New features

Brute-force protection with IP blocking and user lockout #1630

_{by @mrmm}

Custom SSH banner #2125

The new parameter lets you set a custom banner to be displayed when users connect over SSH.

Global toggle for webSSH #2119

Added an option to disable WebSSH entirely

Option to disable password login #2128

Added an option to disable the password login form entirely, allowing only SSO authentication.

Changes

• Add configurable roles_claim for custom OIDC providers by @noammeltzer-ax in #2113
  • Lets you sync roles from OIDC providers that do not support custom claim names
• fixed #2112 - support receiving pre-expired cookies from upstream by @Eugeny in #2126
  • Upstream cookies that with an expiration date in the past are not passed through as-is
• fixed #2066 - offer hmac-sha1 when insecure algorithms are allowed by @Eugeny in #2127
  • Enabling "Insecure ciphers" for an SSH target now also enables the hmac-sha1 MAC algorithm, which was previously never enabled.
• ci(docker): sign and attest (SBOM, provenance) the published image by @mathieuHa in #2090
• Warn on unknown/misplaced config keys instead of silently dropping them by @ndreno in #2099

Fixes

• Terminate HTTP target WebSockets on logout by @snvtac in #2111
• fixed #2027 - case-insensitive username comparison for web approval by @Eugeny in #2117
• fixed #2103 - do not auto-advance login state to SSO on invalid password by @Eugeny in #2118

New Contributors

• @ndreno made their first contribution in #2099
• @snvtac made their first contribution in #2111
• @noammeltzer-ax made their first contribution in #2113

Full Changelog: v0.25.6...v0.26.0-beta.1