Authentication, authorization, traceability and auditability for SSH accesses.
v3.14.15 (2023-11-08)This release introduces two notable changes, apart from the usual fixes and enhancements:
A new global configuration option, dnsSupportLevel for systems with non-working DNS (fixes #397).
Support of the @ character when referencing the name of a remote account in a personal or group-based access (fixes #437).
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
dnsSupportLevel for systems with broken DNS (fixes #397)@ as a valid remote user charconnect.pl: don't look for error messages when sysret==0
v3.14.15 (2023-11-08)This release introduces a new global configuration option, ttyrecStealthStdoutPattern, to handle corner-cases where recording stdout of some specific commands would take up gigabytes. If you use rsync through the bastion, and noticed that some ttyrec files take up a gigantic amount of space, this might help salvaging your hard-drives!
Another noteworthy change is for users using pre-v3.14.15 scp or sftp helpers: this release introduces a compatibility logic to avoid requiring them to upgrade their helpers when JIT MFA is not required for their use case. Of course, when JIT MFA is required by policy, the connection will still fail and the only way to go through is to use the new wrappers that can support properly asking MFA to the users.
Otherwise, this release is mainly a bugfix / tiny enhancements release.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
ttyrecStealthStdoutPattern configosh-lingering-sessions-reaper.sh: handle dangling pluginsosh-orphaned-homedir.sh: also cleanup /run/faillock
scp/sftp: when using pre-v3.14.15 helpers, the JIT MFA logic now behaves as before, so that these old helpers still work when JIT MFA is not neededaccountInfo: return always_active=1 for globally-always-active accountsping: don't exit with fping when host is unreachableosh-sync-watcher: default to a valid rshcmd (fixes #433)This release fixes a security issue where JIT MFA on sftp and scp plugins was not honored. Please refer to CVE-2023-45140 for impact and mitigation details.
Upgrading to this version is sufficient to fix the issue, but please read through the specific upgrading instructions of this version.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
sftp and scp (fixes CVE-2023-45140)setup-gpg.sh: allow importing multiple public keys at onceconnect.pl: report empty ttyrec as ttyrec_empty instead of ttyrec_error
scp: adapt wrapper and tests to new scp versions requiring -O
v3.00.00 (first public version)This release fixes a possibly problematic behavior introduced in v3.13.00 when replacing sqlite logging of plugins output by ttyrec where the scp and sftp plugins, when downloading a file (from the remote server to the local machine through the bastion) would save the binary stream as part of the ttyrec file, possibly taking a lot of space when these plugins are often used.
Another, somehow niche, new feature is the support of so-called type8 and type9 hash types for egress passwords, mainly used by network devices. More information is available in the specific upgrade instructions link below.
stealth_stderr/stdout ttyrec support, enable it for scp & sftp
v3.00.00 (first public version)This minor release has only a few changes, mainly on the documentation and setup sides. Two new important documentation sections have appeared:
The features documented above have been available since v3.00.00, so updating to this version is not required to use them.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
Thanks to @toutoen and @docwalter for their contribution to this release.
v3.00.00 (first public version)The change from the previous version is:
ttyrec, as the egress connections are, instead of being stored in sqlite format
within the home folder of the account. This helps avoiding the sqlite databases growing too much in size when
accounts are using --osh commands very intensively.A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
ttyrec instead of sqlite to record plugin outputselfMFASetupPassword: restore default sighandlers to avoid being zombifiedv3.00.00 (first public version)Main changes from the previous version are:
Debian "Stretch" 9 is no longer officially supported, as this version has been EOL upstream for a few months now. This doesn't mean that the future versions of The Bastion won't work under this distro, it means that this distro release is no longer part of the automated tests. As Debian Stretch is EOL, you should consider upgrading to a more recent version, as maintaining a secured underlying OS is paramount to the whole security of The Bastion (or of any other software).
Debian "Bookworm" 12 has been part of the automated tests for a while, but is now officially supported as this has been officially released upstream.
Two new configuration parameters have been added to the selfAddPersonalAccess and accountAddPersonalAccess commands.
Side note: tagged releases are now signed. This was a prerequisite to the upcoming integrated and secure adminUpgrade command.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
(self|account)AddPersonalAccess
accountList: crash in some casesv3.00.00 (first public version)Main changes from the previous version are:
bin/admin/check_uid_gid_collisions.pl has been added, to ease procedures such as HA setup and backup restoration. The documentation has been updated accordingly to reference the proper usage of this script at the right steps.A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
groupAddServer: --force-key wasn't working properly (#259)groupInfo: reintroduce group name in human-readable output (mistakenly removed in v3.11.00)openssh-blacklist logicUseRoaming option from ssh_config
v3.00.00 (first public version)This is a hotfix release, the only fixed issue is a display issue introduced in v3.11.00 in the groupInfo command, which would always display an empty list for the gatekeepers of a group, along with "?" instead of the number of accesses for each guest.
Note that the JSON output was correct, only the human-readable output of groupInfo was impacted.
v3.00.00 (first public version)Main changes from the previous version are:
SFTP passthrough is now supported, all the commands manipulating accesses have been modified accordingly, to add the --sftp option. More information can be found in the documentation.groupInfo and accountInfo commands have been augmented with a new --all option, reserved for bastion auditors, to dump detailed data about all the groups or accounts, respectively. The amount of information to be dumped can be controlled with a series of --with-* and --without-* options, more information can be found in each command's own documentation (groupInfo and accountInfo. Prefer the use of accountInfo --all instead of accountList --audit, as the latter will be deprecated soon.Another change that should be noted is the removal of the implicit --port-any and --user-any to the self(Add|Del)PersonalAccess and account(Add|Del)PersonalAccess commands, when either --user or --port are omitted, to be consistent with group(Add|Del)Server which never had this behaviour. This always emitted a deprecation warning since the first publicly released version, encouraging the explicit use of --user-any and/or --port-any when this was desired. Now, omitting these options will simply return an error, as this has always been the case with group(Add|Del)Server.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
sftp supportgroupInfo and all accounts with accountInfo,
using --all, along with filtering additional data with --with-* and without-* new optionssetup-encryption.sh: don't require install to be called before us--(user|port)-any if omitted when using (self|account)(Add|Del)PersonalAccess commands--uid-auto option