v2.0.2
linux-temp-admin v2.0.2
A small hardening patch following up on the v2.0.1 audit. No new features, no command/flag changes, and no behavior change for normal use — recommended, not urgent.
What changed
upgradeis more resistant to a hostile release host. If anupgradeHTTPS download is redirected, the redirect target is now rejected when it resolves to a private / reserved / loopback / link-local address — so a compromised host can't bounce the root-run fetch toward an internal endpoint (e.g. cloud metadata). Your own--urlis unaffected, so an internal mirror still works.revokeno longer leaves stray systemd files. A manualrevokerun from inside a systemd-managed shell used to leave an orphaned.serviceunit behind; it now detects the firing auto-revoke service precisely (via the process cgroup) and cleans up correctly.- Consistent SSH port detection. When
sshd_configlists more than onePort, the port shown in an invite is now chosen consistently withsshd -T(the first configured port) instead of the last.
Upgrade an existing install
sudo linux-temp-admin upgradeupgrade downloads the new binary over HTTPS and verifies its detached ed25519 signature against the release key embedded in the tool, failing closed on any mismatch.
Fresh install
curl -fsSL https://raw.githubusercontent.com/xxvcc/linux-temp-admin/main/scripts/install.sh | sudo shVerify manually (optional)
sha256sum -c SHA256SUMSEach binary also ships a detached .sig (raw 64-byte ed25519 signature), verified automatically during upgrade.
Full changelog: https://github.com/xxvcc/linux-temp-admin/blob/main/CHANGELOG.md