⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is v3.22.00 (2025-09-17)
💡 Highlights
This minor release mainly fixes an issue where a preexisting bastion group would have reserved a GID that you expected to allocate to a future account.
This is only of importance if you're using fixed UIDs to create accounts, and can't let the system pick the UIDs itself, for example because these UIDs are referenced in some other system of your company.
This change applies a GID shift to all the bastion groups to ensure they can never take a GID that would belong to a later-created account with a fixed UID/GID.
This shift amount is configurable in bastion.conf as groupGidMin (500000 by default).
Use the updated bin/admin/fix-group-gid.sh script to shift any preexisting group GID that would be out of the new groupGidMin range.
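To review which groups are concerned before shifting anything, the added example below (not part of The Bastion's code) reads group(5)-format lines on stdin and lists groups below groupGidMin as well as groups whose GID equals an ID you plan to give a future account. The `^key` name pattern, the sample group names and the planned IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit group(5)-format data (name:passwd:gid:members) on stdin.

# groups_below_min MIN REGEX
# Prints "name:gid" for each group whose name matches REGEX and whose GID is
# below MIN. REGEX is caller-supplied: how bastion groups are recognised by
# name on your system is an assumption you must provide.
groups_below_min() {
    awk -F: -v min="$1" -v re="$2" \
        '$1 ~ re && $3 ~ /^[0-9]+$/ && $3 + 0 < min + 0 { print $1 ":" $3 }'
}

# gid_collisions "ID ID ..."
# Prints "name:gid" for each group whose GID equals one of the UID/GID values
# you have reserved for accounts that do not exist yet.
gid_collisions() {
    awk -F: -v ids="$1" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($3 in want) { print $1 ":" $3 }'
}

# Constructed sample data, not taken from a real system.
sample_group_file() {
    cat <<'EOF'
root:x:0:
staff:x:1001:alice
keydemo:x:20010:alice
keydemo-owner:x:20011:alice
keyshifted:x:500042:bob
EOF
}

echo "Groups below groupGidMin (500000):"
sample_group_file | groups_below_min 500000 '^key'

echo "Groups holding a GID planned for a future account (20010, 30000):"
sample_group_file | gid_collisions "20010 30000"
```

On a live host, feed the functions with `getent group` instead of the sample data.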
We also get our usual round of fixes and enhancements, listed below.
For an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: accept -l as an additional alias to specify the username (mimicking ssh's option)
- enh: better interaction between systemd units and /home encryption
- fix: add groupGidMin to avoid stealing an account's GID
- fix: missing -regex following @cdbd6c7 from #550
- chore: deprecate the use of -f and -l in selfListIngressKeys