⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This release introduces a new global configuration option, ttyrecStealthStdoutPattern, to handle corner-cases where recording stdout of some specific commands would take up gigabytes. If you use rsync through the bastion, and noticed that some ttyrec files take up a gigantic amount of space, this might help salvaging your hard-drives!

Another noteworthy change is for users using pre-v3.14.15 scp or sftp helpers: this release introduces a compatibility logic to avoid requiring them to upgrade their helpers when JIT MFA is not required for their use case. Of course, when JIT MFA is required by policy, the connection will still fail and the only way to go through is to use the new wrappers that can support properly asking MFA to the users.

Otherwise, this release is mainly a bugfix / tiny enhancements release.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: add ttyrecStealthStdoutPattern config
• enh: osh-lingering-sessions-reaper.sh: handle dangling plugins
• enh: osh-orphaned-homedir.sh: also cleanup /run/faillock
• enh: plugins: better signal handling to avoid dangling children processes
• fix: scp/sftp: when using pre-v3.14.15 helpers, the JIT MFA logic now behaves as before, so that these old helpers still work when JIT MFA is not needed
• fix: accountInfo: return always_active=1 for globally-always-active accounts
• fix: ping: don't exit with fping when host is unreachable
• fix: osh-sync-watcher: default to a valid rshcmd (fixes #433)
• fix: install: generation of the MFA secret under FreeBSD

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.14.16