release v3.16.99-rc1

doc/CHANGELOG.md

@@ -1,3 +1,17 @@
+## v3.16.99-rc1 - 2024/07/04
+feat: support wildcards in --user for ACL management plugins (fix #461)
+feat: accountFreeze: terminate running sessions if any
+chg: support: add Ubuntu 24.04 LTS
+chg: support: bump OpenSUSE Leap from 15.5 to 15.6
+chg: support: remove CentOS 7 (EOL)
+chg: support: remove Ubuntu 16.04 LTS (EOL)
+enh: enable sntrup KEX by default for supported OpenSSH versions (Debian12, Ubuntu20+)
+enh: autologin: set term to ``raw noecho`` when --no-tty is used
+fix: stealth\_stdout/stderr was ignored for plugins (fix #482)
+fix: ignore transient errors during global destruction
+fix: install of ttyrec was failing under FreeBSD 13.2
+fix: selfGenerateProxyPassword: help message was incorrect
+
 ## v3.16.01 - 2024/04/17
 - enh: info: removed uname dependency, added configuration
 - chg: bastion-sync-helper.sh: use sh instead of bash

doc/sphinx/installation/upgrading.rst

@@ -27,6 +27,25 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================
 
+v3.16.99-rc1 - 2024/07/04
+*************************
+
+This release drops support for Ubuntu 16.04 and CentOS 7. If you're still using these EOL OS releases (which is
+obviously discouraged), proper functioning of The Bastion is no longer tested or guaranteed.
+
+This release adds official support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6, these were already working but
+are now part of the integration tests.
+
+This release adds support of wildcards (also called "shell-style globbing characters"), namely ``?`` and ``*``,
+when using the ``--user`` option for plugins such as ``groupAddServer``, ``groupDelServer``, ``groupAddGuestAccess``,
+``groupDelGuestAccess``, ``accountAddPersonalAccess``, ``accountDelPersonalAccess``, ``selfAddPersonalAccess``,
+``selfDelPersonalAccess``.
+
+This release adds support of the ``[email protected]`` KEX algorithm by default on shipped versions
+of ``sshd_config`` and ``ssh_config``. If you're upgrading, these files won't be touched, so if you want to add
+support, you'll need to modify them manually by prepending ``[email protected]`` to the
+``KexAlgorithms`` line. Verify that the OpenSSH version shipped by your OS does support it (run ``ssh -Q kex``).
+
 v3.16.01 - 2024/04/17
 *********************
 

etc/ssh/ssh_config.debian12

@@ -45,7 +45,8 @@ Ciphers [email protected],[email protected],aes128-gcm@openssh.
 MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256
 
 # List of allowed key exchange algorithms.
-# we prefer curve25519-sha256 which is considered the most modern/secure,
+# we prefer [email protected] which is believed to be quantum-resistant,
+# then curve25519-sha256 which is considered the modern and secure,
 # and still allow diffie hellman with group exchange using sha256 which is
 # the most secure dh-based kex.
 # we avoid algorithms based on the disputed NIST curves, and anything based
@@ -55,7 +56,7 @@ MACs [email protected],[email protected],hmac-sha2-512-etm@openssh.
 # - OmniOS 5.11 needs diffie-hellman-group1-sha1
 # - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
 # - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
-KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+KexAlgorithms [email protected],curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 
 # === AUTHENTICATION ===
 

lib/perl/OVH/Bastion.pm

@@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);
 
-our $VERSION = '3.16.01';
+our $VERSION = '3.16.99-rc1';
 
 BEGIN {
     # only used by the handler below