Releases: ovh/the-bastion
v3.19.01
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
This release adds the possibility to allow plain HTTP on the egress side of the bastion HTTPS proxy.
Of course, this feature is disabled by default, and you must allow it explicitly if your business constraints force you to. To this effect, you may specify the allowed_egress_protocols option of the osh-http-proxy.conf file.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: httpproxy: optional support for plain http on egress
- fix: selfPlaySession: warn in syslog properly
- chore: github actions: replace ubuntu 20.04 by 24.04 (EOL)
⏩ Upgrading
v3.19.00
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this release is, drum roll, the official support of IPv6!
Most of the code was already IPv6-aware, but in some places IPv4 was assumed; these have all been adjusted to work with both IP versions.
Note that IPv6 support is disabled by default: we've introduced the IPv6Allowed boolean option in bastion.conf, which you must set to true to allow egress connections over IPv6. We've also taken this opportunity to add an IPv4Allowed option, which is enabled by default; you can set it to false should you want a strictly IPv6-only bastion!
The characters dictionary used by selfGeneratePassword and groupGeneratePassword has been reduced to only contain special characters recognized by the TL1 protocol, as some network devices only allow these. As this functionality (SSH password autologin) is mainly aimed at network devices that don't support SSH keys, this has been deemed a sane default to ensure proper compatibility. Note that this reduces the entropy of generated passwords a bit, but adding one or two characters to the password length is enough to compensate, should it be a concern in your environment.
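The entropy trade-off above is easy to quantify. The Python below is an added example written for this page, not code from the-bastion (which is written in Perl): both special-character sets are constructed stand-ins, not the project's real dictionaries, and the function names are this example's own. It computes how many extra characters a smaller alphabet needs to reach the same entropy, and generates a password from the reduced set with the CSPRNG.

```python
import math
import secrets
import string

# Both special-character sets are CONSTRUCTED for this example: they are not
# the dictionaries the bastion actually uses. The arithmetic holds for any
# pair of alphabet sizes.
FULL_SPECIALS = string.punctuation   # 32 characters, a typical "anything goes" set
REDUCED_SPECIALS = "#%+-.:=_"        # hypothetical 8-character TL1-friendly set


def alphabet(specials):
    """Generation alphabet: ASCII letters, digits and the given specials."""
    return string.ascii_letters + string.digits + specials


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def compensating_length(old_size, new_size, length):
    """Smallest length over the smaller alphabet that reaches at least the
    entropy the old alphabet gave at `length` characters."""
    target = entropy_bits(old_size, length)
    new_len = math.ceil(target / math.log2(new_size))
    # Guard against floating-point rounding landing just below the target.
    while entropy_bits(new_size, new_len) < target:
        new_len += 1
    return new_len


def generate_password(length, specials=REDUCED_SPECIALS):
    """Draw from the alphabet with the CSPRNG in `secrets`. Rejection-sample
    until at least one letter, digit and special are present, so a device that
    insists on a special character never rejects the result (this discards a
    small fraction of the space, so the entropy figure above is an upper bound)."""
    chars = alphabet(specials)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in specials for c in pw)):
            return pw


if __name__ == "__main__":
    full, reduced = len(alphabet(FULL_SPECIALS)), len(alphabet(REDUCED_SPECIALS))
    for n in (12, 16, 20):
        print(f"length {n}: {entropy_bits(full, n):.1f} bits over {full} symbols -> "
              f"{compensating_length(full, reduced, n)} chars needed over {reduced} symbols")
    print(generate_password(16))
```

With these constructed sets (94 versus 70 symbols), a 12-character password needs one extra character and a 16-character one needs two, which is the "one or two characters" the release notes mention; the exact figures depend on the real dictionary sizes.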
We've also taken this opportunity to make a few other changes, such as:
- speeding up the is_valid_ip check (35% speedup, noticeable for groups with thousands of ACLs)
- set ECDSA as the default algorithm for generated egress keys instead of RSA, for new installs only (defaultAccountEgressKeyAlgorithm)
Some work has also been done around the unit tests (using the more standard TAP::Harness) and functional tests (speeding them up).
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: IPv6 support
- feat: add agent forwarding support on egress side
- chg: set ECDSA as default egress key algo for new installs
- chg: groupInfo: remove deprecated JSON fields
- chg: upgrade tests from FreeBSD 13.2 to 14.2
- enh: 35% faster is_valid_ip() when fast=1
- enh: accountInfo: add osh-only information for accounts
- enh: tests: add --skip-functional-tests and --skip-unit-tests
- enh: ssh autologin: allow TERM env passthrough
- enh: use only TL1 special chars when generating passwords
- fix: accountInfo: don't attempt (and fail) to display info non-auditors don't have access to
- fix: groupInfo: don't attempt (and fail) to display the guest list when the account doesn't have access to it
- fix: deny subnets for nc, mtr, ping, alive plugins
- fix: is_in_any_net: support matching subnets
- fix: groupSetServers: don't ignore ACL comments
- chore: faster tests by removing grant/revoke command dance
- chore: tests: no longer run consistency check by default
- chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
- chore: use TAP::Harness for unit tests
⏩ Upgrading
v3.18.99-rc1
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this pre-release is, drum roll, the official support of IPv6!
Most of the code was already IPv6-aware, but in some places IPv4 was assumed; these have all been adjusted to work with both IP versions.
Note that IPv6 support is disabled by default: we've introduced the IPv6Allowed boolean option in bastion.conf, which you must set to true to allow egress connections over IPv6. We've also taken this opportunity to add an IPv4Allowed option, which is enabled by default; you can set it to false should you want a strictly IPv6-only bastion!
A lot of tests have been added to ensure everything works correctly with this change, but as this is still an important change and only a few tests have been done in the field yet, this'll be a pre-release for a few weeks.
We've also taken this opportunity to make a few other changes, such as:
- speeding up the is_valid_ip check (35% speedup, noticeable for groups with thousands of ACLs)
- set ECDSA as the default algorithm for generated egress keys instead of RSA, for new installs only (defaultAccountEgressKeyAlgorithm)
Some work has also been done around the unit tests (using the more standard TAP::Harness) and functional tests (speeding them up).
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: IPv6 support
- chg: set ECDSA as default egress key algo for new installs
- chg: groupInfo: remove deprecated JSON fields
- enh: 35% faster is_valid_ip() when fast=1
- enh: accountInfo: add osh-only information for accounts
- enh: tests: add --skip-functional-tests and --skip-unit-tests
- fix: accountInfo: don't attempt (and fail) to display info non-auditors don't have access to
- fix: groupInfo: don't attempt (and fail) to display the guest list when the account doesn't have access to it
- fix: deny subnets for nc, mtr, ping, alive plugins
- fix: is_in_any_net: support matching subnets
- chore: faster tests by removing grant/revoke command dance
- chore: tests: no longer run consistency check by default
- chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
- chore: use TAP::Harness for unit tests
⏩ Upgrading
v3.18.00
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
A new restricted command has been added: assetForgetHostKey, which is the bastion-wide version of the selfForgetHostKey command. In other words, it removes a given asset's hostkey from all the bastion accounts' personal known_hosts files. This is particularly useful when a given asset is reinstalled or its IP is being reallocated, and you've left the bastion-wide default of StrictHostKeyChecking to 'ask': in that case, if this command is not used after the asset hostkeys have changed, each account will have to use selfForgetHostKey on their own, to tell the bastion that the previously known hostkey should be forgotten.
This new command makes it possible to sync the reinstallation of an asset with a bastion-wide reset of its hostkeys (e.g. using an automation account that will be granted the use of the assetForgetHostKey command), without requiring all the other accounts to do it on their own. On their next connection, the other accounts will just have to accept the new hostkey (if StrictHostKeyChecking is set to ask, which is the default), or the new hostkey will be auto-accepted in the absence of a known one (if StrictHostKeyChecking is set to accept-new).
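As an added illustration of what such a command has to get right on the OpenSSH known_hosts format, here is a Python example written for this page; it is not the-bastion's own assetForgetHostKey implementation (which is Perl). It handles plain entries, comma-separated alias lists, [host]:port entries and HashKnownHosts-style hashed entries (|1|salt|HMAC-SHA1), then applies the removal across a set of per-account files. Host names, salts and key blobs in the sample are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import hmac


def hashed_hostfield(hostname, salt):
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host)).
    Used here only to construct a consistent sample; OpenSSH uses a random 20-byte salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def _hashed_entry_matches(hostfield, hostname):
    """Hashed entries cannot be searched by name; recompute the HMAC with the stored salt."""
    parts = hostfield.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, stored = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, stored)


def entry_matches_host(line, hostname):
    """True if this known_hosts line carries a key for `hostname`.
    For a non-default port, pass the "[host]:port" form, which is also what
    OpenSSH hashes. Blank lines and comments never match; wildcard/negated
    patterns are not interpreted (they would need fnmatch semantics)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    if fields[0].startswith("@"):      # @cert-authority / @revoked marker
        fields = fields[1:]
    if not fields:
        return False
    hostfield = fields[0]
    if hostfield.startswith("|1|"):
        return _hashed_entry_matches(hostfield, hostname)
    for name in hostfield.split(","):
        # "[host]:port" also matches a request for the bare host name.
        inner = name[1:name.index("]:")] if name.startswith("[") and "]:" in name else name
        if hostname in (name, inner):
            return True
    return False


def forget_host(known_hosts_text, hostname):
    """Return (new_text, removed_count) with every entry for `hostname` dropped.
    A line listing aliases ("srv1,192.0.2.10 ...") is removed whole, which is
    what you want after a reinstall: the key is wrong for every alias."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        if entry_matches_host(line, hostname):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def forget_host_everywhere(account_files, hostname):
    """Bastion-wide variant: account_files maps account name -> known_hosts content.
    Returns (updated_files, removed_count_per_account) so the caller can log who was affected."""
    updated, counts = {}, {}
    for account, text in account_files.items():
        updated[account], counts[account] = forget_host(text, hostname)
    return updated, counts


# Constructed sample file: names, salt and key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, keys are placeholders",
    "srv1.example.internal,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDER1",
    "[srv2.example.internal]:2222 ssh-ed25519 AAAAC3PLACEHOLDER2",
    hashed_hostfield("srv1.example.internal", b"\x01" * 20) + " ssh-rsa AAAAB3PLACEHOLDER3",
    "srv3.example.internal ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER4",
]) + "\n"


if __name__ == "__main__":
    files = {"alice": SAMPLE_KNOWN_HOSTS, "bob": "srv3.example.internal ssh-ed25519 AAAAC3X\n"}
    updated, counts = forget_host_everywhere(files, "srv1.example.internal")
    print(counts)                 # {'alice': 2, 'bob': 0}
    print(updated["alice"], end="")
```

The hashed case is the reason a bastion-wide command is valuable: with HashKnownHosts enabled there is no host name to grep for, so each account's file has to be scanned and the HMAC recomputed with every stored salt, which is tedious to do by hand per account.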
A long-standing bug with stalling downloads using scp has also been fixed (#486).
The list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: add assetForgetHostKey
- fix: scp: downloads would sometimes stall (fix #486)
⏩ Upgrading
v3.17.01
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
No specific highlight, as this release addresses a few issues and minor enhancements.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- enh: interactive: handle CTRL+C nicely (fix #497)
- fix: osh.pl: remove a warning on interactive mode timeout
- fix: allow ssh-as in connect.pl
- chore: fix bad scpup/scpupload scp/scpdownload references in help and doc (thanks @TomRicci!)
⏩ Upgrading
v3.17.00
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
This release updates the supported OS list as follows:
- drop support for Ubuntu 16.04 and CentOS 7
- add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6
Apart from the supported OS list, this release has a lot of changes; the most important ones are summarized below.
Add support for rsync (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new --protocol option, which will permit adding more protocols if needed, without requiring new named options. The previous options are still supported and will keep working, even if the documentation has been updated to only reference --protocol.
Add support for wildcards (also called "shell-style globbing characters"), namely ? and *, when using the --user option for plugins such as groupAddServer, groupDelServer, groupAddGuestAccess, groupDelGuestAccess, accountAddPersonalAccess, accountDelPersonalAccess, selfAddPersonalAccess, selfDelPersonalAccess. This implements #461.
Add a new per-account option: egress session multiplexing (usage of the ControlPath and ControlMaster ssh client options), for accounts opening a large number of connections to the same hosts, as is the case with e.g. Ansible. You'll find it in the accountModify documentation.
Worth noting is also a new plugin: groupSetServers, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely on several groupAddServer and groupDelServer calls.
We also enable the sntrup KEX algorithm by default on shipped versions of sshd_config and ssh_config; read the specific upgrade instructions linked below if you're interested and this is not a new installation.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: support wildcards in --user (fix #461)
- feat: add rsync support through the --protocol rsync option in all plugins
- feat: add --egress-session-multiplexing option to accountModify
- feat: add groupSetServers to entirely change a group ACL in one shot
- feat: accountFreeze: terminate running sessions if any
- enh: add lock for group ACL change to avoid race conditions on busy bastions
- enh: selfPlaySession: remove sqliteLog.ttyrecfile dependency
- enh: autologin: set term to raw noecho when --no-tty is used
- chg: add Ubuntu 24.04 LTS
- chg: bump OpenSUSE Leap from 15.5 to 15.6
- chg: Debian12, Ubuntu20+: enable sntrup KEX by default
- chg: remove support for EOL CentOS 7
- fix: stealth_stdout/stderr was ignored for plugins (fix #482)
- fix: ignore transient errors during global destruction
- fix: install under FreeBSD 13.2
⏩ Upgrading
v3.16.99-rc3
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
Please read the rc2 changes that are also included in this pre-release.
This release, the rc3, expected to be the last release candidate, fixes a regression introduced in the rc1.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- fix: regression introduced by 932e72e for stealth stdout in ssh
⏩ Upgrading
v3.16.99-rc2
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
Please read the rc1 changes that are also included in this pre-release.
The rc2 adds support for rsync (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new --protocol option, which will permit adding more protocols if needed, without requiring new named options. The previous options are still supported and will keep working, even if the documentation has been updated to only reference --protocol.
We also add a new per-account option: egress session multiplexing (usage of the ControlPath and ControlMaster ssh client options), for accounts opening a large number of connections to the same hosts, as is the case with e.g. Ansible. You'll find it in the accountModify documentation.
Worth noting is also a new plugin: groupSetServers, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely on several groupAddServer and groupDelServer calls.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: add rsync support through the --protocol rsync option in all plugins
- feat: add --egress-session-multiplexing option to accountModify
- feat: add groupSetServers to entirely change a group ACL in one shot
- enh: add lock for group ACL change to avoid race conditions on busy bastions
- enh: selfPlaySession: remove sqliteLog.ttyrecfile dependency
- chore: FreeBSD: ignore OS version mismatch with packages
- chore: selfMFASetupPassword: clearer message
⏩ Upgrading
v3.16.99-rc1
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
This is a pre-release, so that the #461 change can be thoroughly tested before being promoted to a release.
This release updates the supported OS list as follows:
- drop support for Ubuntu 16.04 and CentOS 7
- add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6
This release adds support for wildcards (also called "shell-style globbing characters"), namely ? and *, when using the --user option for plugins such as groupAddServer, groupDelServer, groupAddGuestAccess, groupDelGuestAccess, accountAddPersonalAccess, accountDelPersonalAccess, selfAddPersonalAccess, selfDelPersonalAccess. This implements #461.
We also enable the sntrup KEX algorithm by default on shipped versions of sshd_config and ssh_config; read the specific upgrade instructions linked below if you're interested and this is not a new installation.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: accountFreeze: terminate running sessions if any
- feat: support wildcards in --user (fix #461)
- enh: autologin: set term to raw noecho when --no-tty is used
- fix: stealth_stdout/stderr was ignored for plugins (fix #482)
- fix: ignore transient errors during global destruction
- fix: install under FreeBSD 13.2
- fix: selfGenerateProxyPassword: help message was incorrect
- chg: add Ubuntu 24.04 LTS
- chg: bump OpenSUSE Leap from 15.5 to 15.6
- chg: Debian12, Ubuntu20+: enable sntrup KEX by default
- chg: remove support for EOL CentOS 7
- chore: adapt help messages for wildcard --user support
- chore: install-ttyrec: bump latest known version fallback
⏩ Upgrading
v3.16.01
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.14.15 (2023-11-08)
💡 Highlights
This release only has minor changes. It was tagged back in April, but the formal GitHub Release was missing!
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- enh: info plugin: removed uname dependency, added configuration
- chg: bastion-sync-helper.sh: use sh instead of bash
- fix: alive plugin: don't mask signals