💡 Highlights
Documentation about the following satellite configuration files is now automatically generated:
- The script responsible for encrypting and optionally moving the ttyrec files out of the server (osh-encrypt-rsync.conf)
- The script responsible for backing up everything needed to be able to restore a bastion from scratch (osh-backup-acl-keys.conf)
- The script responsible for the expiration of PIV grace periods (osh-piv-grace-reaper.conf)
- The script responsible for the HA synchronization between instances (osh-sync-watcher.conf)
Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18 characters limit.
accountInfo gets a speed boost by no longer listing the user's groups by default, you can still specify --list-groups to get them.
Individual accounts can now be configured to be immune to the global account expiration policy, see the --max-inactive-days option of both accountCreeate and accountModify commands.
We're also paving the way for Debian 11. All tests have been running fine since some time now, and starting from this release the pam template will now use pam_faillock under Debian 11 instead of the deprecated pam_tally2 module.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: support pam_faillock for Debian 11 (#163)
- feat: add
--fallback-password-delay(3) for ssh password autologin - enh: add
max_inactive_daysto account configuration (#230) - enh:
accountInfo: add--list-groups - enh: max account length is now 28 chars up from 18
- enh: better error message when unknown option is used
- enh: better use of account creation metadata
- enh: config reading: add rootonly parameter
- fix:
accountCreate:--uid-auto: rare case where a free UID couldn't be found - doc: generate scripts doc reference for satellite scripts
- doc: add faq about session locking (#226)
- misc: a few other unimportant fixes