Version 18.2 uses TLS encryption for the initial handshake between the Bareos Director and the clients. The Director, or more precisely the console login, now supports PAM authentication. We've also worked on the code itself and modernized some important bits.
Encryption Right From The Start
For some time now, Bareos has supported TLS/SSL encryption. So far we've used certificates for authentication. Since every client should have its own cert, the administrator needs to distribute and manage a lot of different files. Apart from that, there has so far been a brief unencrypted exchange between the Bareos Director and the client(s) (challenge/response). The new Bareos version uses the existing passwords to encrypt the connection via a pre-shared key (PSK).
Since Bareos 18.2 still supports SSL certificates, it's not necessary for the admin to change an existing configuration. Bareos 18.2 is backwards compatible. There is no need to update all clients straight away or modify the firewall settings. Bareos 18.2 supports TLS and plain text at the same time and doesn't block clients with an older version of the software.
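As an added example (not part of the original announcement and not the project's own configuration), this is how the mixed TLS/plain-text mode described above can be tightened once every client runs 18.2. The directives `TLS Enable` and `TLS Require` are taken from the Bareos configuration reference, not from this page; the file locations, resource names, address and password are constructed placeholders.

```conf
# --- Director side: bareos-dir.d/client/client1-fd.conf (constructed example) ---
Client {
  Name = client1-fd
  Address = client1.example.com
  # With TLS-PSK the existing password doubles as the pre-shared key,
  # so it should be long and random.
  Password = "PLACEHOLDER-long-random-secret"
  TLS Enable = yes
  # Migration phase (mixed mode): TLS Require = no
  #   a client with an older version can still connect in plain text.
  # Once this client has been upgraded:
  TLS Require = yes
}

# --- Client side: bareos-fd.d/director/bareos-dir.conf (constructed example) ---
Director {
  Name = bareos-dir
  Password = "PLACEHOLDER-long-random-secret"
  TLS Enable = yes
  # Refuse a Director connection that does not use TLS.
  TLS Require = yes
}
```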
PAM Authentication for the Director
In the new version 18.2 we've improved the security of the Bareos Director. Password authentication now happens via PAM (pluggable authentication modules), so it's no longer necessary to include plain-text passwords in the configuration file. This feature is optional – it's not mandatory to adjust the configuration.
For some time now we've been modernizing the Bareos legacy code. We've replaced GNU Autoconf with CMake. As a result the source code is much easier to maintain. Instead of 70,000 lines of Autoconf scripts we now have about 5,000 lines of CMake to look after – a pretty good result.
We've also reorganized our GitHub repositories. All Bareos components are now available in one folder and organized in subdirectories. Synchronizing the files for new releases should now be a lot easier.
You can find more information in our presentation on Bareos 18.2 RC from OSBConf 2018.