Releases: ovh/the-bastion

v3.03.99-rc2 (Pre-release)

30 Jun 15:21

⚠️ This is a release candidate

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.

This version will go stable in a few days if no regression is found.

💡 Highlights

A lot of documentation landed in this version, such as details about access management, PIV keys support, SCP support and the HTTPS Proxy module. The reference for the osh-http-proxy.conf file has also been published.

The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:

  • Debian 8
  • Ubuntu 14.04
  • OpenSUSE 15.0/15.1

📌 Changes

  • OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
  • feat: add admin and super owner accounts list in info plugin (#206)
  • enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
  • enh: tests: refactor the framework for more maintainability
  • fix: setup-first-admin-account.sh: support to add several admins (#202)
  • fix: use local $_ before while(<>) loops
  • doc: added a lot of new content
  • doc: clush: document --user and --port
  • doc: several other fixes here and there

⏩ Upgrading

  • General upgrade instructions: How to upgrade
  • Specific upgrade instructions: Only if you're upgrading from rc1: the allowUTF8 option in bastion.conf has been renamed to fanciness. This is no longer a bool, but an enum. Replace true by full and false by none.
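The allowUTF8 to fanciness rename above is the one manual step in this upgrade. The following is an added example (not part of the project's own upgrade tooling) that performs that rename on a bastion.conf fragment and refuses ambiguous input; it assumes bastion.conf is JSON in which lines starting with `#` are comments, and the sample configuration is constructed.

```python
import json
import sys

# Constructed sample of an rc1-era bastion.conf fragment (assumed JSON-with-#-comments format).
SAMPLE_OLD_CONF = """# bastion.conf (constructed sample, rc1-era)
{
  "bastionName": "example-bastion",
  "allowUTF8": true
}
"""


def migrate_fanciness(conf_text):
    """Return (config_dict, changed).

    Maps the rc1 boolean 'allowUTF8' to the rc2 'fanciness' enum:
    true -> "full", false -> "none". Leaves already-migrated files untouched
    and refuses a file that carries both keys, so nothing is silently guessed.
    """
    # Assumption: comment lines start with '#'; they are dropped before parsing.
    body = "\n".join(
        line for line in conf_text.splitlines() if not line.lstrip().startswith("#")
    )
    conf = json.loads(body)
    if "allowUTF8" not in conf:
        return conf, False  # fresh install or already on the new key: nothing to do
    if "fanciness" in conf:
        raise ValueError("both allowUTF8 and fanciness are set; resolve by hand")
    old = conf.pop("allowUTF8")
    if not isinstance(old, bool):
        raise ValueError(f"allowUTF8 must be a JSON boolean, got {old!r}")
    conf["fanciness"] = "full" if old else "none"
    return conf, True


if __name__ == "__main__":
    # Usage: migrate.py /path/to/bastion.conf  (prints the migrated JSON to stdout)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD_CONF
    conf, changed = migrate_fanciness(text)
    print(json.dumps(conf, indent=2))
    print("migrated" if changed else "no change needed", file=sys.stderr)
```

Comment lines are dropped in the output, so review the result before replacing the live file.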

v3.03.99-rc1 (Pre-release)

03 Jun 14:42

⚠️ This is a release candidate

As several important pull requests have been merged, we're starting a release candidate cycle.
This pre-release will be battle-tested in the field for a few days.

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain from using this version in critical production systems, unless it contains either a feature you really need or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.

Prerequisites before this version goes stable:

  • No regression or blocking bug is found within ~2 weeks
  • Minimal documentation about the HTTP Proxy is published

📌 Changes

  • feat: add the groupDestroy command for owners
  • feat: add filtering options to several commands: --include and --exclude to selfListAccesses, accountListAccesses, accountList, groupList, groupListServers (#60)
  • feat: http proxy: greatly optimize performance for large payload responses
  • feat: accountModify: add a new accept-new POLICY in egress-strict-host-key-checking parameter (@jonathanmarsaud)
  • feat: add UTF-8 chars to output when supported and allowed (new allowUTF8 option)
  • enh: nicify the output of print_acls(), by omitting empty columns from output and properly aligning vertically, rendering selfListAccesses, accountListAccesses, groupListServers and groupListAccesses output more easily readable
  • enh: http proxy: add options to fine-tune logging
  • enh: clearer error message on non-existing group
  • enh: setup-encryption.sh: check that luks-config.sh exists (#181)
  • enh: setup-gpg.sh: clarify the use of ^D with --import (#179)
  • enh: http proxy: add functional tests framework for this feature, along with the first tests
  • fix: groupCreate: deny groups starting with 'key' (#178)
  • fix: superowners need to have +x on group homes
  • doc: FreeBSD 13.0 is now tested instead of 12.1

⏩ Upgrading

  • General upgrade instructions: How to upgrade
  • Specific upgrade instructions: none

v3.03.01

25 Mar 10:58

Changes:

  • enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
  • enh: install.inc: try harder to hit GitHub API in CI
  • fix: fixrights.sh: 'chmod --' not supported under FreeBSD
  • fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
  • fix: groupDelServer: missing autocompletion in interactive mode
  • fix: install-yubico-piv-checker: ppc64le installation was broken
  • fix: scp: abort early if host is not found to avoid a warn()
  • fix: osh-backup-acl-keys: detect file removed transient error
  • fix: add a case to the ignored perl panic race condition
  • chore: mkdir -p doesn't fail if dir already exists
  • chore: tests: support multiple unit-test files

General upgrade instructions: How to upgrade

Specific upgrade instructions: none

v3.03.00

22 Feb 16:50

Changes:

  • feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
  • feat: add groupGenerateEgressKey and groupDelEgressKey (#135)
  • feat: auto-add hostname as comment in groupAddServer and selfAddPersonalAccess (side-note in #60)
  • enh: groupAddGuestAccess now supports setting a comment (#17, #18)
  • enh: groupAddServer: augment the returned JSON with the added server details
  • enh: move unexpected-sudo messages from security to code-warning type
  • enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
  • fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
  • fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
  • fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
  • fix: groupModify: deny early if user is not an owner of the group
  • enh: groupInfo: nicer message when no egress key exists
  • enh: install: use in-place overwrite for sudoers files; the 3-second wait by default has been removed (and the --no-wait parameter is now a no-op)
  • fix: interactive: omit inactivity message warning when set to 0 seconds
  • a few other internal fixes here and there

General upgrade instructions: How to upgrade

Specific upgrade instructions: none

v3.02.00

02 Feb 14:29

Changes since v3.01.03:

  • feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
  • feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
  • feat: realms: use remote bastion MFA validation information for local policy enforcement
  • feat: add LC_BASTION_DETAILS envvar
  • feat: accountModify: add --osh-only (closes #97)
  • feat: rootListIngressKeys: report keys found in all well-known authkeys files, not just the one used by The Bastion
  • feat: add --(in|ex)clude filters to groupList and accountList
  • enh: groupList: use cache to speed up calls
  • enh: satellite scripts: better error handling
  • enh: config: better parsing and normalization
  • enh: config: detect warnBefore/idleTimeout misconfiguration (#125)
  • fix: config: be more permissive for documentationURL validation regex
  • fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
  • fix: confusing error messages in groupDelServer
  • fix: proper sqlite log location for invalid realm accounts
  • fix: tests: syslog-logged errors were not counted towards the total
  • fix: groupList: remove 9K group limit
  • fix: global-log: directly set proper perms on file creation
  • fix: realmDelete: invalid sudoers configuration
  • fix: remove useless warning when there is no guest access
  • chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
  • chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.

General upgrade instructions: How to upgrade

Specific upgrade instructions: please read through the details; in a nutshell:

  • Logs have been enhanced
  • The main configuration file now supports proper booleans (in a backward compatible way)

v3.01.99-rc4 (Pre-release)

25 Jan 11:20

This is a release-candidate.

As several important pull requests have been merged, we're starting an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
This rc (rc4) is expected to be the last before the release.

The following changes have been done since the previous rc:

  • fix: admins no longer inherited superowner powers

v3.01.99-rc3 (Pre-release)

21 Jan 15:01

This is a release-candidate.

As several important pull requests have been merged, we're starting an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
This rc (rc3) is expected to be the last before the release.

The following changes have been done since the previous rc:

  • feat: rootListIngressKeys: look for all well-known authkeys files
  • feat: add --(in|ex)clude filters to groupList and accountList
  • enh: groupList: use cache to speed up calls
  • enh: config: detect warnBefore/idleTimeout misconfiguration (#125)
  • fix: scripts: (( )) returns 1 if evaluated to zero, hence failing under set -e
  • fix: config: be more permissive for documentationURL regex
  • fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
  • fix: confusing error messages in groupDelServer
  • chore: tests: also update totalerrors while tests are running

v3.01.99-rc2 (Pre-release)

13 Jan 08:42

This is a release-candidate.

As several important pull requests have been merged, we're starting an rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.

The following changes have been done since the previous rc:

  • fix: re-introduce the ttyrecfile field (fixes #114)
  • fix: logs: sql dbname was not properly passed through the update logs func (fixes #114)
  • doc: upgrade: add a note about config normalization

v3.01.99-rc1 (Pre-release)

12 Jan 11:49

This is a release-candidate.

As several important pull requests have been merged, we're starting with an rc, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.

v3.01.03 (a8423c8)

15 Dec 13:30

  • fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
  • fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
  • fix: osh.pl: plugin_config 'disabled' key is a boolean
  • chore: speedup tests by ~20%
  • chore: osh-accountDelete: fix typo