v3.17.01

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

No specific highlight, as this release addresses a few issues and minor enhancements.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• enh: interactive: handle CTRL+C nicely (fix #497)
• fix: osh.pl: remove a warning on interactive mode timeout
• fix: allow ssh-as in connect.pl
• chore: fix bad scpup/scpupload scp/scpdownload references in help and doc (thanks @TomRicci!)

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.17.01

v3.17.00

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This releases updates the supported OS list as follows:

• drop support for Ubuntu 16.04 and CentOS 7
• add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6

Appart from the supported OS list, this release has a lot of changes, the most important ones are summarized below.

Add support of rsync (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new --protocol option, which will permit adding more protocols if needed, without requiring adding new named options. The previous options are still supported and will keep working, even if the documentation has been updated to only reference --protocol.

Add support of wildcards (also called "shell-style globbing characters"), namely ? and *,
when using the --user option for plugins such as groupAddServer, groupDelServer, groupAddGuestAccess,
groupDelGuestAccess, accountAddPersonalAccess, accountDelPersonalAccess, selfAddPersonalAccess,
selfDelPersonalAccess. This implements #461.

Add a new per-account option: egress session multiplexing (usage of the ControlPath and ControlMaster ssh client options), for accounts opening a large number of connections to the same hosts, such as is the case with e.g. Ansible usage. You'll find it in the accountModify documentation.

Worth noting is also a new plugin: groupSetServers, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely in several groupAddServer and groupDelServer calls.

We also enable the sntrup761x25519-sha512@openssh.com KEX algorithm by default on shipped versions
of sshd_config and ssh_config, read the specific upgrades instructions linked below if you're interested and this is not a new installation.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: support wildcards in --user (fix #461)
• feat: add rsync support through the --protocol rsync option in all plugins
• feat: add --egress-session-multiplexing option to accountModify
• feat: add groupSetServers to entirely change a group ACL in one shot
• feat: accountFreeze: terminate running sessions if any
• enh: add lock for group ACL change to avoid race conditions on busy bastions
• enh: selfPlaySession: remove sqliteLog.ttyrecfile dependency
• enh: autologin: set term to raw noecho when --no-tty is used
• chg: add Ubuntu 24.04 LTS
• chg: bump OpenSUSE Leap from 15.5 to 15.6
• chg: Debian12, Ubuntu20+: enable sntrup KEX by default
• chg: remove support for EOL CentOS 7
• fix: stealth_stdout/stderr was ignored for plugins (fix #482)
• fix: ignore transient errors during global destruction
• fix: install under FreeBSD 13.2

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.17.00

v3.16.99-rc3

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

Please read the rc2 changes that are also included in this pre-release.

This release, the rc3, expected to be the last release candidate, fixes a regression introduced in the rc1.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• fix: regression introduced by 932e72e for stealth stdout in ssh

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.16.99-rc3

v3.16.99-rc2

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

Please read the rc1 changes that are also included in this pre-release.

The rc2 add support of rsync (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new --protocol option, which will permit adding more protocols if needed, without requiring adding new named options. The previous options are still supported and will keep working, even if the documentation has been updated to only reference --protocol.

We also add a new per-account option: egress session multiplexing (usage of the ControlPath and ControlMaster ssh client options), for accounts opening a large number of connections to the same hosts, such as is the case with e.g. Ansible usage. You'll find it in the accountModify documentation.

Worth noting is also a new plugin: groupSetServers, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely in several groupAddServer and groupDelServer calls.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: add rsync support through the --protocol rsync option in all plugins
• feat: add --egress-session-multiplexing option to accountModify
• feat: add groupSetServers to entirely change a group ACL in one shot
• enh: add lock for group ACL change to avoid race conditions on busy bastions
• enh: selfPlaySession: remove sqliteLog.ttyrecfile dependency
• chore: FreeBSD: ignore OS version mismatch with packages
• chore: selfMFASetupPassword: clearer message

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.16.99-rc2

v3.16.99-rc1

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This is a pre-release, so that the #461 change can be thoroughly tested before being promoted to a release.

This releases updates the supported OS list as follows:

• drop support for Ubuntu 16.04 and CentOS 7
• add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6

This release adds support of wildcards (also called "shell-style globbing characters"), namely ? and *,
when using the --user option for plugins such as groupAddServer, groupDelServer, groupAddGuestAccess,
groupDelGuestAccess, accountAddPersonalAccess, accountDelPersonalAccess, selfAddPersonalAccess,
selfDelPersonalAccess. This implements #461.

We also enable the sntrup761x25519-sha512@openssh.com KEX algorithm by default on shipped versions
of sshd_config and ssh_config, read the specific upgrades instructions linked below if you're interested and this is not a new installation.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: accountFreeze: terminate running sessions if any
• feat: support wildcards in --user (fix #461)
• enh: autologin: set term to raw noecho when --no-tty is used
• fix: stealth_stdout/stderr was ignored for plugins (fix #482)
• fix: ignore transient errors during global destruction
• fix: install under FreeBSD 13.2
• fix: selfGenerateProxyPassword: help message was incorrect
• chg: add Ubuntu 24.04 LTS
• chg: bump OpenSUSE Leap from 15.5 to 15.6
• chg: Debian12, Ubuntu20+: enable sntrup KEX by default
• chg: remove support for EOL CentOS 7
• chore: adapt help messages for wildcard --user support
• chore: install-ttyrec: bump latest known version fallback

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.16.99-rc1

v3.16.01

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This release only has minor changes. It has been tagged back in April but the formal GitHub Release was missing!

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• enh: info plugin: removed uname dependency, added configuration
• chg: bastion-sync-helper.sh: use sh instead of bash
• fix: alive plugin: don't mask signals

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.16.01

v3.16.00

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

The main noteworthy change in this release is the support for so-called Secure Keys 🔑 (FIDO2) for ingress connection. If you're upgrading from a previous version, you'll have to enable support in the configuration file, refer to the specific upgrade instructions below. This is enabled on new installations by default.

How to generate and use a Secure Key from your hardware token to secure SSH access is usually detailed in the documentation of your hardware key vendor (For example Yubico).

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: support hardware-based Secure Keys (FIDO2) for ingress authentication
• enh: remove netcat dependency by using perl bultins
• enh: --wait now checks whether the TCP port is open instead of just pinging the host
• fix: logic error in etc/pam.d/sshd.rhel breaking MFA handling if enabled

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.16.00

v3.15.00

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This release introduces two notable changes, apart from the usual fixes and enhancements:
A new global configuration option, dnsSupportLevel for systems with non-working DNS (fixes #397).
Support of the @ character when referencing the name of a remote account in a personal or group-based access (fixes #437).

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: add dnsSupportLevel for systems with broken DNS (fixes #397)
• enh: allow @ as a valid remote user char
• fix: connect.pl: don't look for error messages when sysret==0
• fix: avoid a warn() when an non-resolvable host is specified with scp or sftp

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.15.00

v3.14.16

⚡ Security

• No security fixes since previous release
• Oldest release with no known security issue is v3.14.15 (2023-11-08)

💡 Highlights

This release introduces a new global configuration option, ttyrecStealthStdoutPattern, to handle corner-cases where recording stdout of some specific commands would take up gigabytes. If you use rsync through the bastion, and noticed that some ttyrec files take up a gigantic amount of space, this might help salvaging your hard-drives!

Another noteworthy change is for users using pre-v3.14.15 scp or sftp helpers: this release introduces a compatibility logic to avoid requiring them to upgrade their helpers when JIT MFA is not required for their use case. Of course, when JIT MFA is required by policy, the connection will still fail and the only way to go through is to use the new wrappers that can support properly asking MFA to the users.

Otherwise, this release is mainly a bugfix / tiny enhancements release.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: add ttyrecStealthStdoutPattern config
• enh: osh-lingering-sessions-reaper.sh: handle dangling plugins
• enh: osh-orphaned-homedir.sh: also cleanup /run/faillock
• enh: plugins: better signal handling to avoid dangling children processes
• fix: scp/sftp: when using pre-v3.14.15 helpers, the JIT MFA logic now behaves as before, so that these old helpers still work when JIT MFA is not needed
• fix: accountInfo: return always_active=1 for globally-always-active accounts
• fix: ping: don't exit with fping when host is unreachable
• fix: osh-sync-watcher: default to a valid rshcmd (fixes #433)
• fix: install: generation of the MFA secret under FreeBSD

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.14.16

v3.14.15

⚡ Security

• Fixed CVE-2023-45140 with severity 4.8 (CVSS 3.0)

💡 Highlights

This release fixes a security issue where JIT MFA on sftp and scp plugins was not honored. Please refer to CVE-2023-45140 for impact and mitigation details.
Upgrading to this version is sufficient to fix the issue, but please read through the specific upgrading instructions of this version.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: support JIT MFA through plugins, including sftp and scp (fixes CVE-2023-45140)
• feat: add configuration option for plugins to override the global lock/kill timeout
• enh: setup-gpg.sh: allow importing multiple public keys at once
• enh: connect.pl: report empty ttyrec as ttyrec_empty instead of ttyrec_error
• enh: orphaned homedirs: adjust behavior on master instances
• fix: check_collisions: don't report orphan uids on slave, just use their name
• fix: scp: adapt wrapper and tests to new scp versions requiring -O
• meta: dev: add devenv docker, pre-commit info, and documentation on how to use them, along with how to write integration tests

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.14.15