github ovh/the-bastion v3.23.99-rc3

pre-release, 4 hours ago

⚠️ This is a release candidate

Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs.
Please refrain from using this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for,
which may outweigh the potential drawbacks of using a release candidate.

As rc2 didn't seem to have any issue, this version should go stable in a few days if no regression is found.

Changes since rc2:

  • enh: perf: speedup groupCreate on big bastions
  • fix: plugins help: better explanations in ACL management plugins
  • chore: doc: adjust the generation script to get proper indentation in generated files
  • doc: add documentation about realms (finally)
  • fix: (rc1): use HEXIT() in 3 helpers instead of main_exit()
  • fix: per-plugin lock time config was ignored
  • fix: connect.pl: spurious 'security violation error' on potential race condition

⚡ Security

  • No security fixes since previous release
  • Oldest release with no known security issue is v3.22.00 (2025-09-17)

💡 Highlights

The main feature of this pre-release is the long-awaited support for egress ProxyJump.
Thanks to both @jon4hz for the extensive work, and @deathiop for the extensive review! (#592).

You can now reach a target host through an intermediate SSH proxy, using the familiar OpenSSH
syntax (ssh mybastion -- -J myproxyuser@myproxyhost myremoteuser@mytarget). Accordingly, proxy parameters
(--proxy-host, --proxy-port, --proxy-user) have been added to access-management plugins.
Sessions established through a proxy are recorded as usual, with their own configurable ttyrec path layout.
The feature is disabled by default and enabled through the new egressProxyJumpAllowed option in bastion.conf.
In addition to SSH, SCP is also supported through a ProxyJump.

Another important highlight of this pre-release is performance on large bastions.

On bastions with thousands of accounts and/or groups, some of the plugins were painfully slow. They've been
optimized from an algorithmic complexity standpoint, and are now way faster. If you have gigantic bastions with
10k+ accounts and/or groups, some of these plugins, with a specific set of arguments, could take minutes to
complete: they now complete within seconds.
To further speed up all plugins, we now generate sharded and deduplicated sudoers files instead of one file
per account/group, reducing the filesystem I/O from O(nbgroups+nbaccounts) to O(1). On a test bastion with 1500
accounts and 1500 groups, this speeds up sudo execution time by 400%. This also speeds up the sudoers
regeneration time on install/upgrade on such an environment by 900%.

The other notable change is around the HTTPS Proxy, which now supports a graceful, zero-downtime reload:
on SIGHUP, the daemon re-execs in place while keeping the listening socket open, so in-flight requests
drain instead of being killed and no connection is refused. This reload is now triggered automatically on
upgrade (only if the proxy is already running).
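
The reload pattern described above (re-exec on SIGHUP while the listening socket stays open), shown in Python as an added example. This is not the-bastion's code (the project is written in Perl); the EXAMPLE_LISTEN_FD variable, port 8443 and the function names are assumptions made for illustration.

```python
import os
import signal
import socket
import sys

FD_ENV = "EXAMPLE_LISTEN_FD"  # hypothetical variable name, not the-bastion's


def acquire_listener(env, host="127.0.0.1", port=0):
    """Adopt the listener handed over by the previous image, or bind a new one."""
    fd = env.get(FD_ENV)
    if fd is not None:
        # Already bound and listening: the kernel kept queueing incoming
        # connections in the backlog while the process was re-exec'ing.
        return socket.socket(fileno=int(fd))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock


def handover_env(sock, env):
    """Environment for the new image, with the listener fd kept open across exec."""
    sock.set_inheritable(True)  # clear close-on-exec (Python sets it by default)
    return {**env, FD_ENV: str(sock.fileno())}


def serve(sock):
    reload_requested = False
    def on_sighup(signum, frame):
        nonlocal reload_requested
        reload_requested = True  # only a flag: the request being served finishes

    signal.signal(signal.SIGHUP, on_sighup)
    sock.settimeout(0.5)
    while not reload_requested:
        try:
            conn, _ = sock.accept()
        except socket.timeout:
            continue
        with conn:  # reply is sent before the reload flag is checked again
            conn.sendall(b"pid %d\n" % os.getpid())
    # Same PID, new program image, same listening socket: the port is never unbound.
    os.execve(sys.executable, [sys.executable, *sys.argv], handover_env(sock, os.environ))


if __name__ == "__main__":
    serve(acquire_listener(os.environ, port=8443))  # constructed port for the demo
```

Because the port is never released, there is no window in which connections are refused or another local process could bind the port during a reload.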

We also now officially support FreeBSD 14.4, 15.0 and 15.1. They're part of the routine regression test suite.

This pre-release also carries the usual round of fixes, a list of which can be found below.
For an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: implement proxy jump for egress connections (#592)
  • enh: perf: speedup groupList by resolving our roles in a single pass
  • enh: perf: speedup groupCreate on big bastions
  • enh: perf: add optional cache to is_account_active()
  • enh: perf: avoid O(accounts x groups) scans with a user->groups reverse index
  • enh: perf: sudoers sharding for a sudo performance boost on big bastions
  • enh: perf: disable the admin_flag option of sudo, where supported
  • enh: http proxy: graceful zero-downtime reload + pass body via STDIN
  • enh: harden osh-encrypt-rsync.pl against symlink attacks
  • enh: harden syslogFormatted() to proactively drop control characters
  • enh: get_from_for_user_key: use the canonicalized versions of IPs when building from=''
  • enh: packages-check.sh: install with --no-install-recommends on Debian/Ubuntu
  • enh: fix-group-gid.sh: also fix the group's corresponding user uid if applicable
  • fix: accountModifyCommand: granting/revoking accountGrantCommand now correctly requires admin
  • fix: realmCreate: re-check the from='' IP list validity in the helper
  • fix: http proxy: validate the user properly
  • fix: allow password authentication for egress if passwordAllowed is configured
  • fix: when using -P, ensure we go through JIT MFA
  • fix: account expiration & accountUnexpire usage for realm/user accounts
  • fix: groupCreate: specify the UID of the group's corresponding user
  • fix: defensive: refuse to proceed when using --bind shall get_bastion_ips() fail
  • fix: early check for port validity to avoid warnings later on
  • fix: per-plugin lock time config was ignored
  • fix: connect.pl: spurious 'security violation error' on potential race condition
  • chg: test all FreeBSD upstream-supported versions, and drop the HardenedBSD mention

⏩ Upgrading
