
the-bastion's Introduction


🔒 The Bastion

Bastions are a cluster of machines used as the unique entry point by operational teams (such as sysadmins, developers, database admins, ...) to securely connect to devices (servers, virtual machines, cloud instances, network equipment, ...), usually using ssh.

Bastions provides mechanisms for authentication, authorization, traceability and auditability for the whole infrastructure.

Learn more by reading the blog post series that announced the release:

🎥 Quick connection and replay example

(asciicast recording)

🔧 Installing, upgrading, using The Bastion

Please see the online documentation, or the corresponding text-based version found in the doc/ folder.

⚡ TL;DR: disposable sandbox using Docker

This is a good way to test The Bastion within seconds, but read the FAQ if you're serious about using containerization in production.

The sandbox image is available for the following architectures: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le, linux/s390x.

Let's run the docker image:

docker run -d -p 22 --name bastiontest ovhcom/the-bastion:sandbox

Get your public SSH key at hand, then configure the first administrator account:

docker exec -it bastiontest /opt/bastion/bin/admin/setup-first-admin-account.sh poweruser auto

We're now up and running with the default configuration! Let's set up a handy bastion alias, and test the info command:

PORT=$(docker port bastiontest | cut -d: -f2)
alias bastion="ssh poweruser@127.0.0.1 -tp $PORT -- "
bastion --osh info

It should greet you as being a bastion admin, which means you have access to all commands. Let's enter interactive mode:

bastion -i

This is useful to call several --osh plugins in a row. Now we can ask for help to see all plugins:

$> help

If you have a remote machine you want to try to connect to through the bastion, fetch your egress key:

$> selfListEgressKeys

Copy this public key to the remote machine's authorized_keys under the .ssh/ folder of the account you want to connect to, then:

$> selfAddPersonalAccess --host <remote_host> --user <remote_account_name> --port-any
$> ssh <remote_account_name>@<remote_host>

Note that you can connect directly without using interactive mode, with:

bastion <remote_account_name>@<remote_machine_host_or_ip>
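The sandbox walk-through above, gathered into reusable functions as an added example (this is not the project's own code). It assumes the container name bastiontest and the admin account poweruser from the walk-through, and it replaces the `cut -d: -f2` port extraction with a parser that also copes with the two-line output (IPv4 and IPv6 binding) recent Docker versions print for a published port, which would otherwise leave `$PORT` empty or multi-line and make the alias fail:

```shell
#!/bin/sh
# Added example, not from The Bastion's README: the sandbox steps as functions.
# Assumed names (taken from the walk-through): container "bastiontest",
# first admin account "poweruser".

CONTAINER=bastiontest
ADMIN=poweruser

# Extract the host port from the text `docker port` prints.
# `cut -d: -f2` breaks when Docker also lists an IPv6 binding: "[::]:32768"
# has nothing in colon-field 2, and two lines would end up in $PORT.
# Keep the first line and take everything after its last colon instead.
parse_docker_port() {
    printf '%s\n' "$1" | head -n 1 | sed 's/.*://'
}

# Start the disposable sandbox and create the first admin account,
# exactly as in the walk-through above.
sandbox_up() {
    docker run -d -p 22 --name "$CONTAINER" ovhcom/the-bastion:sandbox
    docker exec -it "$CONTAINER" \
        /opt/bastion/bin/admin/setup-first-admin-account.sh "$ADMIN" auto
}

# Published SSH port of the running sandbox container.
bastion_port() {
    parse_docker_port "$(docker port "$CONTAINER" 22)"
}

# Run one bastion invocation: `bastion --osh info`, `bastion -i`,
# or `bastion <remote_account_name>@<remote_host>`.
bastion() {
    ssh "$ADMIN@127.0.0.1" -tp "$(bastion_port)" -- "$@"
}
```

Source the file, run `sandbox_up` once, then use `bastion --osh info` and `bastion -i` as in the walk-through; only `parse_docker_port` is pure text processing, the other functions need Docker and an SSH client.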

That's it! Of course, there is a lot more to it; documentation is available under the doc/ folder and online. Be sure to check the help of the bastion (bastion --help) and the help of each osh plugin (bastion --osh command --help). Also don't forget to customize your bastion.conf file, which can be found in /etc/bastion/bastion.conf (for Linux).

🔀 Compatibility

Supported OS for installation

Linux distros below are tested with each release, but as this is a security product, you are warmly advised to run it on the latest up-to-date stable version of your favorite OS:

  • Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
  • CentOS 7.x
  • RockyLinux 8.x, 9.x
  • Ubuntu LTS 22.04, 20.04, 18.04, 16.04
  • OpenSUSE Leap 15.5*

*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of pamtester, pam-google-authenticator, or both. Of course, you may compile those yourself. Any other so-called "modern" Linux versions are not tested with each release, but should work with no or minor adjustments.

The following OS are also tested with each release:

  • FreeBSD/HardenedBSD 13.0**

**: Note that these have partial MFA support, due to their reduced set of available pam plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0.

Other BSD variants, such as OpenBSD and NetBSD, are unsupported as they have a severe limitation over the maximum number of supplementary groups, causing problems for group membership and restricted commands checks, as well as no filesystem-level ACL support and missing PAM support (hence no MFA).

Zero assumption on your environment

Nothing fancy is needed either on the ingress or the egress side of The Bastion to make it work.

In other words, only your good old ssh client is needed to connect through it, and on the other side, any standard sshd server will do the trick. This includes, for example, network devices on which you may not have the possibility to install any custom software.

➰ Reliability

  • The KISS principle is applied wherever possible in design and code: less complicated code means more auditability and fewer bugs
  • Only a few well-known libraries are used; less third-party code means a smaller attack surface
  • The bastion is engineered to be self-sufficient: no dependencies such as databases, other daemons, other machines or third-party cloud services, which statistically means less downtime
  • High availability can be set up so that multiple bastion instances form a cluster, with any instance usable at all times (active/active scheme)

🆗 Code quality

  • The code is run under perltidy
  • The code is also run under perlcritic
  • Functional tests are run before every release

🛂 Security at the core

Even with the most conservative, cautious and paranoid coding process, code has bugs, so it shouldn't be trusted blindly. Hence the bastion doesn't trust its own code: it leverages the operating system's security primitives for additional security, as described below.

  • Uses the well-known and trusted UNIX Discretionary Access Control:

    • Bastion users are mapped to actual system users
    • Bastion groups are mapped to actual system groups
    • All the code constantly checks rights before allowing any action
    • UNIX DAC is used as a safety belt to prevent an action from succeeding even if the code is tricked into allowing it
  • The bastion main script is declared as the bastion user's system shell:

    • No user has real (bash-like) shell access on the system
    • All code is run with the rights of the unprivileged user's system account
    • Even if a user could escape to a real shell, they wouldn't be able to connect to machines they don't have access to, because they don't have filesystem-level read access to the SSH keys
  • The code is modular

    • The main code mainly checks rights, logs actions, and enables ssh access to other machines
    • All side commands, called plugins, are in modules separated from the main code
    • The modules can either be open or restricted
      • Only accounts that have been specifically granted on a need-to-use basis can run a specific restricted plugin
      • This is checked by the code, and also enforced by UNIX DAC (the plugin is only readable and executable by the system group specific to the plugin)
  • All the code needing extended system privileges is separated from the main code, in modules called helpers

    • Helpers are run exclusively under sudo
    • The sudoers configuration is attached to a system group specific to the command, which is granted to accounts on a need-to-use basis
    • The helpers are only readable and executable by the system group specific to the command
    • The helpers' path and some of their immutable parameters are hardcoded in the sudoers configuration
    • Perl taint mode (-T) is used for all code running under sudo, preventing any user input from interfering with the logic, by halting execution immediately
    • Code running under sudo doesn't trust its caller and re-checks every input
    • Communication between unprivileged and privileged code is done using JSON
  • A protocol break is performed between the ingress and the egress side, rendering most protocol-based vulnerabilities ineffective
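The per-command sudo delegation described in the helpers bullets above, shown as an illustrative sudoers fragment added here. It is not one of the project's own sudoers files: the group name, the helper path and the fixed option are assumptions chosen to mirror the naming style of the README, and are shown next to the catch-all rule the design deliberately avoids.

```conf
# Added illustration, not The Bastion's own sudoers. Names are assumptions.

# What the design avoids: a catch-all rule. Any member of "admins" runs
# anything as root, so one bug in the unprivileged code is a full compromise.
%admins ALL=(root) NOPASSWD: ALL

# The pattern described above: one system group per command, granted to
# accounts on a need-to-use basis; the helper is invoked by absolute path,
# under Perl taint mode (-T), with an immutable option fixed in the rule.
%osh-accountCreate ALL=(root) NOPASSWD: /usr/bin/perl -T /opt/bastion/bin/helper/osh-accountCreate --type normal *
```

The trailing `*` in a sudoers command spec matches any remaining arguments, including extra options, so the rule alone does not constrain what the caller appends; that is why the helper itself re-checks every input it receives (the "doesn't trust its caller" bullet) and why the helper file is readable and executable only by its own group.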

๐Ÿ” Auditability

  • Bastion administrators must use the bastion's own logic to connect to it in order to administer it (or better, use another bastion to do so); this ensures auditability in all cases
  • Every access and action (whether allowed or denied) is logged with:
    • syslog, which should also be sent to a remote syslog server to ensure even bastion administrators can't tamper with their tracks, and/or
    • local sqlite3 databases for easy searching
  • Every session is recorded with ttyrec; helper scripts are provided to encrypt and push these records to a remote escrow filer
  • This code is used in production in several PCI-DSS, ISO 27001, SOC1 and SOC2 certified environments

🔗 Related

Dependencies

  • ovh-ttyrec - an enhanced but compatible version of ttyrec, a terminal (tty) recorder

Optional tools

  • yubico-piv-checker - a self-contained Go binary to check the validity of PIV keys and certificates. Optional, to enable The Bastion's PIV-aware functionalities
  • puppet-thebastion (GitHub) - a Puppet module to automate and maintain the configuration of The Bastion machines
  • the-bastion-ansible-wrapper - a wrapper to make it possible to run Ansible playbooks through The Bastion
  • debian-cis - a script to apply and monitor the hardening of Debian hosts as per the CIS recommendations

๐Ÿ“ License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

the-bastion's People

Contributors

alkorin, antleblanc, axl89, carsso, codyro, docwalter, fsamin, henyxia, jlecour, jonathanmarsaud, leorolland, louislaporte, madchrist, p-eb, perrze, pkuhner, rbeuque74, romainl972, snk33, speed47, thibaultdewailly


the-bastion's Issues

Question on master - slave in DR scenario

Imagine that you have your master bastion in region1 and your slave bastion in region2. Could I make the slave a master in case region1 goes offline for a longer period of time? Is there a way to rollback in case region1 comes online again?

I would like to avoid hosting multiple masters as that adds a burden on the administration of users and keys.

Password authentication for egress connections

Hello everyone,
we have some old switches in our network which do not support public key authentication. So every IT admin had their own account with a custom password.

I studied the docs and found in /etc/bastion/bastion.conf a parameter passwordAllowed. According to the description, it is exactly what I am looking for.

I changed the value from 0 to 1. After that I connected to a fresh bastion session and tried different commands to get a prompt for password authentication.

Is the parameter even suitable for my requirements?
If so, which parameters do I have to use with the command ssh admin@host:22?

Regards,
Daniel

Two hyphens too many on autocompletion

Hello,
I typed adminSudo and pressed the key twice. The first parameter is displayed with four hyphens.

---bs-server----------------------------------------------the-bastion-3.01.00---
----------------------------------------------------------------------</help>---
administrator@bastionhost01(master)> adminSudo -- --sudo-as

Ansible with the bastion

Firstly, thank you for having opened the code of the bastion! This is such a great tool :)

Provided the fact that the bastion is not a proxy jump, how could we use solutions like Ansible to run playbooks over our infrastructure?

Duplicated MFAPasswordMaxDays entry in bastion.conf

While doing a Chef cookbook to manage this awesome software, I found out that the MFAPasswordMaxDays entry is duplicated in the bastion.conf.dist file in v3.01.00:

# MFAPasswordMaxDays (int >= 0)
#    DESC: For the PAM UNIX password MFA, sets the maximum amount of days after which the password must be changed (see `chage -M')
# DEFAULT: 90
"MFAPasswordMaxDays": 90,
#
# MFAPasswordMaxDays (int >= 0)
#    DESC: For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password (see `chage -W')
# DEFAULT: 15
"MFAPasswordMaxDays": 15,

I'm not sure which one you'd like to keep, so I can't make a PR, but I hope this issue is useful! 😄

Adding an admin account doesn't seem to work on my bastion

Hello,

When I added an admin account thanks to the script setup-first-admin-account.sh, I created an account but I needed to put its name in bastion.conf to set it up as admin.

But I have trouble understanding how to set up an admin account, because when I created the first admin account, each time a group was created it had all the rights to it. If I want my other admin accounts to have all the rights to the groups already created, do I have to do everything manually?

Moreover, when I put an account in "superowner" in bastion.conf, it does not work (unlike adding it to admin, which works).

Excuse me for these questions, whose answers can probably be found in the documentation :/
I may have misread or misinterpreted some explanation.

Thank you for your help,

[SELinux] TOTP doesn't seem to work

I set TOTP on my account.

But after the successful registration, all my verifications are refused.

Is there any way to get my account back?
With the scratch code?

BUG: !scpupload / !scpdownload not accepted for IP ranges

Bug: It seems like the bastion does not accept IP ranges for !scpupload and !scpdownload:

Bastion group view:

admin@z1(master)> groupListServers --group example-infra

---bastion-a.eu-central-1a.infra.example.net---------------the-bastion-3.02.00---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?
~ 10.15.0.0/19       22               admin      example-infra(group)  admin    2021-02-18                                             -                                        - -
~ 10.15.0.0/19    (any)           !scpupload      example-infra(group)  admin    2021-02-23                                             -                                        - -
~ 10.15.0.0/19    (any)         !scpdownload      example-infra(group)  admin    2021-02-23                                             -                                        - -
~ 3 accesses listed
----------------------------------------------------------</groupListServers>---

Result using ansible:

TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
fatal: [gitlab.eu-central-1a.infra.example.net]: FAILED! => {"msg": "failed to transfer file to /home/admin/.ansible/tmp/ansible-local-97208bouj9_e6/tmppti5h9zm/gitlab.rb.j2 \u001b[?47l/home/admin/.ansible/tmp/ansible-tmp-1614071537.5889418-97310-161362758918463/source:\n\n>>>Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\n\\033[31;1m~ Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\\033[0m\n"}

Expectation:

TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
ok: [gitlab.eu-central-1a.infra.example.net]

Interestingly, !scpupload and !scpdownload work fine when using single hosts instead of IP blocks.

Post connect expect script

Hi,

Is there a way to run a script after connection, and before giving the interactive shell to the user? A typical scenario is equipment that provides a restricted command line, and needs a command and then an administrator password to be entered to give full access.

An expect script might be ideal for that, but any other language could be used, provided it can wait for prompt strings, and write the needed commands/passwords in the connection.

Thanks.

Force interactive session on empty command

Hello,

I'm trying to use The Bastion through an iOS SSH client but I'm unable to make it work, as the bastion needs some command on connection:

Bad or empty command

The app can send a command on connect but I've tried many things without success:

-i
-- -i
ssh root@someserver
info
-i info

An option to force the session to be interactive if there's no command would be nice, even though I'm not sure it would work without "-t" option support on the given SSH client (it doesn't work on my macOS Terminal app).

The obvious goal is to have better compatibility with any kind of SSH client app; not everyone uses a Linux/macOS/Unix terminal ;)

Comments on servers are not visible to users added via group-guest on selfListAccesses

I have a group with 4 servers, some of which have a userComment on them:

poweruser@zbst-rbeuque(master)> groupListServers --group foo
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?                                                                                                                                                            
~ 127.0.0.1          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 127.0.0.2          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                             test comment -                                                                                                                                                                      
~ 127.0.0.3          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                        test foo comment -                                                                                                                                                                      
~ 127.0.0.4          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 4 accesses listed

When I add another user as a guest of my foo group, the user can't see the userComment that has been set by the person who added the server.

user@zbst-rbeuque(master)> selfListAccesses
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> your access list
--------------------------------------------------------------------------------
~ Dear robot-framework, you have access to the following servers:
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?                                                                                                                                                            
~ 127.0.0.1          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 127.0.0.4          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 3 accesses listed
----------------------------------------------------------</selfListAccesses>---

I guess the issue is around:

groupSetRole calls OVH::Bastion::is_access_way_granted, then osh-accountAddGroupServer.
OVH::Bastion::is_access_way_granted retrieves the current ACL, which contains the comment, but doesn't retrieve it completely; more specifically, it doesn't forward it to osh-accountAddGroupServer.
This comment could be used as a parameter in osh-accountAddGroupServer when calling OVH::Bastion::access_modify.

Doesn't seem to be a valid bastion group

Good morning guys,
I have several groups which I want to delete on my bastion host. Every time I delete a group, it outputs the following error:
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group

Below the complete output from console:

---bastion02----------------------------------------------the-bastion-3.01.01---
=> delete an existing bastion group
--------------------------------------------------------------------------------
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~
~ You are about to DELETE a bastion group, to be sure you're not drunk, ~ please type the name of the group you want to delete (won't be echoed):
~
~ Removing /home/allowkeeper/surname.givename/allowed.ip.sbw-rs-servers...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-owner ~ Deleting group keysbw-rs-servers-owner...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-aclkeeper ~ Deleting group keysbw-rs-servers-aclkeeper...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-gatekeeper ~ Deleting group keysbw-rs-servers-gatekeeper...
~ Found 2 members, removing them from the group ~ ... removing allowkeeper from group keysbw-rs-servers ~ ... removing surname.givename from group keysbw-rs-servers ~ Deleting main user of group keysbw-rs-servers...
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group

If I try to delete the same group again, it displays that the group does not exist.
~ Group 'keysbw-rs-servers' doesn't exist

What am I doing wrong? Is it possibly an error?

Regards,
Daniel

Overview of help incomplete

Hi @speed47,
in the current release the output of the help command is incomplete.
For example, the command groupDelEgressKey is not displayed to me.
My user account is owner of the groups.

Regards,
Daniel

Change key of a group

Hi Guys,
we use different groups for our environment. Mostly they use ED25519-256. For compatibility reasons, I would like to switch individual groups from ED25519 to RSA. Deleting and re-creating the affected groups is not an option, because then we would also have to add all servers again.

Can someone describe how I can replace an ED25519 key with an RSA key?

/Daniel

Sync ttyrec files

Hi,

It seems that ttyrec files stored in /home/<user>/ttyrec/* are not synced between slaves and master. So in an HA setup, when a user reaches a slave, their session is only recorded locally on the slave, and is not available on every machine of the cluster.

Is this intended? What is the workflow to see all recorded sessions of a user?

Thanks,

If group name contains "key" in it, it is truncated in output

We created a group named keylogy on The Bastion and noticed that in all outputs of commands like groupInfo --group keylogy, the group name is truncated to logy.

jonathanmarsaud@bssh(slave)> groupInfo --group keylogy
---<redacted>--------------------------------------------the-bastion-3.03.01---
=> group info
--------------------------------------------------------------------------------
~ Group logy's Owners are: <redacted>
~ Group logy's GateKeepers (managing the members/guests list) are: <redacted>
~ Group logy's ACLKeepers (managing the group servers list) are: <redacted>
~ Group logy's Members (with access to ALL the group servers) are: <redacted>
~ Group logy's Guests (with access to SOME of the group servers) are: -
~  
~ The public key of this group is:
~  
~ fingerprint: <redacted>
~ keyline follows, please copy the *whole* line:
from="<redacted>" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBQoSC81Q5s92Ysi/VTou2GFNyv0jmK5ctq9d427YzYN logy@bssh:1619685770

Add an --osh adminUpgrade script

To easily handle bastion software version upgrades, possibly upgrading to dev branches instead of released stable versions, also verifying the GPG signature.

accountModify works on slave nodes

tsoete@<REDACTED>(slave)> accountModify --account tsoete --pam-auth-bypass yes
---<REDACTED>------------------the-bastion-2.99.99-rc9.4-ovh1---
=> modify the configuration of an account
--------------------------------------------------------------------------------
~ Bypassing sshd PAM auth usage for this account...
~ ... done, this account will no longer use PAM for authentication

-------------------------------------------------------------</accountModify>---
~ IMPORTANT: You have been added to new groups since the session started.
~ You'll need to logout/login again from this interactive session to have
~ your new rights applied, or you'll get sudo errors if you try to use them.

official IPv6 support

When I try to ssh to an IPv6 address through my bastion, I receive:

~ Unable to resolve host '<ipv6_address>' (IP <ipv6_address> version is not allowed)

It works fine with the IPv4 address of the host. groupAddServer works with both IPv4 and IPv6.
Did I do something wrong?

Implement PIV support

By using ovh-yubico-piv-checker.
Parts of the support have already been open-sourced, namely:

  • The accountPIV plugin, to set the per-account policy
  • The cron/osh-piv-grace-reaper.pl script, to expire PIV grace periods
  • The accountInfo plugin, to report the status of the account PIV policy
  • a few internal helper functions

To get complete support we need to:

  • Add PIV support to selfAddIngressKey/selfDelIngressKey
  • A global bastion-wide policy flag, if enforcing PIV for all accounts is desired

Server to Server SCP through the bastion

Hi,

We've been using The Bastion at our organization for some time and I noticed that it's not possible to use SCP to copy a file from one host on the bastion to another one also on the bastion. Is that a limitation of the software or is there some configuration needed?

Thanks.

Documentation on HTTP Proxy

Hi team,
Are there any hints you can provide regarding the current and intended functionality of the 'http proxy'?
Is it serving the same purpose as the SSH bastion, but for HTTPS <--> HTTPS connections? What authentication methods does it support on the ingress/egress side?

Better way to import the GPG key (pasting the public key does not work)

I had trouble importing the admin public key per the documentation; briefly, pasting it into the terminal when requested does not advance the script. So I took another approach:

  • Created the "adminkey.txt" and pasted the admin gpg public key into it.
  • Modified the /opt/bastion/bin/admin/setup-gpg.sh so that it accepts a second argument, the name of the file having the key.
  • Modified the lines
    $gpgcmd --import "$1"
    and
    do_import "$2"; exit $?
    so that the gpg --import is processed.

And only then the script worked.

Group name contains invalid characters

Hello,
I tried to add a new user account with a dot in the name. I ran into an error that the group could not be created.

administrator@bastionhost01(master)> accountCreate --account test.test2 --uid-auto
---bs-server----------------------------------------------the-bastion-3.01.00---
=> create a new bastion account
--------------------------------------------------------------------------------
~ Please paste the SSH key you want to add. This bastion supports the following algorithms:
~ ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one
~ ECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one
~ RSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one
~
~ In any case, don't save it without a passphrase (your paste won't be echoed).
~ Creating group test.test2 with GID 99994...
~ Creating user test.test2 with UID 99994...
~ Creating tty group of account...

~ Group name contains invalid characters

Please add a filter for special characters in account names, or allow them in the group names.

accountCreate help text doesn't seem to be correct

Trying to create an account on a recently deployed bastion, using only --account yields the following help message:

~ Create a new bastion account
~
~ Usage: --osh accountCreate --account ACCOUNT [OPTIONS]
~
~   --account NAME          Account name to create, NAME must contain only valid UNIX account name characters
~   --uid UID               Account system UID, also see --uid-auto
~   --uid-auto              Auto-select an UID from the allowed range (the upper available one will be used)
~   --always-active         This account's activation won't be challenged on connection, even if the bastion is globally
~                             configured to check for account activation
~   --osh-only              This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
~   --immutable-key         Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
~   --comment '"STRING"'    An optional comment when creating the account. Quote it twice as shown if you're under a shell.
~   --public-key '"KEY"'    Account public SSH key to deposit on the bastion, if not present,
~                             you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
~   --no-key                Don't prompt for an SSH key, no ingress public key will be installed
~   --ttl SECONDS|DURATION  Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
~ Missing mandatory parameter 'account' or ('uid' or 'uid-auto')

According to it, I should be able to create an account using only the --account option, but using --uid-auto (or, I assume, manually passing a UID) was mandatory. Should the final line be 'account' and (...) instead of 'account' or (...)? If this were the case, the usage string should probably be updated too.

Bastion version: 3.03.00

Group members can connect under all target server users using the same group key

Hello,

I guess this isn't a bug but just how ssh works (or maybe I just don't use OVH Bastion well).

All group members can connect as every user who uses the group key on the target server.

For example, a server has 3 system users and each of these users authorizes the public key of a Bastion group.
If one user wants to connect as one of the two other users, well, he can do it.

In the end, the connection to the servers can be traced by going back through the history on the bastion, but I still wonder about it because it's quite suspicious behaviour.

selfListAccesses : add search filter

Hello,

On my bastion I've got a few groups and... hundreds of servers, which can make it hard to find a specific access.
We've added a server name in the comment + internal DNS to be able to connect easily to a server, but searching for one can be tricky.

I've managed to add a shell function to make it work by doing a "grep" on the stdout, but a filter implemented in the selfListAccesses command itself would be nice to make it work more directly (mostly on 3rd party SSH clients):

function bls() {
    # Filter the plugin output by the given pattern; "$1" is quoted so that
    # patterns containing spaces or glob characters reach grep intact.
    ssh -i ~/.ssh/key -t user@bastion -- --osh selfListAccesses | grep -- "$1"
}

Usage :
bls nameofserver

As the IP is always resolved when adding a server, I guess this search could only be on "comment", but if for some reason we're looking for servers in some network, filtering on "ip/host" too could be nice as well.

I guess it could be useful for many bastion users, including OVH teams? ;)

osh_only property setting handling

Currently the osh_only property of an account is only set to true at account creation via the --osh-only parameter.
It should be possible to toggle this parameter with the accountModify plugin and get its status with the accountInfo plugin.
That would allow proper traceability of such manipulations through bastion code, avoiding manual changes on the bastion host itself as root.

Can't ssh to any host.

Not sure what happened, but now I can't ssh to any host:

 ssh bastion@xxxxxxxx
~ Welcome to bastion.xxxxx.xxxx , xxxx, your last login was 00:00:08 ago (Tue 2021-01-19 04:20:43 UTC) from xxxxxxx)

185.144.208.251:39982 => [email protected]:22 => [email protected]:22 ...
 allowed ... log on(/home/qxmips/ttyrec/xxxxxx/2021-01-19.04-20-51.656242.c4d5847cbfe2.qxmips.bastion.1xxxxxxx.ttyrec)

 will try the following accesses you have:
  - group-member of vyos_infra with RSA-4096 key SHA256:xxxxxxxxxxxxxxxxxxxxx
  - [2021/01/14]

Connecting...
Usage: ttyrec [options] -- <command> [command options]

Usage (legacy compatibility mode): ttyrec -e <command> [options] [ttyrec file name]

Options:
  -z, --uuid UUID           specify an UUID (can be any string) that will appear in the ttyrec output file names,
                              and kept with SIGUSR1 rotations (default: own PID)
  -f, --output FILE         full path of the first ttyrec file to write to (autogenerated if omitted)
  -d, --dir FOLDER          folder where to write the ttyrec files (taken from -f if omitted,
                              defaulting to working directory if both -f and -d are omitted)
  -F, --name-format FMT     custom strftime-compatible format string to qualify the full path of the output files,
                              including the SIGUSR1 rotated ones
  -a, --append              open the ttyrec output file in append mode instead of write-clobber mode
  -Z                        enable on-the-fly compression if available, silently fallback to no compression if not
      --zstd                force on-the-fly compression of output file using zstd,
                              the resulting file will have a '.ttyrec.zst' extension
      --max-flush-time S    specify the maximum number of seconds after which we'll force zstd to flush its output buffers
                              to ensure that even somewhat quiet sessions gets regularly written out to disk, default is 15
  -l, --level LEVEL         set compression level, must be between 1 and 19 for zstd, default is 3
  -n, --count-bytes         count the number of bytes out and print it on termination (experimental)
  -t, --lock-timeout S      lock session on input timeout after S seconds
      --warn-before-lock S  warn S seconds before locking (see --lock-timeout)
  -k, --kill-timeout S      kill session on input timeout after S seconds
      --warn-before-kill S  warn S seconds before killing (see --kill-timeout)
  -C, --no-cheatcodes       disable cheat-codes (see below), this is the default
  -c, --cheatcodes          enable cheat-codes (see below)
  -p, --no-openpty          don't use openpty() even when it's available
  -T, --term MODE           MODE can be either 'never' (never allocate a pseudotty, even if stdin is a tty, and use pipes to
                              handle stdout/stderr instead), 'always' (always allocate a pseudotty, even if stdin is not a tty)
                              or 'auto' (default, allocate a pseudotty if stdin is a tty, uses pipes otherwise)
  -v, --verbose             verbose (debug) mode, use twice for more verbosity
  -V, --version             show version information
  -e, --shell-cmd CMD       enables legacy compatibility mode and specifies the command to be run under the user's $SHELL -c

Examples:
  Run some shell commands in legacy mode: ttyrec -e 'for i in a b c; do echo $i; done' outfile.ttyrec
  Run some shell commands in normal mode: ttyrec -f /tmp/normal.ttyrec -- sh -c 'for i in a b c; do echo $i; done'
  Connect to a remote machine interactively: ttyrec -t 60 -k 300 -- ssh remoteserver
  Execute a local script remotely with the default remote shell: ttyrec -- ssh remoteserver < script.sh
  Record a screen session: ttyrec screen

Handled signals:
  SIGUSR1     close current ttyrec file and reopen a new one (log rotation)
  SIGURG      lock session
  SIGUSR2     unlock session

Cheat-codes (magic keystrokes combinations):
  ^L^L^L^L^L^L^L^L   lock your session (that's 8 CTRL+L's)
  ^K^I^L^L^K^I^L^L   kill your session

Remark about session lock and session kill:
  If we don't have a tty, we can't lock, so -t will be ignored,
  whereas -k will be applied without warning, as there's no tty to output a warning to.
You specified --warn-before-kill without enabling --timeout-kill, this doesn't make sense

It seems like ttyrec doesn't like some parameter.
How can I check what parameters ttyrec is called with?

Parameter does not work with autocompletion

Hello,
in the last days I created some accounts with accountCreate for our Proof of Concept (PoC). The mandatory parameter --uid-auto is not usable with the TAB key. Every time I get only the parameter --uid.

I tried two ways:
accountCreate --account test02 --uid -> nothing else happens
accountCreate --account test02 --uid- -> nothing else happens

I use the latest git tag of The Bastion.
Is it possible to extend the autocompletion?

Unlock /home on boot

Hi,

I've just installed The Bastion on a fresh Debian 10.
The /opt/bastion/bin/admin/setup-encryption.sh script has helped me change my /home partition to an encrypted one, but at the end it says:

/opt/bastion/bin/admin/unlock-home.sh: line 5: /etc/bastion/luks-config.sh: No such file or directory
Not configured or badly configured (check /etc/bastion/luks-config.sh), nothing to do.
`-> [ OK ]

After a reboot, there is no passphrase prompted and obviously the partition is not mounted.

My partitions (/home is vdb1):

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
vda    254:0    0   20G  0 disk 
|-vda1 254:1    0  476M  0 part /boot
|-vda2 254:2    0  954M  0 part /
|-vda3 254:3    0  5.6G  0 part /usr
|-vda4 254:4    0  477M  0 part [SWAP]
|-vda5 254:5    0  477M  0 part [SWAP]
|-vda6 254:6    0  954M  0 part /tmp
`-vda7 254:7    0 11.2G  0 part /var
vdb    254:16   0   10G  0 disk 
|-vdb1 254:17   0  4.7G  0 part 
`-vdb2 254:18   0  5.4G  0 part /opt

The relevant part of my fstab:

/dev/disk/by-id/dm-name-home /home ext4 defaults,errors=remount-ro,noauto,nosuid,noexec,nodev 0 0

Did I do something wrong?

SFTP/SCP through Bastion

The Bastion works fine for managing SSH connections. But is there a way to manage SFTP/SCP through the bastion?

No matching key exchange method found

Hi guys,
today I have no bug report, it is more of a technical question. We want to manage access to CISCO switches with the Bastion.

First I tried to connect from bash with the ssh command:
ssh [email protected]

But I got the following error message:
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

A look into the file /etc/sshd/sshd_config showed me that some changes were made with the installation of the bastion.

I made some changes to the configuration file to find a solution for the error, without success.

Does the problem occur because of the hardening of the ssh daemon, or is it a default setting of the ssh daemon on Ubuntu 20.04 LTS?

Regards,
Daniel
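The error line quoted above lists the key exchange methods the switch offers, both SHA-1 based and therefore disabled by default in current OpenSSH clients. The safe response is to enable a legacy method for that one device only, in a Host block, rather than in the global section of the client configuration, because a global KexAlgorithms change also weakens every other egress connection. The following is an added example (editor's code, not the project's): it parses such a failure line, intersects the offer with the methods a client knows (a constructed copy of `ssh -Q kex` output; run the real command on your bastion), picks one method by an ordering that is this example's own judgement, and prints a scoped stanza. Where the bastion's egress OpenSSH client reads its configuration is an assumption to confirm in the project's documentation (the system-wide /etc/ssh/ssh_config is assumed here); the real fix is on the switch side, enabling SHA-2 key exchange in its firmware.

```python
"""Scope a legacy SSH key exchange method to one target device.

Added example: parses the OpenSSH client's negotiation failure and emits a
Host-scoped ssh_config stanza instead of weakening KexAlgorithms globally.
"""
import re

NEGOTIATION_ERROR = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)"
)

# Best to worst, this example's own ordering: SHA-2 methods first, SHA-1
# methods last. Used only to pick ONE method from the overlap.
PREFERENCE = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp521",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
]

# Constructed stand-in for the output of `ssh -Q kex` on the bastion: the
# methods the client CAN use, which is not the list it enables by default.
CLIENT_KEX = """\
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
"""

# The error line quoted in the question above.
ERROR_LINE = (
    "Unable to negotiate with 192.168.1.1 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1"
)


def parse_failure(line):
    """Return (host, port, [offered methods]) from an OpenSSH failure line."""
    m = NEGOTIATION_ERROR.search(line)
    if not m:
        raise ValueError("not a key exchange negotiation failure: " + line)
    return m["host"], int(m["port"]), m["offer"].split(",")


def choose_kex(offered, client_supported):
    """Pick the most preferred method both sides can do, or raise."""
    usable = set(offered) & set(client_supported)
    for method in PREFERENCE:
        if method in usable:
            return method
    raise ValueError("no usable key exchange method; offered: " + ",".join(offered))


def kex_stanza(error_line, client_kex_output):
    """Build a Host block enabling exactly one extra method for that device.

    The leading '+' appends to the client's default list for this host only;
    OpenSSH matches Host against the name given on the command line, so use
    whatever name or address the bastion actually connects to.
    """
    host, port, offered = parse_failure(error_line)
    method = choose_kex(offered, client_kex_output.split())
    return (
        f"# Legacy key exchange for one device only; remove once {host} supports SHA-2.\n"
        f"Host {host}\n"
        f"    Port {port}\n"
        f"    KexAlgorithms +{method}\n"
    )


if __name__ == "__main__":
    print(kex_stanza(ERROR_LINE, CLIENT_KEX), end="")
```

For the line in the question this yields a block for 192.168.1.1 enabling only diffie-hellman-group14-sha1; a device whose offer overlaps with nothing the client supports raises instead of producing a stanza, which is the right outcome for gear that cannot be reached without an upgrade.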

Is it possible to remove a particular host key?

Hi Guys,
On the weekend I had to generate a new ssh key pair on a switch. Because of that, all users get an error on connection attempts saying the fingerprint is not correct anymore. The exact ssh-keygen command is also displayed to the user in the output.

But the user cannot execute the command in this shell (osh.pl). Is there an option in the bastion's configuration file to allow this?

Regards,
Daniel

SSH Local Forward

Hello,

My goal is to access an http server listening only on localhost through the bastion,
kind of like ssh -L 9090:localhost:9090 someuser@server42

I tried:
ssh -L 9090:localhost:9090 -t admin@bastion -- someuser@server42
But without success.

I've found in (bastion) /etc/ssh/sshd_config there is
AllowTcpForwarding no

Setting to yes didn't help.

Is it a good idea to change the bastion's sshd_config? Is there a better way?

PS: the http server is https://cockpit-project.org

--osh selfPlaySession doesn't play saved sessions on CentOS

Thank you, guys, you're doing a fantastic job here.
There are small issues that are not working in the meantime:
I'm playing with a fresh CentOS 7 bastion installation (the-bastion-3.01.03), CentOS Linux release 7.9.2009.
The ttyrec sessions are saved nicely and can be viewed locally through ttyplay, but --osh selfPlaySession always returns "There were no terminal recording for this session" (the ids of the saved sessions on the disk and those returned via "selfListSessions" are the same).

Cannot impersonate a selfPlaySession command

Hello,

We're doing a PoC to see how The Bastion could work for us, but we're having an issue using selfPlaySession via adminSudo.

Our goal is to be able to play some user's session to be able to check what has been done on a server, in case something went wrong.

The command is sent from an admin account with these settings:
adminSudo -- --sudo-as USER --sudo-cmd selfPlaySession -- --id ID

Example output (with admin/user replaced):

---bastion--------------------------------------the-bastion-3.00.01---
=> launching a bastion command or connection, impersonating another user
--------------------------------------------------------------------------------
~ ADMIN SUDO: admin, you'll now impersonate user, this has been logged.
---bastion--------------------------------------the-bastion-3.00.01---
=> replay a past session
--------------------------------------------------------------------------------
~       ID: 3c5135b19531
~  Started: 2020/11/13 12:57:41
~    Ended: 2020/11/13 12:57:58
~ Duration: 0d+00:00:16.600744
~     Type: ssh
~     From: 10.254.254.103:50462 (10.254.254.103)
~      Via: [email protected]:22
~       To: [email protected]:22 (10.254.3.1)
~  RetCode: 0
~ 
~ Press '+' to play faster
~ Press '-' to play slower
~ Press '1' to restore normal playing speed
~ 
~ When you're ready to replay session 3c5135b19531, press ENTER.
~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake.

We cannot press ENTER to make the session play :(

Is there another (undocumented) way to play a session from a specific account ?

If not, could you either fix this stdin issue or add some --autoplay option to selfPlaySession plugin to bypass this ?

Thanks !

Different password for each egress connection

Hi,

I'm experimenting with The Bastion, and I have a large network with many devices, which all already have different passwords configured.

Is there a way to use password authentication, and specify the login/password to use for each device added to the bastion, without having to reconfigure them?

Thanks.
