • fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
  • fix: osh.pl: plugin_config 'disabled' key is a boolean
  • chore: speedup tests by ~20%
  • chore: osh-accountDelete: fix typo

v3.01.02 - 2020/12/08

  • fix: is_valid_remote_user: extend allowed size from 32 to 128
  • feat: add support for CentOS 8.3
  • doc: bastion.conf.dist: accountMFAPolicy wrong options values in comment
  • chore: tests: now test the 3 more recent minor versions of CentOS 7 and CentOS 8

v3.01.01 - 2020/12/04

  • fix: interactive mode: mark non-printable chars as such to avoid readline quirks
  • fix: osh-encrypt-rsync: remove 'logfile' as mandatory parameter
  • fix: typo in MFAPasswordWarnDays parameter in bastion.conf.dist
  • enh: interactive mode: better autocompletion for accountCreate and adminSudo
  • enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
  • doc: add information about puppet-thebastion and yubico-piv-checker + some adjustments
  • chore: tests: fail the tests when code is not tidy

v3.01.00 - 2020/11/20

  • feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
  • feat: partial MFA support for FreeBSD
  • feat: add interactiveModeByDefault option (#54)
  • feat: install: add SELinux module for TOTP MFA (#26)
  • enh: httpproxy: add informational headers to the egress side request
  • fix: osh.pl: validate remote user and host format to fail early if invalid
  • fix: osh-encrypt-rsync.pl: allow more broad chars to avoid letting weird-named files behind
  • fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss /root/.gnupg/secring.gpg
  • fix: selfListSessions: bad sorting of the list
  • misc: a few other fixes here and there

v3.00.02 - 2020/11/16

  • feat: add more archs to dockerhub sandbox
  • fix: adminSudo: allow called plugins to read from stdin (#43)
  • fix: add missing echo in the entrypoint of the sandbox
  • chore: install-ttyrec.sh: adapt for multiarch

v3.00.01 - 2020/11/06

  • feat: add OpenSUSE 15.2 to the officially supported distros
  • enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
  • enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
  • enh: provide a separated Dockerfile for the sandbox, squashing useless layers
  • doc: a lot of fixes here and there
  • chore: remove spurious config files
  • chore: a few GitHub actions workflow fixes

v3.00.00 - 2020/10/30

  • First public release \o/