The Bastion releases

Authentication, authorization, traceability and auditability for SSH accesses.

v3.06.00

2 years ago

:bulb: Highlights

The main new feature of this version is the --pubkey-auth-optional option of accountModify, which tags accounts that do not need a public key for the ingress connection, only a password (and possibly a TOTP). Since a password is always weaker than public-key authentication, enable it only for the specific use cases that require it. See #237 for details, along with the specific upgrade instructions (see below).

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

:pushpin: Changes

  • feat: accountModify: add --pubkey-auth-optional (#237, thanks @madchrist)
  • fix: accountPIV: fix bad autocompletion rule
  • fix: groupdel: false positive in lock contention detection
  • doc: bastion.conf: add superowner system group requirement

:fast_forward: Upgrading

v3.05.01

2 years ago

:bulb: Highlights

A few minor features appear in this revision; if you don't need them, you may skip this update.

  • It is now possible to sign the backups in addition to encryption

  • The interactive mode now supports an mfa command, to proactively request an MFA challenge that will be valid for a configured amount of time. The --proactive-mfa parameter is the equivalent for non-interactive mode, e.g. to be used along with --osh clush or --osh batch

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

:pushpin: Changes

  • feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209)
  • feat: --proactive-mfa and mfa/nomfa interactive commands
  • doc: add help about the interactive builtin commands (#227)

:fast_forward: Upgrading

v3.05.00

2 years ago

:bulb: Highlights

Documentation about the following satellite configuration files is now automatically generated:

Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18 characters limit.

accountInfo gets a speed boost by no longer listing the user's groups by default, you can still specify --list-groups to get them.

Individual accounts can now be configured to be immune to the global account expiration policy, see the --max-inactive-days option of both the accountCreate and accountModify commands.

We're also paving the way for Debian 11. All tests have been running fine for some time now, and starting from this release the pam template uses pam_faillock under Debian 11 instead of the deprecated pam_tally2 module.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

:pushpin: Changes

  • feat: support pam_faillock for Debian 11 (#163)
  • feat: add --fallback-password-delay (3) for ssh password autologin
  • enh: add max_inactive_days to account configuration (#230)
  • enh: accountInfo: add --list-groups
  • enh: max account length is now 28 chars up from 18
  • enh: better error message when unknown option is used
  • enh: better use of account creation metadata
  • enh: config reading: add rootonly parameter
  • fix: accountCreate: --uid-auto: rare case where a free UID couldn't be found
  • doc: generate scripts doc reference for satellite scripts
  • doc: add faq about session locking (#226)
  • misc: a few other unimportant fixes

:fast_forward: Upgrading

v3.04.00

2 years ago

:bulb: Highlights

A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.

The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:

  • Debian 8
  • Ubuntu 14.04
  • OpenSUSE 15.0/15.1

The following additional OSes major versions are now supported and part of the automated tests:

  • OpenSUSE 15.3

:pushpin: Changes

  • OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
  • feat: add the groupDestroy command for group owners
  • feat: add filtering options to several commands: --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
  • feat: http proxy: greatly optimize performance for large payload responses (x10 or more)
  • feat: accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
  • feat: add UTF-8 chars to output when supported and allowed (new fanciness option)
  • feat: add admin and super owner accounts list in info plugin (#206)
  • enh: tests: refactor the framework for more maintainability
  • enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
  • enh: http proxy: add options to fine-tune logging
  • enh: clearer error message on non-existing group
  • enh: setup-encryption.sh: check that luks-config.sh exists (#181)
  • enh: setup-gpg.sh: clarify the use of ^D with --import (#179)
  • enh: http proxy: add functional tests framework for this feature, along with the first tests
  • fix: setup-first-admin-account.sh: support to add several admins (#202)
  • fix: localize $_ before while(<>) loops
  • fix: groupCreate: deny groups starting with 'key' (#178)
  • fix: superowners need to have +x on group homes
  • doc: added a lot of new content (see highlights)
  • doc: clush: document --user and --port
  • doc: several other fixes here and there

:fast_forward: Upgrading

v3.03.99-rc2

2 years ago

:warning: This is a release candidate

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version on critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of running a release candidate.

This version will go stable in a few days if no regression is found.

:bulb: Highlights

A lot of documentation landed in this version, such as details about the access management, PIV keys support, SCP support, the HTTPS Proxy module. The reference of the osh-http-proxy.conf file has also been published.

The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:

  • Debian 8
  • Ubuntu 14.04
  • OpenSUSE 15.0/15.1

:pushpin: Changes

  • OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
  • feat: add admin and super owner accounts list in info plugin (#206)
  • enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
  • enh: tests: refactor the framework for more maintainability
  • fix: setup-first-admin-account.sh: support to add several admins (#202)
  • fix: use local $_ before while(<>) loops
  • doc: added a lot of new content
  • doc: clush: document --user and --port
  • doc: several other fixes here and there
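The "localize $_ before while(<>) loops" fix listed in both the v3.04.00 and rc2 change lists above addresses a classic Perl pitfall: while (<$fh>) is really while (defined($_ = <$fh>)), so a helper that reads a file assigns every line, and finally undef at EOF, to the global $_ that its caller may be using, for instance as the loop variable of a for (@list), which is aliased to the list element and therefore gets overwritten. The script below is an added illustration written for this page, not code from The Bastion; the subroutine names, the in-memory sample file and the account names are made up.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample "file": two lines of text, opened from memory so this runs offline.
my $SAMPLE = "line one\nline two\n";

# Buggy helper: the implicit assignment in while (<$fh>) writes each line, and then
# undef at EOF, into the *global* $_ owned by whoever called us.
sub count_lines_clobbering {
    my ($text) = @_;
    open(my $fh, '<', \$text) or die "open: $!";
    my $n = 0;
    while (<$fh>) { $n++ }
    close($fh);
    return $n;
}

# Fixed helper: `local $_` saves the caller's $_ on entry and restores it on return,
# so the read loop only touches our own dynamically scoped copy.
sub count_lines_localized {
    my ($text) = @_;
    local $_;
    open(my $fh, '<', \$text) or die "open: $!";
    my $n = 0;
    while (<$fh>) { $n++ }
    close($fh);
    return $n;
}

# Caller: iterates over account names with $_ aliased to each array element and
# calls a file-reading helper in the middle of the loop. Returns the values it
# observed in $_ after each call, plus the (possibly damaged) array itself.
sub process_accounts {
    my ($helper) = @_;
    my @accounts = qw(alice bob);    # constructed sample data
    my @seen;
    for (@accounts) {
        $helper->($SAMPLE);
        push @seen, defined $_ ? $_ : '<undef>';
    }
    return (\@seen, \@accounts);
}

for my $case (['clobbering', \&count_lines_clobbering],
              ['localized',  \&count_lines_localized]) {
    my ($name, $helper) = @$case;
    my ($seen, $accounts) = process_accounts($helper);
    printf "%-10s seen=[%s] accounts=[%s]\n", $name,
        join(',', @$seen),
        join(',', map { defined $_ ? $_ : '<undef>' } @$accounts);
}
```

Run it with perl: with the clobbering helper, the caller sees undef in $_ after every call and both elements of @accounts have been overwritten with undef, because $_ was aliased to them; with the localized helper, both the loop variable and the array survive intact. In a privilege-separating tool such as a bastion, where a loop over accounts or groups typically calls helpers that read ACL or configuration files, this kind of silent corruption of the iteration state is exactly what the localization fix prevents.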

:fast_forward: Upgrading

  • General upgrade instructions: How to upgrade
  • Specific upgrade instructions: Only if you're upgrading from rc1: the allowUTF8 option in bastion.conf has been renamed to fanciness. This is no longer a bool, but an enum. Replace true by full and false by none.

v3.03.99-rc1

2 years ago

:warning: This is a release candidate

As several important pull-requests have been merged, we're starting a release candidate cycle. This pre-release will be battle-tested in the field for a few days.

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version on critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of running a release candidate.

Prerequisites before this version goes stable:

  • No regression or blocking bug is found within ~2 weeks
  • A minimal documentation about the HTTP Proxy is published

:pushpin: Changes

  • feat: add the groupDestroy command for owners
  • feat: add filtering options to several commands: --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
  • feat: http proxy: greatly optimize performance for large payload responses
  • feat: accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
  • feat: add UTF-8 chars to output when supported and allowed (new allowUTF8 option)
  • enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
  • enh: http proxy: add options to fine-tune logging
  • enh: clearer error message on non-existing group
  • enh: setup-encryption.sh: check that luks-config.sh exists (#181)
  • enh: setup-gpg.sh: clarify the use of ^D with --import (#179)
  • enh: http proxy: add functional tests framework for this feature, along with the first tests
  • fix: groupCreate: deny groups starting with 'key' (#178)
  • fix: superowners need to have +x on group homes
  • doc: FreeBSD 13.0 is now tested instead of 12.1

:fast_forward: Upgrading

  • General upgrade instructions: How to upgrade
  • Specific upgrade instructions: none

v3.03.01

3 years ago

Changes:

  • enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
  • enh: install.inc: try harder to hit GitHub API in CI
  • fix: fixrights.sh: 'chmod --' not supported under FreeBSD
  • fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
  • fix: groupDelServer: missing autocompletion in interactive mode
  • fix: install-yubico-piv-checker: ppc64le installation was broken
  • fix: scp: abort early if host is not found to avoid a warn()
  • fix: osh-backup-acl-keys: detect file removed transient error
  • fix: add a case to the ignored perl panic race condition
  • chore: mkdir -p doesn't fail if dir already exists
  • chore: tests: support multiple unit-test files

General upgrade instructions: How to upgrade

Specific upgrade instructions: none

v3.03.00

3 years ago

Changes:

  • feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
  • feat: add groupGenerateEgressKey and groupDelEgressKey (#135)
  • feat: auto-add hostname as comment in groupAddServer and selfAddPersonalAccess (side-note in #60)
  • enh: groupAddGuestAccess now supports setting a comment (#17, #18)
  • enh: groupAddServer: augment the returned JSON with the added server details
  • enh: move unexpected-sudo messages from security to code-warning type
  • enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
  • fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
  • fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
  • fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
  • fix: groupModify: deny early if user is not an owner of the group
  • enh: groupInfo: nicer message when no egress key exists
  • enh: install: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the --no-wait parameter is now a no-op)
  • fix: interactive: omit inactivity message warning when set to 0 seconds
  • a few other internal fixes here and there

General upgrade instructions: How to upgrade

Specific upgrade instructions: none

v3.02.00

3 years ago

Changes since v3.01.03:

  • feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
  • feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
  • feat: realms: use remote bastion MFA validation information for local policy enforcement
  • feat: add LC_BASTION_DETAILS envvar
  • feat: accountModify: add --osh-only (closes #97)
  • feat: rootListIngressKeys: report keys found in all well-known authkeys files, not just the one used by The Bastion
  • feat: add --(in|ex)clude filters to groupList and accountList
  • enh: groupList: use cache to speedup calls
  • enh: satellite scripts: better error handling
  • enh: config: better parsing and normalization
  • enh: config: detect warnBefore/idleTimeout misconfiguration (#125)
  • fix: config: be more permissive for documentationURL validation regex
  • fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
  • fix: confusing error messages in groupDelServer
  • fix: proper sqlite log location for invalid realm accounts
  • fix: tests: syslog-logged errors were not counted towards the total
  • fix: groupList: remove 9K group limit
  • fix: global-log: directly set proper perms on file creation
  • fix: realmDelete: invalid sudoers configuration
  • fix: remove useless warning when there is no guest access
  • chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
  • chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.

General upgrade instructions: How to upgrade

Specific upgrade instructions: Please read through the details, in a nutshell:

  • Logs have been enhanced
  • The main configuration file now supports proper booleans (in a backward compatible way)

v3.01.99-rc4

3 years ago

This is a release-candidate.

As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. This rc (rc4) is expected to be the last before the release.

The following changes have been done since the previous rc:

  • fix: admins no longer inherited superowner powers