Stéphane Lesimple
11cbf63be8
chore: deprecate the use of -f and -l in selfListIngressKeys
3 weeks ago
jon4hz
2b75792318
feat: accept -l as user option
3 weeks ago
Stéphane Lesimple
b0868c1f29
enh: better interaction between systemd units and /home encryption
3 weeks ago
Stephane Lesimple
44488e8300
fix: add accountGidMin to avoid stealing an account's GID
...
Between account system groups (bearing the same GID number
as the UID they pertain to) and bastion groups, there
might be collisions on bastions with a very high number
of both accounts and groups.
This is only of importance if you're using fixed UIDs
to create accounts, and can't let the system pick the
UIDs itself (for example because these UIDs are referenced
in some other system of your company).
This fix applies a GID shifting to all the bastion groups
to ensure they can never take a GID that would pertain to
a later-to-be-created account with a fixed GID.
This shift amount is configurable in bastion.conf as
``accountGidMin``, 500000 by default.
Use the updated bin/admin/fix-group-gid.sh script to shift any
preexisting group GID that would be out of the new groupGidMin range.
3 weeks ago
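To make the collision described in the commit above concrete, here is a small added example written for this page; it is not The Bastion's bin/admin/fix-group-gid.sh and does not read a real host. It assumes that bastion system groups carry a `key-` prefix (an assumption made here, not stated in the commit) and uses constructed /etc/passwd and /etc/group contents. It lists bastion groups whose GID sits below accountGidMin, flags the ones that already share a GID with an existing account's UID, and computes a shifted GID (old GID plus accountGidMin, skipping any GID already allocated) for each of them.

```shell
#!/bin/sh
# Added example for this page, not The Bastion's bin/admin/fix-group-gid.sh.
# Models the collision the commit describes: an account's system group has
# GID == UID, so a bastion group that grabs a GID in the account range can
# collide with an account created later with a fixed UID. The fix is to keep
# every bastion group GID at or above accountGidMin.

ACCOUNT_GID_MIN=500000          # documented default of accountGidMin in bastion.conf
BASTION_GROUP_PREFIX="key-"     # ASSUMPTION: bastion system groups are named key-<name>

# Constructed sample /etc/passwd and /etc/group contents (not from a real host).
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1500:1500::/home/carol:/bin/bash'

SAMPLE_GROUP='alice:x:1001:
bob:x:1002:
carol:x:1500:
key-webteam:x:1003:alice,bob
key-dbteam:x:1500:carol
key-secops:x:500001:alice'

# Bastion groups whose GID is below accountGidMin: a future fixed-UID account
# could land on that number. Prints "group:gid".
needs_shift() {
  printf '%s\n' "$SAMPLE_GROUP" |
  awk -F: -v min="$ACCOUNT_GID_MIN" -v pfx="$BASTION_GROUP_PREFIX" '
    index($1, pfx) == 1 && $3 + 0 < min { print $1 ":" $3 }'
}

# Bastion groups that ALREADY share a GID with an existing account's UID.
# Prints "group:gid:account". Lines are tagged so one awk pass sees both files.
current_collisions() {
  {
    printf '%s\n' "$SAMPLE_PASSWD" | sed 's/^/passwd:/'
    printf '%s\n' "$SAMPLE_GROUP"  | sed 's/^/group:/'
  } | awk -F: -v pfx="$BASTION_GROUP_PREFIX" '
    $1 == "passwd" { uid[$4] = $2; next }   # $4 is the UID once the tag is prepended
    $1 == "group" && index($2, pfx) == 1 && ($4 in uid) { print $2 ":" $4 ":" uid[$4] }'
}

# Proposed remediation: shift each offending GID by accountGidMin, skipping any
# GID already allocated so two groups never end up sharing one. Prints "group:old:new".
shift_plan() {
  printf '%s\n' "$SAMPLE_GROUP" |
  awk -F: -v min="$ACCOUNT_GID_MIN" -v pfx="$BASTION_GROUP_PREFIX" '
    { used[$3] = 1; line[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        split(line[i], f, ":")
        if (index(f[1], pfx) != 1 || f[3] + 0 >= min) continue
        new = f[3] + min
        while (new in used) new++
        used[new] = 1
        print f[1] ":" f[3] ":" new
      }
    }'
}

echo "Bastion groups below accountGidMin ($ACCOUNT_GID_MIN):"; needs_shift
echo "Already colliding with an account UID:"; current_collisions
echo "Shift plan (group:old:new):"; shift_plan
```

On the constructed data, key-dbteam already collides with carol (GID 1500 == UID 1500), and key-webteam (1003) is only a future risk; key-secops is left alone because it already sits above accountGidMin. Before applying such a plan on a real bastion, the group files and any ACLs keyed on the old GID must be updated consistently, which is what the project's own script is for.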
Mathieu MD
7b3240e47a
Fix missing `-regex` following @cdbd6c7 from #550
1 month ago
Stéphane Lesimple
7275605565
release v3.23.00 ( #605 )
...
* release v3.23.00
* Update doc/release-notes/v3.23.00.md
---------
Co-authored-by: Adrien Barreau <adrien.barreau@live.fr>
2 months ago
Jonah
41bcbe3cd0
fix: stop banner service, not restart ( #603 )
2 months ago
Stéphane Lesimple
7457f3db0d
feat: add admin script apply-ingress-keys-from-globally.pl ( #604 )
2 months ago
Stéphane Lesimple
98336fdafe
feat: httpproxy: add support for more HTTP methods ( #601 )
...
By default this stays as before (GET and POST),
but more methods can be allowed through the
HTTP Proxy configuration.
2 months ago
Stéphane Lesimple
38d883c654
scp: more robust parsing for remote users with special chars ( #600 )
2 months ago
Jonah
bd9ba6fc4d
fix: return accountInfo if grace period is set ( #594 )
...
Signed-off-by: Jonah Zürcher <jonah.zuercher@adfinis.com>
2 months ago
toutoen
d558552c55
fix: hide mfa info msg in quiet mode ( #598 )
...
fixes #596
Co-authored-by: Antoine Guerrée <antoine.guerree+github@corp.ovh.com>
2 months ago
Jonah
bdc360b421
fix: debian 13 uses lastlog2 ( #590 )
...
* fix: debian 13 uses lastlog2
* fix: also make sure libpam-lastlog2 is installed
* fix: handle lastlog for ubuntu correctly
Co-authored-by: Stéphane Lesimple <speed47_github@speed47.net>
4 months ago
jon4hz
9daf0007e1
feat: switch banner if node is sealed
5 months ago
Stoiko Ivanov
9bc85ec3f4
fix: sign files when encrypting
...
This commit should address the issue reported as GHSA-h66q-g57p-rgg6
via github security reporting.
The missing command-line switch seems like an omission.
Adding it caused the files to be signed and verifiable in my tests.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
5 months ago
Stéphane Lesimple
c8b86b718a
fix: httpproxy: duplicate X-Bastion-Local-Status headers in some cases
5 months ago
Stéphane Lesimple
c1f0789aee
feat: httpproxy: craft the Host header on the egress request ( #564 )
...
And also return X-Bastion-Remote-Host in addition to X-Bastion-Remote-IP
to our caller.
5 months ago
jon4hz
53ee50f9ca
fix: check if first admin is already in adminAccounts
5 months ago
Jonah
71cf11a707
fix: use mountpoint to check if /home is mounted
...
Co-authored-by: Stéphane Lesimple <speed47_github@speed47.net>
6 months ago
jon4hz
848fdbd1bf
fix: check if /home is actually mounted before exiting the script early
6 months ago
jon4hz
939cc2bcac
fix: execute systemctl daemon-reload after /etc/fstab changes
6 months ago
jon4hz
73f3d85309
fix: dont return status code 1 if unlock-home.sh is already linked
6 months ago
Stéphane Lesimple
a7814db804
fix: osh-lingering-session-reaper.sh: make 'ps' usage FreeBSD compatible
...
Closes #550
6 months ago
Stéphane Lesimple
9473e5437b
fix: scp/sftp: handle case where TMPDIR is mounted in noexec ( #569 )
...
* fix: scp/sftp: handle case where TMPDIR is mounted in noexec
* review: fix copy/paste
Co-authored-by: Adrien Barreau <adrien.barreau@live.fr>
---------
Co-authored-by: Adrien Barreau <adrien.barreau@live.fr>
6 months ago
Stéphane Lesimple
9779d68cc8
fix: recent versions of sshd have a separate sshd-session $0
6 months ago
Stéphane Lesimple
7cac4dc911
chore: remove references to NetBSD/OpenBSD in the code
6 months ago
Stéphane Lesimple
579e5d0617
chore: tests: bump FreeBSD from 14.2 to 14.3
6 months ago
Stéphane Lesimple
c4112994f4
chg: drop Debian 10, preliminary support for Debian 13
6 months ago
Stéphane Lesimple
cdbd6c701e
fix: FreeBSD compat for 2 cron scripts ( #550 )
8 months ago
Stéphane Lesimple
ed6ea14fb6
fix: ping max deadline is 3600 on FreeBSD ( close #547 )
8 months ago
Stéphane Lesimple
d37e20cd0c
fix: FreeBSD: add missing package for interactive mode ( close #548 )
8 months ago
Stéphane Lesimple
395243f665
fix: sftp wrapper: handle -P properly ( close #553 )
8 months ago
Stéphane Lesimple
763ae8e9a7
enh: scp: add more scp options, update doc
8 months ago
Stéphane Lesimple
d2c8f46f56
enh: httpproxy: use List::Util first & pairkeys
11 months ago
Stéphane Lesimple
f09a370d97
chg: deprecate Ubuntu 18.04, up required perl version to v5.26
11 months ago
Stéphane Lesimple
74447f58a7
fix: httpproxy: allow binary data to be passed through unmodified
11 months ago
Nabil
fcc3044903
Fix: typos
11 months ago
Stéphane Lesimple
f04ddd26fc
chore: fix yubico-piv-checker package name since 1.0.2
11 months ago
Stéphane Lesimple
f79b186727
chore: github actions: replace ubuntu 20.04 by 24.04 (EOL)
12 months ago
Stéphane Lesimple
11cb6ce351
feat: httpproxy: optional support for plain http on egress
12 months ago
Stéphane Lesimple
02bacede06
fix: selfPlaySession: warn in syslog properly
12 months ago
Stéphane Lesimple
a2f1d4f4f1
enh: ssh autologin: allow TERM env passthrough
12 months ago
vt1t1
ff5931e9d7
[fix] Add comment to groupSetServers and test
12 months ago
Roy van Baekel
c9503f50e7
Implement ssh --forward-agent | -x functionality
1 year ago
Stéphane Lesimple
19390986fa
feat: add undocumented rename-account.sh and modify osh-orphaned-homedir.sh accordingly
1 year ago
Stéphane Lesimple
fdb6c292a8
chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
...
To avoid confusion, we now use 'subnet' to talk about a subnet
represented with the CIDR notation, such as 10.0.0.0/8.
In that case:
- 10.0.0.0/8 is a 'subnet'
- 10.0.0.0 is the 'prefix'
- 8 is the 'prefix length', or by extension the 'subnet length'
Use these words everywhere in the code and documentation for clarity.
1 year ago
Stéphane Lesimple
8d33197061
feat: IPv6 support
1 year ago
Stéphane Lesimple
58354cc305
chore: factorize user@host:port display in machine_display()
1 year ago
Stéphane Lesimple
9e357333db
chg: groupInfo: remove deprecated JSON fields
...
Remove 'partial_members' and 'full_members' from JSON output,
which were replaced by 'members' and 'guests' since pre-v3.00.00
1 year ago
Stéphane Lesimple
26932258be
enh: accountInfo: add osh-only information for accounts
1 year ago