github ovh/the-bastion v3.19.00
on GitHub

one day ago

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this release is drum roll the official support of IPv6!
Most of the code was already IPv6-aware, but in some places IPv4 was assumed so these all have been adjusted to work with both IP versions.
Note that by default, IPv6 support is disabled, we've introduced the IPv6Allowed boolean option in bastion.conf that you must set to true to allow egress connections in IPv6. We've also taken this opportunity to add an IPv4Allowed option, which is enabled by default, you can set it to false should you want to have a strictly IPv6-only bastion!

The characters dictionary used by selfGeneratePassword and groupGeneratePassword has been reduced to only contain special characters recognized by the TL1 protocol, as some network devices only allow these. As this functionaly (SSH password autologin) is mainly aimed at network devices that don't support SSH keys, this has been deemed as a sane default to ensure proper compatibility. Note that this reduces the entropy of generated passwords a bit, but adding one or two characters to the password length is enough to compensate, should it be a concern in your environment.

We've also taken this opportunity to make a few other changes, such as:

  • speeding up the is_valid_ip check (35% speedup, noticeable for groups with thousands of ACLs)
  • set ECDSA as the default algorithm for generated egress keys instead of RSA, for new installs only (defaultAccountEgressKeyAlgorithm)

Some work has also been done around the unit tests (using the more standard TAP::Harness) and functional tests (speeding them up).

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: IPv6 support
  • feat: add agent forwarding support on egress side
  • chg: set ECDSA as default egress key algo for new installs
  • chg: groupInfo: remove deprecated JSON fields
  • chg: upgrade tests from FreeBSD 13.2 to 14.2
  • enh: 35% faster is_valid_ip() when fast=1
  • enh: accountInfo: add osh-only information for accounts
  • enh: tests: add --skip-functional-tests and --skip-unit-tests
  • enh: ssh autologin: allow TERM env passthrough
  • enh: use only TL1 special chars when generating passwords
  • fix: accountInfo: don't attempt (and fail) to display info non-auditors don't have access to
  • fix: groupInfo: don't attempt to (and fail) display the guest list when account doesn't have access to it
  • fix: deny subnets for nc, mtr, ping, alive plugins
  • fix: is_in_any_net: support matching subnets
  • fix: groupSetServers: don't ignore ACL comments
  • chore: faster tests by removing grant/revoke command dance
  • chore: tests: no longer run consistency check by default
  • chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
  • chore: use TAP::Harness for unit tests

⏩ Upgrading

Check out latest releases or
releases around ovh/the-bastion v3.19.00

Don't miss a new the-bastion release

NewReleases is sending notifications on new releases.

Get notifications