Skip to content

Releases: xxvcc/linux-temp-admin

v2.2.4

Choose a tag to compare

@github-actions github-actions released this 10 Jul 17:10

Automated CI build for v2.2.4. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.

v2.2.3

Choose a tag to compare

@github-actions github-actions released this 10 Jul 14:00

Automated CI build for v2.2.3. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.

v2.2.2

Choose a tag to compare

@github-actions github-actions released this 09 Jul 13:21

Automated CI build for v2.2.2. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.

v2.2.1

Choose a tag to compare

@github-actions github-actions released this 09 Jul 08:49

Automated CI build for v2.2.1. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.

v2.2.0

Choose a tag to compare

@github-actions github-actions released this 09 Jul 07:54

Automated CI build for v2.2.0. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.

v2.1.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 09:43

linux-temp-admin v2.1.0

Adds an operation audit log and deprecates the legacy v1 bash tool. Recommended upgrade; no breaking changes.

New: operation audit log

Every privileged operation the tool performs is now recorded as one JSON line in a root-owned, append-only log at /var/log/linux-temp-admin/audit.log (mode 0600):

  • account create / delete (and stale-entry cleanup), and install / uninstall / upgrade
  • each entry records the time (UTC), the operator (the user behind sudo, plus the effective uid), the pid, the action, the target account, the result, and key parameters (host, sudo, auto-revoke, fingerprint, …)
{"time":"2026-07-08T09:35:18Z","pid":1234,"actor":"alice","uid":0,"action":"account.create","target":"xxvcc-a1b2c3","result":"ok","fields":{"host":"203.0.113.5","sudo":"yes","auto":"yes","registered":"yes"}}

Logging is best-effort — a write failure is reported but never blocks or fails the operation itself (so a full disk can't stop you revoking a compromised account). Note: an on-host log can be altered by root; forward it to a remote collector if you need tamper-evidence.

v1 (bash) tool deprecated

temp-admin.sh is no longer maintained. It still runs, but now prints a deprecation notice at startup pointing to the v2 Go tool. Suppress it with LTA_SUPPRESS_DEPRECATION=1. No further features or fixes will land in v1.

Upgrade an existing install

sudo linux-temp-admin upgrade

Verifies the detached ed25519 signature against the embedded release key before installing (fail-closed).

Fresh install

curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo sh

Verify manually (optional)

sha256sum -c SHA256SUMS

Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md

v2.0.2

Choose a tag to compare

@github-actions github-actions released this 08 Jul 08:58

linux-temp-admin v2.0.2

A small hardening patch following up on the v2.0.1 audit. No new features, no command/flag changes, and no behavior change for normal use — recommended, not urgent.

What changed

  • upgrade is more resistant to a hostile release host. If an upgrade HTTPS download is redirected, the redirect target is now rejected when it resolves to a private / reserved / loopback / link-local address — so a compromised host can't bounce the root-run fetch toward an internal endpoint (e.g. cloud metadata). Your own --url is unaffected, so an internal mirror still works.
  • revoke no longer leaves stray systemd files. A manual revoke run from inside a systemd-managed shell used to leave an orphaned .service unit behind; it now detects the firing auto-revoke service precisely (via the process cgroup) and cleans up correctly.
  • Consistent SSH port detection. When sshd_config lists more than one Port, the port shown in an invite is now chosen consistently with sshd -T (the first configured port) instead of the last.

Upgrade an existing install

sudo linux-temp-admin upgrade

upgrade downloads the new binary over HTTPS and verifies its detached ed25519 signature against the release key embedded in the tool, failing closed on any mismatch.

Fresh install

curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo sh

Verify manually (optional)

sha256sum -c SHA256SUMS

Each binary also ships a detached .sig (raw 64-byte ed25519 signature), verified automatically during upgrade.

Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md

v2.0.1

Choose a tag to compare

@github-actions github-actions released this 08 Jul 08:26

linux-temp-admin v2.0.1

A security & correctness patch for the v2 Go tool, from a multi-pass audit of the rewrite. No new features, and no command or flag changes — behavior is identical except for one stricter safety check in revoke (below). Upgrading is recommended.

What changed

  • Safer revocation. revoke no longer deletes a real (non-managed) account just because a leftover registry entry happens to share its name. Deleting a normal-UID (≥1000) account now requires the tool's own per-account marker, so a reused username can never cause a real user — and its home directory — to be removed. The "is this a managed account" check is now an exact match instead of a substring.
  • No lingering sudo after a failed grant. If a NOPASSWD sudo grant during invite fails its verification step, the sudoers drop-in is always removed — a failed grant can never leave an untracked NOPASSWD entry behind.
  • Correct pre-release upgrade ordering. upgrade now compares pre-release versions numerically (rc10 is newer than rc9), closing a gap that could otherwise accept a signed older pre-release or skip a genuine pre-release upgrade. (Stable X.Y.Z releases were always compared correctly.)
  • Stricter public-IP auto-detection. The external "what's my IP" fallback now rejects private / reserved / loopback addresses, so it can't put a bogus non-public address into an invite.
  • Fail-closed hardening. The SSH-key write is refused if the target home directory's owner can't be determined; install refuses to replace an existing binary it can't read back unless --force is passed.

Install

curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo sh

The installer downloads the release binary for your architecture over HTTPS and checks its SHA-256 against the published SHA256SUMS before installing.

Upgrade an existing install

sudo linux-temp-admin upgrade

upgrade downloads the new binary over HTTPS and verifies its detached ed25519 signature against the release key embedded in the tool, failing closed on any mismatch — so it will only install this signed release.

Verify manually (optional)

sha256sum -c SHA256SUMS                    # checksums of the assets below

Each binary also ships a detached .sig (raw 64-byte ed25519 signature over the binary), which the tool verifies automatically during upgrade.

Assets

file notes
linux-temp-admin-linux-amd64 x86-64 static binary
linux-temp-admin-linux-arm64 arm64 static binary
*.sig detached ed25519 signatures
SHA256SUMS checksums for all of the above

Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md

v2.0.0 — Go rewrite

Choose a tag to compare

@xxvcc xxvcc released this 08 Jul 04:31

linux-temp-admin v2.0.0 — a full rewrite in Go, shipped as a signed static binary.

What's new

  • Rewritten in Go. A single static binary (linux/amd64, linux/arm64) with near-zero runtime dependencies, at feature parity with the v1.2.x bash tool.
  • Native crypto & I/O. ed25519 SSH keys are generated in-process (no ssh-keygen); HTTP download, the account registry, and file locking are all native (no curl/wget/flock/getent).
  • Signed self-upgrade. sudo linux-temp-admin upgrade downloads over HTTPS and verifies a detached ed25519 signature against a public key embedded in the binary before installing — it fails closed on any mismatch.
  • Clean break from v1. v2 keeps its own state under /var/lib/linux-temp-admin/v2/ and does not adopt v1 state. The bash tool remains available as v1.x maintenance.

Install

curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo sh

The bootstrap downloads over HTTPS and verifies the SHA-256 checksum before installing. Later upgrades (sudo linux-temp-admin upgrade) are ed25519-signature-verified in-process.

Verify the download

sha256sum -c SHA256SUMS

Both binaries are statically linked and ship a detached .sig (raw 64-byte ed25519) that chains to the public key embedded in the binary.

Assets

  • linux-temp-admin-linux-amd64 (+ .sig)
  • linux-temp-admin-linux-arm64 (+ .sig)
  • SHA256SUMS

v1.2.3

Choose a tag to compare

@xxvcc xxvcc released this 07 Jul 14:06

v1.2.3 - 2026-07-07

  • Fixed the wget upgrade download and public-IP autodetection failing on BusyBox/musl (Alpine): the GNU-only --timeout/--tries/--dns-timeout/--connect-timeout options are now probed, and on BusyBox wget the fetch is bounded with timeout(1) instead (BusyBox -T segfaults on some builds).
  • Made the /proc kill fallback and the getent->/etc/passwd helpers errexit-safe, so an empty /proc status read (process vanished mid-scan) or a non-zero getent can no longer abort a revoke/rollback or status under set -e.
  • Added install(1) to the dependency check, doctor, and the package map (coreutils), so a BusyBox build without the install applet is reported and auto-installable instead of failing cryptically mid-invite.
  • Made the BusyBox wget path fail fast when it cannot be time-bounded (no --timeout support and no timeout(1)) instead of running an unbounded fetch that could hang for minutes on a stalled connect.
  • Aligned the future-date capability probe with the compound date expression actually used for expiry, so a date that supports simple but not compound offsets can no longer report OK and then fail mid-invite.
  • Hardened the /proc kill fallback to no-op for an empty or root (0) UID, and tightened the at-job cleanup to match the exact queued revoke command rather than a loose substring.
  • Reworked account expiry to a timezone-aware date (first midnight after now + hours) that is never set before the requested window on any creation time, replacing the day-rounding that could lock a --no-auto-revoke account early (or, on scheduling failure, keep it loginable ~1 day too long).
  • Made cancel_auto_revoke clean up both the systemd units and any matching at job, so reusing a username can no longer leave a stale auto-delete task that later removes a freshly created account.
  • Cancelled the pre-created auto-delete task when the registry write fails, so a partly-created account is not left with a task that could never delete an unregistered user.
  • Made cleanup-expired --compact prune under a single held lock (re-checking existence inside it) so a concurrent invite cannot lose its fresh registry entry.
  • Documented --lang, version, upgrade --force/--url, and expiry-status --compact in help/usage; aligned valid_installed_version with the 3-component version comparator; matched real-or-effective UID in the pkill fallback; and hardened the getent fallback against duplicate rows.

v1.2.2 - 2026-07-07

  • Fixed upgrade silently refusing to replace an existing older install (reported installed=none and no-op'd): installed_revoke_version shadowed the caller's variable, so the version comparison never saw the installed version.
  • Added a getent->/etc/passwd fallback so invite/status/revoke work on musl/BusyBox systems (Alpine) where getent is absent, instead of failing mid-creation and rolling back.
  • Added a /proc-scanning fallback for forcing off a user's sessions when pkill is unavailable (BusyBox/Alpine), so revoke no longer deletes an account while leaving its processes running.
  • Hardened the managed-account check to require the full GECOS tag rather than a bare substring.
  • Avoided running sshd -T twice per doctor (a bilingual message double-evaluated the port probe).
  • Fixed the auto-delete unit name being corrupted by the "stable command installed" banner, which had let stdout from the install step leak into the recorded systemd/at unit and broke later revoke cleanup and status lookups.
  • Tightened --no-auto-revoke account expiry: the extra day-granular safety buffer is now added only when an auto-delete timer will remove the account first, so expiry-only accounts no longer stay loginable up to a day past the requested window.
  • Bounded wget upgrade downloads to the configured size limit during transfer instead of only after writing the whole file.
  • Blocked HTTP-downgrade redirects on the wget upgrade fallback (--max-redirect=0 where supported), matching curl's HTTPS-only redirect policy.
  • Added unit coverage for install stdout cleanliness, buffered vs. unbuffered expiry dates, and the wget redirect guard.