release 3.16.00

Author: speed47

bin/plugin/restricted/groupCreate

@@ -45,6 +45,7 @@ Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE
                   For ED25519, size is always 256.
 
   --no-key      Don't generate an egress SSH key at all for this group
+
 EOF
     OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
     return 0;

doc/CHANGELOG.md

@@ -1,3 +1,9 @@
+## v3.16.00 - 2024/04/10
+- feat: support hardware-based Secure Keys (FIDO2) for ingress authentication
+- enh: remove netcat dependency by using perl builtins
+- enh: --wait now checks whether the TCP port is open instead of just pinging the host
+- fix: logic error in etc/pam.d/sshd.rhel breaking MFA handling if enabled
+
 ## v3.15.00 - 2024/03/22
 - feat: add ``dnsSupportLevel`` option for systems with broken DNS (fixes #397)
 - enh: allow ``@`` as a valid remote user char (fixes #437)
@@ -6,17 +12,17 @@
 - fix: avoid a warning when an non-resolvable host is specified with ``scp`` or ``sftp``
 
 ## v3.14.16 - 2024/02/20
-feat: add ``ttyrecStealthStdoutPattern`` config
-enh: ``batch``: openhandle() is overkill and doesn't work on EOF
-enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
-enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
-enh: plugins: better signal handling to avoid dangling children processes
-fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
-fix: don't exit with ``fping`` when host is unreachable
-fix: ``fixrights.sh``: add +x ``run-tool.sh``
-fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
-fix: install: generation of the MFA secret under FreeBSD
-fix: install: silence ``tr`` message on secret generation
+- feat: add ``ttyrecStealthStdoutPattern`` config
+- enh: ``batch``: openhandle() is overkill and doesn't work on EOF
+- enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
+- enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
+- enh: plugins: better signal handling to avoid dangling children processes
+- fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
+- fix: don't exit with ``fping`` when host is unreachable
+- fix: ``fixrights.sh``: add +x ``run-tool.sh``
+- fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
+- fix: install: generation of the MFA secret under FreeBSD
+- fix: install: silence ``tr`` message on secret generation
 
 ## v3.14.15 - 2023/11/08
 - feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes CVE-2023-45140)

doc/sphinx/installation/upgrading.rst

@@ -27,6 +27,26 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================
 
+v3.16.00 - 2024/04/10
+*********************
+
+This version adds support for Secure Keys (FIDO2) for ingress authentication. It requires at least OpenSSH 8.2
+installed on the server hosting The Bastion, as support for FIDO2 was added in this version.
+Of the currently supported OS versions, the following are known to have a recent-enough version:
+
+- Debian 11
+- Debian 12
+- Ubuntu 20.04
+- Ubuntu 22.04
+- OpenSUSE Leap 15.5
+- Rocky Linux 9
+
+Note that if you are upgrading, you'll need to enable the new ingress algorithms in the ``/etc/bastion/bastion.conf``
+file, under the ``allowedIngressSshAlgorithms`` option. You may want to add ``ecdsa-sk`` and ``ed25519-sk`` to the list
+if you want to support the FIDO2-backed versions of these two algorithms.
+You may also refer to the distributed default configuration file in ``etc/bastion/bastion.conf.dist``,
+which enables them by default.
+
 v3.15.00 - 2024/03/22
 *********************
 

doc/sphinx/plugins/restricted/groupCreate.rst

@@ -47,6 +47,7 @@ Create a group
    Don't generate an egress SSH key at all for this group
 
 
+
 A quick overview of the different algorithms:
 
 .. code-block:: none

lib/perl/OVH/Bastion.pm

@@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);
 
-our $VERSION = '3.15.00';
+our $VERSION = '3.16.00';
 
 BEGIN {
     # only used by the handler below