
the-bastion's Issues

Group members can connect under all target server users using the same group key

Hello,

I guess this isn't a bug but just how ssh works (or maybe I just don't use OVH Bastion well).

All group members can connect as every user who uses the group key on the target server.

For example, a server has 3 system users, and each of these users authorizes the public key of a Bastion group.
If one user wants to connect as one of the two other users, well, he can.

In the end, the connection to the servers can be traced by going back to the history on the bastion, but I still wonder about it because it's quite suspicious behaviour.
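The property described in this issue is a fact about the target server, not about the bastion: whichever accounts list the group's public key in their authorized_keys are all reachable with that one key, and a `from=` restriction only pins the source address, not the account. The script below is an added example (not part of The Bastion) that a target-server owner can run to find keys trusted by more than one local account. The key material and the four accounts' authorized_keys contents are constructed inline; the fingerprint format matches what `ssh-keygen -lf` prints, so the output can be compared with the fingerprint shown by `groupInfo`.

```python
"""Find SSH public keys that more than one local account trusts.

Added example for the issue above; it is not part of The Bastion. It reads
the authorized_keys contents of several target-server accounts (constructed
inline here) and groups them by SHA256 fingerprint, the same value that
`ssh-keygen -lf` prints. A key listed under several accounts lets every holder
of that key, i.e. every member of the bastion group, log in as any of those
accounts, whatever `from=` restriction the line carries.
"""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# A key line is: [options] keytype base64-blob [comment]. Options may contain
# quoted spaces (from="a,b",command="x y"), so locate the key type instead of
# splitting the line on whitespace.
KEY_RE = re.compile(
    r'(?:^|\s)(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)'
    r'\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in OpenSSH notation: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (options, keytype, fingerprint, comment) for each usable key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # unparsable line: sshd ignores it as well
        options = line[: m.start()].strip()
        yield options, m.group("type"), fingerprint(m.group("blob")), m.group("comment") or ""


def shared_keys(authorized_keys_by_account):
    """Map fingerprint -> sorted accounts trusting it, for keys trusted by more than one account."""
    trusting = defaultdict(set)
    for account, text in authorized_keys_by_account.items():
        for _options, _ktype, fp, _comment in parse_authorized_keys(text):
            trusting[fp].add(account)
    return {fp: sorted(accounts) for fp, accounts in trusting.items() if len(accounts) > 1}


def constructed_ed25519_blob(fill):
    """Constructed key material (example only): wire format is string(type) + string(32-byte point)."""
    point = bytes([fill]) * 32
    return base64.b64encode(
        struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    ).decode()


GROUP_KEY = constructed_ed25519_blob(0x41)     # stands in for a bastion group's egress key
PERSONAL_KEY = constructed_ed25519_blob(0x42)  # a key only one account trusts

# Constructed authorized_keys contents of four accounts on one target server.
SAMPLE_TARGET = {
    "app":    f'from="10.0.0.5" ssh-ed25519 {GROUP_KEY} infra@bastion:1619685770\n',
    "deploy": f'from="10.0.0.5",no-port-forwarding ssh-ed25519 {GROUP_KEY} infra@bastion:1619685770\n',
    "root":   f'# root trusts the same group key\nssh-ed25519 {GROUP_KEY} infra@bastion:1619685770\n',
    "alice":  f'ssh-ed25519 {PERSONAL_KEY} alice@laptop\n',
}


if __name__ == "__main__":
    for fp, accounts in shared_keys(SAMPLE_TARGET).items():
        print(f"{fp} is authorized for {len(accounts)} accounts: {', '.join(accounts)}")
```

On a real server, replace SAMPLE_TARGET with the contents of each account's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` sshd is configured with). Every fingerprint reported under several accounts is one bastion group whose members are interchangeable on that host; if that is not intended, give each target account its own group key.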

Overview of help incomplete

Hi @speed47,
in the current release the output of the command help is incomplete.
For example the command groupDelEgressKey is not displayed to me.
My user account is an owner of the groups.

Regards,
Daniel

Doesn't seem to be a valid bastion group

Good morning Guys,
I have several groups which I want to delete on my bastion host. Every time I delete a group, it outputs the following error:
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group

Below the complete output from console:

---bastion02----------------------------------------------the-bastion-3.01.01---
=> delete an existing bastion group
--------------------------------------------------------------------------------
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~
~ You are about to DELETE a bastion group, to be sure you're not drunk,
~ please type the name of the group you want to delete (won't be echoed):
~
~ Removing /home/allowkeeper/surname.givename/allowed.ip.sbw-rs-servers...
~ Found 1 members, removing them from the group
~ ... removing surname.givename from group keysbw-rs-servers-owner
~ Deleting group keysbw-rs-servers-owner...
~ Found 1 members, removing them from the group
~ ... removing surname.givename from group keysbw-rs-servers-aclkeeper
~ Deleting group keysbw-rs-servers-aclkeeper...
~ Found 1 members, removing them from the group
~ ... removing surname.givename from group keysbw-rs-servers-gatekeeper
~ Deleting group keysbw-rs-servers-gatekeeper...
~ Found 2 members, removing them from the group
~ ... removing allowkeeper from group keysbw-rs-servers
~ ... removing surname.givename from group keysbw-rs-servers
~ Deleting main user of group keysbw-rs-servers...
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group

If I try to delete the same group again, it displays that the group does not exist.
~ Group 'keysbw-rs-servers' doesn't exist

What am I doing wrong? Is it possibly an error?

Regards,
Daniel

selfListAccesses : add search filter

Hello,

On my bastion I've got a few groups and... hundreds of servers, which can make it hard to find a specific access.
We've added the server name in the comment plus internal DNS to be able to connect easily to a server, but searching for one can be tricky.

I've managed to add a shell function to make it work by grepping the stdout, but a filter implemented in the selfListAccesses command itself would be nice to make it work more directly (mostly on 3rd party SSH clients):

function bls() {
    # Ask the bastion for the access list, then filter it locally.
    # The pattern is quoted and passed after "--" so names with spaces or leading dashes work;
    # -F treats it as a fixed string and -i ignores case.
    ssh -i ~/.ssh/key -t user@bastion -- --osh selfListAccesses | grep -i -F -- "$1"
}

Usage :
bls nameofserver

As the IP is always resolved when adding a server, I guess this search could only be on "comment", but if for some reason we're looking for servers in some network, filtering on "ip/host" too could be nice as well.

I guess it could be useful for many bastion's users, including OVH teams ? ;)

Question on master - slave in DR scenario

Imagine that you have your master bastion in region1 and your slave bastion in region2. Could I make the slave a master in case region1 goes offline for a longer period of time? Is there a way to rollback in case region1 comes online again?

I would like to avoid hosting a multiple masters as that adds a burden on administration of users and keys.

Group name contains invalid characters

Hello,
I tried to add a new user account with a dot in the name. I ran into an error that the group could not be created.

administrator@bastionhost01(master)> accountCreate --account test.test2 --uid-auto
---bs-server----------------------------------------------the-bastion-3.01.00---
=> create a new bastion account
--------------------------------------------------------------------------------
~ Please paste the SSH key you want to add. This bastion supports the following algorithms:
~ ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one
~ ECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one
~ RSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one
~
~ In any case, don't save it without a passphrase (your paste won't be echoed).
~ Creating group test.test2 with GID 99994...
~ Creating user test.test2 with UID 99994...
~ Creating tty group of account...

~ Group name contains invalid characters

Please add a filter for special characters in account names, or allow them in the group names.

Duplicated MFAPasswordMaxDays entry in bastion.conf

While doing a Chef cookbook to manage this awesome software, I found out that the MFAPasswordMaxDays entry is duplicated in the bastion.conf.dist file in v3.01.00:

# MFAPasswordMaxDays (int >= 0)
#    DESC: For the PAM UNIX password MFA, sets the maximum amount of days after which the password must be changed (see `chage -M')
# DEFAULT: 90
"MFAPasswordMaxDays": 90,
#
# MFAPasswordMaxDays (int >= 0)
#    DESC: For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password (see `chage -W')
# DEFAULT: 15
"MFAPasswordMaxDays": 15,

I'm not sure which one you'd like to keep, so I can't make a PR, but I hope this issue is useful!
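The practical risk of a duplicated key is silent: bastion.conf is a JSON object with `#` comment lines, as in the excerpt above, and a plain JSON parser keeps the last value of a duplicated key, so the effective MFAPasswordMaxDays would be 15 rather than 90 and the setting the second block was meant to describe (the `chage -W` warning) is not applied at all. The following is an added example (not part of The Bastion, which is written in Perl) of a configuration-management check that catches this before the file is deployed; the sample file is a constructed excerpt mirroring the v3.01.00 fragment above.

```python
"""Detect duplicated keys in a bastion.conf-style file.

Added example for the issue above, not part of The Bastion. bastion.conf is a
JSON object with '#' comment lines. A plain JSON parser keeps the *last* value
of a duplicated key, so the two MFAPasswordMaxDays entries collapse to 15 and
the 90-day value is silently discarded.
"""
import json


def strip_comments(text):
    """Drop lines whose first non-blank character is '#', leaving plain JSON."""
    return "\n".join(line for line in text.splitlines() if not line.lstrip().startswith("#"))


def find_duplicate_keys(text):
    """Return {key: [value1, value2, ...]} for every key that appears more than once.

    Keys are matched by name across all objects in the file, which is enough
    for bastion.conf's flat layout.
    """
    duplicates = {}

    def on_object(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                duplicates.setdefault(key, [seen[key]]).append(value)
            else:
                seen[key] = value
        return dict(pairs)  # dict() keeps the last value, exactly like json.loads does

    json.loads(strip_comments(text), object_pairs_hook=on_object)
    return duplicates


def effective_config(text):
    """The settings a last-wins parser would actually apply."""
    return json.loads(strip_comments(text))


# Constructed excerpt mirroring the v3.01.00 bastion.conf.dist fragment in the issue.
SAMPLE_CONF = """{
# MFAPasswordMaxDays (int >= 0)
#    DESC: maximum amount of days after which the password must be changed (see `chage -M')
# DEFAULT: 90
"MFAPasswordMaxDays": 90,
#
# MFAPasswordMaxDays (int >= 0)
#    DESC: number of days before expiration on which the user will be warned (see `chage -W')
# DEFAULT: 15
"MFAPasswordMaxDays": 15,
# passwordAllowed (0 or 1)
"passwordAllowed": 0
}"""


if __name__ == "__main__":
    applied = effective_config(SAMPLE_CONF)
    for key, values in find_duplicate_keys(SAMPLE_CONF).items():
        print(f"duplicate key {key!r}: values {values}, effective value {applied[key]!r}")
```

Run it against the rendered bastion.conf in a cookbook test step and fail the run when `find_duplicate_keys` returns anything; the same hook technique works for any JSON configuration where a duplicated key would otherwise be resolved silently.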

Documentation on HTTP Proxy

Hi team,
Are there any hints you can provide regarding the current and intended functionality of the 'http proxy'?
Is it serving the same purpose of the SSH bastion, but for HTTPS <--> HTTPS connections? What authentication methods does it support on the ingress/egress side?

If group name contains "key" in it, it is truncated in output

We created a group named keylogy on The Bastion and noted that in all outputs of commands like groupInfo --group keylogy, the group name is truncated to logy.

jonathanmarsaud@bssh(slave)> groupInfo --group keylogy
---<redacted>--------------------------------------------the-bastion-3.03.01---
=> group info
--------------------------------------------------------------------------------
~ Group logy's Owners are: <redacted>
~ Group logy's GateKeepers (managing the members/guests list) are: <redacted>
~ Group logy's ACLKeepers (managing the group servers list) are: <redacted>
~ Group logy's Members (with access to ALL the group servers) are: <redacted>
~ Group logy's Guests (with access to SOME of the group servers) are: -
~  
~ The public key of this group is:
~  
~ fingerprint: <redacted>
~ keyline follows, please copy the *whole* line:
from="<redacted>" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBQoSC81Q5s92Ysi/VTou2GFNyv0jmK5ctq9d427YzYN logy@bssh:1619685770

can't ssh to any host

not sure what's happened but now I can't ssh to any host:

 ssh bastion@xxxxxxxx
~ Welcome to bastion.xxxxx.xxxx , xxxx, your last login was 00:00:08 ago (Tue 2021-01-19 04:20:43 UTC) from xxxxxxx)

185.144.208.251:39982 => [email protected]:22 => [email protected]:22 ...
 allowed ... log on(/home/qxmips/ttyrec/xxxxxx/2021-01-19.04-20-51.656242.c4d5847cbfe2.qxmips.bastion.1xxxxxxx.ttyrec)

 will try the following accesses you have:
  - group-member of vyos_infra with RSA-4096 key SHA256:xxxxxxxxxxxxxxxxxxxxx
  - [2021/01/14]

Connecting...
Usage: ttyrec [options] -- <command> [command options]

Usage (legacy compatibility mode): ttyrec -e <command> [options] [ttyrec file name]

Options:
  -z, --uuid UUID           specify an UUID (can be any string) that will appear in the ttyrec output file names,
                              and kept with SIGUSR1 rotations (default: own PID)
  -f, --output FILE         full path of the first ttyrec file to write to (autogenerated if omitted)
  -d, --dir FOLDER          folder where to write the ttyrec files (taken from -f if omitted,
                              defaulting to working directory if both -f and -d are omitted)
  -F, --name-format FMT     custom strftime-compatible format string to qualify the full path of the output files,
                              including the SIGUSR1 rotated ones
  -a, --append              open the ttyrec output file in append mode instead of write-clobber mode
  -Z                        enable on-the-fly compression if available, silently fallback to no compression if not
      --zstd                force on-the-fly compression of output file using zstd,
                              the resulting file will have a '.ttyrec.zst' extension
      --max-flush-time S    specify the maximum number of seconds after which we'll force zstd to flush its output buffers
                              to ensure that even somewhat quiet sessions gets regularly written out to disk, default is 15
  -l, --level LEVEL         set compression level, must be between 1 and 19 for zstd, default is 3
  -n, --count-bytes         count the number of bytes out and print it on termination (experimental)
  -t, --lock-timeout S      lock session on input timeout after S seconds
      --warn-before-lock S  warn S seconds before locking (see --lock-timeout)
  -k, --kill-timeout S      kill session on input timeout after S seconds
      --warn-before-kill S  warn S seconds before killing (see --kill-timeout)
  -C, --no-cheatcodes       disable cheat-codes (see below), this is the default
  -c, --cheatcodes          enable cheat-codes (see below)
  -p, --no-openpty          don't use openpty() even when it's available
  -T, --term MODE           MODE can be either 'never' (never allocate a pseudotty, even if stdin is a tty, and use pipes to
                              handle stdout/stderr instead), 'always' (always allocate a pseudotty, even if stdin is not a tty)
                              or 'auto' (default, allocate a pseudotty if stdin is a tty, uses pipes otherwise)
  -v, --verbose             verbose (debug) mode, use twice for more verbosity
  -V, --version             show version information
  -e, --shell-cmd CMD       enables legacy compatibility mode and specifies the command to be run under the user's $SHELL -c

Examples:
  Run some shell commands in legacy mode: ttyrec -e 'for i in a b c; do echo $i; done' outfile.ttyrec
  Run some shell commands in normal mode: ttyrec -f /tmp/normal.ttyrec -- sh -c 'for i in a b c; do echo $i; done'
  Connect to a remote machine interactively: ttyrec -t 60 -k 300 -- ssh remoteserver
  Execute a local script remotely with the default remote shell: ttyrec -- ssh remoteserver < script.sh
  Record a screen session: ttyrec screen

Handled signals:
  SIGUSR1     close current ttyrec file and reopen a new one (log rotation)
  SIGURG      lock session
  SIGUSR2     unlock session

Cheat-codes (magic keystrokes combinations):
  ^L^L^L^L^L^L^L^L   lock your session (that's 8 CTRL+L's)
  ^K^I^L^L^K^I^L^L   kill your session

Remark about session lock and session kill:
  If we don't have a tty, we can't lock, so -t will be ignored,
  whereas -k will be applied without warning, as there's no tty to output a warning to.
You specified --warn-before-kill without enabling --timeout-kill, this doesn't make sense

Seems like ttyrec doesn't like some param.
How can I check what parameters ttyrec is called with?

Post connect expect script

Hi,

Is there a way to run a script after connection, and before giving the interactive shell to the user? A typical scenario is a device that provides a restricted command line and needs a command, then an administrator password, to give full access.

An expect script might be ideal for that, but any other language could be used, provided it can wait for prompt strings, and write the needed commands/passwords in the connection.

Thanks.

SFTP/SCP through Bastion

The Bastion works fine for managing SSH connections. But is there a way to manage SFTP/SCP through the bastion?

Force interactive session on empty command

Hello,

I'm trying to use The Bastion through an iOS SSH client, but I'm unable to make it work as the bastion needs some command on connection:

Bad or empty command

The app can send a command on connect, but I've tried many things without success:

-i
-- -i
ssh root@someserver
info
-i info

An option to allow to force session to be interactive if there's no command would be nice, even though I'm not sure it would work without option "-t" support on the given SSH client (doesn't work on my Terminal MacOS app).

The obvious goal is to have a better compatibility with any kind of SSH client app, not everyone uses Linux/MacOS/Unix terminal ;)

Adding an admin account doesn't seem to work on my bastion

Hello,

When I added an admin account using the script setup-first-admin-account.sh, I created an account, but I needed to put its name in bastion.conf to set it up as admin.

But I have trouble understanding how to set up an admin account: when I created the first admin account, each time a group was created it had all the rights to it. If I want my other admin accounts to have all the rights to the groups already created, do I have to do everything manually?

Moreover, when I put an account in "superowner" in bastion.conf, it does not work (contrary to adding it to admin, which works).

Excuse me for these questions, whose answers can probably be found in the documentation :/
I may have misread or misinterpreted some explanation.

Thank you for your help,

official IPv6 support

When I try to ssh through my bastion to an IPv6 address, I receive:

~ Unable to resolve host '<ipv6_address>' (IP <ipv6_address> version is not allowed)

It works fine with the IPv4 address of the host. groupAddServer works with IPv4 and IPv6.
Did I do something wrong?

Cannot impersonate a selfPlaySession command

Hello,

We're doing a PoC to see how The Bastion could work for us, but we're having some issues using selfPlaySession via adminSudo.

Our goal is to be able to play some user's session to be able to check what has been done on a server, in case something went wrong.

Command is sent from an admin account with these settings :
adminSudo -- --sudo-as USER --sudo-cmd selfPlaySession -- --id ID

Example output (with admin/user replaced) :

---bastion--------------------------------------the-bastion-3.00.01---
=> launching a bastion command or connection, impersonating another user
--------------------------------------------------------------------------------
~ ADMIN SUDO: admin, you'll now impersonate user, this has been logged.
---bastion--------------------------------------the-bastion-3.00.01---
=> replay a past session
--------------------------------------------------------------------------------
~       ID: 3c5135b19531
~  Started: 2020/11/13 12:57:41
~    Ended: 2020/11/13 12:57:58
~ Duration: 0d+00:00:16.600744
~     Type: ssh
~     From: 10.254.254.103:50462 (10.254.254.103)
~      Via: [email protected]:22
~       To: [email protected]:22 (10.254.3.1)
~  RetCode: 0
~ 
~ Press '+' to play faster
~ Press '-' to play slower
~ Press '1' to restore normal playing speed
~ 
~ When you're ready to replay session 3c5135b19531, press ENTER.
~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake.

We cannot press ENTER to make the session play :(

Is there another (undocumented) way to play a session from a specific account ?

If not, could you either fix this stdin issue or add some --autoplay option to selfPlaySession plugin to bypass this ?

Thanks !

Different password for each egress connection

Hi,

I'm experimenting with The Bastion, and I have a large network with many devices, which all already have different passwords configured.

Is there a way to use password authentication, and specify the login/password to use for each device added to the bastion, without having to reconfigure them?

Thanks.

Unlock /home on boot

Hi,

I've just installed The Bastion on a fresh Debian 10.
The /opt/bastion/bin/admin/setup-encryption.sh script has helped me change my /home partition to an encrypted one, but at the end it says :

/opt/bastion/bin/admin/unlock-home.sh: line 5: /etc/bastion/luks-config.sh: No such file or directory
Not configured or badly configured (check /etc/bastion/luks-config.sh), nothing to do.
`-> [ OK ]

After a reboot, there is no passphrase prompted and obviously the partition is not mounted.

My partitions (/home is vdb1) :

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
vda    254:0    0   20G  0 disk 
|-vda1 254:1    0  476M  0 part /boot
|-vda2 254:2    0  954M  0 part /
|-vda3 254:3    0  5.6G  0 part /usr
|-vda4 254:4    0  477M  0 part [SWAP]
|-vda5 254:5    0  477M  0 part [SWAP]
|-vda6 254:6    0  954M  0 part /tmp
`-vda7 254:7    0 11.2G  0 part /var
vdb    254:16   0   10G  0 disk 
|-vdb1 254:17   0  4.7G  0 part 
`-vdb2 254:18   0  5.4G  0 part /opt

The relevant part of my fstab :

/dev/disk/by-id/dm-name-home /home ext4 defaults,errors=remount-ro,noauto,nosuid,noexec,nodev 0 0

Did I do something wrong?

BUG: !scpupload / !scpdownload not accepted for IP ranges

Bug: It seems like the bastion does not accept IP ranges for !scpupload and !scpdownload:

Bastion group view:

admin@z1(master)> groupListServers --group example-infra

---bastion-a.eu-central-1a.infra.example.net---------------the-bastion-3.02.00---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?
~ 10.15.0.0/19       22               admin      example-infra(group)  admin    2021-02-18                                             -                                        - -
~ 10.15.0.0/19    (any)           !scpupload      example-infra(group)  admin    2021-02-23                                             -                                        - -
~ 10.15.0.0/19    (any)         !scpdownload      example-infra(group)  admin    2021-02-23                                             -                                        - -
~ 3 accesses listed
----------------------------------------------------------</groupListServers>---

Result using ansible:

TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
fatal: [gitlab.eu-central-1a.infra.example.net]: FAILED! => {"msg": "failed to transfer file to /home/admin/.ansible/tmp/ansible-local-97208bouj9_e6/tmppti5h9zm/gitlab.rb.j2 \u001b[?47l/home/admin/.ansible/tmp/ansible-tmp-1614071537.5889418-97310-161362758918463/source:\n\n>>>Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\n\\033[31;1m~ Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\\033[0m\n"}

Expectation:

TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
ok: [gitlab.eu-central-1a.infra.example.net]

Interestingly, !scpupload and !scpdownload work fine when using single hosts instead of IP blocks.

Change key of a group

Hi Guys,
we use different groups for our environment. Mostly they use ED25519-256. For reasons of compatibility, I would like to switch individual groups from ED25519 to RSA. Deleting and re-creating the affected groups is not an option, because then we would have to add all servers again.

Can someone describe how I can replace an ED25519 key with an RSA key?

/Daniel

Ansible with the bastion

Firstly, thank you for having opened the code of the bastion! This is such a great tool :)

Given the fact that the bastion is not a proxy jump, how could we use solutions like Ansible to run playbooks over our infrastructure?

SSH Local Forward

Hello,

My goal is to access an http server listening only to localhost through the bastion.
kind of ssh -L 9090:localhost:9090 someuser@server42

I tried to :
ssh -L 9090:localhost:9090 -t admin@bastion -- someuser@server42
But without success.

I've found in (bastion) /etc/ssh/sshd_config there is
AllowTcpForwarding no

Setting to yes didn't help.

Is it a good idea to change the bastion's sshd_config? Is there a better way?

PS: the http server is https://cockpit-project.org

[SELinux] TOTP doesn't seem to work

I set TOTP on my account.

But after the successful registration, all my verifications are refused.

Is there any way to get my account back?
With the scratch code?

-osh selfPlaySession doesn't play saved sessions on CentOS

Thank you, guys, you're doing a fantastic job here.
There are small issues that are not working meanwhile:
I'm playing with a fresh CentOS 7 bastion installation (the-bastion-3.01.03), CentOS Linux release 7.9.2009.
The ttyrec sessions are saved nicely and can be viewed locally through ttyplay, but -osh selfPlaySession always returns "There were no terminal recording for this session" (the IDs of the saved sessions on the disk and those returned via "selfListSessions" are the same).

Comments on servers are not visible to users added via group-guest on selfListAccesses

I have a group, with 4 servers, some of them have userComment on it:

poweruser@zbst-rbeuque(master)> groupListServers --group foo
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?                                                                                                                                                            
~ 127.0.0.1          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 127.0.0.2          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                             test comment -                                                                                                                                                                      
~ 127.0.0.3          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                        test foo comment -                                                                                                                                                                      
~ 127.0.0.4          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 4 accesses listed

When I add another user as a guest of my foo group, the user can't see the userComment that has been set by the person who added the server.

user@zbst-rbeuque(master)> selfListAccesses
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> your access list
--------------------------------------------------------------------------------
~ Dear robot-framework, you have access to the following servers:
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?                                                                                                                                                            
~ 127.0.0.1          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 127.0.0.4          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -                                                                                                                                                                      
~ 3 accesses listed
----------------------------------------------------------</selfListAccesses>---

I guess the issue is around:

groupSetRole calls OVH::Bastion::is_access_way_granted, then osh-accountAddGroupServer.
OVH::Bastion::is_access_way_granted retrieves the current ACL, which contains the comment, but doesn't retrieve it completely, and more specifically doesn't forward it to osh-accountAddGroupServer.
This comment could be used as a parameter in osh-accountAddGroupServer when calling OVH::Bastion::access_modify.

Add an --osh adminUpgrade script

To easily handle bastion software version upgrades, possibly upgrading to dev branches instead of released stable versions, also verifying the GPG signature.

Sync ttyrec files

Hi,

It seems that ttyrec files stored in /home/<user>/ttyrec/* are not synced between slaves and master. So in an HA setup, when a user reaches a slave, his session is only recorded locally on the slave, and is not available on every machine of the cluster.

Is this intended? What is the workflow to see all recorded sessions of a user?

Thanks,

Password authentication for egress connections

Hallo everyone,
we have some old switches in our network which do not support public key authentication. So every IT admin has their own account with a custom password.

I studied the docs and found in /etc/bastion/bastion.conf a parameter passwordAllowed. According to the description, exactly what I am looking for.

I changed the value from 0 to 1. After that I connected to a fresh bastion session and tried different commands to get a prompt for password authentication.

Is the parameter even suitable for my requirements?
If so, which parameters do I have to use with the command ssh admin@host:22?

Regards,
Daniel

Two hyphens too many on autocompletion

Hello,
I typed adminSudo and pressed the key twice. The first parameter is displayed with four hyphens.

---bs-server----------------------------------------------the-bastion-3.01.00---
----------------------------------------------------------------------</help>---
administrator@bastionhost01(master)> adminSudo -- --sudo-as

osh_only property setting handling

Currently the osh_only property of an account is only set to true at account creation via the --osh-only parameter.
It should be possible to toggle this parameter with the accountModify plugin and get its status with the accountInfo plugin.
That would allow proper traceability of such manipulations through bastion code, avoiding manual changes on the bastion host itself as root.

Better way to import a GPG key (pasting the public key is not working)

I had trouble importing the admin public key per the documentation; briefly, pasting it into the terminal when requested does not advance the script. So I took another approach:

  • Created the file "adminkey.txt" and pasted the admin GPG public key into it.
  • Modified /opt/bastion/bin/admin/setup-gpg.sh so that it accepts a second argument, the name of the file containing the key.
  • Modified the lines
    $gpgcmd --import "$1"

    and
    do_import "$2"; exit $?

    so that the gpg --import is processed.

And only then the script worked.

accountCreate help text doesn't seem to be correct

Trying to create an account on a recently deployed bastion, using only --account yields the following help message:

~ Create a new bastion account
~
~ Usage: --osh accountCreate --account ACCOUNT [OPTIONS]
~
~   --account NAME          Account name to create, NAME must contain only valid UNIX account name characters
~   --uid UID               Account system UID, also see --uid-auto
~   --uid-auto              Auto-select an UID from the allowed range (the upper available one will be used)
~   --always-active         This account's activation won't be challenged on connection, even if the bastion is globally
~                             configured to check for account activation
~   --osh-only              This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
~   --immutable-key         Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
~   --comment '"STRING"'    An optional comment when creating the account. Quote it twice as shown if you're under a shell.
~   --public-key '"KEY"'    Account public SSH key to deposit on the bastion, if not present,
~                             you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
~   --no-key                Don't prompt for an SSH key, no ingress public key will be installed
~   --ttl SECONDS|DURATION  Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
~ Missing mandatory parameter 'account' or ('uid' or 'uid-auto')

According to it, I should be able to create an account using only the --account option, but using --uid-auto (or I assume manually passing an uid) was mandatory. Should the final line be 'account' and (...) instead of 'account' or (...)? If this were the case, the usage string should probably be updated too.

Bastion version: 3.03.00

Implement PIV support

By using ovh-yubico-piv-checker.
Parts of the support have already been open-sourced, namely:

  • The accountPIV plugin, to set the per-account policy
  • The cron/osh-piv-grace-reaper.pl script, to expire PIV grace periods
  • The accountInfo plugin, to report the status of the account PIV policy
  • a few internal helper functions

To get complete support we need to:

  • add PIV support to selfAddIngressKey/selfDelIngressKey
  • A global bastion-wide policy flag, if enforcing PIV for all accounts is desired

No matching key exchange method found

Hi guys,
today I have no bug report; it is more of a technical question. We want to manage access to Cisco switches with the Bastion.

First I tried to connect from bash with the ssh command:
ssh [email protected]

But I got the following error message:
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

A look into the file /etc/sshd/sshd_config showed me that some changes were made by the installation of the bastion.

I made some changes in the configuration file to find a solution for the error, without success.

Does the problem occur because of the hardening of the ssh daemon, or is it a default setting of the ssh daemon on Ubuntu 20.04 LTS?

Regards,
Daniel
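One detail worth separating out: "no matching key exchange method found" is raised by the ssh client on the bastion when it opens the egress connection to the switch, so it is governed by the client configuration (ssh_config), not by sshd_config, which only affects ingress connections to the bastion itself. Rather than weakening the key exchange list globally, the exception can be scoped to the one legacy device. The fragment below is an added example, not configuration shipped by The Bastion; it assumes the bastion's egress ssh reads /etc/ssh/ssh_config (or a file included from it) and that no tool on the bastion rewrites that file on upgrade, both of which should be checked on the installation in question.

```sshconfig
# Added example: scoped key-exchange exception for a single legacy switch.
# Place this in the ssh *client* configuration used for egress on the bastion
# (assumed: /etc/ssh/ssh_config). It must appear BEFORE any global
# KexAlgorithms line, because ssh_config keeps the first value obtained for
# each option.
Host 192.168.1.1
    # '+' appends to the list already in effect instead of replacing it, so the
    # strong methods stay preferred and the SHA-1 method is offered last; it is
    # only used for this host, which offers nothing else.
    KexAlgorithms +diffie-hellman-group14-sha1
    # The switch also offered diffie-hellman-group-exchange-sha1; add it the same
    # way only if group14-sha1 alone is still refused.

# No KexAlgorithms line outside the Host block: every other destination keeps
# the hardened defaults.
```

If the next failure is about a host key or cipher rather than key exchange, the same `+` syntax applies to HostKeyAlgorithms and Ciphers, still inside the Host block. Keep the list of such exceptions short and reviewed: each one is a device whose SSH stack will accept a downgrade, and it should be tracked for replacement.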

Is it possible to remove a particular host key?

Hi Guys,
on the weekend I had to generate a new ssh key pair on a switch. Because of that, all users get an error on connection attempt that the fingerprint is no longer correct. Also, the exact ssh-keygen command is displayed to the user in the output.

But the user cannot execute the command in this shell (osh.pl). Is there an option in the configuration file of the bastion to allow this?

Regards,
Daniel

accountModify works on slave nodes

tsoete@<REDACTED>(slave)> accountModify --account tsoete --pam-auth-bypass yes
---<REDACTED>------------------the-bastion-2.99.99-rc9.4-ovh1---
=> modify the configuration of an account
--------------------------------------------------------------------------------
~ Bypassing sshd PAM auth usage for this account...
~ ... done, this account will no longer use PAM for authentication

-------------------------------------------------------------</accountModify>---
~ IMPORTANT: You have been added to new groups since the session started.
~ You'll need to logout/login again from this interactive session to have
~ your new rights applied, or you'll get sudo errors if you try to use them.

Server to Server SCP through the bastion

Hi,

We've been using The Bastion at our organization for some time and I noticed that it's not possible to use SCP to copy a file from one host on the bastion to another one also on the bastion. Is that a limitation of the software or is there some configuration needed ?

Thanks.

Parameter to not work with autocompletion

Hello,
in the last days I created some accounts with accountCreate for our Proof of Concept (PoC). The mandatory parameter --uid-auto is not usable with the TAB key. Every time I only get the parameter --uid.

I tried two ways:
accountCreate --account test02 --uid -> nothing else happens
accountCreate --account test02 --uid- -> nothing else happens

I use the latest git tag of The Bastion.
Is it possible to extend the autocompletion?
