The Bastion Versions Save

This is a release-candidate.

As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. This rc (rc3) is expected to be the last before the release.

The following changes have been done since the previous rc:

• feat: rootListIngressKeys: look for all well-known authkeys files
• feat: add --(in|ex)clude filters to groupList and accountList
• enh: groupList: use cache to speedup calls
• enh: config: detect warnBefore/idleTimeout misconfiguration (#125)
• fix: scripts: (( )) returns 1 if evaluated to zero, hence failing under set -e
• fix: config: be more permissive for documentationURL regex
• fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
• fix: confusing error messages in groupDelServer
• chore: tests: also update totalerrors while tests are running

This is a release-candidate.

As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.

The following changes have been done since the previous rc:

• fix: re-introduce the ttyrecfile field (fixes #114)
• fix: logs: sql dbname was not properly passed through the update logs func (fixes #114)
• doc: upgrade: add a note about config normalization

This is a release-candidate.

As several important pull-requests have been merged, we're starting with a rc, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.

• feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
• feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
• feat: realms: use remote bastion MFA validation information for local policy enforcement
• feat: add LC_BASTION_DETAILS envvar
• feat: accountModify: add --osh-only (closes #97)
• enh: satellite scripts: better error handling
• enh: config: better parsing and normalization
• fix: proper sqlite log location for invalid realm accounts
• fix: tests: syslog-logged errors were not counted towards the total
• fix: groupList: remove 9K group limit
• fix: global-log: directly set proper perms on file creation
• fix: realmDelete: bad sudoers configuration
• fix: remove useless warning when there is no guest access
• chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
• chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.

• fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
• fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
• fix: osh.pl: plugin_config 'disabled' key is a boolean
• chore: speedup tests by ~20%
• chore: osh-accountDelete: fix typo

Changelog:

• feat: support CentOS 8.3
• fix: is_valid_remote_user: extend allowed size from 32 to 128
• doc: bastions.conf.dist: wrong options values in accountMFAPolicy comments
• chore: packages-check: remove unused packages

Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release.

How to upgrade

Changelog:

• fix: interactive mode: mark non-printable chars as such to avoid readline quirks
• fix: osh-encrypt-rsync: remove logfile as a mandatory parameter
• fix: typo in MFAPasswordWarnDays parameter in bastion.conf.dist
• enh: interactive mode: better autocompletion for accountCreate and adminSudo
• enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
• doc: add information about puppet-thebastion and yubico-piv-checker + some adjustments
• chore: tests: fail the tests when code is not tidy

How to upgrade

Changelog:

• feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
• feat: partial MFA support for FreeBSD
• feat: add interactiveModeByDefault option (#54)
• feat: install: add SELinux module for TOTP MFA (#26)
• enh: httpproxy: add informational headers to the egress side request
• fix: osh.pl: validate remote user and host format to fail early if invalid
• fix: osh-encrypt-rsync.pl: allow more broad chars to avoid letting weird-named files behind
• fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss /root/.gnupg/secring.gpg
• fix: selfListSessions: bad sorting of the list
• misc: a few other fixes here and there

How to upgrade

Specific upgrade instructions:

A new bastion.conf option was introduced: interactiveModeByDefault. If not present in your config file, its value defaults to 1 (true), which changes the behavior of The Bastion when a user connects without specifying any command. When this happens, it'll now display the help then drop the user into interactive mode (if this mode is enabled), instead of displaying the help and aborting with an error message. Set it to 0 (false) if you want to keep the previous behavior.

An SELinux module has been added in this version, to ensure TOTP MFA works correctly under systems where SELinux is on enforcing mode. This module will be installed automatically whenever SELinux is detected on the system. If you don't want to use this module, specify --no-install-selinux-module on your /opt/bastion/bin/admin/install upgrade call (please refer to the generic upgrade instructions for more details).

• feat: add more archs to dockerhub sandbox, it is now available for linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le and linux/s390x.
• fix: adminSudo: allow called plugins to read from stdin
• fix: add missing echo in the entrypoint of the sandbox
• chore: install-ttyrec.sh: adapt for multiarch

• feat: add OpenSUSE 15.2 to the officially supported distros
• enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
• enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
• enh: provide a separated Dockerfile for the sandbox, squashing useless layers
• doc: a lot of fixes here and there
• chore: remove spurious config files
• chore: a few GitHub actions workflow fixes

This is the first public release!