Comments (3)

speed47 commented on September 23, 2024

If you want to have better traceability while keeping group access, you can use the LC_BASTION and LC_BASTION_DETAILS environment variables, which are pushed to each remote server when the bastion connects.

  • LC_BASTION bears the name of the account connecting (for legacy reasons)
  • LC_BASTION_DETAILS is a JSON document with a lot of information you can pick from to build a log message on the remote server

We use this in an /etc/ssh/sshrc file, which is a script launched by ssh when a user connects. This script gathers the information and pushes a log message to syslog, similar to this one:

Mar 19 08:57:04 bastion.example.org sshd[1424732]: Remote session: shell on pts/0 for root from 198.51.100.124 port 53534 by bastion remote user jdoe session uniqid 5fd29468d13f

With the uniqid, you can find the corresponding ttyrec and any other logs related to the session.

Note that this message can only be trusted when the "from" IP is that of a bastion (in our setups, you can't ssh from anything other than a bastion), as in this case you can trust the LC_BASTION_* envvars. Otherwise, a user might craft those vars themselves if they come from a machine they have shell access to and can override envvars.

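An example of the sshrc approach described in the comment above, added here and not code from the-bastion project: it refuses to trust LC_BASTION_* unless the connecting IP is a known bastion, pulls fields out of LC_BASTION_DETAILS, and builds the syslog line. The JSON key names "account" and "uniqid", the bastion IP allowlist and the sample values are assumptions.

```shell
#!/bin/sh
# Example /etc/ssh/sshrc for a server reached through the bastion.
# sshd runs this at login with the client's environment, so LC_BASTION and
# LC_BASTION_DETAILS are visible here (the remote sshd must AcceptEnv LC_*).
# Assumed: the JSON keys "account" and "uniqid", the allowlist and sample IPs.

# Only these source addresses are bastions; LC_BASTION_* arriving from any
# other host is user-controlled and must not be trusted. (constructed allowlist)
BASTION_IPS="198.51.100.124"

# json_field KEY JSON: print the string value of top-level KEY
# (flat keys only, no escape handling; enough for the fixed-format bastion JSON)
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# is_bastion_ip IP: succeed when IP is in the allowlist
is_bastion_ip() {
    for _ip in $BASTION_IPS; do
        [ "$_ip" = "$1" ] && return 0
    done
    return 1
}

# build_log_line LOCAL_USER CLIENT_IP LC_BASTION LC_BASTION_DETAILS
# Prints the line to log; for untrusted sources the envvars are ignored.
build_log_line() {
    if ! is_bastion_ip "$2"; then
        printf 'Remote session for %s from %s: LC_BASTION_* ignored, source is not a known bastion\n' "$1" "$2"
        return 0
    fi
    _account=$(json_field account "$4")
    [ -n "$_account" ] || _account=$3      # fall back to the legacy variable
    _uniqid=$(json_field uniqid "$4")
    printf 'Remote session for %s from %s by bastion remote user %s session uniqid %s\n' \
        "$1" "$2" "$_account" "${_uniqid:-unknown}"
}

# When run by sshd, SSH_CLIENT is "client_ip client_port server_port".
if [ -n "$SSH_CLIENT" ]; then
    logger -t bastion-session -p auth.info -- \
        "$(build_log_line "$(id -un)" "${SSH_CLIENT%% *}" "${LC_BASTION:-}" "${LC_BASTION_DETAILS:-}")"
fi
```

The uniqid in the resulting line is what you then search for in the bastion's ttyrec and session logs.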

speed47 commented on September 23, 2024

Hello,

If there are several accounts on the remote server, and these accounts should potentially not be used by the same people, then they shouldn't share the same keys. This is not bastion specific, this is how SSH works.

Group accesses exist to share the same accesses between people, with rights delegation so that teams can be independent, but in your case it sounds like, for the remote server you're talking about, people should probably use personal accesses instead of group accesses. Indeed, each bastion user has their own set of "egress keys" that can be pushed to remote servers. These keys are specific to each account and can't be shared, so this sounds more like what you might need.

You might want to have a look at this blog post; it explains the two ways you can manage accesses (personal vs. groups). Most of the time both are useful, as they answer different use cases.


deepbluemussel commented on September 23, 2024

Okay. I was just wondering if it was possible from the bastion to make the members of a group connect only with their respective login (an option that could have been defined when creating the server in the group).
It was mainly to facilitate traceability, but since we can trace the original connection on the bastion it is not a blocking point.
Thank you
