Authentication, authorization, traceability and auditability for SSH accesses.
v3.00.00 (first public version)Main changes from the previous version are:
SFTP passthrough is now supported, all the commands manipulating accesses have been modified accordingly, to add the --sftp option. More information can be found in the documentation.groupInfo and accountInfo commands have been augmented with a new --all option, reserved for bastion auditors, to dump detailed data about all the groups or accounts, respectively. The amount of information to be dumped can be controlled with a series of --with-* and --without-* options, more information can be found in each command's own documentation (groupInfo and accountInfo. Prefer the use of accountInfo --all instead of accountList --audit, as the latter will be deprecated soon.Another change that should be noted is the removal of the implicit --port-any and --user-any to the self(Add|Del)PersonalAccess and account(Add|Del)PersonalAccess commands, when either --user or --port are omitted, to be consistent with group(Add|Del)Server which never had this behaviour. This always emitted a deprecation warning since the first publicly released version, encouraging the explicit use of --user-any and/or --port-any when this was desired. Now, omitting these options will simply return an error, as this has always been the case with group(Add|Del)Server.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
sftp supportgroupInfo and all accounts with accountInfo,
using --all, along with filtering additional data with --with-* and without-* new optionssetup-encryption.sh: don't require install to be called before us--(user|port)-any if omitted when using (self|account)(Add|Del)PersonalAccess commands--uid-auto optionv3.00.00 (first public version)Main changes from the previous version are:
accountFreeze and accountUnfreeze, to temporarily disable an account, in a reversible way.accountInfo commands: --no-password-info and --no-output, to get a speed boost when those informations are not needed by the callerA more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
accountFreeze/accountUnfreeze commandsaccountInfo: add --no-password-info and --no-output options
v3.00.00 (first public version)Previous version (v3.09.01) was tagged but not released, main change since last released version is a speedup of the internal execute() function, speeding up several portions of the code.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
scp's CVE-2020-15778 (upstream doesn't consider it a bug)batch: don't attempt to read if STDIN is closedexecute() way WAY fasterv3.00.00 (first public version)This version has quite a lot of commits. This includes a standardization of satellite scripts configuration format and standard parameters, hence some configuration review might need to be done after upgrading (detailed in the specific upgrades instructions below).
The 3 main changes of this version are:
The osh-encrypt-rsync.pl script functionalities have been extended to not only cover the encryption/rotation/exporting of ttyrec files, but now also each user's local access logs and sql logs, where applicable. Previously, these logs where handled by the compress-old-logs.sh script, which was just compressing these files in-place. The latter script has now been removed in favor of the new features of osh-encrypt-rsync.pl, which not only handles compression/encryption, but also export of these files to the same remote escrow filer than you may have configured for your ttyrec files.
The NRPE probes we use to monitor our bastion clusters have been added to the contrib/ folder, if you're using Nagios, Icinga or any other NRPE-compatible monitoring system, you might want to have a look to said folder.
Ubuntu 22.04 LTS is now supported and part of the automated tests. CentOS 8 has been removed, as this distribution has been EOL for some time. The software might still work for the meantime, but any potential future incompatibility might go undetected, and is not guaranteed to be fixed. Note that however, RockyLinux 8 is supported and tested.
As a side note, an overhaul of the left menu of the documentation has been done, in an effort to enhance documentation navigation as the documentation book thickens.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
osh-encrypt-rsync.pl: handle sqlite and user logs along with ttyrec filescompress-old-logs.sh script, as osh-encrypt-rsync.pl does the job nowosh-cleanup-guest-key-access.pl scriptcontrib/
osh-lingering-sessions-reaper.pl: make it configurableosh-piv-grace-reaper.pl: run only on master, standardize config readingaccountDelete
ping: force a deadline, and restore default sighandlersaccountInfo: missing creation date on non-json outputosh-remove-empty-folders.pl: fix folders counting (logging only)osh-encrypt-rsync.pl: delete +a source files properlyosh-encrypt-rsync.pl: ensure $verbose is always set & make it configurableinstall: ensure that the healthcheck user can always connect from 127.0.0.1install: avoid cases of sigpipe on tr
{group,account}Delete: move() would sometimes fail, replace by mvgetpw/getgr funcsNote that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
v3.00.00 (first public version)Please refer to the rc1 changelog.
since rc2:
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
v3.00.00 (first public version)Please refer to the rc2 changelog.
since rc2:
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
v3.00.00 (first public version)Please refer to the rc1 changelog.
since rc1:
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
v3.00.00 (first public version)This version has quite a lot of commits. This includes a standardization of satellite scripts configuration format and standard parameters, hence some configuration review might need to be done after upgrading (detailed in the specific upgrades instructions below).
The 3 main changes of this version are:
The osh-encrypt-rsync.pl script functionalities have been extended to not only cover the encryption/rotation/exporting of ttyrec files, but now also each user's local access logs and sql logs, where applicable. Previously, these logs where handled by the compress-old-logs.sh script, which was just compressing these files in-place. The latter script has now been removed in favor of the new features of osh-encrypt-rsync.pl, which not only handles compression/encryption, but also export of these files to the same remote escrow filer than you may have configured for your ttyrec files.
The NRPE probes we use to monitor our bastion clusters have been added to the contrib/ folder, if you're using Nagios, Icinga or any other NRPE-compatible monitoring system, you might want to have a look to said folder.
Ubuntu 22.04 LTS is now supported and part of the automated tests. CentOS 8 has been removed, as this distribution has been EOL for some time. The software might still work for the meantime, but any potential future incompatibility might go undetected, and is not guaranteed to be fixed. Note that however, RockyLinux 8 is supported and tested.
As a side note, an overhaul of the left menu of the documentation has been done, in an effort to enhance documentation navigation as the documentation book thickens.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
osh-encrypt-rsync.pl: handle sqlite and user logs along with ttyrec filescompress-old-logs.sh script, as osh-encrypt-rsync.pl does the job nowosh-cleanup-guest-key-access.pl scriptcontrib/
osh-lingering-sessions-reaper.pl: make it configurableosh-piv-grace-reaper.pl: run only on master, standardize config readingaccountDelete
ping: force a deadline, and restore default sighandlersaccountInfo: missing creation date on non-json outputosh-remove-empty-folders.pl: fix folders counting (logging only)osh-encrypt-rsync.pl: delete +a source files properlyosh-encrypt-rsync.pl: ensure $verbose is always set & make it configurableinstall: ensure that the healthcheck user can always connect from 127.0.0.1install: avoid cases of sigpipe on tr
{group,account}Delete: move() would sometimes fail, replace by mvgetpw/getgr funcsv3.00.00 (first public version)The main change of this version is:
ttyrec/ directory of users homes, which may contain a high amount of empty folders for busy users tonnecting to a lot of different servers, as we create one folder per destination IP.An exhaustive list of changes can be found below.
osh-remove-empty-folders.sh scriptaccountDelete & groupDelete
v3.00.00 (first public version)The 2 main changes of this version are:
System scripts are now using GnuPG 2.x instead of GnuPG 1.x. All supported OSes do support GnuPG 2.x. The 2.x series of GnuPG support more key algorithms (such as ECDSA and Ed25519), for both higher security and speed. Please refer to the specific upgrade instructions for more information.
New restricted plugin accountUnlock, to unlock accounts locked by either pam_tally, pam_tally2 or pam_faillock
Additionally, the supported list of operating systems has changed:
Also note that since v3.03.99-rc2, the FreeBSD integration tests were not running properly, this has been fixed and the few non-passing tests since this version have also been resolved.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
accountUnlock restricted pluginbatch: detect when asked to start a plugin requiring MFApackages-check.sh, perl-tidy.sh and shell-check.sh with more features and deprecated code removedcode-info syslog type in addition to code-warn
--module can now be specified multiple timesThe two main features of this version are:
--force-password, which is similar to --force-key, but to be used when a specific egress password is required instead of a specific SSH key for a given host. Note that this doesn't work for guest group accesses yet, which will be implemented in a future version. More information can be found in #256.A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
--force-password <HASH>, to only try one specific egress password (#256, thanks @madchrist)--self-password was missing as a -P synonym (#257, thanks @madchrist)