From 4adfb642c4158df58faf8bf893edfd285eb9f662 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Wed, 10 Apr 2024 09:19:52 +0000 Subject: [PATCH] release 3.16.00 --- bin/plugin/restricted/groupCreate | 1 + doc/CHANGELOG.md | 28 +++++++++++-------- doc/sphinx/installation/upgrading.rst | 20 +++++++++++++ doc/sphinx/plugins/restricted/groupCreate.rst | 1 + lib/perl/OVH/Bastion.pm | 2 +- 5 files changed, 40 insertions(+), 12 deletions(-) diff --git a/bin/plugin/restricted/groupCreate b/bin/plugin/restricted/groupCreate index 7e4dffa2f..8e66561ac 100755 --- a/bin/plugin/restricted/groupCreate +++ b/bin/plugin/restricted/groupCreate @@ -45,6 +45,7 @@ Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE For ED25519, size is always 256. --no-key Don't generate an egress SSH key at all for this group + EOF OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0); return 0; diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index d8b01d4e8..abf477a3e 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,9 @@ +## v3.16.00 - 2024/04/10 +- feat: support hardware-based Secure Keys (FIDO2) for ingress authentication +- enh: remove netcat dependency by using perl builtins +- enh: --wait now checks whether the TCP port is open instead of just pinging the host +- fix: logic error in etc/pam.d/sshd.rhel breaking MFA handling if enabled + ## v3.15.00 - 2024/03/22 - feat: add ``dnsSupportLevel`` option for systems with broken DNS (fixes #397) - enh: allow ``@`` as a valid remote user char (fixes #437) @@ -6,17 +12,17 @@ - fix: avoid a warning when an non-resolvable host is specified with ``scp`` or ``sftp`` ## v3.14.16 - 2024/02/20 -feat: add ``ttyrecStealthStdoutPattern`` config -enh: ``batch``: openhandle() is overkill and doesn't work on EOF -enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins -enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock`` -enh: plugins: better signal handling to avoid dangling children processes -fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts -fix: don't exit with ``fping`` when host is unreachable -fix: ``fixrights.sh``: add +x ``run-tool.sh`` -fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433) -fix: install: generation of the MFA secret under FreeBSD -fix: install: silence ``tr`` message on secret generation +- feat: add ``ttyrecStealthStdoutPattern`` config +- enh: ``batch``: openhandle() is overkill and doesn't work on EOF +- enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins +- enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock`` +- enh: plugins: better signal handling to avoid dangling children processes +- fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts +- fix: don't exit with ``fping`` when host is unreachable +- fix: ``fixrights.sh``: add +x ``run-tool.sh`` +- fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433) +- fix: install: generation of the MFA secret under FreeBSD +- fix: install: silence ``tr`` message on secret generation ## v3.14.15 - 2023/11/08 - feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140) diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index a92aa3569..cb123b18b 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst @@ -27,6 +27,26 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.16.00 - 2024/04/10 +********************* + +This version adds support for Secure Keys (FIDO2) for ingress authentication. It requires at least OpenSSH 8.2 +installed on the server hosting The Bastion, as support for FIDO2 was added in this version. +Of the currently supported OS versions, the following are known to have a recent-enough version: + +- Debian 11 +- Debian 12 +- Ubuntu 20.04 +- Ubuntu 22.04 +- OpenSUSE Leap 15.5 +- Rocky Linux 9 + +Note that if you are upgrading, you'll need to enable the new ingress algorithms in the ``/etc/bastion/bastion.conf`` +file, under the ``allowedIngressSshAlgorithms`` option. You may want to add ``ecdsa-sk`` and ``ed25519-sk`` to the list +if you want to support the FIDO2-backed versions of these two algorithms. +You may also refer to the distributed default configuration file in ``etc/bastion/bastion.conf.dist``, +which enables them by default. + v3.15.00 - 2024/03/22 ********************* diff --git a/doc/sphinx/plugins/restricted/groupCreate.rst b/doc/sphinx/plugins/restricted/groupCreate.rst index 7d4f05fb6..f7625d060 100644 --- a/doc/sphinx/plugins/restricted/groupCreate.rst +++ b/doc/sphinx/plugins/restricted/groupCreate.rst @@ -47,6 +47,7 @@ Create a group Don't generate an egress SSH key at all for this group + A quick overview of the different algorithms: .. code-block:: none diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index f41ed7a07..f5b12fc83 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -5,7 +5,7 @@ use common::sense; use Fcntl; use POSIX qw(strftime); -our $VERSION = '3.15.00'; +our $VERSION = '3.16.00'; BEGIN { # only used by the handler below