Authentication, authorization, traceability and auditability for SSH accesses.
The main new feature of this version is the --pubkey-auth-optional option to accountModify, to tag some accounts so that they don't need a public key for the ingress connection, but only a password (and maybe a TOTP). Of course, as passwords are always less secure than public-key authentication, please only use it for the specific use cases you may have. See #237 for more details, along with the specific upgrade instructions (see below).
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
- accountModify: add --pubkey-auth-optional (#237, thanks @madchrist)
- accountPIV: fix bad autocompletion rule
- bastion.conf: add superowner system group requirement

A few minor features appear in this revision; if you don't need these, you might skip this update.
It is now possible to sign the backups in addition to encrypting them.
The interactive mode now supports an mfa command, to proactively request an MFA challenge that will be valid for a configured amount of time. The --proactive-mfa parameter is the equivalent for non-interactive mode, e.g. to be used along with --osh clush or --osh batch.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
- --proactive-mfa and mfa/nofa interactive commands

Documentation about the following satellite configuration files is now automatically generated:
Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18 characters limit.
accountInfo gets a speed boost by no longer listing the user's groups by default; you can still specify --list-groups to get them.
Individual accounts can now be configured to be immune to the global account expiration policy, see the --max-inactive-days option of both the accountCreate and accountModify commands.
We're also paving the way for Debian 11. All tests have been running fine for some time now, and starting from this release the pam template will use pam_faillock under Debian 11 instead of the deprecated pam_tally2 module.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
- --fallback-password-delay (3) for ssh password autologin
- max_inactive_days to account configuration (#230)
- accountInfo: add --list-groups
- accountCreate: --uid-auto: rare case where a free UID couldn't be found

A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support and the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.
The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
The following additional OSes major versions are now supported and part of the automated tests:
- groupDestroy command for group owners
- --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
- accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
- fanciness option)
- info plugin (#206)
- selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
- setup-encryption.sh: check that luks-config.sh exists (#181)
- setup-gpg.sh: clarify the use of ^D with --import (#179)
- setup-first-admin-account.sh: support to add several admins (#202)
- $_ before while(<>) loops
- groupCreate: deny groups starting with 'key' (#178)
- +x on group homes
- clush: document --user and --port
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
This version will go stable in a few days if no regression is found.
A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.
The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
- info plugin (#206)
- setup-first-admin-account.sh: support to add several admins (#202)
- $_ before while(<>) loops
- clush: document --user and --port
The allowUTF8 option in bastion.conf has been renamed to fanciness. This is no longer a bool, but an enum. Replace true by full and false by none.

As several important pull-requests have been merged, we're starting a release candidate cycle. This pre-release will be battle-tested in the field for a few days.
Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
Prerequisites before this version goes stable:
- groupDestroy command for owners
- --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
- accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
- allowUTF8 option)
- selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
- setup-encryption.sh: check that luks-config.sh exists (#181)
- setup-gpg.sh: clarify the use of ^D with --import (#179)
- groupCreate: deny groups starting with 'key' (#178)
- +x on group homes

Changes:
- osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
- fixrights.sh: 'chmod --' not supported under FreeBSD
- packages-check.sh: centos: ensure cache is up to date before trying to install packages
- groupDelServer: missing autocompletion in interactive mode
- install-yubico-piv-checker: ppc64le installation was broken
- scp: abort early if host is not found to avoid a warn()
- osh-backup-acl-keys: detect file removed transient error
- mkdir -p doesn't fail if dir already exists

General upgrade instructions: How to upgrade
Specific upgrade instructions: none
Changes:
- groupGenerateEgressKey and groupDelEgressKey (#135)
- groupAddServer and selfAddPersonalAccess (side-note in #60)
- groupAddGuestAccess now supports setting a comment (#17, #18)
- groupAddServer: augment the returned JSON with the added server details
- security to code-warning type
- groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
- groupModify: deny early if user is not an owner of the group
- groupInfo: nicer message when no egress key exists
- install: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the --no-wait parameter is now a no-op)
- interactive: omit inactivity message warning when set to 0 seconds

General upgrade instructions: How to upgrade
Specific upgrade instructions: none
Changes since v3.01.03:
- LC_BASTION_DETAILS envvar
- accountModify: add --osh-only (closes #97)
- rootListIngressKeys: report keys found in all well-known authkeys files, not just the one used by The Bastion
- --(in|ex)clude filters to groupList and accountList
- groupList: use cache to speed up calls
- warnBefore/idleTimeout misconfiguration (#125)
- documentationURL validation regex
- TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
- groupDelServer
- groupList: remove 9K group limit
- realmDelete: invalid sudoers configuration

General upgrade instructions: How to upgrade
Specific upgrade instructions: Please read through the details, in a nutshell:
This is a release-candidate.
As several important pull-requests have been merged, we're starting an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. This rc (rc4) is expected to be the last before the release.
The following changes have been done since the previous rc: