github ovh/the-bastion v3.23.99-rc1

pre-release, 4 hours ago

⚠️ This is a release candidate

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs.
Please refrain from using this version in critical production systems, unless it contains either a feature you really need or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.

An rc2 is already planned before this goes GA.

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.22.00 (2025-09-17)

💡 Highlights

An important highlight of this pre-release is performance on large bastions.
On bastions with thousands of accounts and/or groups, some of the plugins were painfully slow. They've been optimized from an algorithmic complexity standpoint and are now way faster. If you have gigantic bastions with 10k+ accounts and/or groups, some of these plugins, with a specific set of arguments, could take minutes to complete: they now complete within seconds.
To further speed up all plugins, we now generate sharded and deduplicated sudoers files instead of one file per account/group, reducing the filesystem I/O from O(nbgroups+nbaccounts) to O(1). On a test bastion with 1500 accounts and 1500 groups, this speeds up sudo execution time by 400%. This also speeds up the sudoers regeneration time on install/upgrade on such an environment by 900%.
Note that part of this work will only be in the upcoming rc2.

The other notable change is around the HTTPS Proxy, which now supports a graceful, zero-downtime reload: on SIGHUP, the daemon re-execs in place while keeping the listening socket open, so in-flight requests drain instead of being killed and no connection is refused. This reload is now triggered automatically on upgrade (only if the proxy is already running).
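To make the reload mechanism described above concrete, here is an added example that is not part of the-bastion's HTTPS proxy (which is written in Perl): a small forking TCP daemon in Python that re-execs itself on SIGHUP while handing its already-bound listening socket to the replacement process. The `PROXY_LISTEN_FD` environment variable name, the echo-style `handle_connection` worker and the one-connection-per-child model are assumptions made for the illustration; the point it shows is that the listener is never closed, so pending connections queue in the kernel rather than being refused, and children already serving a request are untouched by the parent's exec.

```python
"""Forking TCP daemon that re-execs itself on SIGHUP while keeping its listener open.

Hypothetical illustration (not the-bastion's own HTTPS proxy code): the listening
socket is handed to the replacement process through an inherited fd, so there is no
close/bind/listen gap in which clients would see "connection refused".
"""
import os
import select
import signal
import socket
import sys

# Assumed name for the environment variable carrying the listener fd across exec.
LISTEN_FD_ENV = "PROXY_LISTEN_FD"


def open_listener(host, port, env=None):
    """Return (socket, inherited).

    If a predecessor process left a listener fd in ``env``, adopt it instead of
    binding a new socket: the kernel queue of pending connections survives intact.
    """
    env = os.environ if env is None else env
    fd = env.get(LISTEN_FD_ENV)
    if fd is not None:
        return socket.socket(fileno=int(fd)), True
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock, False


def build_reexec_env(sock, base_env):
    """Environment for the replacement process: the caller's vars plus the listener fd."""
    env = dict(base_env)
    env[LISTEN_FD_ENV] = str(sock.fileno())
    return env


def reexec_in_place(sock):
    """Replace this process image with a fresh copy of the same program, same PID."""
    # Python opens fds close-on-exec by default; the listener must survive exec.
    os.set_inheritable(sock.fileno(), True)
    # Per-connection children forked in serve() are untouched by the parent's exec:
    # they keep their accepted sockets and finish their work, so in-flight requests drain.
    os.execve(sys.executable, [sys.executable] + sys.argv,
              build_reexec_env(sock, os.environ))


def handle_connection(conn):
    """Stand-in worker (echoes one read back); a real proxy would forward the request."""
    with conn:
        data = conn.recv(4096)
        conn.sendall(data)


def serve(host="127.0.0.1", port=8080):
    sock, inherited = open_listener(host, port)
    print(f"pid {os.getpid()}: {'adopted' if inherited else 'opened'} listener on {sock.getsockname()}")
    reload_flag = []
    signal.signal(signal.SIGHUP, lambda *_: reload_flag.append(True))
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)  # let the kernel reap finished children
    while True:
        # select() with a timeout makes the loop notice the SIGHUP flag within a second
        # (Python transparently retries interrupted syscalls, so a bare accept() would not).
        ready, _, _ = select.select([sock], [], [], 1.0)
        if reload_flag:
            reexec_in_place(sock)  # never returns on success
        if not ready:
            continue
        conn, _ = sock.accept()
        if os.fork() == 0:
            sock.close()          # the child only serves its one connection
            handle_connection(conn)
            os._exit(0)
        conn.close()              # the parent keeps only the listener


if __name__ == "__main__":
    serve()
```

Run it, connect with `nc 127.0.0.1 8080`, then send `kill -HUP <pid>` from another terminal: the PID stays the same, the "adopted listener" line is printed by the new image, and connections made during the swap are accepted rather than refused. The same idea is what lets an upgrade trigger the reload automatically without a service interruption.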

We also now officially support FreeBSD 14.4, 15.0 and 15.1. They're part of the routine regression test suite.

This pre-release also carries the usual round of fixes, of which a list can be found below.
For an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • enh: perf: sudoers sharding for a sudo performance boost on big bastions
  • enh: perf: disable the admin_flag option of sudo, where supported
  • enh: http proxy: graceful zero-downtime reload + pass body via STDIN
  • enh: harden osh-encrypt-rsync.pl against symlink attacks
  • enh: harden syslogFormatted() to proactively drop control characters
  • enh: get_from_for_user_key: use the canonicalized versions of IPs when building from=''
  • enh: packages-check.sh: install with --no-install-recommends on Debian/Ubuntu
  • enh: fix-group-gid.sh: also fix the group's corresponding user uid if applicable
  • fix: accountModifyCommand: granting/revoking accountGrantCommand now correctly requires admin
  • fix: realmCreate: re-check the from='' IP list validity in the helper
  • fix: http proxy: validate the user properly
  • fix: allow password authentication for egress if passwordAllowed is configured
  • fix: when using -P, ensure we go through JIT MFA
  • fix: account expiration & accountUnexpire usage for realm/user accounts
  • fix: groupCreate: specify the UID of the group's corresponding user
  • fix: defensive: refuse to proceed when using --bind should get_bastion_ips() fail
  • fix: early check for port validity to avoid warnings later on
  • chg: test all FreeBSD upstream-supported versions, and drop the HardenedBSD mention
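The syslogFormatted() hardening in the list above (proactively dropping control characters) is easy to get wrong by only handling newlines, so here is an added example, not the-bastion's own Perl code, of a sanitizer that removes the whole C0, DEL and C1 control ranges from every field before a record is written. The `key="value"` record layout and the `syslog_formatted` name are assumptions for the illustration; the sample account and IP values are constructed.

```python
"""Drop control characters from every field before it reaches syslog.

Hypothetical illustration of the hardening the changelog mentions for
syslogFormatted(); the key="value" layout is an assumption, not the-bastion's format.
"""
import re

# C0 controls (NUL..US), DEL, and C1 controls (0x80..0x9F). Newlines and ESC are
# the important ones: a newline lets one event masquerade as several records, and
# ESC starts terminal escape sequences that can corrupt a log viewer.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def strip_control_chars(value):
    """Return value with every control character removed (dropped, not escaped)."""
    return _CONTROL_CHARS.sub("", str(value))


def syslog_formatted(event, **fields):
    """Build one single-line record; field names and values are both sanitized."""
    parts = [f"event={strip_control_chars(event)}"]
    for key, value in fields.items():
        parts.append(f'{strip_control_chars(key)}="{strip_control_chars(value)}"')
    return " ".join(parts)


# Constructed sample input: an account name carrying a newline followed by text that
# would look like a second record, and a remote address carrying an ANSI "clear
# screen" sequence. Neither survives into the emitted line.
SAMPLE_ACCOUNT = "alice\nevent=login account=root"
SAMPLE_IP = "192.0.2.10\x1b[2J"

if __name__ == "__main__":
    print(syslog_formatted("login", account=SAMPLE_ACCOUNT, ip=SAMPLE_IP))
```

Dropping rather than escaping keeps the record a single line regardless of which collector or viewer consumes it; printable non-ASCII text (accented letters, for example) is left untouched, so legitimate names are not mangled.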

⏩ Upgrading
