ovh / the-bastion
Authentication, authorization, traceability and auditability for SSH accesses.
Home Page: https://ovh.github.io/the-bastion/
License: Other
For now, this prefix is reserved for internal reasons. It should be possible to lift this restriction after a few changes and thorough testing, see #178
Hello,
I guess this isn't a bug but just how ssh works (or maybe I just don't use OVH Bastion well).
All group members can connect as every user who uses the group key on the target server.
For example, a server has 3 system users and each of these users authorizes the public key of a Bastion group.
If one user wants to connect as one of the two other users, well, he can do it.
In the end, the connection to the servers can be traced by going back through the history on the bastion, but I still wonder about it because it's quite a suspicious behaviour.
Hi @speed47,
in the current release the output of the command help is incomplete.
For example the command groupDelEgressKey is not displayed to me.
My user account is owner of the groups.
Regards,
Daniel
Good morning Guys,
I added several groups which I want to delete on my bastion host. Every time I delete a group, it outputs the following error:
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group
Below the complete output from console:
---bastion02----------------------------------------------the-bastion-3.01.01---
=> delete an existing bastion group
--------------------------------------------------------------------------------
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~ !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!! WARNING !!!!
~
~ You are about to DELETE a bastion group, to be sure you're not drunk, ~ please type the name of the group you want to delete (won't be echoed):
~
~ Removing /home/allowkeeper/surname.givename/allowed.ip.sbw-rs-servers...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-owner ~ Deleting group keysbw-rs-servers-owner...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-aclkeeper ~ Deleting group keysbw-rs-servers-aclkeeper...
~ Found 1 members, removing them from the group ~ ... removing surname.givename from group keysbw-rs-servers-gatekeeper ~ Deleting group keysbw-rs-servers-gatekeeper...
~ Found 2 members, removing them from the group ~ ... removing allowkeeper from group keysbw-rs-servers ~ ... removing surname.givename from group keysbw-rs-servers ~ Deleting main user of group keysbw-rs-servers...
*** Deleting group 'keysbw-rs-servers' sudoers file `-> [ERR.] keysbw-rs-servers doesn't seem to be a valid bastion group
If I try to delete the same group again, it displays that the group does not exist.
~ Group 'keysbw-rs-servers' doesn't exist
What am I doing wrong? Is it possibly an error?
Regards,
Daniel
Hello,
On my bastion I've got a few groups and... hundreds of servers, which can make it hard to find a specific access.
We've added the server name in the comment + internal DNS to be able to connect easily to a server, but searching for one can be tricky.
I've managed to add a shell function to make it work by doing a "grep" on the stdout, but a filter implemented in the selfListAccesses command itself would be nicer to make it work more directly (mostly on 3rd party SSH clients):
function bls() {
    # list my accesses on the bastion and keep only the lines matching the first argument
    ssh -i ~/.ssh/key -t user@bastion -- --osh selfListAccesses | grep -- "$1"
}
Usage:
bls nameofserver
As the IP is always resolved when adding a server, I guess this search could only be on "comment", but if for some reason we're looking for servers in some network, filtering on "ip/host" too could be nice as well.
I guess it could be useful for many bastion users, including OVH teams? ;)
Imagine that you have your master bastion in region1 and your slave bastion in region2. Could I make the slave a master in case region1 goes offline for a longer period of time? Is there a way to rollback in case region1 comes online again?
I would like to avoid hosting multiple masters as that adds a burden on the administration of users and keys.
Hello,
I tried to add a new user account with a dot in the name. I ran into an error that the group could not be created.
administrator@bastionhost01(master)> accountCreate --account test.test2 --uid-auto
---bs-server----------------------------------------------the-bastion-3.01.00---
=> create a new bastion account
--------------------------------------------------------------------------------
~ Please paste the SSH key you want to add. This bastion supports the following algorithms:
~ ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one
~ ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one
~ RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one
~
~ In any case, don't save it without a passphrase (your paste won't be echoed).
~ Creating group test.test2 with GID 99994...
~ Creating user test.test2 with UID 99994...
~ Creating tty group of account...
~ Group name contains invalid characters
Please add a filter for special characters in account names or allow them in the group names.
While doing a Chef cookbook to manage this awesome software, I found out that the MFAPasswordMaxDays
entry is duplicated in the bastion.conf.dist file in v3.01.00:
# MFAPasswordMaxDays (int >= 0)
# DESC: For the PAM UNIX password MFA, sets the maximum amount of days after which the password must be changed (see `chage -M')
# DEFAULT: 90
"MFAPasswordMaxDays": 90,
#
# MFAPasswordMaxDays (int >= 0)
# DESC: For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password (see `chage -W')
# DEFAULT: 15
"MFAPasswordMaxDays": 15,
I'm not sure which one you'd like to keep, so I can't make a PR, but I hope this issue is useful!
Hi team,
Is there any hints you can provide regarding the current and intended functionality of the 'http proxy'?
Is it serving the same purpose of the SSH bastion, but for HTTPS <--> HTTPS connections? What authentication methods does it support on the ingress/egress side?
We created a group named keylogy on The Bastion and noted that in all outputs of commands like groupInfo --group keylogy, the group name is truncated to logy.
jonathanmarsaud@bssh(slave)> groupInfo --group keylogy
---<redacted>--------------------------------------------the-bastion-3.03.01---
=> group info
--------------------------------------------------------------------------------
~ Group logy's Owners are: <redacted>
~ Group logy's GateKeepers (managing the members/guests list) are: <redacted>
~ Group logy's ACLKeepers (managing the group servers list) are: <redacted>
~ Group logy's Members (with access to ALL the group servers) are: <redacted>
~ Group logy's Guests (with access to SOME of the group servers) are: -
~
~ The public key of this group is:
~
~ fingerprint: <redacted>
~ keyline follows, please copy the *whole* line:
from="<redacted>" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBQoSC81Q5s92Ysi/VTou2GFNyv0jmK5ctq9d427YzYN logy@bssh:1619685770
not sure what's happened but now I can't ssh to any host:
ssh bastion@xxxxxxxx
~ Welcome to bastion.xxxxx.xxxx , xxxx, your last login was 00:00:08 ago (Tue 2021-01-19 04:20:43 UTC) from xxxxxxx)
185.144.208.251:39982 => [email protected]:22 => [email protected]:22 ...
allowed ... log on(/home/qxmips/ttyrec/xxxxxx/2021-01-19.04-20-51.656242.c4d5847cbfe2.qxmips.bastion.1xxxxxxx.ttyrec)
will try the following accesses you have:
- group-member of vyos_infra with RSA-4096 key SHA256:xxxxxxxxxxxxxxxxxxxxx
- [2021/01/14]
Connecting...
Usage: ttyrec [options] -- <command> [command options]
Usage (legacy compatibility mode): ttyrec -e <command> [options] [ttyrec file name]
Options:
-z, --uuid UUID specify an UUID (can be any string) that will appear in the ttyrec output file names,
and kept with SIGUSR1 rotations (default: own PID)
-f, --output FILE full path of the first ttyrec file to write to (autogenerated if omitted)
-d, --dir FOLDER folder where to write the ttyrec files (taken from -f if omitted,
defaulting to working directory if both -f and -d are omitted)
-F, --name-format FMT custom strftime-compatible format string to qualify the full path of the output files,
including the SIGUSR1 rotated ones
-a, --append open the ttyrec output file in append mode instead of write-clobber mode
-Z enable on-the-fly compression if available, silently fallback to no compression if not
--zstd force on-the-fly compression of output file using zstd,
the resulting file will have a '.ttyrec.zst' extension
--max-flush-time S specify the maximum number of seconds after which we'll force zstd to flush its output buffers
to ensure that even somewhat quiet sessions gets regularly written out to disk, default is 15
-l, --level LEVEL set compression level, must be between 1 and 19 for zstd, default is 3
-n, --count-bytes count the number of bytes out and print it on termination (experimental)
-t, --lock-timeout S lock session on input timeout after S seconds
--warn-before-lock S warn S seconds before locking (see --lock-timeout)
-k, --kill-timeout S kill session on input timeout after S seconds
--warn-before-kill S warn S seconds before killing (see --kill-timeout)
-C, --no-cheatcodes disable cheat-codes (see below), this is the default
-c, --cheatcodes enable cheat-codes (see below)
-p, --no-openpty don't use openpty() even when it's available
-T, --term MODE MODE can be either 'never' (never allocate a pseudotty, even if stdin is a tty, and use pipes to
handle stdout/stderr instead), 'always' (always allocate a pseudotty, even if stdin is not a tty)
or 'auto' (default, allocate a pseudotty if stdin is a tty, uses pipes otherwise)
-v, --verbose verbose (debug) mode, use twice for more verbosity
-V, --version show version information
-e, --shell-cmd CMD enables legacy compatibility mode and specifies the command to be run under the user's $SHELL -c
Examples:
Run some shell commands in legacy mode: ttyrec -e 'for i in a b c; do echo $i; done' outfile.ttyrec
Run some shell commands in normal mode: ttyrec -f /tmp/normal.ttyrec -- sh -c 'for i in a b c; do echo $i; done'
Connect to a remote machine interactively: ttyrec -t 60 -k 300 -- ssh remoteserver
Execute a local script remotely with the default remote shell: ttyrec -- ssh remoteserver < script.sh
Record a screen session: ttyrec screen
Handled signals:
SIGUSR1 close current ttyrec file and reopen a new one (log rotation)
SIGURG lock session
SIGUSR2 unlock session
Cheat-codes (magic keystrokes combinations):
^L^L^L^L^L^L^L^L lock your session (that's 8 CTRL+L's)
^K^I^L^L^K^I^L^L kill your session
Remark about session lock and session kill:
If we don't have a tty, we can't lock, so -t will be ignored,
whereas -k will be applied without warning, as there's no tty to output a warning to.
You specified --warn-before-kill without enabling --timeout-kill, this doesn't make sense
Seems like ttyrec doesn't like some param.
How can I check what parameters ttyrec is called with?
Hi,
Is there a way to run a script after connection, and before giving the interactive shell to the user ? Typical scenario is an equipment that provides a restricted command line, and needs to enter a command then an administrator password to give full access.
An expect script might be ideal for that, but any other language could be used, provided it can wait for prompt strings, and write the needed commands/passwords in the connection.
Thanks.
The Bastion works fine for managing SSH connections. But is there way to manage SFTP/SCP through the bastion ?
It should be replaced by pam_faillock, hence we need to have a Debian 11+ specific template for etc/pam.d/sshd.debian
Hello,
I'm trying to use The Bastion through an iOS SSH client but I'm unable to make it work as the bastion needs some command on connection:
Bad or empty command
The app can send a command on connect but I've tried many things without success:
-i
-- -i
ssh root@someserver
info
-i info
An option to force the session to be interactive if there's no command would be nice, even though I'm not sure it would work without "-t" option support in the given SSH client (doesn't work in my macOS Terminal app).
The obvious goal is to have better compatibility with any kind of SSH client app, not everyone uses a Linux/macOS/Unix terminal ;)
Hello,
When I added an admin account thanks to the script setup-first-admin-account.sh, I created an account but I needed to put its name in the bastion.conf to set it up as admin.
But I have trouble understanding how to set up an admin account, because when I created the first admin account, each time a group was created, it had all the rights to it; if I want my other admin accounts to have all the rights to the groups already created, do I have to do everything manually?
Moreover, when I put an account in "superowner" in the bastion.conf, it does not work (contrary to adding it to admin, which works).
Excuse me for these questions, the answers to which can be found in the documentation :/
I may have misread or misinterpreted some explanation.
Thank you for your help,
When I try to ssh through my bastion to an IPv6 address, I receive:
~ Unable to resolve host '<ipv6_address>' (IP <ipv6_address> version is not allowed)
It works fine with the IPv4 address of the host. groupAddServer works with IPv4 and IPv6.
Did I do something wrong?
Right now it is a restricted command
Hello,
We're doing a PoC to see how The Bastion could work for us but we're having some issues using selfPlaySession via adminSudo.
Our goal is to be able to play some user's session to check what has been done on a server, in case something went wrong.
The command is sent from an admin account with these settings:
adminSudo -- --sudo-as USER --sudo-cmd selfPlaySession -- --id ID
Example output (with admin/user replaced):
---bastion--------------------------------------the-bastion-3.00.01---
=> launching a bastion command or connection, impersonating another user
--------------------------------------------------------------------------------
~ ADMIN SUDO: admin, you'll now impersonate user, this has been logged.
---bastion--------------------------------------the-bastion-3.00.01---
=> replay a past session
--------------------------------------------------------------------------------
~ ID: 3c5135b19531
~ Started: 2020/11/13 12:57:41
~ Ended: 2020/11/13 12:57:58
~ Duration: 0d+00:00:16.600744
~ Type: ssh
~ From: 10.254.254.103:50462 (10.254.254.103)
~ Via: [email protected]:22
~ To: [email protected]:22 (10.254.3.1)
~ RetCode: 0
~
~ Press '+' to play faster
~ Press '-' to play slower
~ Press '1' to restore normal playing speed
~
~ When you're ready to replay session 3c5135b19531, press ENTER.
~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake.
We cannot press ENTER to make the session play :(
Is there another (undocumented) way to play a session from a specific account?
If not, could you either fix this stdin issue or add some --autoplay option to the selfPlaySession plugin to bypass this?
Thanks !
Hi,
I'm experimenting with The Bastion, and I have a large network with many pieces of equipment, which all already have different passwords configured.
Is there a way to use password authentication, and specify the login/password to use for each piece of equipment added to the bastion, without having to reconfigure them?
Thanks.
Happy Halloween
Hi,
I've just installed The Bastion on a fresh Debian 10.
The /opt/bastion/bin/admin/setup-encryption.sh script has helped me change my /home partition to an encrypted one, but at the end it says:
/opt/bastion/bin/admin/unlock-home.sh: line 5: /etc/bastion/luks-config.sh: No such file or directory
Not configured or badly configured (check /etc/bastion/luks-config.sh), nothing to do.
`-> [ OK ]
After a reboot, there is no passphrase prompted and obviously the partition is not mounted.
My partitions (/home is vdb1):
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 1024M 0 rom
vda 254:0 0 20G 0 disk
|-vda1 254:1 0 476M 0 part /boot
|-vda2 254:2 0 954M 0 part /
|-vda3 254:3 0 5.6G 0 part /usr
|-vda4 254:4 0 477M 0 part [SWAP]
|-vda5 254:5 0 477M 0 part [SWAP]
|-vda6 254:6 0 954M 0 part /tmp
`-vda7 254:7 0 11.2G 0 part /var
vdb 254:16 0 10G 0 disk
|-vdb1 254:17 0 4.7G 0 part
`-vdb2 254:18 0 5.4G 0 part /opt
The relevant part of my fstab:
/dev/disk/by-id/dm-name-home /home ext4 defaults,errors=remount-ro,noauto,nosuid,noexec,nodev 0 0
Did I do something wrong?
Bug: It seems like the bastion does not accept IP ranges for !scpup and !scpdownload:
Bastion group view:
admin@z1(master)> groupListServers --group example-infra
---bastion-a.eu-central-1a.infra.example.net---------------the-bastion-3.02.00---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
~ 10.15.0.0/19 22 admin example-infra(group) admin 2021-02-18 - - -
~ 10.15.0.0/19 (any) !scpupload example-infra(group) admin 2021-02-23 - - -
~ 10.15.0.0/19 (any) !scpdownload example-infra(group) admin 2021-02-23 - - -
~ 3 accesses listed
----------------------------------------------------------</groupListServers>---
Result using ansible:
TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
fatal: [gitlab.eu-central-1a.infra.example.net]: FAILED! => {"msg": "failed to transfer file to /home/admin/.ansible/tmp/ansible-local-97208bouj9_e6/tmppti5h9zm/gitlab.rb.j2 \u001b[?47l/home/admin/.ansible/tmp/ansible-tmp-1614071537.5889418-97310-161362758918463/source:\n\n>>>Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\n\\033[31;1m~ Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for scp\\033[0m\n"}
Expectation:
TASK [install_gitlab : Copy GitLab configuration file.] ********************************************************************************************************
ok: [gitlab.eu-central-1a.infra.example.net]
Interestingly, !scpupload and !scpdownload work fine when using single hosts instead of IP blocks.
Hi Guys,
we use different groups for our environment. Mostly they use ED25519-256. For reasons of compatibility, I would like to switch individual groups from ED25519 to RSA. Deleting and re-creating the affected groups is no option, because with that we would also have to add all servers again.
Can someone describe how I can replace an ED25519 key with an RSA key?
/Daniel
In a multi-realm deployment infra, the remote realm should send PIV information to the local bastion.
This could be used to enforce local Multi-Factor Authentication policies even for realm users.
Firstly, thank you for having opened the code of the bastion! This is such a great tool :)
Given the fact that the bastion is not a proxy jump, how could we use solutions like Ansible to run playbooks over our infrastructure?
Hello,
My goal is to access an http server listening only on localhost through the bastion, kind of like:
ssh -L 9090:localhost:9090 someuser@server42
I tried:
ssh -L 9090:localhost:9090 -t admin@bastion -- someuser@server42
But without success.
I've found that in the bastion's /etc/ssh/sshd_config there is
AllowTcpForwarding no
Setting it to yes didn't help.
Is it a good idea to change the bastion's sshd_config? Is there a better way?
PS: the http server is https://cockpit-project.org
I set TOTP on my account.
But after the successful registration, all my verifications are refused.
Is there any way to get my account back?
With the scratch code?
Thank you, guys, you're doing a fantastic job here.
There are some small things that are not working meanwhile:
I'm playing with a fresh CentOS 7 bastion installation (the-bastion-3.01.03), CentOS Linux release 7.9.2009.
The ttyrec sessions are saved nicely and can be viewed locally through ttyplay, but --osh selfPlaySession always returns "There were no terminal recording for this session" (the ids of the saved sessions on the disk and those returned via "selfListSessions" are the same).
I have a group with 4 servers, some of them have a userComment on it:
poweruser@zbst-rbeuque(master)> groupListServers --group foo
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
~ 127.0.0.1 22 ovh foo(group) poweruser 2020-10-26 - - -
~ 127.0.0.2 22 ovh foo(group) poweruser 2020-10-26 - test comment -
~ 127.0.0.3 22 ovh foo(group) poweruser 2020-10-26 - test foo comment -
~ 127.0.0.4 22 ovh foo(group) poweruser 2020-10-26 - - -
~ 4 accesses listed
When I add another user as a guest of my foo group, the user can't see the userComment that has been set by the person who added the server.
user@zbst-rbeuque(master)> selfListAccesses
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> your access list
--------------------------------------------------------------------------------
~ Dear robot-framework, you have access to the following servers:
~ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
~ 127.0.0.1 22 ovh foo(group-guest) poweruser 2020-10-26 - - -
~ 127.0.0.4 22 ovh foo(group-guest) poweruser 2020-10-26 - - -
~ 3 accesses listed
----------------------------------------------------------</selfListAccesses>---
I guess the issue is around: groupSetRole calls OVH::Bastion::is_access_way_granted then osh-accountAddGroupServer.
OVH::Bastion::is_access_way_granted retrieves the current ACL, which contains the comment, but doesn't retrieve it completely, and more specifically doesn't forward it to osh-accountAddGroupServer.
This comment could be used as a parameter in osh-accountAddGroupServer while calling OVH::Bastion::access_modify.
This happens when trying the sandbox image on a system with UID shifting globally enabled.
We might want to avoid UIDs/GIDs > 64K at least on the sandbox image for this reason.
To easily handle bastion software version upgrades, possibly upgrading to dev branches instead of released stable versions, also verifying the GPG signature.
Hi,
It seems that ttyrec files stored in /home/<user>/ttyrec/* are not synced between slaves and master. So in an HA setup, when a user reaches a slave, his session is only recorded locally on the slave, and is not available on every machine of the cluster.
Is this intended? What is the workflow to see all recorded sessions of a user?
Thanks,
Hello everyone,
we have some old switches in our network which do not support public key authentication. So every IT admin had their own account with a custom password.
I studied the docs and found in /etc/bastion/bastion.conf a parameter passwordAllowed. According to the description, it is exactly what I am looking for.
I changed the value from 0 to 1. After that I connected to a fresh bastion session and tried different commands to get a prompt for password authentication.
Is the parameter even suitable for my requirements?
If so, which parameters do I have to use with the command ssh admin@host:22?
Regards,
Daniel
Hello,
I typed adminSudo and pressed the key two times. The first parameter is displayed with four hyphens.
---bs-server----------------------------------------------the-bastion-3.01.00---
----------------------------------------------------------------------</help>---
administrator@bastionhost01(master)> adminSudo -- --sudo-as
Currently the osh_only property of an account is only set to true at account creation via the --osh-only parameter.
It should be possible to toggle this parameter with the accountModify plugin and get its status with the accountInfo plugin.
That would allow proper traceability of such manipulations through bastion code, avoiding manual changes on the bastion host itself as root.
Prerequisite: having arm64 ovh-ttyrec prebuilt binaries and/or deb/rpm
I had trouble importing the admin public key per the documentation: briefly, pasting it into the terminal when requested does not advance the script. So I took another approach, changing
/opt/bastion/bin/admin/setup-gpg.sh
so that it accepts a second argument, the name of the file having the key:
$gpgcmd --import "$1"
do_import "$2"; exit $?
so that the gpg --import is processed.
And only then the script worked.
On release, deploy docker images to OVHcloud's docker hub repository
Trying to create an account on a recently deployed bastion, using only --account, yields the following help message:
~ Create a new bastion account
~
~ Usage: --osh accountCreate --account ACCOUNT [OPTIONS]
~
~ --account NAME Account name to create, NAME must contain only valid UNIX account name characters
~ --uid UID Account system UID, also see --uid-auto
~ --uid-auto Auto-select an UID from the allowed range (the upper available one will be used)
~ --always-active This account's activation won't be challenged on connection, even if the bastion is globally
~ configured to check for account activation
~ --osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
~ --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
~ --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell.
~ --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present,
~ you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
~ --no-key Don't prompt for an SSH key, no ingress public key will be installed
~ --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
~ Missing mandatory parameter 'account' or ('uid' or 'uid-auto')
According to it, I should be able to create an account using only the --account option, but using --uid-auto (or, I assume, manually passing a uid) was mandatory. Should the final line be 'account' and (...) instead of 'account' or (...)? If so, the usage string should probably be updated too.
Bastion version: 3.03.00
add a comment while granting a guest access (groupAddGuestAccess) to keep track of why the user got this specific guest access
By using ovh-yubico-piv-checker.
Parts of the support have already been open-sourced, namely:
- accountPIV plugin, to set the per-account policy
- cron/osh-piv-grace-reaper.pl script, to expire PIV grace periods
- accountInfo plugin, to report the status of the account PIV policy
To get complete support we need to:
- selfAddIngressKey/selfDelIngressKey
Hi guys,
today I have no bug report, it is more of a technical question. We want to manage access to CISCO switches with the Bastion.
First I tried to connect from bash with the ssh command:
ssh [email protected]
But I got the following error message:
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
A look into the file /etc/sshd/sshd_config showed me that with the installation of the bastion, some changes have been done.
I made some changes in the configuration file to find a solution for the error, without success.
Does the problem occur because of the hardening of the ssh daemon, or is it a default setting of the ssh daemon on Ubuntu 20.04 LTS?
Regards,
Daniel
Hi Guys,
on the weekend I had to generate a new ssh key pair on a switch. Because of that, all users get an error on connection attempt that the fingerprint is not correct anymore. Also in the output the exact ssh-keygen command is displayed for the user.
But the user cannot execute the command in this shell (osh.pl). Is there an option in the configuration file of the bastion to allow this?
Regards,
Daniel
tsoete@<REDACTED>(slave)> accountModify --account tsoete --pam-auth-bypass yes
---<REDACTED>------------------the-bastion-2.99.99-rc9.4-ovh1---
=> modify the configuration of an account
--------------------------------------------------------------------------------
~ Bypassing sshd PAM auth usage for this account...
~ ... done, this account will no longer use PAM for authentication
-------------------------------------------------------------</accountModify>---
~ IMPORTANT: You have been added to new groups since the session started.
~ You'll need to logout/login again from this interactive session to have
~ your new rights applied, or you'll get sudo errors if you try to use them.
When connecting to a host with a different standard port, you have to specify the port number.
It would be more convenient if the port is added to the ssh command depending on the server you want to connect to.
groupCreate should allow to define the ACLKeepers and GateKeepers
Hi,
We've been using The Bastion at our organization for some time and I noticed that it's not possible to use SCP to copy a file from one host on the bastion to another one also on the bastion. Is that a limitation of the software or is there some configuration needed ?
Thanks.
Hello,
in the last days I created some accounts with accountCreate for our Proof of Concept (PoC). The mandatory parameter --uid-auto is not usable with the TAB key. Every time I got only the parameter --uid.
I tried two ways:
accountCreate --account test02 --uid -> nothing else happens
accountCreate --account test02 --uid- -> nothing else happens
I use the latest git tag of The Bastion.
Is it possible to extend the autocompletion?