Authentication, authorization, traceability and auditability for SSH accesses.
This is a release-candidate.
As several important pull-requests have been merged, we're starting with an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. This rc (rc3) is expected to be the last before the release.
The following changes have been done since the previous rc:
- rootListIngressKeys: look for all well-known authkeys files
- --(in|ex)clude filters to groupList and accountList
- groupList: use cache to speed up calls
- warnBefore/idleTimeout misconfiguration (#125)
- (( )) returns 1 if evaluated to zero, hence failing under set -e
- documentationURL regex
- groupDelServer
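The `(( ))` behaviour named in the changelog entry above, as an added example (not code from The Bastion): each constructed snippet runs in its own bash process under `set -e`, and the helper reports whether it ran to the end. The function names and the counter variables are hypothetical.

```bash
#!/usr/bin/env bash
# Added illustration: (( expr )) exits with status 1 when expr evaluates to 0,
# which `set -e` treats as a failed command and aborts the script.

# Run a snippet in a fresh bash process with `set -e`; print "completed" if
# execution reached the end, "aborted" if it was cut short.
run_under_set_e() {
    if bash -c "set -e; $1; exit 0" >/dev/null 2>&1; then
        echo completed
    else
        echo aborted
    fi
}

# Constructed cases (hypothetical names).
# Post-increment from 0: the expression value is the old value 0, status 1.
post_increment()   { run_under_set_e 'n=0; (( n++ ))'; }
# Pre-increment from 0: the expression value is 1, status 0.
pre_increment()    { run_under_set_e 'n=0; (( ++n ))'; }
# Pre-increment is not a general fix: from -1 the value is 0 again.
pre_inc_from_neg() { run_under_set_e 'n=-1; (( ++n ))'; }
# Arithmetic expansion in an assignment: status 0 whatever the value.
expansion_form()   { run_under_set_e 'n=0; n=$(( n + 1 )); [ "$n" -eq 1 ]'; }
# Explicit guard: the || list absorbs the non-zero status.
guarded_form()     { run_under_set_e 'n=0; (( n++ )) || true; [ "$n" -eq 1 ]'; }
# Used as an if condition: conditions are exempt from `set -e`.
condition_form()   { run_under_set_e 'errors=0; if (( errors )); then exit 3; fi'; }

report() {
    for case_name in post_increment pre_increment pre_inc_from_neg \
                     expansion_form guarded_form condition_form; do
        printf '%-18s %s\n' "$case_name" "$($case_name)"
    done
}

report
```
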
This is a release-candidate.
As several important pull-requests have been merged, we're starting with an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.
The following changes have been done since the previous rc:
This is a release-candidate.
As several important pull-requests have been merged, we're starting with an rc, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.
- LC_BASTION_DETAILS envvar
- accountModify: add --osh-only (closes #97)

Changelog:
- bastions.conf.dist: wrong options values in accountMFAPolicy comments

Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release.
Changelog:
- logfile as a mandatory parameter
- MFAPasswordWarnDays parameter in bastion.conf.dist
- accountCreate and adminSudo
- puppet-thebastion and yubico-piv-checker + some adjustments

Changelog:
- interactiveModeByDefault option (#54)
- /root/.gnupg/secring.gpg
Specific upgrade instructions:
A new bastion.conf option was introduced: interactiveModeByDefault. If not present in your config file, its value defaults to 1 (true), which changes the behavior of The Bastion when a user connects without specifying any command. When this happens, it'll now display the help then drop the user into interactive mode (if this mode is enabled), instead of displaying the help and aborting with an error message. Set it to 0 (false) if you want to keep the previous behavior.
An SELinux module has been added in this version, to ensure TOTP MFA works correctly on systems where SELinux is in enforcing mode. This module will be installed automatically whenever SELinux is detected on the system. If you don't want to use this module, specify --no-install-selinux-module on your /opt/bastion/bin/admin/install upgrade call (please refer to the generic upgrade instructions for more details).
- linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le and linux/s390x.
- adminSudo: allow called plugins to read from stdin
- echo in the entrypoint of the sandbox
- install-ttyrec.sh: adapt for multiarch

This is the first public release!