Releases: ovh/the-bastion

v3.01.02

08 Dec 17:46
2421a12

Changelog:

  • feat: support CentOS 8.3
  • fix: is_valid_remote_user: extend allowed size from 32 to 128
  • doc: bastions.conf.dist: wrong options values in accountMFAPolicy comments
  • chore: packages-check: remove unused packages

Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release.

How to upgrade

v3.01.01

04 Dec 16:42
eb80296

Changelog:

  • fix: interactive mode: mark non-printable chars as such to avoid readline quirks
  • fix: osh-encrypt-rsync: remove logfile as a mandatory parameter
  • fix: typo in MFAPasswordWarnDays parameter in bastion.conf.dist
  • enh: interactive mode: better autocompletion for accountCreate and adminSudo
  • enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
  • doc: add information about puppet-thebastion and yubico-piv-checker + some adjustments
  • chore: tests: fail the tests when code is not tidy

How to upgrade

v3.01.00

20 Nov 16:45
d1ed88e

Changelog:

  • feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
  • feat: partial MFA support for FreeBSD
  • feat: add interactiveModeByDefault option (#54)
  • feat: install: add SELinux module for TOTP MFA (#26)
  • enh: httpproxy: add informational headers to the egress side request
  • fix: osh.pl: validate remote user and host format to fail early if invalid
  • fix: osh-encrypt-rsync.pl: allow more broad chars to avoid leaving weird-named files behind
  • fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss /root/.gnupg/secring.gpg
  • fix: selfListSessions: bad sorting of the list
  • misc: a few other fixes here and there

How to upgrade

Specific upgrade instructions:

A new bastion.conf option was introduced: interactiveModeByDefault. If not present in your config file, its value defaults to 1 (true), which changes the behavior of The Bastion when a user connects without specifying any command. When this happens, it'll now display the help then drop the user into interactive mode (if this mode is enabled), instead of displaying the help and aborting with an error message. Set it to 0 (false) if you want to keep the previous behavior.

An SELinux module has been added in this version, to ensure TOTP MFA works correctly on systems where SELinux is in enforcing mode. This module will be installed automatically whenever SELinux is detected on the system. If you don't want to use this module, specify --no-install-selinux-module on your /opt/bastion/bin/admin/install upgrade call (please refer to the generic upgrade instructions for more details).

v3.00.02

16 Nov 11:16
beec8af
  • feat: add more archs to dockerhub sandbox, it is now available for linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le and linux/s390x.
  • fix: adminSudo: allow called plugins to read from stdin
  • fix: add missing echo in the entrypoint of the sandbox
  • chore: install-ttyrec.sh: adapt for multiarch

v3.00.01

06 Nov 15:27
e2ed415
  • feat: add OpenSUSE 15.2 to the officially supported distros
  • enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
  • enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
  • enh: provide a separated Dockerfile for the sandbox, squashing useless layers
  • doc: a lot of fixes here and there
  • chore: remove spurious config files
  • chore: a few GitHub actions workflow fixes

v3.00.00

30 Oct 10:34
8851257

This is the first public release!