github ovh/the-bastion v3.23.99-rc2

pre-release, 4 hours ago

⚠️ This is a release candidate

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs.
Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for,
which may outweigh the potential drawbacks of using a release candidate.

This version will go stable in a few days/weeks if no regression is found.

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.22.00 (2025-09-17)

💡 Highlights

The main feature of this pre-release is the long-awaited support for egress ProxyJump.
Thanks to both @jon4hz for the extensive work, and @deathiop for the extensive review! (#592).

You can now reach a target host through an intermediate SSH proxy, using the familiar OpenSSH
syntax (ssh mybastion -- -J myproxyuser@myproxyhost myremoteuser@mytarget). Accordingly, proxy parameters
(--proxy-host, --proxy-port, --proxy-user) have been added to access-management plugins.
Sessions established through a proxy are recorded as usual, with their own configurable ttyrec path layout.
The feature is disabled by default and enabled through the new egressProxyJumpAllowed option in bastion.conf.
In addition to SSH, SCP is also supported through a ProxyJump.

Another important highlight of this pre-release is performance on large bastions.

On bastions with thousands of accounts and/or groups, some of the plugins were painfully slow. They've been
optimized from an algorithmic complexity standpoint, and are now way faster. If you have gigantic bastions with
10k+ accounts and/or groups, some of these plugins, with a specific set of arguments, could take minutes to
complete: they now complete within seconds.
To further speed up all plugins, we now generate sharded and deduplicated sudoers files instead of one file
per account/group, reducing the filesystem I/O from O(nbgroups+nbaccounts) to O(1). On a test bastion with 1500
accounts and 1500 groups, this speeds up sudo execution time by 400%. This also speeds up the sudoers
regeneration time on install/upgrade on such an environment by 900%.

The other notable change is around the HTTPS Proxy, which now supports a graceful, zero-downtime reload:
on SIGHUP, the daemon re-execs in place while keeping the listening socket open, so in-flight requests
drain instead of being killed and no connection is refused. This reload is now triggered automatically on
upgrade (only if the proxy is already running).
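
The reload pattern described above (re-exec on SIGHUP while the listening socket stays open), as an added Python example of the general technique; it is not The Bastion's own code. The environment variable name, the port and the echo handler are assumptions made for the example.

```python
import os
import signal
import socket
import sys

FD_ENV = "EXAMPLE_LISTEN_FD"  # hypothetical variable name, chosen for this example

def get_listener(host="127.0.0.1", port=8443):
    """Adopt the listening socket left by the previous image, else bind a new one."""
    inherited = os.environ.get(FD_ENV)
    if inherited is not None:
        return socket.socket(fileno=int(inherited))  # same kernel socket and backlog
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock

def prepare_reexec(listener):
    """Let the listening fd survive exec; return the environment for the new image."""
    os.set_inheritable(listener.fileno(), True)  # Python fds are close-on-exec by default
    env = dict(os.environ)
    env[FD_ENV] = str(listener.fileno())
    return env

def handle(conn):
    """Stand-in request handler (assumption): echo one message back."""
    with conn:
        conn.sendall(conn.recv(4096))

def serve(listener):
    reload_requested = []
    signal.signal(signal.SIGHUP, lambda signum, frame: reload_requested.append(signum))
    listener.settimeout(0.5)  # wake up regularly to notice a pending SIGHUP
    while not reload_requested:
        try:
            conn, _peer = listener.accept()
        except socket.timeout:
            continue
        handle(conn)  # the in-flight request finishes before any reload
    # The listener is never closed: connections arriving during exec wait in its backlog.
    os.execve(sys.executable, [sys.executable] + sys.argv, prepare_reexec(listener))

if __name__ == "__main__":
    serve(get_listener())
```

Because the same kernel socket is reused, a client that connects between the SIGHUP and the new image's first accept() is queued rather than refused.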

We also now officially support FreeBSD 14.4, 15.0 and 15.1. They're part of the routine regression test suite.

This pre-release also carries the usual round of fixes, of which a list can be found below.
For an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: implement proxy jump for egress connections (#592)
  • enh: perf: speedup groupList by resolving our roles in a single pass
  • enh: perf: add optional cache to is_account_active()
  • enh: perf: avoid O(accounts x groups) scans with a user->groups reverse index
  • enh: perf: sudoers sharding for a sudo performance boost on big bastions
  • enh: perf: disable the admin_flag option of sudo, where supported
  • enh: http proxy: graceful zero-downtime reload + pass body via STDIN
  • enh: harden osh-encrypt-rsync.pl against symlink attacks
  • enh: harden syslogFormatted() to proactively drop control characters
  • enh: get_from_for_user_key: use the canonicalized versions of IPs when building from=''
  • enh: packages-check.sh: install with --no-install-recommends on Debian/Ubuntu
  • enh: fix-group-gid.sh: also fix the group's corresponding user uid if applicable
  • fix: accountModifyCommand: granting/revoking accountGrantCommand now correctly requires admin
  • fix: realmCreate: re-check the from='' IP list validity in the helper
  • fix: http proxy: validate the user properly
  • fix: allow password authentication for egress if passwordAllowed is configured
  • fix: when using -P, ensure we go through JIT MFA
  • fix: account expiration & accountUnexpire usage for realm/user accounts
  • fix: groupCreate: specify the UID of the group's corresponding user
  • fix: defensive: refuse to proceed when using --bind shall get_bastion_ips() fail
  • fix: early check for port validity to avoid warnings later on
  • chg: test all FreeBSD upstream-supported versions, and drop the HardenedBSD mention

⏩ Upgrading
