github ovh/the-bastion v3.17.00

latest release: v3.17.01
one month ago

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This releases updates the supported OS list as follows:

  • drop support for Ubuntu 16.04 and CentOS 7
  • add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6

Appart from the supported OS list, this release has a lot of changes, the most important ones are summarized below.

Add support of rsync (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new --protocol option, which will permit adding more protocols if needed, without requiring adding new named options. The previous options are still supported and will keep working, even if the documentation has been updated to only reference --protocol.

Add support of wildcards (also called "shell-style globbing characters"), namely ? and *,
when using the --user option for plugins such as groupAddServer, groupDelServer, groupAddGuestAccess,
groupDelGuestAccess, accountAddPersonalAccess, accountDelPersonalAccess, selfAddPersonalAccess,
selfDelPersonalAccess. This implements #461.

Add a new per-account option: egress session multiplexing (usage of the ControlPath and ControlMaster ssh client options), for accounts opening a large number of connections to the same hosts, such as is the case with e.g. Ansible usage. You'll find it in the accountModify documentation.

Worth noting is also a new plugin: groupSetServers, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely in several groupAddServer and groupDelServer calls.

We also enable the sntrup761x25519-sha512@openssh.com KEX algorithm by default on shipped versions
of sshd_config and ssh_config, read the specific upgrades instructions linked below if you're interested and this is not a new installation.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: support wildcards in --user (fix #461)
  • feat: add rsync support through the --protocol rsync option in all plugins
  • feat: add --egress-session-multiplexing option to accountModify
  • feat: add groupSetServers to entirely change a group ACL in one shot
  • feat: accountFreeze: terminate running sessions if any
  • enh: add lock for group ACL change to avoid race conditions on busy bastions
  • enh: selfPlaySession: remove sqliteLog.ttyrecfile dependency
  • enh: autologin: set term to raw noecho when --no-tty is used
  • chg: add Ubuntu 24.04 LTS
  • chg: bump OpenSUSE Leap from 15.5 to 15.6
  • chg: Debian12, Ubuntu20+: enable sntrup KEX by default
  • chg: remove support for EOL CentOS 7
  • fix: stealth_stdout/stderr was ignored for plugins (fix #482)
  • fix: ignore transient errors during global destruction
  • fix: install under FreeBSD 13.2

⏩ Upgrading

Don't miss a new the-bastion release

NewReleases is sending notifications on new releases.