The Bastion v3.09.02 release: securely connect to devices
A bastion is a cluster of machines used as the unique entry point by operational teams (such as sysadmins, developers, database admins, …) to securely connect to devices (servers, virtual machines, cloud instances, network equipment, …), usually using ssh.
Bastions provide mechanisms for authentication, authorization, traceability, and auditability for the whole infrastructure.
- Personal and group access schemes with group role delegation to ensure team autonomy without security trade-offs
- SSH protocol break between the ingress and egress connections (see other security measures)
- Self-reliance achieved through virtually no external dependencies (see other security measures)
- Interactive session recording (in standard ttyrec files)
- Non-interactive session recording (stdout and stderr through ttyrec)
- Extensive logging support through syslog for easy SIEM consumption
- Supports MOSH on the ingress connection side
- Supports scp passthrough, to upload and/or download files from/to remote servers
- Supports netconf SSH subsystem passthrough
- Supports Yubico PIV key attestation checking and enforcement on the ingress connection side
- Supports realms, to create a trust between two bastions of possibly two different companies, splitting the authentication and authorization phases while still enforcing local policies
- Supports SSH password autologin on the egress side for legacy devices not supporting pubkey authentication, while still forcing proper pubkey authentication on the ingress side
- Supports telnet password autologin on the egress side for ancient devices not supporting SSH, while still forcing proper SSH pubkey authentication on the ingress side
- Supports HTTPS proxying with man-in-the-middle authentication and authorization handling, for ingress and egress password decoupling (mainly useful for network device APIs)
- No security fixes since previous release
- Oldest release with no known security issues: v3.00.00 (first public version)
The previous version (v3.09.01) was tagged but not released. The main change since the last released version is a speedup of the internal execute() function, which speeds up several portions of the code.
A more complete list of changes can be found below; for an exhaustive (and boring) list, please refer to the commit log.
- fix: basic mitigation for scp's CVE-2020-15778 (upstream doesn't consider it a bug)
- batch: don't attempt to read if STDIN is closed
- enh: make execute() way WAY faster
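Background on the scp item above: CVE-2020-15778 exists because the scp client hands the remote path to the remote user's login shell as part of the command it runs there (e.g. `scp -t <path>`), so a destination such as `host:'`touch /tmp/x`'` executes the backticked command on the remote host; OpenSSH upstream does not treat this as a bug. For a bastion doing scp passthrough, a "basic mitigation" is to refuse remote paths containing characters the remote shell would interpret before forwarding them. The code below is an added illustration of that kind of filter, not The Bastion's own implementation; the function names and the exact set of rejected characters are assumptions. It also shows why building the local scp command as an argv list (no local shell) is necessary but not sufficient: the remote shell still sees the path.

```python
"""Illustrative scp-passthrough input filter for CVE-2020-15778 (added example,
not The Bastion's code).  Assumed names: UNSAFE_CHARS, check_remote_path,
is_safe_remote_path, build_scp_argv."""
from typing import List

# Characters the remote login shell interprets before scp sees the path.
# Backtick and "$" cover CVE-2020-15778 itself (`cmd` and $(cmd)); the rest
# close the obvious command-separator, redirection and quoting variants.
# Glob characters ("*", "?", "[") are deliberately allowed: scp users rely on
# them and they cannot start a command substitution on their own (assumption).
UNSAFE_CHARS = frozenset("`$;|&<>\n\r\"'\\(){}")


class UnsafeRemotePath(ValueError):
    """Raised when a remote path contains a shell metacharacter."""


def check_remote_path(path: str) -> str:
    """Return `path` unchanged if it is free of shell metacharacters,
    otherwise raise UnsafeRemotePath naming the first offending character."""
    if not path:
        raise UnsafeRemotePath("empty remote path")
    for ch in path:
        if ch in UNSAFE_CHARS:
            raise UnsafeRemotePath(
                f"character {ch!r} is not allowed in remote path {path!r}")
    return path


def is_safe_remote_path(path: str) -> bool:
    """Boolean form of check_remote_path, for callers that prefer no exception."""
    try:
        check_remote_path(path)
    except UnsafeRemotePath:
        return False
    return True


def build_scp_argv(user: str, host: str, remote_path: str,
                   local_path: str, upload: bool) -> List[str]:
    """Build the argv a passthrough would exec (via subprocess with a list,
    never via a shell string).  The list form protects the *local* side from
    injection; check_remote_path() is what protects the *remote* side, because
    scp itself will still pass remote_path to the remote login shell."""
    safe_remote = check_remote_path(remote_path)
    # "--" stops scp from reading a path starting with "-" as an option.
    spec = f"{user}@{host}:{safe_remote}"
    if upload:
        return ["scp", "--", local_path, spec]
    return ["scp", "--", spec, local_path]


if __name__ == "__main__":
    # Constructed inputs: a benign path, a glob, and the classic injection.
    for candidate in ("/var/log/syslog", "logs/*.gz", "`touch /tmp/pwned`", "$(id)"):
        print(f"{candidate!r}: {'allowed' if is_safe_remote_path(candidate) else 'REJECTED'}")
    print(build_scp_argv("app", "srv1.example", "/srv/app/release.tgz",
                         "/tmp/release.tgz", upload=True))
```

In practice the filter runs on the bastion, between the ingress connection and the egress `scp` invocation, and a rejection should be logged (the page notes syslog support) so that injection attempts are visible to the SIEM rather than silently dropped.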
© Copyright 2021, OVHcloud