pamsignal 0.6.0

@anhtuank7c anhtuank7c released this 27 May 12:23
· 26 commits to main since this release

Highlights

Ubuntu 20.04 (Focal) is now a supported install target

A Focal-targeted .deb is built and smoke-tested in CI on every release and attached to this release page. Operators on 20.04 install with a one-line download + apt install:

```bash
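VERSION=0.6.0
# -f: fail on HTTP errors instead of saving an error page; -L: follow the release redirect
curl -fL -o pamsignal_focal.deb \
  "https://github.com/anhtuank7c/pamsignal/releases/download/v${VERSION}/pamsignal_${VERSION}-1_focal_amd64.deb"
# The leading ./ makes apt install the local file rather than look up a package name
sudo apt install ./pamsignal_focal.deb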
```

No gh-pages apt pocket for Focal (rationale: ESM-only since 2025-04-30; per-distroseries repo infrastructure does not pay off for the audience size). Two systemd directives (`ProtectProc`, `ProcSubset`, both added in v247) are logged-and-ignored on Focal's systemd 245; everything else in the hardening unit is honored. See `docs/distros.md` for the full lifecycle picture (Focal exits ESM April 2030).

`pamsignal.conf(5)` man page

Operators now get `man pamsignal.conf` instead of grepping source comments or `docs/configuration.md`. Documents every config key, value range, mTLS and `webhook_auth_header` validation rules, reload semantics, and security notes. Installed to `/man5/` via meson.

Documentation refresh

  • README quickstart "Configure Alerts" surfaces `alert_cooldown_sec` and `enable_notification_type` with operator-facing semantics on day one.
  • Fail2ban integration guide (`examples/fail2ban/README.md`) rewritten from a 39-line stub into a complete walkthrough — install on Ubuntu/Debian and CentOS Stream 9 / AlmaLinux 9 / Rocky Linux 9 / Fedora, per-distro `banaction` selection, the critical whitelist-yourself-first step, verification flow, `bantime.increment` tuning, troubleshooting, and an architecture diagram.

Internal hygiene

RAII-style cleanup helpers (`include/ps_cleanup.h`) applied to the three fd-ladder-heavy security functions: `build_secrets_memfd` + `fire_curl` (memfd carrying webhook secrets to curl), `open_config_secure` + `ps_config_load` (O_NOFOLLOW config opener), and `validate_tls_path`. Defense in depth against future-edit fd leaks; zero runtime behaviour change.
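The pattern behind this item, sketched as an added example: it is not pamsignal's `ps_cleanup.h` or `open_config_secure`. The names `AUTO_CLOSE`, `open_config_nofollow` and `count_open_fds`, and the permission policy, are hypothetical, and the code assumes GCC or Clang on Linux.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not pamsignal's): called automatically when a
 * variable tagged AUTO_CLOSE leaves scope, on every return path. */
static void close_fd_ptr(int *fd) { if (*fd >= 0) close(*fd); }
#define AUTO_CLOSE __attribute__((cleanup(close_fd_ptr)))

/* Open a config file without following a symlink in the last path
 * component; accept only a regular file that group/other cannot write
 * (illustrative policy). Returns an fd the caller owns, or -errno. */
int open_config_nofollow(const char *path) {
    AUTO_CLOSE int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -errno;                  /* ELOOP on Linux for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) return -errno;     /* fd closed by cleanup */
    if (!S_ISREG(st.st_mode)) return -EINVAL;   /* fd closed by cleanup */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -EPERM; /* fd closed by cleanup */
    int out = fd;   /* success: hand ownership to the caller ... */
    fd = -1;        /* ... and disarm the cleanup handler */
    return out;
}

/* Count open descriptors below 256, to show that no path leaks one. */
int count_open_fds(void) {
    int n = 0;
    for (int i = 0; i < 256; i++)
        if (fcntl(i, F_GETFD) != -1) n++;
    return n;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <config-path>\n", argv[0]); return 2; }
    int before = count_open_fds();
    int fd = open_config_nofollow(argv[1]);
    printf("result=%d, descriptors gained=%d\n", fd, count_open_fds() - before);
    if (fd >= 0) close(fd);
    return 0;
}
```

A rejection added later needs only a `return`; the descriptor is still closed, which is the future-edit leak the release note refers to.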

Packaging compatibility

This release also fixes three pre-existing packaging-side bugs that surfaced when the new Focal job and new conf(5) man page first exercised the workflow: `debian/control` switched to the legacy `debhelper (>= 12~)` Build-Depends + `debian/compat` file (compatible with Focal's debhelper 12.10 AND Noble's 13.x); `debian/rules` uses `ninja` directly rather than the meson 0.54+ `compile`/`install` subcommands; `meson.build` uses `not fuzz_opt.disabled()` instead of meson 0.59's `.allowed()`; `pamsignal.spec` lists the new `%{_mandir}/man5/pamsignal.conf.5*` file. All four are backwards-compatible.

Install

| Distribution | Method |
| --- | --- |
| Ubuntu 24.04 / Debian 12 | `apt install pamsignal` from the gh-pages repo |
| Ubuntu 20.04 LTS (Focal, ESM) | Download `pamsignal_0.6.0-1_focal_amd64.deb` below + `apt install ./.deb` |
| Fedora / CentOS / RHEL 9 / AlmaLinux 9 / Rocky 9 | `dnf install pamsignal` from the gh-pages repo |

See the README install section for the full per-distro commands.

Full changelog

See CHANGELOG.md.