mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-04 06:27:11 +08:00
167 lines
9.1 KiB
Markdown
167 lines
9.1 KiB
Markdown
## v3.05.01 - 2021/09/22
|
|
- feat: add ``--proactive-mfa`` and ``mfa``/``nofa`` interactive commands
|
|
- feat: ``osh-backup-acl-keys``: add the possibility to sign encrypted backups (#209)
|
|
- doc: add help about the interactive builtin commands (#227)
|
|
|
|
## v3.05.00 - 2021/09/13
|
|
- feat: support ``pam_faillock`` for Debian 11 (#163)
|
|
- feat: add ``--fallback-password-delay`` (3) for ssh password autologin
|
|
- enh: add ``max_inactive_days`` to account configuration (#230)
|
|
- enh: accountInfo: add ``--list-groups``
|
|
- enh: max account length is now 28 chars up from 18
|
|
- enh: better error message when unknown option is used
|
|
- enh: better use of account creation metadata
|
|
- enh: config reading: add rootonly parameter
|
|
- fix: ``accountCreate``: ``--uid-auto``: rare case where a free UID couldn't be found
|
|
- doc: generate scripts doc reference for satellite scripts
|
|
- doc: add faq about session locking (#226)
|
|
- misc: a few other unimportant fixes
|
|
|
|
## v3.04.00 - 2021/07/02
|
|
No changes since rc2.
|
|
|
|
## v3.03.99-rc2 - 2021/06/30
|
|
- OS support: /!\ drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
|
|
- feat: add admin and super owner accounts list in `info` plugin (#206)
|
|
- enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
|
|
- enh: tests: refactor the framework for more maintainability
|
|
- fix: `setup-first-admin-account.sh`: support to add several admins (#202)
|
|
- fix: use local `$\_` before `while(<>)` loops
|
|
- doc: added a lot of new content
|
|
- doc: `clush`: document `--user` and `--port`
|
|
- doc: several other fixes here and there
|
|
|
|
## v3.03.99-rc1 - 2021/06/03
|
|
- enh: `osh-orphaned-homedir.sh`: add more security checks to ensure we don't archive still-used home dirs
|
|
- enh: install.inc: try harder to hit GitHub API in CI
|
|
- fix: `fixrights.sh`: 'chmod --' not supported under FreeBSD
|
|
- fix: `packages-check.sh`: centos: ensure cache is up to date before trying to install packages
|
|
- fix: `groupDelServer`: missing autocompletion in interactive mode
|
|
- fix: `install-yubico-piv-checker`: ppc64le installation was broken
|
|
- fix: `scp`: abort early if host is not found to avoid a warn()
|
|
- fix: `osh-backup-acl-keys`: detect file removed transient error
|
|
- fix: add a case to the ignored perl panic race condition
|
|
- chore: `mkdir -p` doesn't fail if dir already exists
|
|
- chore: tests: support multiple unit-test files
|
|
|
|
## v3.03.01 - 2021/03/25
|
|
- enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
|
|
- enh: install.inc: try harder to hit GitHub API in CI
|
|
- fix: fixrights.sh: 'chmod --' not supported under FreeBSD
|
|
- fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
|
|
- fix: groupDelServer: missing autocompletion in interactive mode
|
|
- fix: install-yubico-piv-checker: ppc64le installation was broken
|
|
- fix: scp: abort early if host is not found to avoid a warn()
|
|
- fix: osh-backup-acl-keys: detect file removed transient error
|
|
- fix: add a case to the ignored perl panic race condition
|
|
- chore: mkdir -p doesn't fail if dir already exists
|
|
- chore: tests: support multiple unit-test files
|
|
|
|
## v3.03.00 - 2021/02/22
|
|
- feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
|
|
- feat: add `groupGenerateEgressKey` and `groupDelEgressKey` (#135)
|
|
- feat: auto-add hostname as comment in `groupAddServer` and `selfAddPersonalAccesss` (side-note in #60)
|
|
- enh: `groupAddGuestAccess` now supports setting a comment (#17, #18)
|
|
- enh: `groupAddServer`: augment the returned JSON with the added server details
|
|
- enh: move unexpected-sudo messages from `security` to `code-warning` type
|
|
- enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
|
|
- fix: `groupDelGuestAccess`: deleting a guest access returned an error on TTL-forced groups
|
|
- fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
|
|
- fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
|
|
- fix: `groupModify`: deny early if user is not an owner of the group
|
|
- enh: `groupInfo`: nicer message when no egress key exists
|
|
- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter now does nothing)
|
|
- fix: `interactive`: omit inactivity message warning when set to 0 seconds
|
|
- a few other internal fixes here and there
|
|
|
|
## v3.02.00 - 2021/02/01
|
|
- no functional change since rc4, this version ends the rc cycle and is considered stable
|
|
|
|
## v3.01.99-rc4 - 2021/01/25
|
|
- fix: admins no longer inherited superowner powers (since rc1)
|
|
|
|
## v3.01.99-rc3 - 2021/01/21
|
|
- feat: `rootListIngressKeys`: look for all well-known authkeys files
|
|
- feat: add `--(in|ex)clude` filters to `groupList` and `accountList`
|
|
- enh: groupList: use cache to speedup calls
|
|
- enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125)
|
|
- fix: scripts: `(( ))` returns 1 if evaluated to zero, hence failing under `set -e`
|
|
- fix: config: be more permissive for `documentationURL` regex
|
|
- fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
|
|
- fix: confusing error messages in `groupDelServer`
|
|
- chore: tests: also update totalerrors while tests are running
|
|
|
|
## v3.01.99-rc2 - 2021/01/12
|
|
- fix: re-introduce the ttyrecfile field (fixes #114)
|
|
- fix: logs: sql dbname was not properly passed through the update logs func (fixes #114)
|
|
- doc: upgrade: add a note about config normalization
|
|
- chore: fix: documentation build was missing a prereq
|
|
|
|
## v3.01.99-rc1 - 2021/01/12
|
|
- feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
|
|
- feat: revamp logs (see the UPGRADING section of the documentation)
|
|
- feat: realms: use remote bastion MFA validation information for local policy enforcement
|
|
- feat: add `LC_BASTION_DETAILS` envvar so that remote hosts can gather more information about the connection
|
|
- feat: `accountModify`: add --osh-only policy (closes #97)
|
|
- enh: satellite scripts: better error handling
|
|
- enh: config: better parsing and normalization
|
|
- fix: groupList: remove 9K group limit
|
|
- fix: realmDelete: bad sudoers configuration
|
|
- fix: global-log: directly set proper perms on file creation
|
|
- fix: remove useless warning when there is no guest access
|
|
- fix: proper sqlite log location for invalid realm accounts
|
|
- fix: tests: syslog-logged errors were not counted towards the total
|
|
- chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
|
|
- chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.
|
|
|
|
## v3.01.03 - 2020/12/15
|
|
- fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
|
|
- fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
|
|
- fix: osh.pl: plugin_config 'disabled' key is a boolean
|
|
- chore: speedup tests by ~20%
|
|
- chore: osh-accountDelete: fix typo
|
|
|
|
## v3.01.02 - 2020/12/08
|
|
- fix: is_valid_remote_user: extend allowed size from 32 to 128
|
|
- feat: add support for CentOS 8.3
|
|
- doc: bastion.conf.dist: accountMFAPolicy wrong options values in comment
|
|
- chore: tests: now test the 3 more recent minor versions of CentOS 7 and CentOS 8
|
|
|
|
## v3.01.01 - 2020/12/04
|
|
- fix: interactive mode: mark non-printable chars as such to avoid readline quirks
|
|
- fix: osh-encrypt-rsync: remove 'logfile' as mandatory parameter
|
|
- fix: typo in MFAPasswordWarnDays parameter in bastion.conf.dist
|
|
- enh: interactive mode: better autocompletion for accountCreate and adminSudo
|
|
- enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
|
|
- doc: add information about puppet-thebastion and yubico-piv-checker + some adjustments
|
|
- chore: tests: fail the tests when code is not tidy
|
|
|
|
## v3.01.00 - 2020/11/20
|
|
- feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
|
|
- feat: partial MFA support for FreeBSD
|
|
- feat: add interactiveModeByDefault option (#54)
|
|
- feat: install: add SELinux module for TOTP MFA (#26)
|
|
- enh: httpproxy: add informational headers to the egress side request
|
|
- fix: osh.pl: validate remote user and host format to fail early if invalid
|
|
- fix: osh-encrypt-rsync.pl: allow more broad chars to avoid letting weird-named files behind
|
|
- fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss /root/.gnupg/secring.gpg
|
|
- fix: selfListSessions: bad sorting of the list
|
|
- misc: a few other fixes here and there
|
|
|
|
## v3.00.02 - 2020/11/16
|
|
- feat: add more archs to dockerhub sandbox
|
|
- fix: adminSudo: allow called plugins to read from stdin (#43)
|
|
- fix: add missing `echo` in the entrypoint of the sandbox
|
|
- chore: install-ttyrec.sh: adapt for multiarch
|
|
|
|
## v3.00.01 - 2020/11/06
|
|
- feat: add OpenSUSE 15.2 to the officially supported distros
|
|
- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
|
|
- enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
|
|
- enh: provide a separated Dockerfile for the sandbox, squashing useless layers
|
|
- doc: a lot of fixes here and there
|
|
- chore: remove spurious config files
|
|
- chore: a few GitHub actions workflow fixes
|
|
|
|
## v3.00.00 - 2020/10/30
|
|
- First public release \o/
|