Releases: xxvcc/linux-temp-admin
Release list
v2.2.4
v2.2.3
Automated CI build for v2.2.3. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.
v2.2.2
Automated CI build for v2.2.2. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.
v2.2.1
Automated CI build for v2.2.1. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.
v2.2.0
Automated CI build for v2.2.0. Draft — detached ed25519 signatures (*.sig) are added by the maintainer offline via scripts/sign-release.sh, which then publishes this release. Do not rely on a draft's assets.
v2.1.0
linux-temp-admin v2.1.0
Adds an operation audit log and deprecates the legacy v1 bash tool. Recommended upgrade; no breaking changes.
New: operation audit log
Every privileged operation the tool performs is now recorded as one JSON line in a root-owned, append-only log at /var/log/linux-temp-admin/audit.log (mode 0600):
- account create / delete (and stale-entry cleanup), and install / uninstall / upgrade
- each entry records the time (UTC), the operator (the user behind
sudo, plus the effective uid), the pid, the action, the target account, the result, and key parameters (host, sudo, auto-revoke, fingerprint, …)
{"time":"2026-07-08T09:35:18Z","pid":1234,"actor":"alice","uid":0,"action":"account.create","target":"xxvcc-a1b2c3","result":"ok","fields":{"host":"203.0.113.5","sudo":"yes","auto":"yes","registered":"yes"}}Logging is best-effort — a write failure is reported but never blocks or fails the operation itself (so a full disk can't stop you revoking a compromised account). Note: an on-host log can be altered by root; forward it to a remote collector if you need tamper-evidence.
v1 (bash) tool deprecated
temp-admin.sh is no longer maintained. It still runs, but now prints a deprecation notice at startup pointing to the v2 Go tool. Suppress it with LTA_SUPPRESS_DEPRECATION=1. No further features or fixes will land in v1.
Upgrade an existing install
sudo linux-temp-admin upgradeVerifies the detached ed25519 signature against the embedded release key before installing (fail-closed).
Fresh install
curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo shVerify manually (optional)
sha256sum -c SHA256SUMSFull changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md
v2.0.2
linux-temp-admin v2.0.2
A small hardening patch following up on the v2.0.1 audit. No new features, no command/flag changes, and no behavior change for normal use — recommended, not urgent.
What changed
upgradeis more resistant to a hostile release host. If anupgradeHTTPS download is redirected, the redirect target is now rejected when it resolves to a private / reserved / loopback / link-local address — so a compromised host can't bounce the root-run fetch toward an internal endpoint (e.g. cloud metadata). Your own--urlis unaffected, so an internal mirror still works.revokeno longer leaves stray systemd files. A manualrevokerun from inside a systemd-managed shell used to leave an orphaned.serviceunit behind; it now detects the firing auto-revoke service precisely (via the process cgroup) and cleans up correctly.- Consistent SSH port detection. When
sshd_configlists more than onePort, the port shown in an invite is now chosen consistently withsshd -T(the first configured port) instead of the last.
Upgrade an existing install
sudo linux-temp-admin upgradeupgrade downloads the new binary over HTTPS and verifies its detached ed25519 signature against the release key embedded in the tool, failing closed on any mismatch.
Fresh install
curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo shVerify manually (optional)
sha256sum -c SHA256SUMSEach binary also ships a detached .sig (raw 64-byte ed25519 signature), verified automatically during upgrade.
Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md
v2.0.1
linux-temp-admin v2.0.1
A security & correctness patch for the v2 Go tool, from a multi-pass audit of the rewrite. No new features, and no command or flag changes — behavior is identical except for one stricter safety check in revoke (below). Upgrading is recommended.
What changed
- Safer revocation.
revokeno longer deletes a real (non-managed) account just because a leftover registry entry happens to share its name. Deleting a normal-UID (≥1000) account now requires the tool's own per-account marker, so a reused username can never cause a real user — and its home directory — to be removed. The "is this a managed account" check is now an exact match instead of a substring. - No lingering sudo after a failed grant. If a NOPASSWD sudo grant during
invitefails its verification step, the sudoers drop-in is always removed — a failed grant can never leave an untracked NOPASSWD entry behind. - Correct pre-release upgrade ordering.
upgradenow compares pre-release versions numerically (rc10is newer thanrc9), closing a gap that could otherwise accept a signed older pre-release or skip a genuine pre-release upgrade. (StableX.Y.Zreleases were always compared correctly.) - Stricter public-IP auto-detection. The external "what's my IP" fallback now rejects private / reserved / loopback addresses, so it can't put a bogus non-public address into an invite.
- Fail-closed hardening. The SSH-key write is refused if the target home directory's owner can't be determined;
installrefuses to replace an existing binary it can't read back unless--forceis passed.
Install
curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo shThe installer downloads the release binary for your architecture over HTTPS and checks its SHA-256 against the published SHA256SUMS before installing.
Upgrade an existing install
sudo linux-temp-admin upgradeupgrade downloads the new binary over HTTPS and verifies its detached ed25519 signature against the release key embedded in the tool, failing closed on any mismatch — so it will only install this signed release.
Verify manually (optional)
sha256sum -c SHA256SUMS # checksums of the assets belowEach binary also ships a detached .sig (raw 64-byte ed25519 signature over the binary), which the tool verifies automatically during upgrade.
Assets
| file | notes |
|---|---|
linux-temp-admin-linux-amd64 |
x86-64 static binary |
linux-temp-admin-linux-arm64 |
arm64 static binary |
*.sig |
detached ed25519 signatures |
SHA256SUMS |
checksums for all of the above |
Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md
v2.0.0 — Go rewrite
linux-temp-admin v2.0.0 — a full rewrite in Go, shipped as a signed static binary.
What's new
- Rewritten in Go. A single static binary (
linux/amd64,linux/arm64) with near-zero runtime dependencies, at feature parity with the v1.2.x bash tool. - Native crypto & I/O. ed25519 SSH keys are generated in-process (no
ssh-keygen); HTTP download, the account registry, and file locking are all native (nocurl/wget/flock/getent). - Signed self-upgrade.
sudo linux-temp-admin upgradedownloads over HTTPS and verifies a detached ed25519 signature against a public key embedded in the binary before installing — it fails closed on any mismatch. - Clean break from v1. v2 keeps its own state under
/var/lib/linux-temp-admin/v2/and does not adopt v1 state. The bash tool remains available asv1.xmaintenance.
Install
curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo shThe bootstrap downloads over HTTPS and verifies the SHA-256 checksum before installing. Later upgrades (sudo linux-temp-admin upgrade) are ed25519-signature-verified in-process.
Verify the download
sha256sum -c SHA256SUMSBoth binaries are statically linked and ship a detached .sig (raw 64-byte ed25519) that chains to the public key embedded in the binary.
Assets
linux-temp-admin-linux-amd64(+.sig)linux-temp-admin-linux-arm64(+.sig)SHA256SUMS
v1.2.3
v1.2.3 - 2026-07-07
- Fixed the
wgetupgrade download and public-IP autodetection failing on BusyBox/musl (Alpine): the GNU-only--timeout/--tries/--dns-timeout/--connect-timeoutoptions are now probed, and on BusyBox wget the fetch is bounded withtimeout(1)instead (BusyBox-Tsegfaults on some builds). - Made the
/prockill fallback and thegetent->/etc/passwd helpers errexit-safe, so an empty/procstatus read (process vanished mid-scan) or a non-zerogetentcan no longer abort a revoke/rollback orstatusunderset -e. - Added
install(1)to the dependency check,doctor, and the package map (coreutils), so a BusyBox build without theinstallapplet is reported and auto-installable instead of failing cryptically mid-invite. - Made the BusyBox
wgetpath fail fast when it cannot be time-bounded (no--timeoutsupport and notimeout(1)) instead of running an unbounded fetch that could hang for minutes on a stalled connect. - Aligned the future-date capability probe with the compound
dateexpression actually used for expiry, so adatethat supports simple but not compound offsets can no longer report OK and then fail mid-invite. - Hardened the
/prockill fallback to no-op for an empty or root (0) UID, and tightened theat-job cleanup to match the exact queued revoke command rather than a loose substring. - Reworked account expiry to a timezone-aware date (first midnight after
now + hours) that is never set before the requested window on any creation time, replacing the day-rounding that could lock a--no-auto-revokeaccount early (or, on scheduling failure, keep it loginable ~1 day too long). - Made
cancel_auto_revokeclean up both the systemd units and any matchingatjob, so reusing a username can no longer leave a stale auto-delete task that later removes a freshly created account. - Cancelled the pre-created auto-delete task when the registry write fails, so a partly-created account is not left with a task that could never delete an unregistered user.
- Made
cleanup-expired --compactprune under a single held lock (re-checking existence inside it) so a concurrent invite cannot lose its fresh registry entry. - Documented
--lang,version,upgrade --force/--url, andexpiry-status --compactinhelp/usage; alignedvalid_installed_versionwith the 3-component version comparator; matched real-or-effective UID in the pkill fallback; and hardened the getent fallback against duplicate rows.
v1.2.2 - 2026-07-07
- Fixed
upgradesilently refusing to replace an existing older install (reportedinstalled=noneand no-op'd):installed_revoke_versionshadowed the caller's variable, so the version comparison never saw the installed version. - Added a
getent->/etc/passwd fallback soinvite/status/revokework on musl/BusyBox systems (Alpine) wheregetentis absent, instead of failing mid-creation and rolling back. - Added a
/proc-scanning fallback for forcing off a user's sessions whenpkillis unavailable (BusyBox/Alpine), so revoke no longer deletes an account while leaving its processes running. - Hardened the managed-account check to require the full GECOS tag rather than a bare substring.
- Avoided running
sshd -Ttwice perdoctor(a bilingual message double-evaluated the port probe). - Fixed the auto-delete unit name being corrupted by the "stable command installed" banner, which had let stdout from the install step leak into the recorded systemd/at unit and broke later revoke cleanup and status lookups.
- Tightened
--no-auto-revokeaccount expiry: the extra day-granular safety buffer is now added only when an auto-delete timer will remove the account first, so expiry-only accounts no longer stay loginable up to a day past the requested window. - Bounded
wgetupgrade downloads to the configured size limit during transfer instead of only after writing the whole file. - Blocked HTTP-downgrade redirects on the
wgetupgrade fallback (--max-redirect=0where supported), matching curl's HTTPS-only redirect policy. - Added unit coverage for install stdout cleanliness, buffered vs. unbuffered expiry dates, and the wget redirect guard.