├── .dockerignore ├── .github └── workflows │ ├── dockerhub.yml │ ├── documentation.yml │ ├── freebsd.yml │ ├── tests.yml │ └── tests_basic.yml ├── .gitignore ├── AUTHORS ├── CONTRIBUTING.md ├── CONTRIBUTORS ├── DESIGN.md ├── LICENSE ├── MAINTAINERS ├── README.md ├── bin ├── admin │ ├── check-consistency.pl │ ├── check_uid_gid_collisions.pl │ ├── fix-group-gid.sh │ ├── fixrights.sh │ ├── grant-all-restricted-commands-to.sh │ ├── install │ ├── install-mkhash-helper.sh │ ├── install-ttyrec.sh │ ├── install-yubico-piv-checker.sh │ ├── osh-sync-watcher.sh │ ├── packages-check.sh │ ├── rename-account.sh │ ├── rename-group.sh │ ├── restore-account.sh │ ├── setup-encryption.sh │ ├── setup-first-admin-account.sh │ ├── setup-gpg.sh │ └── unlock-home.sh ├── cron │ ├── osh-backup-acl-keys.sh │ ├── osh-cleanup-guest-key-access.pl │ ├── osh-encrypt-rsync.pl │ ├── osh-lingering-sessions-reaper.sh │ ├── osh-orphaned-homedir.sh │ ├── osh-piv-grace-reaper.pl │ ├── osh-remove-empty-folders.sh │ └── osh-rotate-ttyrec.sh ├── dev │ ├── debug_toggle.sh │ ├── perl-check.sh │ ├── perl-critic.sh │ ├── perl-tidy.sh │ ├── perl-use-all.sh │ ├── perlcriticrc │ └── shell-check.sh ├── helper │ ├── osh-accountAddGroupServer │ ├── osh-accountCreate │ ├── osh-accountDelete │ ├── osh-accountFreezeToggle │ ├── osh-accountGeneratePassword │ ├── osh-accountGetPasswordInfo │ ├── osh-accountKillSessions │ ├── osh-accountListEgressKeys │ ├── osh-accountListIngressKeys │ ├── osh-accountListPasswords │ ├── osh-accountMFAResetPassword │ ├── osh-accountMFAResetTOTP │ ├── osh-accountModify │ ├── osh-accountModifyCommand │ ├── osh-accountModifyPersonalAccess │ ├── osh-accountPIV │ ├── osh-accountUnexpire │ ├── osh-accountUnlock │ ├── osh-adminMaintenance │ ├── osh-assetForgetHostKey │ ├── osh-groupAddServer │ ├── osh-groupAddSymlinkToAccount │ ├── osh-groupCreate │ ├── osh-groupDelEgressKey │ ├── osh-groupDelete │ ├── osh-groupGenerateEgressKey │ ├── osh-groupGeneratePassword │ ├── osh-groupModify │ ├── 
osh-groupSetRole │ ├── osh-groupSetServers │ ├── osh-selfMFASetupPassword │ └── osh-selfMFASetupTOTP ├── other │ ├── check-active-account-fortestsonly.pl │ └── check-active-account-simple.pl ├── plugin │ ├── admin │ │ ├── adminMaintenance │ │ ├── adminMaintenance.json │ │ ├── adminSudo │ │ └── adminSudo.json │ ├── group-aclkeeper │ │ ├── groupAddServer │ │ ├── groupAddServer.json │ │ ├── groupDelServer │ │ ├── groupDelServer.json │ │ └── groupSetServers │ ├── group-gatekeeper │ │ ├── groupAddGuestAccess │ │ ├── groupAddGuestAccess.json │ │ ├── groupAddMember │ │ ├── groupAddMember.json │ │ ├── groupDelGuestAccess │ │ ├── groupDelGuestAccess.json │ │ ├── groupDelMember │ │ ├── groupDelMember.json │ │ ├── groupListGuestAccesses │ │ └── groupListGuestAccesses.json │ ├── group-owner │ │ ├── groupAddAclkeeper │ │ ├── groupAddAclkeeper.json │ │ ├── groupAddGatekeeper │ │ ├── groupAddGatekeeper.json │ │ ├── groupAddOwner │ │ ├── groupAddOwner.json │ │ ├── groupDelAclkeeper │ │ ├── groupDelAclkeeper.json │ │ ├── groupDelEgressKey │ │ ├── groupDelEgressKey.json │ │ ├── groupDelGatekeeper │ │ ├── groupDelGatekeeper.json │ │ ├── groupDelOwner │ │ ├── groupDelOwner.json │ │ ├── groupDestroy │ │ ├── groupDestroy.json │ │ ├── groupGenerateEgressKey │ │ ├── groupGenerateEgressKey.json │ │ ├── groupGeneratePassword │ │ ├── groupGeneratePassword.json │ │ ├── groupModify │ │ ├── groupModify.json │ │ ├── groupTransmitOwnership │ │ └── groupTransmitOwnership.json │ ├── open │ │ ├── alive │ │ ├── alive.json │ │ ├── batch │ │ ├── clush │ │ ├── groupInfo │ │ ├── groupInfo.json │ │ ├── groupList │ │ ├── groupList.json │ │ ├── groupListPasswords │ │ ├── groupListPasswords.json │ │ ├── groupListServers │ │ ├── groupListServers.json │ │ ├── help │ │ ├── help.json │ │ ├── info │ │ ├── info.json │ │ ├── lock │ │ ├── lock.json │ │ ├── mtr │ │ ├── mtr.json │ │ ├── nc │ │ ├── nc.json │ │ ├── ping │ │ ├── ping.json │ │ ├── rsync │ │ ├── rsync.json │ │ ├── scp │ │ ├── scp.json │ │ ├── 
selfAddIngressKey │ │ ├── selfAddIngressKey.json │ │ ├── selfDelIngressKey │ │ ├── selfDelIngressKey.json │ │ ├── selfForgetHostKey │ │ ├── selfForgetHostKey.json │ │ ├── selfGenerateEgressKey │ │ ├── selfGenerateEgressKey.json │ │ ├── selfGeneratePassword │ │ ├── selfGeneratePassword.json │ │ ├── selfGenerateProxyPassword │ │ ├── selfGenerateProxyPassword.json │ │ ├── selfListAccesses │ │ ├── selfListAccesses.json │ │ ├── selfListEgressKeys │ │ ├── selfListIngressKeys │ │ ├── selfListIngressKeys.json │ │ ├── selfListPasswords │ │ ├── selfListPasswords.json │ │ ├── selfListSessions │ │ ├── selfMFAResetPassword │ │ ├── selfMFAResetPassword.json │ │ ├── selfMFAResetTOTP │ │ ├── selfMFAResetTOTP.json │ │ ├── selfMFASetupPassword │ │ ├── selfMFASetupPassword.json │ │ ├── selfMFASetupTOTP │ │ ├── selfMFASetupTOTP.json │ │ ├── selfPlaySession │ │ ├── selfPlaySession.json │ │ ├── sftp │ │ ├── sftp.json │ │ ├── unlock │ │ └── unlock.json │ └── restricted │ │ ├── accountAddPersonalAccess │ │ ├── accountAddPersonalAccess.json │ │ ├── accountCreate │ │ ├── accountCreate.json │ │ ├── accountDelPersonalAccess │ │ ├── accountDelPersonalAccess.json │ │ ├── accountDelete │ │ ├── accountDelete.json │ │ ├── accountFreeze │ │ ├── accountFreeze.json │ │ ├── accountGeneratePassword │ │ ├── accountGeneratePassword.json │ │ ├── accountGrantCommand │ │ ├── accountGrantCommand.json │ │ ├── accountInfo │ │ ├── accountInfo.json │ │ ├── accountList │ │ ├── accountList.json │ │ ├── accountListAccesses │ │ ├── accountListAccesses.json │ │ ├── accountListEgressKeys │ │ ├── accountListEgressKeys.json │ │ ├── accountListIngressKeys │ │ ├── accountListIngressKeys.json │ │ ├── accountListPasswords │ │ ├── accountListPasswords.json │ │ ├── accountMFAResetPassword │ │ ├── accountMFAResetPassword.json │ │ ├── accountMFAResetTOTP │ │ ├── accountMFAResetTOTP.json │ │ ├── accountModify │ │ ├── accountModify.json │ │ ├── accountPIV │ │ ├── accountPIV.json │ │ ├── accountRevokeCommand │ │ ├── 
accountRevokeCommand.json │ │ ├── accountUnexpire │ │ ├── accountUnexpire.json │ │ ├── accountUnfreeze │ │ ├── accountUnfreeze.json │ │ ├── accountUnlock │ │ ├── accountUnlock.json │ │ ├── assetForgetHostKey │ │ ├── groupCreate │ │ ├── groupCreate.json │ │ ├── groupDelete │ │ ├── groupDelete.json │ │ ├── realmCreate │ │ ├── realmCreate.json │ │ ├── realmDelete │ │ ├── realmDelete.json │ │ ├── realmInfo │ │ ├── realmInfo.json │ │ ├── realmList │ │ ├── rootListIngressKeys │ │ ├── rootListIngressKeys.json │ │ ├── selfAddPersonalAccess │ │ ├── selfAddPersonalAccess.json │ │ ├── selfDelPersonalAccess │ │ ├── selfDelPersonalAccess.json │ │ ├── whoHasAccessTo │ │ └── whoHasAccessTo.json ├── proxy │ ├── osh-http-proxy-daemon │ └── osh-http-proxy-worker ├── shell │ ├── autologin │ ├── bastion-sync-helper.sh │ ├── connect.pl │ ├── osh.pl │ └── pam_exec_pwd_info.sh └── sudogen │ └── generate-sudoers.sh ├── contrib ├── git │ └── pre-commit └── nrpe │ ├── README.md │ ├── etc │ └── nagios │ │ ├── nrpe.d │ │ ├── check_bastion_healthcheck.cfg │ │ ├── check_bastion_http_proxy.cfg │ │ ├── check_bastion_locked.cfg │ │ ├── check_bastion_root_connected_too_long.cfg │ │ ├── check_bastion_sync_daemon.cfg │ │ ├── check_bastion_version.cfg │ │ ├── check_log_bastion_backup.cfg │ │ ├── check_log_bastion_encrypt_rsync.cfg │ │ ├── check_log_bastion_guest_key_cleanup.cfg │ │ ├── check_log_bastion_misc.cfg │ │ ├── check_log_bastion_orphaned_homedir.cfg │ │ ├── check_log_bastion_piv_grace.cfg │ │ └── check_log_bastion_secondaries_sync.cfg │ │ └── plugins.d │ │ └── check_logfiles.cfg │ ├── probes │ ├── bastion-healthcheck │ ├── bastion-http-proxy │ ├── bastion-locked │ ├── bastion-root-connected-too-long │ └── bastion-version │ └── sudoers.example ├── doc ├── CHANGELOG.md ├── HIERARCHY.md ├── INSTALL.md ├── UPGRADE.md ├── VERSIONING.md ├── release-notes │ ├── v3.00.00.md │ ├── v3.00.01.md │ ├── v3.00.02.md │ ├── v3.01.00.md │ ├── v3.01.01.md │ ├── v3.01.02.md │ ├── v3.01.03.md │ ├── 
v3.01.99-rc1.md │ ├── v3.01.99-rc2.md │ ├── v3.01.99-rc3.md │ ├── v3.01.99-rc4.md │ ├── v3.02.00.md │ ├── v3.03.00.md │ ├── v3.03.01.md │ ├── v3.03.99-rc1.md │ ├── v3.03.99-rc2.md │ ├── v3.04.00.md │ ├── v3.05.00.md │ ├── v3.05.01.md │ ├── v3.06.00.md │ ├── v3.07.00.md │ ├── v3.08.00.md │ ├── v3.08.01.md │ ├── v3.09.00-rc1.md │ ├── v3.09.00-rc2.md │ ├── v3.09.00-rc3.md │ ├── v3.09.00.md │ ├── v3.09.02.md │ ├── v3.10.00.md │ ├── v3.11.00.md │ ├── v3.11.01.md │ ├── v3.11.02.md │ ├── v3.12.00.md │ ├── v3.13.00.md │ ├── v3.13.01.md │ ├── v3.14.00.md │ ├── v3.14.15.md │ ├── v3.14.16.md │ ├── v3.15.00.md │ ├── v3.16.00.md │ ├── v3.16.01.md │ ├── v3.16.99-rc1.md │ ├── v3.16.99-rc2.md │ ├── v3.16.99-rc3.md │ ├── v3.17.00.md │ ├── v3.17.01.md │ ├── v3.18.00.md │ ├── v3.18.99-rc1.md │ ├── v3.19.00.md │ ├── v3.19.01.md │ └── v3.20.00.md ├── sphinx-plugins-override │ ├── accountInfo.rst │ ├── groupInfo.rst │ ├── help.rst │ ├── info.rst │ ├── lock.rst │ ├── nc.rst │ ├── rsync.override.rst │ ├── scp.override.rst │ └── sftp.override.rst ├── sphinx-reference-headers │ └── osh-encrypt-rsync.conf.header └── sphinx │ ├── Makefile │ ├── _static │ └── css │ │ └── thebastion.css │ ├── administration │ ├── configuration │ │ ├── bastion_conf.rst │ │ ├── index.rst │ │ ├── osh-backup-acl-keys_conf.rst │ │ ├── osh-cleanup-guest-key-access_conf.rst │ │ ├── osh-encrypt-rsync_conf.rst │ │ ├── osh-http-proxy_conf.rst │ │ ├── osh-lingering-sessions-reaper_conf.rst │ │ ├── osh-orphaned-homedir_conf.rst │ │ ├── osh-piv-grace-reaper_conf.rst │ │ ├── osh-remove-empty-folders_conf.rst │ │ └── osh-sync-watcher_sh.rst │ ├── logs.rst │ ├── mfa.rst │ ├── security_advisories.rst │ └── security_advisories │ │ └── cve_2023_45140.rst │ ├── build-config-doc-ref.pl │ ├── build-plugins-help.sh │ ├── conf.py │ ├── development │ ├── setup.rst │ └── tests.rst │ ├── faq.rst │ ├── img │ ├── group_roles.png │ ├── groups.png │ └── locked_session.png │ ├── index.rst │ ├── installation │ ├── advanced.rst │ ├── basic.rst 
│ ├── docker.rst │ ├── restoring_from_backup.rst │ └── upgrading.rst │ ├── plugins │ ├── admin │ │ ├── adminMaintenance.rst │ │ ├── adminSudo.rst │ │ └── index.rst │ ├── group-aclkeeper │ │ ├── groupAddServer.rst │ │ ├── groupDelServer.rst │ │ ├── groupSetServers.rst │ │ └── index.rst │ ├── group-gatekeeper │ │ ├── groupAddGuestAccess.rst │ │ ├── groupAddMember.rst │ │ ├── groupDelGuestAccess.rst │ │ ├── groupDelMember.rst │ │ ├── groupListGuestAccesses.rst │ │ └── index.rst │ ├── group-owner │ │ ├── groupAddAclkeeper.rst │ │ ├── groupAddGatekeeper.rst │ │ ├── groupAddOwner.rst │ │ ├── groupDelAclkeeper.rst │ │ ├── groupDelEgressKey.rst │ │ ├── groupDelGatekeeper.rst │ │ ├── groupDelOwner.rst │ │ ├── groupDestroy.rst │ │ ├── groupGenerateEgressKey.rst │ │ ├── groupGeneratePassword.rst │ │ ├── groupModify.rst │ │ ├── groupTransmitOwnership.rst │ │ └── index.rst │ ├── open │ │ ├── alive.rst │ │ ├── batch.rst │ │ ├── clush.rst │ │ ├── groupInfo.rst │ │ ├── groupList.rst │ │ ├── groupListPasswords.rst │ │ ├── groupListServers.rst │ │ ├── help.rst │ │ ├── index.rst │ │ ├── info.rst │ │ ├── lock.rst │ │ ├── mtr.rst │ │ ├── nc.rst │ │ ├── ping.rst │ │ ├── rsync.rst │ │ ├── scp.rst │ │ ├── selfAddIngressKey.rst │ │ ├── selfDelIngressKey.rst │ │ ├── selfForgetHostKey.rst │ │ ├── selfGenerateEgressKey.rst │ │ ├── selfGeneratePassword.rst │ │ ├── selfGenerateProxyPassword.rst │ │ ├── selfListAccesses.rst │ │ ├── selfListEgressKeys.rst │ │ ├── selfListIngressKeys.rst │ │ ├── selfListPasswords.rst │ │ ├── selfListSessions.rst │ │ ├── selfMFAResetPassword.rst │ │ ├── selfMFAResetTOTP.rst │ │ ├── selfMFASetupPassword.rst │ │ ├── selfMFASetupTOTP.rst │ │ ├── selfPlaySession.rst │ │ ├── sftp.rst │ │ └── unlock.rst │ └── restricted │ │ ├── accountAddPersonalAccess.rst │ │ ├── accountCreate.rst │ │ ├── accountDelPersonalAccess.rst │ │ ├── accountDelete.rst │ │ ├── accountFreeze.rst │ │ ├── accountGeneratePassword.rst │ │ ├── accountGrantCommand.rst │ │ ├── accountInfo.rst │ │ ├── 
accountList.rst │ │ ├── accountListAccesses.rst │ │ ├── accountListEgressKeys.rst │ │ ├── accountListIngressKeys.rst │ │ ├── accountListPasswords.rst │ │ ├── accountMFAResetPassword.rst │ │ ├── accountMFAResetTOTP.rst │ │ ├── accountModify.rst │ │ ├── accountPIV.rst │ │ ├── accountRevokeCommand.rst │ │ ├── accountUnexpire.rst │ │ ├── accountUnfreeze.rst │ │ ├── accountUnlock.rst │ │ ├── assetForgetHostKey.rst │ │ ├── groupCreate.rst │ │ ├── groupDelete.rst │ │ ├── index.rst │ │ ├── realmCreate.rst │ │ ├── realmDelete.rst │ │ ├── realmInfo.rst │ │ ├── realmList.rst │ │ ├── rootListIngressKeys.rst │ │ ├── selfAddPersonalAccess.rst │ │ ├── selfDelPersonalAccess.rst │ │ └── whoHasAccessTo.rst │ ├── presentation │ ├── features.rst │ ├── principles.rst │ └── security.rst │ └── using │ ├── api.rst │ ├── basics │ ├── access_management.rst │ ├── first_steps.rst │ └── index.rst │ ├── http_proxy.rst │ ├── piv.rst │ ├── sftp_scp_rsync.rst │ └── specific_ssh_clients_tutorials │ ├── index.rst │ ├── putty.rst │ ├── putty1.png │ ├── putty10.png │ ├── putty2.png │ ├── putty3.png │ ├── putty4.png │ ├── putty5.png │ ├── putty6.png │ ├── putty7.png │ ├── putty8.png │ └── putty9.png ├── docker ├── Dockerfile.debian10 ├── Dockerfile.debian11 ├── Dockerfile.debian12 ├── Dockerfile.opensuse15 ├── Dockerfile.rockylinux8 ├── Dockerfile.rockylinux9 ├── Dockerfile.sandbox ├── Dockerfile.tester ├── Dockerfile.ubuntu2004 ├── Dockerfile.ubuntu2204 ├── Dockerfile.ubuntu2404 ├── devenv │ ├── Dockerfile │ └── run-tool.sh └── entrypoint.sh ├── etc ├── bastion │ ├── bastion.conf.dist │ ├── luks-config.sh.dist │ ├── osh-backup-acl-keys.conf.dist │ ├── osh-cleanup-guest-key-access.conf.dist │ ├── osh-encrypt-rsync.conf.dist │ ├── osh-http-proxy.conf.dist │ ├── osh-lingering-sessions-reaper.conf.dist │ ├── osh-orphaned-homedir.conf.dist │ ├── osh-piv-grace-reaper.conf.dist │ ├── osh-remove-empty-folders.conf.dist │ ├── osh-sync-watcher.rsyncfilter.dist │ └── osh-sync-watcher.sh.dist ├── cron.d │ ├── 
osh-backup-acl-keys.dist │ ├── osh-cleanup-guest-key-access.dist │ ├── osh-encrypt-rsync-ttyrec.dist │ ├── osh-lingering-sessions-reaper.dist │ ├── osh-orphaned-homedir.dist │ ├── osh-piv-grace-reaper.dist │ ├── osh-remove-empty-folders.dist │ └── osh-rotate-ttyrec.dist ├── init.d │ ├── osh-http-proxy │ └── osh-sync-watcher ├── logrotate.d │ ├── osh-backup-acl-keys.dist │ ├── osh-encrypt-rsync.dist │ ├── osh-http-proxy.dist │ ├── osh-sync-watcher.dist │ └── osh-syslog.dist ├── pam.d │ ├── sshd.debian │ ├── sshd.debian11 │ ├── sshd.debian12 │ ├── sshd.freebsd │ ├── sshd.rhel │ └── sshd.ubuntu2204 ├── profile.d │ └── luks-info.sh ├── selinux │ ├── the-bastion.pp │ └── the-bastion.te ├── ssh │ ├── banner │ ├── ssh_config.centos8 │ ├── ssh_config.centos9 │ ├── ssh_config.debian10 │ ├── ssh_config.debian11 │ ├── ssh_config.debian12 │ ├── ssh_config.default │ ├── ssh_config.freebsd │ ├── ssh_config.opensuse15 │ ├── sshd_config.centos8 │ ├── sshd_config.centos9 │ ├── sshd_config.debian10 │ ├── sshd_config.debian11 │ ├── sshd_config.debian12 │ ├── sshd_config.default │ ├── sshd_config.freebsd │ └── sshd_config.opensuse15 ├── sudoers.account.template.d │ ├── 100-header.sudoers │ ├── 500-base.sudoers │ └── 600-pamtester.freebsd.sudoers ├── sudoers.d │ ├── osh-bastion-config │ ├── osh-bastion-http-proxy │ ├── osh-bastion-sync │ ├── osh-plugin-accountCreate │ ├── osh-plugin-accountDelete │ ├── osh-plugin-accountFreezeToggle │ ├── osh-plugin-accountGeneratePassword │ ├── osh-plugin-accountGetPasswordInfo │ ├── osh-plugin-accountKillSessions │ ├── osh-plugin-accountListEgressKeys │ ├── osh-plugin-accountListIngressKeys │ ├── osh-plugin-accountListPasswords │ ├── osh-plugin-accountMFAResetPassword │ ├── osh-plugin-accountMFAResetTOTP │ ├── osh-plugin-accountModify │ ├── osh-plugin-accountModifyCommand │ ├── osh-plugin-accountModifyPersonalAccess │ ├── osh-plugin-accountPIV │ ├── osh-plugin-accountUnexpire │ ├── osh-plugin-accountUnlock │ ├── osh-plugin-adminMaintenance │ ├── 
osh-plugin-adminSudo │ ├── osh-plugin-assetForgetHostKey │ ├── osh-plugin-groupCreate │ ├── osh-plugin-groupDelete │ ├── osh-plugin-realmCreate │ └── osh-plugin-rootListIngressKeys ├── sudoers.group.template.d │ ├── 100-header.sudoers │ └── 500-base.sudoers ├── syslog-ng │ └── conf.d │ │ └── 20-bastion.conf.dist └── systemd │ ├── osh-http-proxy.service │ └── osh-sync-watcher.service ├── install └── modules │ └── README ├── lib ├── perl │ └── OVH │ │ ├── Bastion.pm │ │ ├── Bastion │ │ ├── Helper.pm │ │ ├── Plugin.pm │ │ ├── Plugin │ │ │ ├── ACL.pm │ │ │ ├── generateEgressKey.pm │ │ │ ├── generatePassword.pm │ │ │ ├── groupSetRole.pm │ │ │ ├── handleSessions.pm │ │ │ └── otherProtocol.pm │ │ ├── ProxyHTTP.pm │ │ ├── allowdeny.inc │ │ ├── allowkeeper.inc │ │ ├── configuration.inc │ │ ├── execute.inc │ │ ├── interactive.inc │ │ ├── jail.inc │ │ ├── log.inc │ │ ├── mock.inc │ │ ├── os.inc │ │ ├── password.inc │ │ └── ssh.inc │ │ ├── Result.pm │ │ └── SimpleLog.pm └── shell │ ├── colors.inc │ ├── functions.inc │ └── install.inc └── tests ├── functional ├── docker │ ├── docker_build_and_run_tests.sh │ ├── docker_build_and_run_tests_all.sh │ ├── target_role.sh │ └── tester_role.sh ├── fake_ttyrec.sh ├── launch_tests_on_instance.sh ├── proxy │ └── remote-daemon └── tests.d │ ├── 200-scripts.sh │ ├── 300-activeness.sh │ ├── 305-admin-superowner.sh │ ├── 310-realm.sh │ ├── 320-base.sh │ ├── 325-accountinfo.sh │ ├── 330-selfkeys.sh │ ├── 340-selfaccesses.sh │ ├── 341-selfaccesses-force-password.sh │ ├── 345-assetforgethostkey.sh │ ├── 346-testagentforward.sh │ ├── 350-groups.sh │ ├── 355-ipv6.sh │ ├── 360-plugins.sh │ ├── 370-mfa.sh │ ├── 380-config-options.sh │ ├── 390-mfa-realm.sh │ ├── 395-mfa-scp-sftp-rsync.sh │ ├── 400-piv.sh │ ├── 500-http-proxy.sh │ ├── 900-strict-checking.sh │ └── dummy └── unit ├── run-tests.pl └── tests ├── base.t ├── is_access_granted_ipv4.t ├── is_access_granted_ipv6.t └── is_valid_ip.t /.dockerignore: 
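--------------------------------------------------------------------------------
.git
doc
docs
*.tar.gz

--------------------------------------------------------------------------------
/.github/workflows/dockerhub.yml:
--------------------------------------------------------------------------------
name: dockerhub publish

on:
  workflow_dispatch:
  release:
    types: published
  repository_dispatch:
    types: dockerhub

# Least privilege: this workflow authenticates with the DockerHub secrets
# only and never uses GITHUB_TOKEN, so drop every default token permission.
permissions: {}

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # major-version tags (@v2, @v4). Pinning each to a full commit SHA (and
      # letting Dependabot bump the SHA) protects this publish path against a
      # compromised or force-moved tag.
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_LOGIN }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push
        id: docker_build
        uses: docker/build-push-action@v4
        with:
          push: true
          file: docker/Dockerfile.sandbox
          tags: ovhcom/the-bastion:sandbox
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
      -
        name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}

--------------------------------------------------------------------------------
/.github/workflows/documentation.yml:
--------------------------------------------------------------------------------
name: documentation

on:
  workflow_dispatch:
  push:
    branches:
      - master

jobs:
  publish:
    runs-on: ubuntu-latest
    # The pages action pushes the built site to the gh-pages branch with
    # GITHUB_TOKEN, which requires write access to repository contents;
    # grant exactly that and nothing else.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # do not leave the token in .git/config for later steps
          persist-credentials: false
      - name: Install sphinx and prerequisites
        run: |
          sudo apt update
          sudo apt install -y python3-sphinx-rtd-theme python3-sphinx make libcommon-sense-perl libjson-perl libdatetime-perl libterm-readkey-perl
      - name: Build documentation
        run: cd doc/sphinx/ && make all
      - name: Deploy to GitHub Pages
        if: success()
        # NOTE(review): third-party action referenced by a mutable tag;
        # consider pinning it to a commit SHA.
        uses: crazy-max/ghaction-github-pages@v2
        with:
          target_branch: gh-pages
          build_dir: docs
          allow_empty_commit: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

--------------------------------------------------------------------------------
/.github/workflows/tests_basic.yml:
--------------------------------------------------------------------------------
name: Basic tests

on: [push, pull_request]

# Lint/doc checks only need to read the checkout; never hand the job a
# token that could write to the repository (this also runs on pull_request).
permissions:
  contents: read

jobs:
  test:
    name: perlcritic, perltidy, shellcheck, doc
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: install prerequisites
        run: sudo ./bin/admin/packages-check.sh -i -d
        env:
          DEBIAN_FRONTEND: noninteractive
      - name: shellcheck
        run: bin/dev/shell-check.sh
      - name: perl critic
        run: bin/dev/perl-critic.sh
      - name: perl tidy
        run: bin/dev/perl-tidy.sh test
      - name: autogenerate documentation
        run: make -C doc/sphinx autogenerated
      - name: verify git diff
        # the autogenerated docs are committed; a non-empty diff after
        # regenerating them means the commit is out of date
        run: |
          if [ "$(git diff --numstat | wc -l)" != 0 ]; then
              git diff
              echo
              echo "Some autogenerated documentation files are not up to date." >&2
              echo "Please run 'make -C doc/sphinx autogenerated' and commit the result." >&2
              exit 1
          fi

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
doc/sphinx/_build
docs

--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
# This is the official list of The Bastion authors for copyright purposes.
# This file is distinct from the CONTRIBUTORS files
# and it lists the copyright holders only.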
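
# Names should be added to this file as one of
#     Organization's name
#     Individual's name
#     Individual's name

# Please keep the list sorted.

OVH SAS

--------------------------------------------------------------------------------
/CONTRIBUTORS:
--------------------------------------------------------------------------------
# This is the official list of people who can contribute
# (and typically have contributed) code to The Bastion repository.
#
# Names should be added to this file only after verifying that
# the individual or the individual's organization has agreed to
# the appropriate CONTRIBUTING.md file.
#
# Names should be added to this file like so:
#     Individual's name
#     Individual's name
#
# Please keep the list sorted.
#
Adrien Barreau
Cédric Roussel
Stéphane Lesimple

--------------------------------------------------------------------------------
/MAINTAINERS:
--------------------------------------------------------------------------------
# This is the official list of the project maintainers.
# This is mostly useful for contributors that want to push
# significant pull requests or for project management issues.
#
#
# Names should be added to this file like so:
#     Individual's name
#     Individual's name
#
# Please keep the list sorted.
#
Stéphane Lesimple

--------------------------------------------------------------------------------
/bin/admin/unlock-home.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
#
# Unlock the LUKS volume that holds the bastion home directories and mount it
# on $MOUNTPOINT. The mount itself relies on an /etc/fstab entry for
# $MOUNTPOINT. DEV_ENCRYPTED, UNLOCKED_NAME and MOUNTPOINT are read from
# $CONFIGFILE; when any of them is missing or invalid the script is a no-op.
CONFIGFILE=/etc/bastion/luks-config.sh
# only source the config when it is actually there, so a missing file yields
# the "not configured" path below instead of a stray shell error
if [ -r "$CONFIGFILE" ]; then
    # shellcheck source=etc/bastion/luks-config.sh.dist
    . "$CONFIGFILE"
fi

# Mount $MOUNTPOINT (via its fstab entry) and exit with mount's status.
do_mount()
{
    mount "$MOUNTPOINT"; ret=$?
    if [ $ret -eq 0 ] ; then
        echo "Success!"
    else
        echo "Failure... is $MOUNTPOINT correctly specified in /etc/fstab?"
    fi
    exit $ret
}

if [ -z "$DEV_ENCRYPTED" ] || [ -z "$UNLOCKED_NAME" ] || [ -z "$MOUNTPOINT" ] || [ ! -d "$MOUNTPOINT" ] || [ ! -b "$DEV_ENCRYPTED" ] ; then
    echo "Not configured or badly configured (check $CONFIGFILE), nothing to do."
    exit 0
fi

# the presence of the allowkeeper directory is used as the marker that the
# decrypted volume is already mounted on $MOUNTPOINT
if [ -e "$MOUNTPOINT/allowkeeper" ] ; then
    echo "Already unlocked and mounted"
    exit 0
fi

DEV_UNLOCKED="/dev/disk/by-id/dm-name-$UNLOCKED_NAME"
if [ -e "$DEV_UNLOCKED" ] ; then
    echo "Already unlocked ($DEV_UNLOCKED), mounting..."
    do_mount
fi

echo "Mounting $DEV_ENCRYPTED as $UNLOCKED_NAME"
# Trust cryptsetup's own verdict (wrong passphrase, busy device, ...) rather
# than inferring it only from the device node appearing; the short sleep is
# still needed to let udev create the by-id symlink before we look for it.
if ! cryptsetup luksOpen "$DEV_ENCRYPTED" "$UNLOCKED_NAME"; then
    echo "cryptsetup failed to unlock $DEV_ENCRYPTED, bad password?"
    exit 1
fi
sleep 1
if [ -e "$DEV_UNLOCKED" ] ; then
    echo "Mounting..."
    do_mount
else
    echo "Partition still encrypted, bad password?"
    exit 1
fi

--------------------------------------------------------------------------------
/bin/cron/osh-rotate-ttyrec.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
#
# Ask the running ttyrec recorders to rotate their output file by sending them
# SIGUSR1. With --big-only, only the recorders whose open file under /home/ is
# larger than BIG_FILE_THRESHOLD bytes are signaled; without it, every ttyrec
# process is signaled.
set -e

basedir=$(readlink -f "$(dirname "$0")"/../..)
# shellcheck source=lib/shell/functions.inc
. "$basedir"/lib/shell/functions.inc

# default config values for this script
:

# set error trap, read config, setup logging, exit early if script is disabled, etc.
script_init osh-rotate-ttyrec config_optional check_secure_lax

# size (in bytes) above which a ttyrec file is considered "big" for --big-only
readonly BIG_FILE_THRESHOLD=100000000

if [ "$1" = "--big-only" ]; then
    _log "Rotating big ttyrec files..."
    tokill=''
    nb=0
    # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    # shellcheck disable=SC2034
    while read -r command pid user fd type device size node name
    do
        # the lsof header line and any entry without a numeric size fail
        # these checks and are skipped; the pid is validated too so that
        # nothing but a plain integer ever reaches kill below
        if echo "$pid" | grep -qE '^[0-9]+$' && echo "$size" | grep -qE '^[0-9]+$' && [ "$size" -gt "$BIG_FILE_THRESHOLD" ]; then
            tokill="$tokill $pid"
            (( ++nb ))
        fi
    done < <(lsof -a -n -c ttyrec -- /home/ 2>/dev/null)
    if [ -n "$tokill" ]; then
        _log "Rotating $nb big ttyrec files..."
        # add || true to avoid script termination due to TOCTTOU and set -e
        # (a recorder may have exited between lsof and kill)
        # shellcheck disable=SC2086
        kill -USR1 $tokill || true
    fi
else
    _log "Rotating all ttyrec files..."
    if pkill --signal USR1 ttyrec; then
        _log "Rotation done"
    else
        _log "No ttyrec files to rotate"
    fi
fi

exit_success

--------------------------------------------------------------------------------
/bin/dev/debug_toggle.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
#
# Dev helper: enable or disable per-account debug output by creating or
# removing /home/ACCOUNT/config.debug. This is run with enough privileges to
# write into other users' home directories, so ACCOUNT is validated before it
# is used to build a path.
account=$1
toggle=$2

_help()
{
    echo "$0 <account> <on|off>"
    exit 1
}

[ -z "$account" ] && _help
[ -z "$toggle" ] && _help

# ACCOUNT becomes part of a privileged path and of chown's argument: reject
# anything that is not a plain account name (no '/', no '..', no leading '-'
# or '.'), otherwise "../etc" would make us write /etc/config.debug.
if ! echo "$account" | grep -qE '^[a-zA-Z0-9_][a-zA-Z0-9._-]*$'; then
    echo "Invalid account name ($account)"
    exit 1
fi

if [ ! -d "/home/$account" ] ; then
    echo "/home/$account not found"
    exit 1
fi

if [ "$toggle" = on ] ; then
    echo yes > "/home/$account/config.debug"
    chown "$account":"$account" "/home/$account/config.debug"
    echo "debug enabled for $account"
elif [ "$toggle" = off ] ; then
    rm -f "/home/$account/config.debug"
    echo "debug disabled for $account"
else
    echo "Unknown toggle ($toggle)"
    _help
fi

exit 0

--------------------------------------------------------------------------------
/bin/dev/perl-critic.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# vim: set filetype=sh ts=4 sw=4 sts=4 et:

basedir=$(readlink -f "$(dirname "$0")"/../..)
# shellcheck source=lib/shell/functions.inc
. 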
"$basedir"/lib/shell/functions.inc 7 | 8 | cd "$basedir" || exit 1 9 | 10 | action_doing "Checking perlcritic" 11 | # shellcheck disable=SC2086 12 | perlcritic --color -q -p "$(dirname "$0")"/perlcriticrc bin contrib docker install lib tests; ret1=$? 13 | perlcritic --color -q -p "$(dirname "$0")"/perlcriticrc lib/perl/OVH/Bastion/*.inc; ret2=$? 14 | if [ "$ret1" = 0 ] && [ "$ret2" = 0 ]; then 15 | # shellcheck disable=SC2119 16 | action_done 17 | else 18 | action_error "perlcritic found errors" 19 | exit 1 20 | fi 21 | -------------------------------------------------------------------------------- /bin/dev/perl-use-all.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | # vim: set filetype=sh ts=4 sw=4 sts=4 et: 3 | 4 | basedir=$(readlink -f "$(dirname "$0")"/../..) 5 | # shellcheck source=lib/shell/functions.inc 6 | . "$basedir"/lib/shell/functions.inc 7 | 8 | # shellcheck disable=SC2013 9 | modules=$( 10 | grep -RhEw '(use|require) ([a-zA-Z][a-zA-Z0-9_:]+)' "$basedir/lib/perl/" "$basedir/bin/" | \ 11 | grep -v -e '"' -e "'" -e '# pragma optional module' -e OVH:: | \ 12 | sed -re 's/#.*//' | \ 13 | grep -Eo '(use|require) ([a-zA-Z][a-zA-Z0-9_:]+)' | \ 14 | awk '{print $2}' | \ 15 | sort -u | \ 16 | grep -Ev '^[a-z0-9_]+$' 17 | ) 18 | 19 | if [ "$1" = "corelist" ]; then 20 | action_doing "Computing list of non-CORE needed Perl modules..." 21 | # shellcheck disable=SC2086 22 | for module in $(corelist $modules | awk '/was not in CORE/ {print $1}' | sort); do 23 | action_detail "$module" 24 | done 25 | else 26 | action_doing "Checking whether all required modules are installed..." 27 | perlcmdline="perl " 28 | for module in $modules; do 29 | action_detail "$module" 30 | perlcmdline="$perlcmdline -M$module" 31 | done 32 | perlcmdline="$perlcmdline -e 1" 33 | 34 | if ! $perlcmdline; then 35 | action_error "Some modules are missing!" 
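exit 1
    else
        action_done ""
    fi
fi

--------------------------------------------------------------------------------
/bin/other/check-active-account-fortestsonly.pl:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

# DO NOT USE THIS SCRIPT IN PRODUCTION!
# This is only used for the functional tests: it reports an account as active
# (exit code 0) when its UID is even, and as inactive (exit code 1) when its
# UID is odd.
# If you think this is a good way of determining your users activeness, you might want to revise your security procedures.

# Exit codes of an "account activeness" checker, as consumed by the bastion.
use constant {
    EXIT_ACTIVE               => 0,
    EXIT_INACTIVE             => 1,
    EXIT_UNKNOWN              => 2,
    EXIT_UNKNOWN_SILENT_ERROR => 3,
    EXIT_UNKNOWN_NOISY_ERROR  => 4,
};

# Abort with $msg on STDERR and the "noisy error" exit code. The MAKETESTFAIL
# marker is presumably what the functional test harness looks for to turn
# this into a test failure.
sub failtest {
    my $msg = shift || "Error";
    print STDERR "$msg. This will fail the test: MAKETESTFAIL\n";
    exit EXIT_UNKNOWN_NOISY_ERROR;
}

my $sysaccount = shift;
if (!$sysaccount) {
    failtest("No account name to check");
}

# getpwnam() in scalar context returns the UID, or undef for an unknown account
my $uid = getpwnam($sysaccount);
failtest("Can't find this account") if not defined $uid;

exit EXIT_ACTIVE if ($uid % 2 == 0);
exit EXIT_INACTIVE;

--------------------------------------------------------------------------------
/bin/plugin/admin/adminMaintenance.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "adminMaintenance"                       , { "ac" : ["--lock","--unlock"]},
        "adminMaintenance +--lock"               , { "ac" : ["--message",""]},
        "adminMaintenance +--lock +--message"    , { "pr" : ["\"\""]},
        "adminMaintenance +--lock +--message +.+" , { "pr" : [""]},
        "adminMaintenance +--unlock"             , { "pr" : [""]}
    ]
}

--------------------------------------------------------------------------------
/bin/plugin/admin/adminSudo.json: 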
-------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "adminSudo" , { "ac" : ["-- --sudo-as"]}, 4 | "adminSudo +-- +--sudo-as" , { "ac" : ["" ]}, 5 | "adminSudo +-- +--sudo-as +\\S+" , { "ac" : ["--sudo-cmd" ]}, 6 | "adminSudo +-- +--sudo-as +\\S+ +--sudo-cmd" , { "ac" : ["" ]}, 7 | "adminSudo +-- +--sudo-as +\\S+ +--sudo-cmd +\\S+" , { "ac" : ["--" ]}, 8 | "adminSudo +-- +--sudo-as +\\S+ +--sudo-cmd +\\S+ +--" , { "pr" : [" or additional COMMAND-specific options" ]} 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-aclkeeper/groupDelServer.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelServer" , {"ac" : ["--group"]}, 4 | "groupDelServer +--group" , {"ac" : [""]}, 5 | "groupDelServer +--group +\\S+" , {"ac" : ["--host"]}, 6 | "groupDelServer +--group +\\S+ +--host" , {"pr" : ["", "", ""]}, 7 | "groupDelServer +--group +\\S+ +--host +\\S+" , {"ac" : ["--port", "--port-any"]}, 8 | "groupDelServer +--group +\\S+ +--host +\\S+ +--port" , {"pr" : [""]}, 9 | "groupDelServer +--group +\\S+ +--host +\\S+ +--port(-any| +\\d+)" , {"ac" : ["--user", "--user-any"]}, 10 | "groupDelServer +--group +\\S+ +--host +\\S+ +--port(-any| +\\d+) +--user" , {"pr" : [""]}, 11 | "groupDelServer +--group +\\S+ +--host +\\S+ +--port(-any| +\\d+) +--user(-any| +\\S+)" , {"pr" : ["", "--force"]} 12 | ], 13 | "master_only": true 14 | } 15 | -------------------------------------------------------------------------------- /bin/plugin/group-gatekeeper/groupAddMember.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupAddMember" , {"ac" : ["--account"]}, 4 | "groupAddMember +--account" , {"ac" : [""]}, 5 | "groupAddMember +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupAddMember +--account +\\S+ +--group" , {"ac" : [""]}, 
7 | "groupAddMember +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-gatekeeper/groupDelMember.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelMember" , {"ac" : ["--account"]}, 4 | "groupDelMember +--account" , {"ac" : [""]}, 5 | "groupDelMember +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupDelMember +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupDelMember +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-gatekeeper/groupListGuestAccesses.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupListGuestAccesses" , {"ac" : ["--account"]}, 4 | "groupListGuestAccesses +--account" , {"ac" : [""]}, 5 | "groupListGuestAccesses +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupListGuestAccesses +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupListGuestAccesses +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupAddAclkeeper: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . 
'/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | use OVH::Bastion::Plugin::groupSetRole; 11 | 12 | my $remainingOptions = OVH::Bastion::Plugin::begin( 13 | argv => \@ARGV, 14 | header => "grant an account as aclkeeper of a group", 15 | options => {"account=s" => \my $account, "group=s" => \my $group}, 16 | helptext => <<'EOF', 17 | Add the group aclkeeper role to an account 18 | 19 | Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT 20 | 21 | --group GROUP which group to set ACCOUNT as an aclkeeper of 22 | --account ACCOUNT which account to set as an aclkeeper of GROUP 23 | 24 | The specified account will be able to manage the server list of this group 25 | EOF 26 | ); 27 | 28 | my $fnret = OVH::Bastion::Plugin::groupSetRole::act( 29 | account => $account, 30 | group => $group, 31 | action => 'add', 32 | type => 'aclkeeper', 33 | sudo => 0, 34 | silentoverride => 0, 35 | self => $self, 36 | scriptName => $scriptName, 37 | savedArgs => $savedArgs 38 | ); 39 | help() if not $fnret; 40 | osh_exit($fnret); 41 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupAddAclkeeper.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupAddAclkeeper" , {"ac" : ["--account"]}, 4 | "groupAddAclkeeper +--account" , {"ac" : [""]}, 5 | "groupAddAclkeeper +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupAddAclkeeper +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupAddAclkeeper +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupAddGatekeeper: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | use OVH::Bastion::Plugin::groupSetRole; 11 | 12 | my ($account, $group); 13 | my $remainingOptions = OVH::Bastion::Plugin::begin( 14 | argv => \@ARGV, 15 | header => "grant an account as gatekeeper of a group", 16 | options => {"account=s", \$account, "group=s", \$group}, 17 | helptext => <<'EOF', 18 | Add the group gatekeeper role to an account 19 | 20 | Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT 21 | 22 | --group GROUP which group to set ACCOUNT as a gatekeeper of 23 | --account ACCOUNT which account to set as a gatekeeper of GROUP 24 | 25 | The specified account will be able to manage the members list of this group, 26 | along with the guests list 27 | EOF 28 | ); 29 | 30 | my $fnret = OVH::Bastion::Plugin::groupSetRole::act( 31 | account => $account, 32 | group => $group, 33 | action => 'add', 34 | type => 'gatekeeper', 35 | sudo => 0, 36 | silentoverride => 0, 37 | self => $self, 38 | scriptName => $scriptName, 39 | savedArgs => $savedArgs 40 | ); 41 | help() if not $fnret; 42 | osh_exit($fnret); 43 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupAddGatekeeper.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupAddGatekeeper" , {"ac" : ["--account"]}, 4 | "groupAddGatekeeper +--account" , {"ac" : [""]}, 5 | "groupAddGatekeeper +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupAddGatekeeper +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupAddGatekeeper +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- 
/bin/plugin/group-owner/groupAddOwner.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupAddOwner" , {"ac" : ["--account"]}, 4 | "groupAddOwner +--account" , {"ac" : [""]}, 5 | "groupAddOwner +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupAddOwner +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupAddOwner +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelAclkeeper: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | use OVH::Bastion::Plugin::groupSetRole; 11 | 12 | my $remainingOptions = OVH::Bastion::Plugin::begin( 13 | argv => \@ARGV, 14 | header => "revoke an account as aclkeeper of a group", 15 | options => {"account=s" => \my $account, "group=s" => \my $group}, 16 | helptext => <<'EOF', 17 | Remove the group aclkeeper role from an account 18 | 19 | Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT 20 | 21 | --group GROUP which group to remove ACCOUNT as an aclkeeper of 22 | --account ACCOUNT which account to remove as an aclkeeper of GROUP 23 | 24 | The specified account will no longer be able to manage the server list of this group 25 | EOF 26 | ); 27 | 28 | my $fnret = OVH::Bastion::Plugin::groupSetRole::act( 29 | account => $account, 30 | group => $group, 31 | action => 'del', 32 | type => 'aclkeeper', 33 | sudo => 0, 34 | silentoverride => 0, 35 | self => $self, 36 | scriptName => $scriptName, 37 | savedArgs => $savedArgs 38 | ); 39 | help() if not $fnret; 40 | osh_exit($fnret); 41 | 
-------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelAclkeeper.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelAclkeeper" , {"ac" : ["--account"]}, 4 | "groupDelAclkeeper +--account" , {"ac" : [""]}, 5 | "groupDelAclkeeper +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupDelAclkeeper +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupDelAclkeeper +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelEgressKey.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelEgressKey" , {"ac" : ["--group"]}, 4 | "groupDelEgressKey +--group" , {"ac" : [""]}, 5 | "groupDelEgressKey +--group +\\S+" , {"ac" : ["--id"]}, 6 | "groupDelEgressKey +--group +\\S+ +--id" , {"pr" : [""]}, 7 | "groupDelEgressKey +--group +\\S+ +--id +\\d+", {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelGatekeeper: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . 
'/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | use OVH::Bastion::Plugin::groupSetRole; 11 | 12 | my ($account, $group); 13 | my $remainingOptions = OVH::Bastion::Plugin::begin( 14 | argv => \@ARGV, 15 | header => "revoke an account as gatekeeper of a group", 16 | options => {"account=s", \$account, "group=s", \$group}, 17 | helptext => <<'EOF', 18 | Remove the group gatekeeper role from an account 19 | 20 | Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT 21 | 22 | --group GROUP which group to remove ACCOUNT as a gatekeeper of 23 | --account ACCOUNT which account to remove as a gatekeeper of GROUP 24 | 25 | The specified account will no longer be able to manage the members list nor 26 | the guest list of this group 27 | EOF 28 | ); 29 | 30 | my $fnret = OVH::Bastion::Plugin::groupSetRole::act( 31 | account => $account, 32 | group => $group, 33 | action => 'del', 34 | type => 'gatekeeper', 35 | sudo => 0, 36 | silentoverride => 0, 37 | self => $self, 38 | scriptName => $scriptName, 39 | savedArgs => $savedArgs 40 | ); 41 | help() if not $fnret; 42 | osh_exit($fnret); 43 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelGatekeeper.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelGatekeeper" , {"ac" : ["--account"]}, 4 | "groupDelGatekeeper +--account" , {"ac" : [""]}, 5 | "groupDelGatekeeper +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupDelGatekeeper +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupDelGatekeeper +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelOwner: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | use OVH::Bastion::Plugin::groupSetRole; 11 | 12 | my ($account, $group); 13 | my $remainingOptions = OVH::Bastion::Plugin::begin( 14 | argv => \@ARGV, 15 | header => "revoke an account as owner of a group", 16 | options => {"account=s", \$account, "group=s", \$group}, 17 | helptext => <<'EOF', 18 | Remove the group owner role from an account 19 | 20 | Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT 21 | 22 | --group GROUP which group to remove ACCOUNT as an owner of 23 | --account ACCOUNT which account to remove as an owner of GROUP 24 | 25 | The specified account will no longer be able to manage the owner, 26 | gatekeeper and aclkeeper lists of this group 27 | EOF 28 | ); 29 | 30 | my $fnret = OVH::Bastion::Plugin::groupSetRole::act( 31 | account => $account, 32 | group => $group, 33 | action => 'del', 34 | type => 'owner', 35 | sudo => 0, 36 | silentoverride => 0, 37 | self => $self, 38 | scriptName => $scriptName, 39 | savedArgs => $savedArgs 40 | ); 41 | help() if not $fnret; 42 | osh_exit($fnret); 43 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDelOwner.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelOwner" , {"ac" : ["--account"]}, 4 | "groupDelOwner +--account" , {"ac" : [""]}, 5 | "groupDelOwner +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupDelOwner +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupDelOwner +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupDestroy.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDestroy" , {"ac" : ["--group"]}, 4 | "groupDestroy +--group" , {"ac" : [""]}, 5 | "groupDestroy +--group +\\S+" , {"pr" : ""} 6 | ], 7 | "master_only": true, 8 | "terminal_mode": "raw" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupGenerateEgressKey.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupGenerateEgressKey" , {"ac" : ["--group"]}, 4 | "groupGenerateEgressKey +--group" , {"ac" : [""]}, 5 | "groupGenerateEgressKey +--group +\\S+" , {"ac" : ["--algo"]}, 6 | "groupGenerateEgressKey +--group +\\S+ +--algo" , {"ac" : ["rsa", "ecdsa", "ed25519"]}, 7 | "groupGenerateEgressKey +--group +\\S+ +--algo +\\S+" , {"ac" : ["--size"]}, 8 | "groupGenerateEgressKey +--group +\\S+ +--algo +\\S+ +--size" , {"pr" : [""]}, 9 | "groupGenerateEgressKey +--group +\\S+ +--algo +\\S+ +--size +\\d+" , {"ac" : ["", "--encrypted"]}, 10 | "groupGenerateEgressKey +--group +\\S+ +--algo +\\S+ +--size +\\d+ +--encrypted", {"pr" : [""]} 11 | ], 12 | "master_only": true, 13 | "terminal_mode" : "raw" 14 | } 15 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupGeneratePassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupGeneratePassword" , {"ac" : ["--group"]}, 4 | "groupGeneratePassword +--group" , {"ac" : [""]}, 5 | "groupGeneratePassword +--group +\\S+" , {"ac" : ["", "--size"]}, 6 | "groupGeneratePassword +--group +\\S+ +--size" , {"pr" : [""]}, 7 | "groupGeneratePassword +--group +\\S+ +--size +\\d+" , {"pr" : [""]} 8 | ], 9 | "master_only": true, 10 | "terminal_mode": "noecho" 11 | } 12 | -------------------------------------------------------------------------------- 
/bin/plugin/group-owner/groupModify.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupModify" , {"ac" : ["--group"]}, 4 | "groupModify +--group" , {"ac" : [""]}, 5 | "groupModify +--group +.+--mfa-required" , {"ac" : ["password","totp","any","none"]}, 6 | "groupModify +--group +.+--guest-ttl-limit" , {"pr" : [""]}, 7 | "groupModify +--group +.+--idle-lock-timeout" , {"pr" : ["","0 (disable)","-1 (use bastion default)"]}, 8 | "groupModify +--group +.+--idle-kill-timeout" , {"pr" : ["","0 (disable)","-1 (use bastion default)"]}, 9 | "groupModify +--group +.+" , {"ac" : ["--mfa-required","--guest-ttl-limit","--idle-lock-timeout","--idle-kill-timeout",""]} 10 | ], 11 | "master_only": 1 12 | } 13 | -------------------------------------------------------------------------------- /bin/plugin/group-owner/groupTransmitOwnership.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupTransmitOwnership" , {"ac" : ["--account"]}, 4 | "groupTransmitOwnership +--account" , {"ac" : [""]}, 5 | "groupTransmitOwnership +--account +\\S+" , {"ac" : ["--group"]}, 6 | "groupTransmitOwnership +--account +\\S+ +--group" , {"ac" : [""]}, 7 | "groupTransmitOwnership +--account +\\S+ +--group +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/open/alive.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "alive" , {"pr" : [""]}, 4 | "alive +\\S+" , {"pr" : [""]} 5 | ] 6 | } 7 | -------------------------------------------------------------------------------- /bin/plugin/open/groupInfo.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupInfo" , {"ac" : ["--group"]}, 4 | "groupInfo +--group" , {"ac" : [""]}, 5 | 
"groupInfo +--group +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/groupList.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupList" , {"ac" : ["", "--all"]}, 4 | "groupList +--all" , {"pr" : [""]} 5 | ] 6 | } 7 | -------------------------------------------------------------------------------- /bin/plugin/open/groupListPasswords.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupListPasswords" , {"ac" : ["--group"]}, 4 | "groupListPasswords +--group" , {"ac" : [""]}, 5 | "groupListPasswords +--group +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/groupListServers.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupListServers" , {"ac" : ["--group"]}, 4 | "groupListServers +--group" , {"ac" : [""]}, 5 | "groupListServers +--group +\\S+" , {"ac" : ["", "--reverse-dns"]}, 6 | "groupListServers +--group +\\S+ +--reverse-dns" , {"pr" : [""]} 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /bin/plugin/open/help.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "help" , {"pr" : [""]} 4 | ], 5 | "mfa_setup_not_required": true 6 | } 7 | -------------------------------------------------------------------------------- /bin/plugin/open/info.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "info" , {"pr" : [""]} 4 | ], 5 | "mfa_setup_not_required": true 6 | } 7 | -------------------------------------------------------------------------------- /bin/plugin/open/lock: 
-------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | 11 | my $remainingOptions = OVH::Bastion::Plugin::begin( 12 | argv => \@ARGV, 13 | header => "lock all your current sessions", 14 | options => { 15 | 'report' => \my $report, 16 | }, 17 | helptext => <<'EOF', 18 | Manually lock all your current sessions 19 | 20 | Usage: --osh SCRIPT_NAME 21 | EOF 22 | ); 23 | 24 | # code 25 | my $fnret; 26 | my @command; 27 | 28 | @command = qw{ pkill -c --uid }; 29 | push @command, $self; 30 | push @command, qw{ -URG ttyrec }; 31 | 32 | osh_info "Locking all your sessions..."; 33 | 34 | $fnret = OVH::Bastion::execute(cmd => \@command, noisy_stdout => 0, noisy_stderr => 1); 35 | $fnret or osh_exit $fnret; 36 | 37 | if ($fnret->value && $fnret->value->{'stdout'}) { 38 | my $nb = $fnret->value->{'stdout'}->[0] / 2; 39 | osh_info "Sent lock signal to $nb session" . ($nb == 1 ? 
'' : 's'); 40 | } 41 | 42 | osh_ok {}; 43 | -------------------------------------------------------------------------------- /bin/plugin/open/lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "lock" , {"pr" : [""]} 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /bin/plugin/open/mtr.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "mtr" , {"ac" : ["--host"]}, 4 | "mtr +--host" , {"pr" : [""]}, 5 | "mtr +--host +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/nc.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "nc" , {"ac" : ["--host"]}, 4 | "nc +--host" , {"pr" : [""]}, 5 | "nc +--host +\\S+" , {"ac" : ["--port"]}, 6 | "nc +--host +\\S+ +--port +\\d+" , {"ac" : ["", "--timeout"]}, 7 | "nc +--host +\\S+ +--port +\\d+ +--timeout" , {"pr" : [""]}, 8 | "nc +--host +\\S+ +--port +\\d+ +--timeout +\\d+" , {"pr" : [""]} 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/open/ping.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "ping" , {"ac" : ["--host"]}, 4 | "ping +--host" , {"pr" : [""]}, 5 | "ping +--host +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/rsync.json: -------------------------------------------------------------------------------- 1 | { 2 | "stealth_stdout": true, 3 | "force_stderr": true 4 | } 5 | -------------------------------------------------------------------------------- /bin/plugin/open/scp.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"execution_mode": "system", 3 | "stealth_stdout": true, 4 | "jit_mfa": "token", 5 | "jit_mfa_allow_no_host": true, 6 | "force_stderr": true 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/selfAddIngressKey.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfAddIngressKey" , {"ac" : ["--public-key \"",""]}, 4 | "selfAddIngressKey +--public-key +\"" , {"pr" : [""]}, 5 | "selfAddIngressKey +--public-key +\"[^\"]+" , {"ac" : ["\""]}, 6 | "selfAddIngressKey +--public-key +\"[^\"]+\"" , {"pr" : [""]} 7 | ], 8 | "master_only": true 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfDelIngressKey.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfDelIngressKey" , {"ac" : ["--line-number-to-delete", "--fingerprint-to-delete", ""]}, 4 | "selfDelIngressKey +--line-number-to-delete" , {"pr" : [""]}, 5 | "selfDelIngressKey +--line-number-to-delete +\\S+" , {"pr" : [""]}, 6 | "selfDelIngressKey +--fingerprint-to-delete" , {"pr" : [""]}, 7 | "selfDelIngressKey +--fingerprint-to-delete +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/open/selfForgetHostKey.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfForgetHostKey" , {"ac" : ["--host"]}, 4 | "selfForgetHostKey +--host" , {"pr" : [""]}, 5 | "selfForgetHostKey +--host +\\S+" , {"ac" : ["", "--port"]}, 6 | "selfForgetHostKey +--host +\\S+ +--port" , {"pr" : [""]}, 7 | "selfForgetHostKey +--host +\\S+ +--port +\\S+" , {"pr" : [""]} 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfGenerateEgressKey.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfGenerateEgressKey" , {"ac" : ["--algo"]}, 4 | "selfGenerateEgressKey +--algo" , {"ac" : ["rsa", "ecdsa", "ed25519"]}, 5 | "selfGenerateEgressKey +--algo +\\S+" , {"ac" : ["--size"]}, 6 | "selfGenerateEgressKey +--algo +\\S+ +--size" , {"pr" : [""]}, 7 | "selfGenerateEgressKey +--algo +\\S+ +--size +\\d+" , {"ac" : ["", "--encrypted"]}, 8 | "selfGenerateEgressKey +--algo +\\S+ +--size +\\d+ +--encrypted" , {"pr" : [""]} 9 | ], 10 | "master_only": true, 11 | "terminal_mode": "raw" 12 | } 13 | -------------------------------------------------------------------------------- /bin/plugin/open/selfGeneratePassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfGeneratePassword" , {"ac" : ["--size",""]}, 4 | "selfGeneratePassword +--size" , {"pr" : [""]}, 5 | "selfGeneratePassword +--size +\\S+" , {"pr" : [""]} 6 | ], 7 | "master_only": true, 8 | "terminal_mode": "noecho" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfGenerateProxyPassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfGenerateProxyPassword" , {"ac" : ["--size",""]}, 4 | "selfGenerateProxyPassword +--size" , {"pr" : [""]}, 5 | "selfGenerateProxyPassword +--size +\\S+" , {"ac" : [""]} 6 | ], 7 | "master_only": true, 8 | "terminal_mode": "noecho" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfListAccesses.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfListAccesses" , {"ac" : ["", "--hide-groups", "--reverse-dns"]}, 4 | "selfListAccesses +--hide-groups" , {"ac" : ["", "--reverse-dns"]}, 5 | "selfListAccesses +--reverse-dns" , {"ac" : ["", 
"--hide-groups"]}, 6 | "selfListAccesses +--(reverse-dns|hide-groups) +--(reverse-dns|hide-groups)" , {"pr" : [""]} 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /bin/plugin/open/selfListIngressKeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfListIngressKeys" , {"pr" : [""]} 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /bin/plugin/open/selfListPasswords: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | 11 | my $remainingOptions = OVH::Bastion::Plugin::begin( 12 | argv => \@ARGV, 13 | header => "list your egress passwords", 14 | options => {}, 15 | helptext => <<'EOF' 16 | List the hashes and metadata of the egress passwords associated to your account 17 | 18 | Usage: --osh SCRIPT_NAME 19 | 20 | The passwords corresponding to these hashes are only needed for devices that don't support key-based SSH 21 | EOF 22 | ); 23 | 24 | # code 25 | my $fnret; 26 | 27 | $fnret = OVH::Bastion::get_hashes_list(context => 'account', account => $self); 28 | $fnret or osh_exit $fnret; 29 | 30 | foreach my $item (@{$fnret->value}) { 31 | osh_info $item->{'description'}; 32 | foreach my $hash (sort keys %{$item->{'hashes'}}) { 33 | osh_info(sprintf("... 
%11s: %s\n", $hash, $item->{'hashes'}{$hash})); 34 | } 35 | osh_info "\n"; 36 | } 37 | if (not @{$fnret->value}) { 38 | osh_info "You don't have any egress password configured"; 39 | } 40 | 41 | osh_ok($fnret); 42 | -------------------------------------------------------------------------------- /bin/plugin/open/selfListPasswords.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfListPasswords" , {"pr" : [""]} 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFAResetPassword: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | 11 | my $remainingOptions = OVH::Bastion::Plugin::begin( 12 | argv => \@ARGV, 13 | header => "remove the UNIX password of your account (MFA)", 14 | options => {}, 15 | helptext => <<'EOF' 16 | Remove the UNIX password of your account 17 | 18 | Usage: --osh SCRIPT_NAME 19 | 20 | Note that if your password is set, you'll be prompted for it. 21 | Also note that this doesn't remove your UNIX password requirement, if set (see ``accountModify`` for this). 22 | EOF 23 | ); 24 | 25 | my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; 26 | push @command, $OVH::Bastion::BASEPATH . 
'/bin/helper/osh-accountMFAResetPassword'; 27 | push @command, "--account", $self; 28 | 29 | osh_exit(OVH::Bastion::helper(cmd => \@command)); 30 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFAResetPassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfMFAResetPassword" , {"pr" : [""]} 4 | ], 5 | "master_only": true, 6 | "mfa_required": "any" 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFAResetTOTP: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env perl 2 | # vim: set filetype=perl ts=4 sw=4 sts=4 et: 3 | use common::sense; 4 | 5 | use File::Basename; 6 | use lib dirname(__FILE__) . '/../../../lib/perl'; 7 | use OVH::Result; 8 | use OVH::Bastion; 9 | use OVH::Bastion::Plugin qw( :DEFAULT help ); 10 | 11 | my $remainingOptions = OVH::Bastion::Plugin::begin( 12 | argv => \@ARGV, 13 | header => "remove the TOTP configuration of your account (MFA)", 14 | options => {}, 15 | helptext => <<'EOF' 16 | Remove the TOTP configuration of your account 17 | 18 | Usage: --osh SCRIPT_NAME 19 | 20 | Note that if your TOTP is set, you'll be prompted for it. 21 | Also note that this doesn't remove your TOTP requirement, if set (see accountModify for this). 22 | EOF 23 | ); 24 | 25 | my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; 26 | push @command, $OVH::Bastion::BASEPATH . 
'/bin/helper/osh-accountMFAResetTOTP'; 27 | push @command, "--account", $self; 28 | 29 | osh_exit(OVH::Bastion::helper(cmd => \@command)); 30 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFAResetTOTP.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfMFAResetTOTP" , {"pr" : [""]} 4 | ], 5 | "master_only": true, 6 | "mfa_required": "any" 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFASetupPassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfMFASetupPassword" , {"pr" : [""]} 4 | ], 5 | "master_only": true, 6 | "execution_mode_on_freebsd": "system", 7 | "terminal_mode": "noecho", 8 | "mfa_setup_not_required": true 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfMFASetupTOTP.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfMFASetupTOTP" , {"pr" : [""]} 4 | ], 5 | "master_only": true, 6 | "mfa_required": "any-if-configured", 7 | "mfa_setup_not_required": true, 8 | "terminal_mode": "noecho" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/selfPlaySession.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "selfPlaySession" , {"ac" : ["--id"]}, 4 | "selfPlaySession +--id" , {"pr" : [""]}, 5 | "selfPlaySession +--id +\\S+" , {"pr" : [""]} 6 | ], 7 | "terminal_mode": "cbreak", 8 | "execution_mode": "binary" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/open/sftp.json: -------------------------------------------------------------------------------- 1 | { 2 | "stealth_stdout": true, 3 | 
"jit_mfa": "token", 4 | "jit_mfa_allow_no_host": true, 5 | "force_stderr": true 6 | } 7 | -------------------------------------------------------------------------------- /bin/plugin/open/unlock.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "unlock" , {"pr" : [""]} 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountCreate.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountCreate" , {"ac" : ["--account"]}, 4 | "accountCreate +--account" , {"pr" : [""]}, 5 | "accountCreate +--account +\\S+" , {"ac" : ["--uid","--uid-auto"]}, 6 | "accountCreate +--account +\\S+ +--uid" , {"pr" : [""]}, 7 | "accountCreate +--account +\\S+ +--uid( +\\S+|-auto)" , {"ac" : ["", "--always-active", "--comment"]}, 8 | "accountCreate +--account +\\S+ +--uid( +\\S+|-auto) +--always-active" , {"ac" : ["", "--comment"]}, 9 | "accountCreate +--account +\\S+ +--uid( +\\S+|-auto) +.*--comment" , {"pr" : [""]}, 10 | "accountCreate +--account +\\S+ +--uid( +\\S+|-auto) +(--always-active +--comment +\\S+|--comment +\\S+ +--always-active)" , {"pr" : [""]} 11 | ], 12 | "master_only": true, 13 | "terminal_mode": "raw" 14 | } 15 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountDelPersonalAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountDelPersonalAccess" , {"ac" : ["--account"]}, 4 | "accountDelPersonalAccess +--account" , {"ac" : [""]}, 5 | "accountDelPersonalAccess +--account +\\S+" , {"ac" : ["--host"]}, 6 | "accountDelPersonalAccess +--account +\\S+ +--host" , {"pr" : ["", "", ""]}, 7 | "accountDelPersonalAccess +--account +\\S+ +--host +\\S+" , {"ac" : ["", "--user", "--port"]}, 8 | "accountDelPersonalAccess +--account +\\S+ +--host 
+\\S+ +.*--user" , {"pr" : [""]}, 9 | "accountDelPersonalAccess +--account +\\S+ +--host +\\S+ +.*--port" , {"pr" : [""]}, 10 | "accountDelPersonalAccess +--account +\\S+ +--host +\\S+ +--user +\\S+" , {"ac" : ["", "--port"]}, 11 | "accountDelPersonalAccess +--account +\\S+ +--host +\\S+ +--port +\\S+" , {"ac" : ["", "--user"]}, 12 | "accountDelPersonalAccess +--account +\\S+ +--host +\\S+ +--(port|user) +\\S+ +--(port|user) +\\S+" , {"pr" : [""]} 13 | ], 14 | "master_only": true 15 | } 16 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountDelete.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountDelete" , {"ac" : ["--account"]}, 4 | "accountDelete +--account" , {"ac" : [""]}, 5 | "accountDelete +--account +\\S+" , {"ac" : ["", "--comment"]}, 6 | "accountDelete +--account +\\S+ +--comment" , {"pr" : [""]}, 7 | "accountDelete +--account +\\S+ +--comment +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountFreeze.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountFreeze" , {"ac" : ["--account"]}, 4 | "accountFreeze +--account" , {"ac" : [""]}, 5 | "accountFreeze +--account +\\S+" , {"ac" : ["--reason",""]}, 6 | "accountFreeze +--account +\\S+ +--reason" , {"pr" : ["\"reason between quotes\""]}, 7 | "accountFreeze +--account +\\S+ +--reason +.+" , {"pr" : [""]} 8 | ], 9 | "master_only": 1 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountGeneratePassword.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountGeneratePassword" , {"ac" : ["--account"]}, 4 | "accountGeneratePassword +--account" , 
{"ac" : [""]}, 5 | "accountGeneratePassword +--account +\\S+" , {"ac" : ["--size",""]}, 6 | "accountGeneratePassword +--account +\\S+ +--size" , {"pr" : [""]}, 7 | "accountGeneratePassword +--account +\\S+ +--size +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true, 10 | "terminal_mode": "noecho" 11 | } 12 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountGrantCommand.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountGrantCommand" , {"ac" : ["--account"]}, 4 | "accountGrantCommand +--account" , {"ac" : [""]}, 5 | "accountGrantCommand +--account +\\S+" , {"ac" : ["--command"]}, 6 | "accountGrantCommand +--account +\\S+ +--command" , {"ac" : [""]}, 7 | "accountGrantCommand +--account +\\S+ +--command +\\S+" , {"pr" : [""]} 8 | ], 9 | "master_only": true 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountInfo.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountInfo" , {"ac" : ["--account"]}, 4 | "accountInfo +--account" , {"ac" : [""]}, 5 | "accountInfo +--account +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountList.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountList" , {"ac" : ["--inactive-only","--realm-only","--account"]}, 4 | "accountList +--account" , {"ac" : [""]}, 5 | "accountList +--account +\\S+" , {"pr" : [""]}, 6 | "accountList +--inactive-only" , {"pr" : [""]}, 7 | "accountList +--realm-only" , {"pr" : [""]} 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountListAccesses.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountListAccesses" , {"ac" : ["--account"]}, 4 | "accountListAccesses +--account" , {"ac" : [""]}, 5 | "accountListAccesses +--account +\\S+" , {"ac" : ["", "--hide-groups", "--reverse-dns"]}, 6 | "accountListAccesses +--account +\\S+ +--hide-groups" , {"ac" : ["", "--reverse-dns"]}, 7 | "accountListAccesses +--account +\\S+ +--reverse-dns" , {"ac" : ["", "--hide-groups"]}, 8 | "accountListAccesses +--account +\\S+ +--(reverse-dns|hide-groups) +--(reverse-dns|hide-groups)" , {"pr" : [""]} 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountListEgressKeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountListEgressKeys" , {"ac" : ["--account"]}, 4 | "accountListEgressKeys +--account" , {"ac" : [""]}, 5 | "accountListEgressKeys +--account +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountListIngressKeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountListIngressKeys" , {"ac" : ["--account"]}, 4 | "accountListIngressKeys +--account" , {"ac" : [""]}, 5 | "accountListIngressKeys +--account +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /bin/plugin/restricted/accountListPasswords.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "accountListPasswords" , {"ac" : ["--account"]}, 4 | "accountListPasswords +--account" , {"ac" : [""]}, 5 | "accountListPasswords +--account +\\S+" , {"pr" : [""]} 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- 
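/bin/plugin/restricted/accountMFAResetPassword:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# Plugin entry point: remove the UNIX password of an account (MFA reset).
# The plugin only parses and validates its input; the privileged work is
# delegated to a helper run through sudo (see @command below).
# The return value of begin() is not used here, so it is not kept.
OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "remove the UNIX password of an account (MFA)",
    options => {
        "account=s" => \my $account,
    },
    helptext => <<'EOF'
Remove the UNIX password of an account

Usage: --osh SCRIPT_NAME --account ACCOUNT

    --account ACCOUNT    Specify which account you want to remove the UNIX password of

Note that it doesn't remove the account UNIX password requirement, if set (see ``accountModify`` for this)
EOF
);

# --account is mandatory: print the help and exit with a structured error code.
if (not $account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Expected an --account argument";
}

# Refuse unknown or malformed account names; from here on only the account
# name as returned by the validation routine is used.
my $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
$fnret or osh_exit $fnret;
$account = $fnret->value->{'account'};

# The helper runs as root through `sudo -n` (non-interactive: a missing sudoers
# entry fails instead of prompting) under `perl -T` (taint mode). Its path is
# absolute and built from BASEPATH, never from user input. @command is handed
# to the helper wrapper as a list (presumably exec'd without a shell — confirm
# in OVH::Bastion::helper).
my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountMFAResetPassword';
push @command, "--account", $account;

osh_exit(OVH::Bastion::helper(cmd => \@command));
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountMFAResetPassword.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountMFAResetPassword" , {"ac" : ["--account"]},
        "accountMFAResetPassword +--account" , {"ac" : [""]},
        "accountMFAResetPassword +--account +\\S+" , {"pr" : [""]}
    ],
    "master_only": true
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountMFAResetTOTP:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# Plugin entry point: remove the TOTP configuration of an account (MFA reset).
# Same structure as accountMFAResetPassword: validate input here, delegate the
# privileged work to a helper run through sudo.
# The return value of begin() is not used here, so it is not kept.
OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "remove the TOTP configuration of an account (MFA)",
    options => {
        "account=s" => \my $account,
    },
    helptext => <<'EOF'
Remove the TOTP configuration of an account

Usage: --osh SCRIPT_NAME --account ACCOUNT

    --account ACCOUNT    Specify which account you want to remove the TOTP configuration of

Note that it doesn't remove the TOTP requirement, if set (see ``accountModify`` for this).
EOF
);

# --account is mandatory: print the help and exit with a structured error code.
if (not $account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Expected an --account argument";
}

# Refuse unknown or malformed account names; from here on only the account
# name as returned by the validation routine is used.
my $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
$fnret or osh_exit $fnret;
$account = $fnret->value->{'account'};

# The helper runs as root through `sudo -n` (non-interactive) under `perl -T`
# (taint mode), at an absolute path built from BASEPATH. @command is handed to
# the helper wrapper as a list (presumably exec'd without a shell — confirm in
# OVH::Bastion::helper).
my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountMFAResetTOTP';
push @command, "--account", $account;

osh_exit(OVH::Bastion::helper(cmd => \@command));
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountMFAResetTOTP.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountMFAResetTOTP" , {"ac" : ["--account"]},
        "accountMFAResetTOTP +--account" , {"ac" : [""]},
        "accountMFAResetTOTP +--account +\\S+" , {"pr" : [""]}
    ],
    "master_only": true
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountPIV.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountPIV" , {"ac": ["--account"]},
        "accountPIV +--account" , {"ac": [""]},
        "accountPIV +--account +\\S+" , {"ac": ["--policy"]},
        "accountPIV +--account +\\S+ +--policy" , {"ac": ["default","enforce","never","grace"]},
        "accountPIV +--account +\\S+ +--policy +(default|enforce|never|grace)" , {"pr": [""]},
        "accountPIV +--account +\\S+ +--policy +grace" , {"ac": ["--ttl"]},
        "accountPIV +--account +\\S+ +--policy +grace +--ttl" , {"pr": [""]},
        "accountPIV +--account +\\S+ +--policy +grace +--ttl +(.*)" , {"pr": [""]}
    ],
    "master_only": 1
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountRevokeCommand.json: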
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountRevokeCommand" , {"ac" : ["--account"]},
        "accountRevokeCommand +--account" , {"ac" : [""]},
        "accountRevokeCommand +--account +\\S+" , {"ac" : ["--command"]},
        "accountRevokeCommand +--account +\\S+ +--command" , {"ac" : [""]},
        "accountRevokeCommand +--account +\\S+ +--command +\\S+" , {"pr" : [""]}
    ],
    "master_only": 1
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountUnexpire.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountUnexpire" , {"ac" : ["--account"]},
        "accountUnexpire +--account" , {"ac" : [""]},
        "accountUnexpire +--account +\\S+" , {"pr" : [""]}
    ]
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountUnfreeze:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# Plugin entry point: unfreeze an account previously frozen with accountFreeze.
# Input is validated here; the state change is done by the osh-accountFreezeToggle
# helper, run as the allowkeeper user (not root) through sudo.
OVH::Bastion::Plugin::begin(
    argv     => \@ARGV,
    header   => "unfreeze a previously frozen account",
    options  => {"account=s" => \my $account},
    helptext => <<'EOF',
Unfreeze a frozen account

Usage: --osh SCRIPT_NAME --account ACCOUNT

    --account ACCOUNT    Account to unfreeze
EOF
);

# --account is mandatory.
unless ($account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Missing 'account' parameter";
}

# Validate the account name and keep only the name as returned by the check.
my $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
osh_exit $fnret unless $fnret;
$account = $fnret->value->{'account'};

# Non-interactive sudo (-n) to allowkeeper, taint mode (-T), helper at a fixed
# path derived from BASEPATH; the action is hard-coded to "unfreeze".
my @command = (
    qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T },
    "$OVH::Bastion::BASEPATH/bin/helper/osh-accountFreezeToggle",
    '--action',  'unfreeze',
    '--account', $account,
);

osh_exit(OVH::Bastion::helper(cmd => \@command));
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountUnfreeze.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountUnfreeze" , {"ac" : ["--account"]},
        "accountUnfreeze +--account" , {"ac" : [""]},
        "accountUnfreeze +--account +\\S+" , {"pr" : [""]}
    ],
    "master_only": 1
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountUnlock:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use Term::ANSIColor qw{ colored };
use POSIX qw{ strftime };
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# Plugin entry point: clear a PAM lockout (pam_tally, pam_tally2 or pam_faillock)
# on an account. Input is validated here; the privileged part is delegated to
# the osh-accountUnlock helper, run as root through sudo.
OVH::Bastion::Plugin::begin(
    argv     => \@ARGV,
    header   => "unlock an account",
    options  => {"account=s" => \my $account},
    helptext => <<'EOF',
Unlock an account locked by pam_tally, pam_tally2 or pam_faillock

Usage: --osh SCRIPT_NAME --account ACCOUNT

    --account ACCOUNT    Account to work on
EOF
);

# --account is mandatory.
unless ($account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Missing 'account' parameter";
}

# Validate the account name and keep only the name as returned by the check.
my $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
osh_exit $fnret unless $fnret;
$account = $fnret->value->{'account'};

# Non-interactive sudo (-n) to root, taint mode (-T), helper at a fixed path
# derived from BASEPATH.
my @command = (
    qw{ sudo -n -u root -- /usr/bin/env perl -T },
    "$OVH::Bastion::BASEPATH/bin/helper/osh-accountUnlock",
    '--account', $account,
);

osh_exit(OVH::Bastion::helper(cmd => \@command));
--------------------------------------------------------------------------------
/bin/plugin/restricted/accountUnlock.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "accountUnlock" , {"ac" : ["--account"]},
        "accountUnlock +--account" , {"ac" : [""]},
        "accountUnlock +--account +\\S+" , {"pr" : [""]}
    ],
    "master_only": 1
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/groupCreate.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "groupCreate" , {"ac" : ["--group"]},
        "groupCreate +--group" , {"pr" : [""]},
        "groupCreate +--group +\\S+" , {"ac" : ["--owner"]},
        "groupCreate +--group +\\S+ +--owner" ,
{"ac" : [""]}, 7 | "groupCreate +--group +\\S+ +--owner +\\S+" , {"ac" : ["--algo"]}, 8 | "groupCreate +--group +\\S+ +--owner +\\S+ +--algo" , {"ac" : ["rsa", "ecdsa", "ed25519"]}, 9 | "groupCreate +--group +\\S+ +--owner +\\S+ +--algo +\\S+" , {"ac" : ["--size"]}, 10 | "groupCreate +--group +\\S+ +--owner +\\S+ +--algo +\\S+ +--size" , {"pr" : [""]}, 11 | "groupCreate +--group +\\S+ +--owner +\\S+ +--algo +\\S+ +--size +\\d+" , {"ac" : ["", "--encrypted"]}, 12 | "groupCreate +--group +\\S+ +--owner +\\S+ +--algo +\\S+ +--size +\\d+ +--encrypted" , {"pr" : [""]} 13 | ], 14 | "master_only": true, 15 | "terminal_mode": "raw" 16 | } 17 | -------------------------------------------------------------------------------- /bin/plugin/restricted/groupDelete.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "groupDelete" , {"ac" : ["--group"]}, 4 | "groupDelete +--group" , {"ac" : [""]}, 5 | "groupDelete +--group +\\S+" , {"pr" : ""} 6 | ], 7 | "master_only": true, 8 | "terminal_mode": "raw" 9 | } 10 | -------------------------------------------------------------------------------- /bin/plugin/restricted/realmCreate.json: -------------------------------------------------------------------------------- 1 | { 2 | "master_only": true 3 | } 4 | -------------------------------------------------------------------------------- /bin/plugin/restricted/realmDelete.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "realmDelete" , {"ac" : ["--realm"]}, 4 | "realmDelete +--realm" , {"ac" : [""]}, 5 | "realmDelete +--realm +\\S+" , {"pr" : [""]} 6 | ], 7 | "master_only": true 8 | } 9 | -------------------------------------------------------------------------------- /bin/plugin/restricted/realmInfo.json: -------------------------------------------------------------------------------- 1 | { 2 | "interactive": [ 3 | "realmInfo" , {"ac" : ["--realm"]}, 4 | 
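"realmInfo +--realm" , {"ac" : [""]},
        "realmInfo +--realm +\\S+" , {"pr" : [""]}
    ]
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/realmList:
--------------------------------------------------------------------------------
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# Plugin entry point: list the realms known to this bastion, optionally
# restricted to a single realm (which then doubles as an existence check).
# This plugin is read-only: it does not call any privileged helper.
# The return value of begin() is not used here, so it is not kept.
OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "list bastion realms",
    options => {
        "realm=s" => \my $pRealm,
    },
    helptext => <<'EOF',
List the bastions realms

Usage: --osh SCRIPT_NAME [--realm REALM]

    --realm REALM    Only list the specified realm (mainly: check if it exists)
EOF
);

# Without --realm (or with an empty value) every realm is listed. With it, a
# leading "realm_" prefix is stripped first so either form of the name is
# accepted by get_realm_list().
my $fnret;
if ($pRealm) {
    $pRealm =~ s{^realm_}{};
    $fnret = OVH::Bastion::get_realm_list(realms => [$pRealm]);
}
else {
    $fnret = OVH::Bastion::get_realm_list();
}
$fnret or osh_exit $fnret;
my $realms = $fnret->value;

# Structured result: a hash keyed by realm name, each entry carrying its
# name; the same names are echoed to the user, sorted.
my $result_hash = {};
foreach my $realm (sort keys %$realms) {
    $result_hash->{$realm}{'name'} = $realm;

    osh_info $realm;
}
if (not %$realms) {
    osh_info "No realm found";
}

osh_ok $result_hash;
--------------------------------------------------------------------------------
/bin/plugin/restricted/rootListIngressKeys.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "rootListIngressKeys" , {"pr" : [""]}
    ]
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/selfDelPersonalAccess.json:
--------------------------------------------------------------------------------
{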
"interactive": [
        "selfDelPersonalAccess" , {"ac" : ["--host"]},
        "selfDelPersonalAccess +--host" , {"pr" : ["", "", ""]},
        "selfDelPersonalAccess +--host +\\S+" , {"ac" : ["", "--user", "--port"]},
        "selfDelPersonalAccess +--host +\\S+ +.*--user" , {"pr" : [""]},
        "selfDelPersonalAccess +--host +\\S+ +.*--port" , {"pr" : [""]},
        "selfDelPersonalAccess +--host +\\S+ +--user +\\S+" , {"ac" : ["", "--port"]},
        "selfDelPersonalAccess +--host +\\S+ +--port +\\S+" , {"ac" : ["", "--user"]},
        "selfDelPersonalAccess +--host +\\S+ +--(port|user) +\\S+ +--(port|user) +\\S+" , {"pr" : [""]}
    ],
    "master_only": true
}
--------------------------------------------------------------------------------
/bin/plugin/restricted/whoHasAccessTo.json:
--------------------------------------------------------------------------------
{
    "interactive": [
        "whoHasAccessTo" , {"ac" : ["--host"]},
        "whoHasAccessTo +--host" , {"pr" : [""]},
        "whoHasAccessTo +--host +\\S+ +(.*--(user|port|ignore-group) +\\S+| +.*--(ignore-wildcard|ignore-private))?$" , {"ac" : ["--user","--port","--ignore-wildcard","--ignore-private","--ignore-group",""]},
        "whoHasAccessTo +--host +\\S+ +.*--user" , {"pr" : [""]},
        "whoHasAccessTo +--host +\\S+ +.*--port" , {"pr" : [""]},
        "whoHasAccessTo +--host +\\S+ +.*--ignore-group" , {"ac" : [""]}
    ]
}
--------------------------------------------------------------------------------
/bin/shell/bastion-sync-helper.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
#
# Restricted login shell / forced command for the "bastionsync" account.
# It accepts exactly one kind of session: a non-interactive "-c" command
# whose first two words are "rsync --server", and re-executes that rsync
# through sudo. Every other case exits with a distinct non-zero code so
# the failure reason is visible in logs.
#
# Trust boundary: the words after "rsync --server" are NOT validated here and
# are passed to rsync as-is; what rsync is then allowed to do is bounded by
# the sudoers rule for this account, which is not shown in this file.
if [ "$USER" != "bastionsync" ]; then
    echo "Unexpected user, aborting" >&2
    exit 2
fi
# Only sessions coming in through sshd are expected to have this set.
if [ -z "$SSH_CONNECTION" ]; then
    echo "Bad environment, aborting" >&2
    exit 3
fi
# No interactive shell: a login shell is invoked as "<shell> -c <command>".
if [ "$1" != "-c" ]; then
    echo "Interactive session denied, aborting" >&2
    exit 4
fi
shift
# Re-split the single command string into words, mimicking what "sh -c"
# would do. Being unquoted, this expansion performs field splitting AND
# pathname expansion (globbing) on the string, hence the shellcheck waiver.
# shellcheck disable=SC2068
set -- $@
# Only the exact server-side rsync invocation is allowed.
if [ "$1 $2" != "rsync --server" ]; then
    echo "Only rsync is allowed, aborting" >&2
    exit 5
fi
shift
shift
# Run from a known directory so relative paths in the rsync arguments are
# resolved against "/" rather than the account's home.
if ! cd /; then
    echo "Failed to chdir /, aborting" >&2
    exit 6
fi
# Absolute paths for both sudo and rsync; the remaining words are forwarded
# verbatim (quoted) as rsync's own arguments.
exec /usr/bin/sudo -- /usr/bin/rsync --server "$@"
--------------------------------------------------------------------------------
/bin/shell/pam_exec_pwd_info.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
#
# this script can be called by pam during sshd login, when negotiating MFA.
# it'll show in how many days the user password will expire.
# it can be called this way:
#
#auth optional pam_exec.so quiet debug stdout /opt/bastion/bin/shell/pam_exec_pwd_info.sh
#
# Informational only: every failure path exits 0, so a missing or unparseable
# expiry date can never block the login (this matches "optional" above).

# PAM_USER is set by pam_exec; nothing to report without it.
[ -n "$PAM_USER" ] || exit 0
# NOTE(review): this parses chage's human-readable output, which is presumably
# locale-dependent — confirm the PAM environment forces a known locale.
exp_date=$(chage -l "$PAM_USER" 2>/dev/null | grep 'Password expires' | cut -d: -f2-)
# Normalise through date(1) ("-d" is GNU date syntax); a value such as
# "never" fails to parse, yields an empty string and ends the script below.
exp_date=$(date -d "$exp_date" +'%Y/%m/%d' 2>/dev/null)
[ -n "$exp_date" ] || exit 0
# Whole days left, truncated towards zero by integer division.
exp=$(date -d "$exp_date" +'%s')
now=$(date +'%s')
daysleft=$(( (exp - now) / 86400 ))
echo "Your password expires on $exp_date, in $daysleft days"
--------------------------------------------------------------------------------
/contrib/nrpe/README.md:
--------------------------------------------------------------------------------
NRPE Probes
===========

A few NRPE probes are available in the ``probes/`` subdirectory.

Some of these probes might need to have elevated rights, an example of sudoers file is included.

You might want to also use the nice ``check_logfiles`` probe, courtesy of
Consol Labs (https://labs.consol.de/nagios/check_logfiles/index.html), to ensure
that the cron scripts behave correctly and that no error is happening during the backup process,
the encrypt & rsync process, the HA synchronization daemon, etc.
12 | 13 | The configuration of the ``check_logfiles`` probe can be found in ``etc/nagios/plugins.d``. 14 | 15 | The bastion-side NRPE daemon configuration for these probes can be found in the ``etc/nagios/nrpe.d``. 16 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_healthcheck.cfg: -------------------------------------------------------------------------------- 1 | command[check_bastion_healthcheck]=/usr/bin/sudo -u healthcheck /opt/bastion/contrib/nrpe/probes/bastion-healthcheck --host 127.0.0.1 --port 22 --account healthcheck --keyfile /home/healthcheck/.ssh/id_healthcheck 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_http_proxy.cfg: -------------------------------------------------------------------------------- 1 | command[check_bastion_http_proxy]=/opt/bastion/contrib/nrpe/probes/bastion-http-proxy --host 127.0.0.1 --port 8443 --disabled-ok 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_locked.cfg: -------------------------------------------------------------------------------- 1 | command[check_bastion_locked]=/opt/bastion/contrib/nrpe/probes/bastion-locked 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_root_connected_too_long.cfg: -------------------------------------------------------------------------------- 1 | command[check_bastion_root_connected_too_long]=/opt/bastion/contrib/nrpe/probes/bastion-root-connected-too-long --warn-after-minutes 60 --crit-after-minutes 180 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_sync_daemon.cfg: -------------------------------------------------------------------------------- 1 | 
command[check_bastion_sync_daemon]=/usr/lib/nagios/plugins/check_dummy 0 'osh-sync-watcher is not intended to run on slave bastions' 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_bastion_version.cfg: -------------------------------------------------------------------------------- 1 | command[check_bastion_version]=/opt/bastion/contrib/nrpe/probes/bastion-version 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_backup.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_backup]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_backup 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_encrypt_rsync.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_encrypt_rsync]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_encrypt_rsync 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_guest_key_cleanup.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_guest_key_cleanup]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_guest_key_cleanup 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_misc.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_misc]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f 
/etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_misc 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_orphaned_homedir.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_orphaned_homedir]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_orphaned_homedir 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_piv_grace.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_piv_grace]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_piv_grace 2 | -------------------------------------------------------------------------------- /contrib/nrpe/etc/nagios/nrpe.d/check_log_bastion_secondaries_sync.cfg: -------------------------------------------------------------------------------- 1 | command[check_log_bastion_secondaries_sync]=/usr/bin/sudo -u root /usr/lib/nagios/check_logfiles -f /etc/nagios/plugins.d/ovh/check_logfiles.cfg --searches=bastion_secondaries_sync 2 | -------------------------------------------------------------------------------- /contrib/nrpe/sudoers.example: -------------------------------------------------------------------------------- 1 | # This is a sudoers example file for The Bastion contrib NRPE probes. Adjust to your system. 
2 | 3 | nagios ALL=(healthcheck) NOPASSWD: /opt/bastion/contrib/nrpe/probes/bastion-healthcheck 4 | nagios ALL=(root) NOPASSWD: /opt/bastion/contrib/nrpe/probes/bastion-version 5 | 6 | -------------------------------------------------------------------------------- /doc/INSTALL.md: -------------------------------------------------------------------------------- 1 | # Install instructions 2 | 3 | Please refer to the proper section of the [documentation](https://ovh.github.io/the-bastion/installation/basic.html). 4 | 5 | It can also be found offline, in the ``doc/sphinx/installation/basic.rst`` text file. 6 | -------------------------------------------------------------------------------- /doc/UPGRADE.md: -------------------------------------------------------------------------------- 1 | # General upgrade instructions 2 | 3 | Please refer to the proper section of the [documentation](https://ovh.github.io/the-bastion/installation/upgrading.html). 4 | 5 | It can also be found offline, in the ``doc/sphinx/installation/upgrading.rst`` text file. 6 | 7 | # Specific upgrade instructions 8 | 9 | Each version might have specific upgrade instructions, please refer to the proper section of the [documentation](https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions). 10 | 11 | It can also be found offline, in the ``doc/sphinx/installation/upgrading.rst`` text file. 12 | -------------------------------------------------------------------------------- /doc/release-notes/v3.00.00.md: -------------------------------------------------------------------------------- 1 | This is the first public release!
2 | -------------------------------------------------------------------------------- /doc/release-notes/v3.00.01.md: -------------------------------------------------------------------------------- 1 | - feat: add OpenSUSE 15.2 to the officially supported distros 2 | - enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise 3 | - enh: packages-check.sh: add qrencode-libs for RHEL/CentOS 4 | - enh: provide a separated Dockerfile for the sandbox, squashing useless layers 5 | - doc: a lot of fixes here and there 6 | - chore: remove spurious config files 7 | - chore: a few GitHub actions workflow fixes 8 | -------------------------------------------------------------------------------- /doc/release-notes/v3.00.02.md: -------------------------------------------------------------------------------- 1 | - feat: add more archs to dockerhub sandbox, it is now available for `linux/386`, `linux/amd64`, `linux/arm/v6`, `linux/arm/v7`, `linux/arm64`, `linux/ppc64le` and `linux/s390x`. 
2 | - fix: `adminSudo`: allow called plugins to read from stdin 3 | - fix: add missing `echo` in the entrypoint of the sandbox 4 | - chore: `install-ttyrec.sh`: adapt for multiarch 5 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.01.md: -------------------------------------------------------------------------------- 1 | **Changelog:** 2 | - fix: interactive mode: mark non-printable chars as such to avoid readline quirks 3 | - fix: osh-encrypt-rsync: remove `logfile` as a mandatory parameter 4 | - fix: typo in `MFAPasswordWarnDays` parameter in `bastion.conf.dist` 5 | - enh: interactive mode: better autocompletion for `accountCreate` and `adminSudo` 6 | - enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly 7 | - doc: add information about `puppet-thebastion` and `yubico-piv-checker` + some adjustments 8 | - chore: tests: fail the tests when code is not tidy 9 | 10 | [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html) 11 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.02.md: -------------------------------------------------------------------------------- 1 | **Changelog:** 2 | - feat: support CentOS 8.3 3 | - fix: is_valid_remote_user: extend allowed size from 32 to 128 4 | - doc: `bastions.conf.dist`: wrong options values in `accountMFAPolicy` comments 5 | - chore: packages-check: remove unused packages 6 | 7 | Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release. 
8 | 9 | [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html) 10 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.03.md: -------------------------------------------------------------------------------- 1 | - fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86) 2 | - fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket) 3 | - fix: osh.pl: plugin_config 'disabled' key is a boolean 4 | - chore: speedup tests by ~20% 5 | - chore: osh-accountDelete: fix typo 6 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.99-rc2.md: -------------------------------------------------------------------------------- 1 | This is a **release-candidate**. 2 | 3 | As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released. 4 | 5 | The following changes have been done since the previous rc: 6 | - fix: re-introduce the ttyrecfile field (fixes #114) 7 | - fix: logs: sql dbname was not properly passed through the update logs func (fixes #114) 8 | - doc: upgrade: add a note about config normalization 9 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.99-rc3.md: -------------------------------------------------------------------------------- 1 | This is a **release-candidate**. 2 | 3 | As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. 4 | This rc (rc3) is expected to be the last before the release. 
5 | 6 | The following changes have been done since the previous rc: 7 | - feat: `rootListIngressKeys`: look for all well-known authkeys files 8 | - feat: add `--(in|ex)clude` filters to `groupList` and `accountList` 9 | - enh: `groupList`: use cache to speedup calls 10 | - enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125) 11 | - fix: scripts: `(( ))` returns 1 if evaluated to zero, hence failing under `set -e` 12 | - fix: config: be more permissive for `documentationURL` regex 13 | - fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper 14 | - fix: confusing error messages in `groupDelServer` 15 | - chore: tests: also update totalerrors while tests are running 16 | -------------------------------------------------------------------------------- /doc/release-notes/v3.01.99-rc4.md: -------------------------------------------------------------------------------- 1 | This is a release-candidate. 2 | 3 | As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released. 4 | This rc (rc4) is expected to be the last before the release. 
5 | 6 | The following changes have been done since the previous rc: 7 | 8 | - fix: admins no longer inherited superowner powers 9 | -------------------------------------------------------------------------------- /doc/release-notes/v3.03.01.md: -------------------------------------------------------------------------------- 1 | Changes: 2 | 3 | - enh: `osh-orphaned-homedir.sh`: add more security checks to ensure we don't archive still-used home dirs 4 | - enh: install.inc: try harder to hit GitHub API in CI 5 | - fix: `fixrights.sh`: 'chmod --' not supported under FreeBSD 6 | - fix: `packages-check.sh`: centos: ensure cache is up to date before trying to install packages 7 | - fix: `groupDelServer`: missing autocompletion in interactive mode 8 | - fix: `install-yubico-piv-checker`: ppc64le installation was broken 9 | - fix: `scp`: abort early if host is not found to avoid a warn() 10 | - fix: `osh-backup-acl-keys`: detect file removed transient error 11 | - fix: add a case to the ignored perl panic race condition 12 | - chore: `mkdir -p` doesn't fail if dir already exists 13 | - chore: tests: support multiple unit-test files 14 | 15 | **General upgrade instructions:** [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html) 16 | 17 | **Specific upgrade instructions:** none 18 | -------------------------------------------------------------------------------- /doc/release-notes/v3.05.01.md: -------------------------------------------------------------------------------- 1 | # :bulb: Highlights 2 | 3 | A few minor features appear in this revision, if you don't need these you might skip this update. 4 | 5 | - It is now possible to sign the backups in addition to encryption 6 | 7 | - The interactive mode now supports an ``mfa`` command, to proactively request an MFA challenge that will be valid for a configured amount of time. The ``--proactive-mfa`` parameter is the equivalent for non-interactive mode, e.g. 
to be used along with `--osh clush` or `--osh batch` 8 | 9 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log. 10 | 11 | # :pushpin: Changes 12 | 13 | - feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209) 14 | - feat: ``--proactive-mfa`` and ``mfa``/``nofa`` interactive commands 15 | - doc: add help about the interactive builtin commands (#227) 16 | 17 | # :fast_forward: Upgrading 18 | 19 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 20 | - [Specific upgrade instructions for v3.05.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-05-01-2021-09-22) 21 | -------------------------------------------------------------------------------- /doc/release-notes/v3.06.00.md: -------------------------------------------------------------------------------- 1 | # :bulb: Highlights 2 | 3 | The main new feature of this version is the `--pubkey-auth-optional` option to `accountModify`, to tag some accounts so that they don't need a public key for the ingress connection, but only a password (and maybe a TOTP). Of course, as passwords are always less secure than public-key authentication, please only use it for specific use cases you may have. #237 for more details, along with the specific upgrade instructions (see below). 4 | 5 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log. 
6 | 7 | # :pushpin: Changes 8 | 9 | - feat: `accountModify`: add `--pubkey-auth-optional` (#237, thanks @madchrist) 10 | - fix: `accountPIV`: fix bad autocompletion rule 11 | - fix: groupdel: false positive in lock contention detection 12 | - doc: `bastion.conf`: add superowner system group requirement 13 | 14 | # :fast_forward: Upgrading 15 | 16 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 17 | - [Specific upgrade instructions for v3.06.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-06-00-2021-10-15) 18 | -------------------------------------------------------------------------------- /doc/release-notes/v3.08.01.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | The main change of this version is: 9 | 10 | - A new system script, [osh-remove-empty-folders.sh](https://ovh.github.io/the-bastion/administration/configuration/osh-remove-empty-folders_conf.html), called by cron and responsible for cleaning up the ``ttyrec/`` directory of users homes, which may contain a high amount of empty folders for busy users tonnecting to a lot of different servers, as we create one folder per destination IP. 11 | 12 | An exhaustive list of changes can be found below. 
13 | 14 | # :pushpin: Changes 15 | 16 | - feat: add `osh-remove-empty-folders.sh` script 17 | - enh: better errror detection and logging in `accountDelete` & `groupDelete` 18 | 19 | # :fast_forward: Upgrading 20 | 21 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 22 | - [Specific upgrade instructions for v3.08.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-08-01-2022-01-19) 23 | -------------------------------------------------------------------------------- /doc/release-notes/v3.09.00-rc2.md: -------------------------------------------------------------------------------- 1 | # :warning: This is a release candidate 2 | 3 | Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate. 4 | 5 | This version will go stable in a few days if no regression is found. 6 | 7 | # :zap: Security 8 | 9 | - No security fixes since previous release 10 | - Oldest release with no known security issues: `v3.00.00` (first public version) 11 | 12 | # :bulb: Highlights 13 | 14 | Please refer to the `rc1` changelog. 
15 | 16 | # :pushpin: Changes 17 | 18 | since `rc1`: 19 | 20 | - enh: MFA: specify account name in message 21 | - enh: print_public_key: better formatter 22 | - enh: move some code from get_hashes_list() to a new get_password_file() 23 | - doc: osh-encrypt-rsync.conf: add verbose 24 | 25 | # :fast_forward: Upgrading 26 | 27 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 28 | - [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-07-xx) 29 | -------------------------------------------------------------------------------- /doc/release-notes/v3.09.02.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | Previous version (v3.09.01) was tagged but not released, main change since last released version is a speedup of the internal `execute()` function, speeding up several portions of the code. 9 | 10 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log. 
11 | 12 | # :pushpin: Changes 13 | - fix: basic mitigation for ``scp``'s CVE-2020-15778 (upstream doesn't consider it a bug) 14 | - fix: ``batch``: don't attempt to read if STDIN is closed 15 | - enh: make ``execute()`` way WAY faster 16 | 17 | # :fast_forward: Upgrading 18 | 19 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 20 | - [Specific upgrade instructions for v3.09.02](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-02-2022-11-15) 21 | -------------------------------------------------------------------------------- /doc/release-notes/v3.10.00.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | Main changes from the previous version are: 9 | - Two new restricted commands: `accountFreeze` and `accountUnfreeze,` to temporarily disable an account, in a reversible way. 10 | - New options to the `accountInfo` commands: `--no-password-info` and `--no-output,` to get a speed boost when those informations are not needed by the caller 11 | 12 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log. 
13 | 14 | # :pushpin: Changes 15 | - feat: add `accountFreeze`/`accountUnfreeze` commands 16 | - enh: `accountInfo`: add `--no-password-info` and `--no-output options` 17 | - enh: more precise matching of ssh client error messages 18 | - enh: osh.pl: add the account name on each error message 19 | - fix: invalid suffixed account creation (#357) 20 | 21 | # :fast_forward: Upgrading 22 | 23 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 24 | - [Specific upgrade instructions for v3.10.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-10-00-2023-02-17) 25 | -------------------------------------------------------------------------------- /doc/release-notes/v3.11.01.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | This is a hotfix release, the only fixed issue is a display issue introduced in `v3.11.00` in the `groupInfo` command, which would always display an empty list for the gatekeepers of a group, along with "?" instead of the number of accesses for each guest. 9 | Note that the JSON output was correct, only the human-readable output of `groupInfo` was impacted. 
10 | 11 | # :fast_forward: Upgrading 12 | 13 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 14 | -------------------------------------------------------------------------------- /doc/release-notes/v3.13.00.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | The change from the previous version is: 9 | 10 | - The plugins output is now recorded using `ttyrec`, as the egress connections are, instead of being stored in `sqlite` format 11 | within the home folder of the account. This helps avoiding the sqlite databases growing too much in size when 12 | accounts are using `--osh` commands very intensively. 13 | 14 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log. 
15 | 16 | # :pushpin: Changes 17 | - enh: use `ttyrec` instead of `sqlite` to record plugin output 18 | - fix: `selfMFASetupPassword`: restore default sighandlers to avoid being zombified 19 | 20 | # :fast_forward: Upgrading 21 | 22 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 23 | - [Specific upgrade instructions for v3.13.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-13-00-2023-07-28) 24 | -------------------------------------------------------------------------------- /doc/release-notes/v3.14.00.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known security issues: `v3.00.00` (first public version) 5 | 6 | # :bulb: Highlights 7 | 8 | This release fixes a possibly problematic behavior introduced in `v3.13.00` when replacing `sqlite` logging of plugins output by `ttyrec` where the `scp` and `sftp` plugins, when downloading a file (from the remote server to the local machine through the bastion) would save the binary stream as part of the ttyrec file, possibly taking a lot of space when these plugins are often used. 9 | 10 | Another, somehow niche, new feature is the support of so-called `type8` and `type9` hash types for egress passwords, mainly used by network devices. More information is available in the specific upgrade instructions link below. 
11 | 12 | # :pushpin: Changes 13 | 14 | - feat: add type8 and type9 password hashes 15 | - feat: add `stealth_stderr`/`stdout` `ttyrec` support, enable it for `scp` & `sftp` 16 | 17 | # :fast_forward: Upgrading 18 | 19 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 20 | - [Specific upgrade instructions for v3.14.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-00-2023-09-19) 21 | -------------------------------------------------------------------------------- /doc/release-notes/v3.16.01.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) 5 | 6 | # :bulb: Highlights 7 | 8 | This release only has minor changes. It has been tagged back in April but the formal GitHub Release was missing! 9 | 10 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.00...v3.16.01). 
11 | 12 | # :pushpin: Changes 13 | - enh: info plugin: removed `uname` dependency, added configuration 14 | - chg: bastion-sync-helper.sh: use `sh` instead of `bash` 15 | - fix: alive plugin: don't mask signals 16 | 17 | # :fast_forward: Upgrading 18 | 19 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 20 | - [Specific upgrade instructions for v3.16.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-01-2024-04-17) 21 | -------------------------------------------------------------------------------- /doc/release-notes/v3.16.99-rc3.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) 5 | 6 | # :bulb: Highlights 7 | 8 | Please read the ``rc2`` changes that are also included in this pre-release. 9 | 10 | This release, the ``rc3``, expected to be the last release candidate, fixes a regression introduced in the ``rc1``. 11 | 12 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.01...v3.16.99-rc3). 
13 | 14 | # :pushpin: Changes 15 | - fix: regression introduced by https://github.com/ovh/the-bastion/commit/932e72eb839c6d248704d217b305b2d34818bd01 for stealth stdout in ssh 16 | 17 | # :fast_forward: Upgrading 18 | 19 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 20 | - [Specific upgrade instructions for v3.16.99-rc3](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-99-rc3-2024-09-25) 21 | -------------------------------------------------------------------------------- /doc/release-notes/v3.17.01.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) 5 | 6 | # :bulb: Highlights 7 | 8 | No specific highlight, as this release addresses a few issues and minor enhancements. 9 | 10 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.17.00...v3.17.01). 11 | 12 | # :pushpin: Changes 13 | - enh: interactive: handle CTRL+C nicely (fix #497) 14 | - fix: osh.pl: remove a warning on interactive mode timeout 15 | - fix: allow ssh-as in connect.pl 16 | - chore: fix bad scpup/scpupload scp/scpdownload references in help and doc (thanks @TomRicci!) 
17 | 18 | # :fast_forward: Upgrading 19 | 20 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 21 | - [Specific upgrade instructions for v3.17.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-17-01-2024-10-23) 22 | -------------------------------------------------------------------------------- /doc/release-notes/v3.19.01.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) 5 | 6 | # :bulb: Highlights 7 | 8 | This release adds the possibility to allow plain HTTP on the egress side of the bastion HTTPS proxy. 9 | 10 | Of course, this feature is disabled by default, and you must allow it explicitely if your business constraints force you to. To this effect, you may specify the [allowed_egress_protocols](https://ovh.github.io/the-bastion/administration/configuration/osh-http-proxy_conf.html#allowed-egress-protocols) option of the ``osh-http-proxy.conf`` file. 11 | 12 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.19.00...v3.19.01). 
13 | 14 | # :pushpin: Changes 15 | - feat: httpproxy: optional support for plain http on egress 16 | - fix: selfPlaySession: warn in syslog properly 17 | - chore: github actions: replace ubuntu 20.04 by 24.04 (EOL) 18 | 19 | # :fast_forward: Upgrading 20 | 21 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 22 | - [Specific upgrade instructions for v3.19.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-19-01-2025-03-04) 23 | -------------------------------------------------------------------------------- /doc/release-notes/v3.20.00.md: -------------------------------------------------------------------------------- 1 | # :zap: Security 2 | 3 | - No security fixes since previous release 4 | - Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) 5 | 6 | # :bulb: Highlights 7 | 8 | This release drops official support for Ubuntu 18.04. Consequently, we upped the minimum required version of Perl to v5.26 (released in 2017). 9 | 10 | The main change is the support of arbitrary binary data passed through the HTTPS proxy, hence if you use it, restarting the daemon after the upgrade is important. 11 | 12 | A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.19.01...v3.20.00). 
13 | 14 | # :pushpin: Changes 15 | - chg: deprecate Ubuntu 18.04, up required perl version to v5.26 16 | - enh: ensure JSON streams are purely us-ascii 17 | - fix: httpproxy: allow binary data to be passed through unmodified 18 | - chore: dockerhub: remove i386 build, no longer supported by yubico-piv-checker builds 19 | - chore: fix yubico-piv-checker package name since 1.0.2 20 | - chore: workflows: allow manual launch of distro tests 21 | 22 | # :fast_forward: Upgrading 23 | 24 | - [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) 25 | - [Specific upgrade instructions for v3.20.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-20-00-2025-03-25) 26 | -------------------------------------------------------------------------------- /doc/sphinx-plugins-override/help.rst: -------------------------------------------------------------------------------- 1 | Displays help about the available plugins callable with ``--osh``. 2 | 3 | If you need help on a specific plugin, you can use ``--osh PLUGIN --help``, replacing ``PLUGIN`` with the actual plugin name. 4 | 5 | Note that if you want some help about the bastion (and not specifically about the plugins), you should use ``--help`` (without ``--osh``). 6 | 7 | Colors 8 | ====== 9 | 10 | You'll notice that plugins are highlighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. 11 | 12 | - green (``open``): these plugins can be called by anybody 13 | - blue (``restricted``): these plugins can only be called by users having the specific right to call them. This right is granted per plugin by the ``accountGrantCommand`` plugin 14 | - orange (``group-gatekeeper`` and ``group-aclkeeper``): these plugins can either be called by group gatekeepers or group aclkeepers. 
For clarity, the same color has been used for both cases 15 | - purple (``group-owner``): these plugins can only be called by group owners 16 | - red (``admin``): these plugins can only be called by bastion admins 17 | -------------------------------------------------------------------------------- /doc/sphinx-plugins-override/lock.rst: -------------------------------------------------------------------------------- 1 | This command will lock all your current sessions on this bastion instance. Note that this only applies to the bastion instance you're launching this command on, not on the whole bastion cluster (if you happen to have one). 2 | 3 | To undo this action, you can use ``--osh unlock`` on the same instance. 4 | -------------------------------------------------------------------------------- /doc/sphinx-plugins-override/nc.rst: -------------------------------------------------------------------------------- 1 | Note that this is not a full-featured ``netcat``, we just test whether a remote port is open. There is no way to exchange data using this command. 2 | -------------------------------------------------------------------------------- /doc/sphinx-plugins-override/rsync.override.rst: -------------------------------------------------------------------------------- 1 | Transfer files from/to remote servers using rsync through the bastion 2 | ===================================================================== 3 | 4 | .. note:: 5 | 6 | This plugin should not be called manually, but passed as the --rsh option to rsync. 7 | 8 | Usage examples 9 | -------------- 10 | 11 | To transfer all files from ``/srcdir`` to the ``remotehost``'s ``/dest/`` directory:: 12 | 13 | rsync -va --rsh "ssh -T BASTION_USER@BASTION_HOST -p BASTION_PORT -- --osh rsync --" /srcdir remoteuser@remotehost:/dest/ 14 | 15 | The ``-va`` options are just examples, you can use any option of ``rsync`` that you see fit. 
16 | 17 | To transfer all remote files from ``/srcdir`` to the local ``/dest`` directory:: 18 | 19 | rsync -va --rsh "ssh -T BASTION_USER@BASTION_HOST -p BASTION_PORT -- --osh rsync --" remoteuser@remotehost:/srcdir /dest/ 20 | 21 | Please note that you need to be granted for uploading or downloading files 22 | with ``rsync`` to/from the remote host, in addition to having the right to SSH to it. 23 | For a group, the right should be added with ``--protocol rsync`` of the :doc:`/plugins/group-aclkeeper/groupAddServer` command. 24 | For a personal access, the right should be added with ``--protocol rsync`` of the :doc:`/plugins/restricted/selfAddPersonalAccess` command. 25 | :doc:`/plugins/open/selfListEgressKeys` 26 | 27 | You'll find more information and examples in :doc:`/using/sftp_scp_rsync`. 28 | -------------------------------------------------------------------------------- /doc/sphinx-reference-headers/osh-encrypt-rsync.conf.header: -------------------------------------------------------------------------------- 1 | ====================== 2 | osh-encrypt-rsync.conf 3 | ====================== 4 | 5 | .. note:: 6 | 7 | The osh-encrypt-rsync script is called by cron and is responsible for encrypting 8 | and optionally pushing the recorded ``ttyrec`` files to a distant server, along 9 | with the user logs (``/home/*/*.log``) and user sqlite files (``/home/*/*.sqlite``). 10 | The global log and sqlite files are also handled (located in ``/home/logkeeper/``). 11 | Note that logs sent through syslog are NOT managed by this script. 12 | 13 | .. warning:: 14 | 15 | If left unconfigured, this script won't do anything, and the recorded ``ttyrec`` files, 16 | along with the log and sqlite files won't be encrypted or moved out from the server. 17 | This might not be a problem for low-traffic bastions or if you have plenty of storage available, though. 
18 | 19 | Option List 20 | =========== 21 | -------------------------------------------------------------------------------- /doc/sphinx/_static/css/thebastion.css: -------------------------------------------------------------------------------- 1 | @import 'theme.css'; 2 | 3 | .cmdusage .last { 4 | font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace; 5 | white-space: nowrap; 6 | font-size: 75%; 7 | } 8 | 9 | .wy-nav-content { 10 | max-width: 1000px; 11 | } 12 | -------------------------------------------------------------------------------- /doc/sphinx/administration/configuration/index.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | Configuration files 3 | =================== 4 | 5 | Main configuration files 6 | ======================== 7 | 8 | These config files should be reviewed and adapted for the environment in which 9 | you're deploying The Bastion. The doc:`bastion_conf` is the only one that is 10 | mandatory to get you started. You should however review the other ones before 11 | going into production. 12 | 13 | .. toctree:: 14 | :maxdepth: 1 15 | 16 | bastion_conf 17 | osh-backup-acl-keys_conf 18 | osh-encrypt-rsync_conf 19 | osh-sync-watcher_sh 20 | osh-http-proxy_conf 21 | 22 | Configuration files for satellite scripts 23 | ========================================= 24 | 25 | These config files govern the behavior of satellite scripts that handle 26 | background tasks of The Bastion. Most of the time, there is no need to alter 27 | the configuration as sane defaults are already built in. 28 | 29 | .. 
toctree:: 30 | :maxdepth: 1 31 | 32 | osh-piv-grace-reaper_conf 33 | osh-remove-empty-folders_conf 34 | osh-cleanup-guest-key-access_conf 35 | osh-lingering-sessions-reaper_conf 36 | osh-orphaned-homedir_conf 37 | -------------------------------------------------------------------------------- /doc/sphinx/administration/configuration/osh-piv-grace-reaper_conf.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | osh-piv-grace-reaper.conf 3 | ========================= 4 | 5 | .. note:: 6 | 7 | This script is called by cron and is responsible for removing temporary 8 | grace periods on PIV policies, once they expire. If you don't use PIV keys, 9 | this script won't do anything (see :doc:`/using/piv`). 10 | 11 | Option List 12 | =========== 13 | 14 | Logging & activation options 15 | ---------------------------- 16 | 17 | Script logging configuration and script activation 18 | 19 | - `syslog_facility`_ 20 | - `enabled`_ 21 | 22 | Option Reference 23 | ================ 24 | 25 | Logging & activation 26 | -------------------- 27 | 28 | syslog_facility 29 | *************** 30 | 31 | :Type: ``string`` 32 | 33 | :Default: ``local6`` 34 | 35 | The syslog facility to use for logging the script output. 36 | If set to the empty string, we'll not log through syslog at all. 37 | If this configuration option is missing from your config file altogether, 38 | the default value will be used (local6), which means that we'll log to syslog. 39 | 40 | enabled 41 | ******* 42 | 43 | :Type: ``bool`` 44 | 45 | :Default: ``true`` 46 | 47 | If not set to `true` (or a true value), the script will not run. 
48 | 49 | -------------------------------------------------------------------------------- /doc/sphinx/administration/security_advisories.rst: -------------------------------------------------------------------------------- 1 | Security Advisories 2 | =================== 3 | 4 | This section contains all the security advisories since The Bastion has been published. 5 | 6 | If you find any behavior or bug that you suspect might have a security impact, please 7 | `report it here `_. 8 | 9 | .. toctree:: 10 | :maxdepth: 1 11 | :caption: CVE List 12 | 13 | security_advisories/cve_2023_45140.rst 14 | -------------------------------------------------------------------------------- /doc/sphinx/img/group_roles.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/img/group_roles.png -------------------------------------------------------------------------------- /doc/sphinx/img/groups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/img/groups.png -------------------------------------------------------------------------------- /doc/sphinx/img/locked_session.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/img/locked_session.png -------------------------------------------------------------------------------- /doc/sphinx/plugins/admin/adminMaintenance.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | adminMaintenance 3 | ================= 4 | 5 | Manage the bastion maintenance mode 6 | =================================== 7 | 8 | 9 | .. 
admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh adminMaintenance <--lock [--message "'reason for maintenance'"]|--unlock> 13 | 14 | .. program:: adminMaintenance 15 | 16 | 17 | .. option:: --lock 18 | 19 | Set maintenance mode: new logins will be disallowed 20 | 21 | .. option:: --unlock 22 | 23 | Unset maintenance mode: new logins are allowed and the bastion functions normally 24 | 25 | .. option:: --message MESSAGE 26 | 27 | Optionally set a maintenance reason, if you're in a shell, quote it twice. 28 | 29 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/admin/adminSudo.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | adminSudo 3 | ========== 4 | 5 | Impersonate another user 6 | ======================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh adminSudo -- --sudo-as ACCOUNT <--sudo-cmd PLUGIN -- [PLUGIN specific options...]> 13 | 14 | .. program:: adminSudo 15 | 16 | 17 | .. option:: --sudo-as ACCOUNT 18 | 19 | Specify which bastion account we want to impersonate 20 | 21 | .. option:: --sudo-cmd PLUGIN 22 | 23 | --osh command we want to launch as the user (see --osh help) 24 | 25 | 26 | Example:: 27 | 28 | --osh adminSudo -- --sudo-as user12 --sudo-cmd info -- --name somebodyelse 29 | 30 | Don't forget the double-double-dash as seen in the example above: one after the plugin name, 31 | and another one to separate adminSudo options from the options of the plugin to be called. 32 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/admin/index.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | admin plugins 3 | ============== 4 | 5 | .. 
toctree:: 6 | 7 | adminMaintenance 8 | adminSudo 9 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-aclkeeper/groupSetServers.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | groupSetServers 3 | ================ 4 | 5 | Replace a group's current ACL by a new list 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupSetServers --group GROUP [OPTIONS] 13 | 14 | .. program:: groupSetServers 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Specify which group to modify the ACL of 20 | 21 | .. option:: --dry-run 22 | 23 | Don't actually modify the ACL, just report whether the input contains errors 24 | 25 | .. option:: --skip-errors 26 | 27 | Don't abort on STDIN parsing errors, just skip the non-parseable lines 28 | 29 | 30 | The list of the assets to constitute the new ACL should then be given on ``STDIN``, 31 | respecting the following format: ``[USER@]HOST[:PORT][ COMMENT]``, with ``USER`` and ``PORT`` being optional, 32 | and ``HOST`` being either a hostname, an IP, or an IP block in CIDR notation. The ``COMMENT`` is also optional, 33 | and may contain spaces. 34 | 35 | Example of valid lines to be fed through ``STDIN``:: 36 | 37 | server12.example.org 38 | logs@server 39 | 192.0.2.21 40 | host1.example.net:2222 host1 on secondary sshd with alternate port 41 | root@192.0.2.0/24 production database cluster 42 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-aclkeeper/index.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | group-aclkeeper plugins 3 | ======================== 4 | 5 | .. 
toctree:: 6 | 7 | groupAddServer 8 | groupDelServer 9 | groupSetServers 10 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst: -------------------------------------------------------------------------------- 1 | =============== 2 | groupAddMember 3 | =============== 4 | 5 | Add an account to the member list 6 | ================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupAddMember --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupAddMember 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as a member of 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | which account to set as a member of GROUP 24 | 25 | 26 | The specified account will be able to access all present and future servers 27 | pertaining to this group. 28 | If you need to give a specific and/or temporary access instead, 29 | see ``groupAddGuestAccess`` 30 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst: -------------------------------------------------------------------------------- 1 | =============== 2 | groupDelMember 3 | =============== 4 | 5 | Remove an account from the members list 6 | ======================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelMember --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupDelMember 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to remove ACCOUNT as a member of 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | which account to remove as a member of GROUP 24 | 25 | 26 | The specified account will no longer be able to access all present and future servers 27 | pertaining to this group. 
28 | Note that if this account also had specific guest accesses to this group, they may 29 | still apply, see ``groupListGuestAccesses`` 30 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst: -------------------------------------------------------------------------------- 1 | ======================= 2 | groupListGuestAccesses 3 | ======================= 4 | 5 | List the guest accesses to servers of a group specifically granted to an account 6 | ================================================================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupListGuestAccesses --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupListGuestAccesses 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Look for accesses to servers of this GROUP 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | Which account to check 24 | 25 | .. option:: --reverse-dns 26 | 27 | Attempt to resolve the reverse hostnames (SLOW!) 28 | 29 | .. option:: --include PATTERN 30 | 31 | Only include servers matching the given PATTERN (see below) 32 | 33 | This option can be used multiple times to refine results 34 | .. option:: --exclude PATTERN 35 | 36 | Omit servers matching the given PATTERN (see below) 37 | 38 | This option can be used multiple times. 39 | Note that --exclude takes precedence over --include 40 | 41 | **Note:** PATTERN supports the ``*`` and ``?`` wildcards. 42 | If PATTERN is a simple string without wildcards, then names containing this string will be considered. 43 | The matching is done on the text output of the command. 44 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-gatekeeper/index.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | group-gatekeeper plugins 3 | ========================= 4 | 5 | .. 
toctree:: 6 | 7 | groupAddGuestAccess 8 | groupAddMember 9 | groupDelGuestAccess 10 | groupDelMember 11 | groupListGuestAccesses 12 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | groupAddAclkeeper 3 | ================== 4 | 5 | Add the group aclkeeper role to an account 6 | ========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupAddAclkeeper --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupAddAclkeeper 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as an aclkeeper of 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | which account to set as an aclkeeper of GROUP 24 | 25 | 26 | The specified account will be able to manage the server list of this group 27 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | groupAddGatekeeper 3 | =================== 4 | 5 | Add the group gatekeeper role to an account 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupAddGatekeeper --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupAddGatekeeper 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as a gatekeeper of 20 | 21 | .. 
option:: --account ACCOUNT 22 | 23 | which account to set as a gatekeeper of GROUP 24 | 25 | 26 | The specified account will be able to manage the members list of this group, 27 | along with the guests list 28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupAddOwner.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | groupAddOwner 3 | ============== 4 | 5 | Add the group owner role to an account 6 | ====================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupAddOwner --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupAddOwner 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as an owner of 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | which account to set as an owner of GROUP 24 | 25 | 26 | The specified account will be able to manage the owner, gatekeeper 27 | and aclkeeper list of this group. In other words, this account will 28 | have all possible rights to manage the group and delegate some or all 29 | of the rights to other accounts 30 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | groupDelAclkeeper 3 | ================== 4 | 5 | Remove the group aclkeeper role from an account 6 | =============================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelAclkeeper --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupDelAclkeeper 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to remove ACCOUNT as an aclkeeper of 20 | 21 | .. 
option:: --account ACCOUNT 22 | 23 | which account to remove as an aclkeeper of GROUP 24 | 25 | 26 | The specified account will no longer be able to manage the server list of this group 27 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupDelEgressKey.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | groupDelEgressKey 3 | ================== 4 | 5 | Remove a bastion group egress key 6 | ================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelEgressKey <--group GROUP> <--id ID> 13 | 14 | .. program:: groupDelEgressKey 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Name of the group to delete the egress key from 20 | 21 | .. option:: --id ID 22 | 23 | Specify the key ID to delete, you can get it with groupInfo 24 | 25 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | groupDelGatekeeper 3 | =================== 4 | 5 | Remove the group gatekeeper role from an account 6 | ================================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelGatekeeper --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupDelGatekeeper 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to remove ACCOUNT as a gatekeeper of 20 | 21 | .. 
option:: --account ACCOUNT 22 | 23 | which account to remove as a gatekeeper of GROUP 24 | 25 | 26 | The specified account will no longer be able to manager the members nor 27 | the guest list of this group 28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupDelOwner.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | groupDelOwner 3 | ============== 4 | 5 | Remove the group owner role from an account 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelOwner --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupDelOwner 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as an owner of 20 | 21 | .. option:: --account ACCOUNT 22 | 23 | which account to set as an owner of GROUP 24 | 25 | 26 | The specified account will no longer be able to manage the owner, 27 | gatekeeper and aclkeeper lists of this group 28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupDestroy.rst: -------------------------------------------------------------------------------- 1 | ============= 2 | groupDestroy 3 | ============= 4 | 5 | Delete a group 6 | ============== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDestroy --group GROUP 13 | 14 | .. program:: groupDestroy 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Group name to delete 20 | 21 | .. option:: --no-confirm 22 | 23 | Skip group name confirmation, but blame yourself if you deleted the wrong group! 24 | 25 | 26 | This command is able to delete any group you're an owner of. 27 | Granted users to the sibling restricted command `groupDelete` can delete any group. 
28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst: -------------------------------------------------------------------------------- 1 | ======================= 2 | groupGenerateEgressKey 3 | ======================= 4 | 5 | Create a new public + private key pair for a group 6 | ================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupGenerateEgressKey --group GROUP --algo ALGO --size SIZE [--encrypted] 13 | 14 | .. program:: groupGenerateEgressKey 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Group name to generate a new egress key for. 20 | 21 | 22 | .. option:: --algo ALGO 23 | 24 | Specifies the algo of the key, either rsa, ecdsa or ed25519. 25 | 26 | 27 | .. option:: --size SIZE 28 | 29 | Specifies the size of the key to be generated. 30 | 31 | For RSA, choose between 2048 and 8192 (4096 is good). 32 | For ECDSA, choose either 256, 384 or 521. 33 | For Ed25519, size is always 256. 34 | 35 | .. option:: --encrypted 36 | 37 | If specified, a passphrase will be prompted for the new key 38 | 39 | 40 | 41 | A quick overview of the different algorithms: 42 | 43 | .. code-block:: none 44 | 45 | Ed25519 : robustness[###] speed[###] 46 | ECDSA : robustness[##.] speed[###] 47 | RSA : robustness[#..] speed[#..] 48 | 49 | This table is meant as a quick cheat-sheet, you're warmly advised to do 50 | your own research, as other constraints may apply to your environment. 51 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupGeneratePassword.rst: -------------------------------------------------------------------------------- 1 | ====================== 2 | groupGeneratePassword 3 | ====================== 4 | 5 | Generate a new egress password for the group 6 | ============================================ 7 | 8 | 9 | .. 
admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupGeneratePassword --group GROUP [--size SIZE] --do-it 13 | 14 | .. program:: groupGeneratePassword 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Specify which group you want to generate a password for 20 | 21 | .. option:: --size SIZE 22 | 23 | Specify the number of characters of the password to generate 24 | 25 | .. option:: --do-it 26 | 27 | Required for the password to actually be generated, BEWARE: please read the note below 28 | 29 | 30 | Generate a new egress password to be used for ssh or telnet 31 | 32 | NOTE: this is only needed for devices that don't support key-based SSH, 33 | in most cases you should ignore this command completely, unless you 34 | know that devices you need to access only support telnet or password-based SSH. 35 | 36 | BEWARE: once a new password is generated this way, it'll be set as the new 37 | egress password to use right away for the group, for any access that requires it. 38 | A fallback mechanism exists that will auto-try the previous password if this one 39 | doesn't work, but please ensure that this new password is deployed on the remote 40 | devices as soon as possible. 41 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst: -------------------------------------------------------------------------------- 1 | ======================= 2 | groupTransmitOwnership 3 | ======================= 4 | 5 | Transmit your group ownership to somebody else 6 | ============================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupTransmitOwnership --group GROUP --account ACCOUNT 13 | 14 | .. program:: groupTransmitOwnership 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | which group to set ACCOUNT as an owner of 20 | 21 | .. 
option:: --account ACCOUNT 22 | 23 | which account to set as an owner of GROUP 24 | 25 | 26 | Note that this command has the same net effect than using ``groupAddOwner`` 27 | to add ACCOUNT as an owner, then removing yourself with ``groupDelOwner`` 28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/group-owner/index.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | group-owner plugins 3 | ==================== 4 | 5 | .. toctree:: 6 | 7 | groupAddAclkeeper 8 | groupAddGatekeeper 9 | groupAddOwner 10 | groupDelAclkeeper 11 | groupDelEgressKey 12 | groupDelGatekeeper 13 | groupDelOwner 14 | groupDestroy 15 | groupGenerateEgressKey 16 | groupGeneratePassword 17 | groupModify 18 | groupTransmitOwnership 19 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/alive.rst: -------------------------------------------------------------------------------- 1 | ====== 2 | alive 3 | ====== 4 | 5 | Ping a host and exit as soon as it answers 6 | ========================================== 7 | 8 | 9 | This command can be used to monitor a host that is expected to go back online soon. 10 | Note that if you want to ssh to it afterwards, you can simply use the ``--wait`` main option. 11 | 12 | .. admonition:: usage 13 | :class: cmdusage 14 | 15 | --osh alive [--host] HOSTNAME 16 | 17 | .. program:: alive 18 | 19 | 20 | .. option:: --host HOSTNAME 21 | 22 | hostname or IP to ping 23 | 24 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/batch.rst: -------------------------------------------------------------------------------- 1 | ====== 2 | batch 3 | ====== 4 | 5 | Run a batch of osh commands fed through STDIN 6 | ============================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh batch 13 | 14 | .. 
program:: batch 15 | 16 | 17 | **Examples:** 18 | 19 | (replace ``bssh`` by your bastion alias) 20 | 21 | - run 3 simple commands in a oneliner: 22 | 23 | :: 24 | 25 | printf "%b\n%b\n%b" info selfListIngressKeys selfListEgressKeys | bssh --osh batch 26 | 27 | - run a lot of commands written out line by line in a file: 28 | 29 | :: 30 | 31 | bssh --osh batch < cmdlist.txt 32 | 33 | - add 3 users to a group: 34 | 35 | :: 36 | 37 | for i in user1 user2 user3; do echo "groupAddMember --account $i --group grp4"; done | bssh --osh batch 38 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/clush.rst: -------------------------------------------------------------------------------- 1 | ====== 2 | clush 3 | ====== 4 | 5 | Launch a remote command on several machines sequentially (clush-like) 6 | ===================================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh clush [OPTIONS] --command '"remote command"' 13 | 14 | .. program:: clush 15 | 16 | 17 | .. option:: --list HOSTLIST 18 | 19 | Comma-separated list of the hosts (hostname or IP) to run the command on 20 | 21 | .. option:: --user USER 22 | 23 | Specify which remote user should we use to connect (default: BASTION_ACCOUNT) 24 | 25 | .. option:: --port PORT 26 | 27 | Specify which port to connect to (default: 22) 28 | 29 | .. option:: --step-by-step 30 | 31 | Pause before running the command on each host 32 | 33 | .. option:: --no-pause-on-failure 34 | 35 | Don't pause if the remote command failed (returned exit code != 0) 36 | 37 | .. option:: --no-confirm 38 | 39 | Skip confirmation of the host list and command 40 | 41 | .. option:: --command '"remote cmd"' 42 | 43 | Command to be run on the remote hosts. If you're in a shell, quote it twice as shown. 
44 | 45 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/groupList.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | groupList 3 | ========== 4 | 5 | List the groups available on this bastion 6 | ========================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupList [--all] [--exclude|--include PATTERN [--exclude|--include PATTERN ..]] 13 | 14 | .. program:: groupList 15 | 16 | 17 | .. option:: --all 18 | 19 | List all groups, even those to which you don't have access 20 | 21 | .. option:: --include PATTERN 22 | 23 | Only list groups that match the given PATTERN (see below) 24 | 25 | This option can be used multiple times to refine results 26 | .. option:: --exclude PATTERN 27 | 28 | Omit groups that match the given PATTERN string (see below) 29 | 30 | This option can be used multiple times. 31 | Note that --exclude takes precedence over --include 32 | 33 | **Note:** PATTERN supports the ``*`` and ``?`` wildcards. 34 | If PATTERN is a simple string without wildcards, then names containing this string will be considered. 35 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/groupListPasswords.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | groupListPasswords 3 | =================== 4 | 5 | List the hashes and metadata of egress passwords of a group 6 | =========================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupListPasswords --group GROUP 13 | 14 | .. program:: groupListPasswords 15 | 16 | 17 | .. 
option:: --group GROUP 18 | 19 | Show the data for this group 20 | 21 | 22 | The passwords corresponding to these hashes are only needed for devices that don't support key-based SSH 23 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/groupListServers.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | groupListServers 3 | ================= 4 | 5 | List the servers (IPs and IP blocks) pertaining to a group 6 | ========================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupListServers --group GROUP [--reverse-dns] 13 | 14 | .. program:: groupListServers 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | List the servers of this group 20 | 21 | .. option:: --reverse-dns 22 | 23 | Attempt to resolve the reverse hostnames (SLOW!) 24 | 25 | .. option:: --include PATTERN 26 | 27 | Only include servers matching the given PATTERN (see below) 28 | 29 | This option can be used multiple times to refine results 30 | .. option:: --exclude PATTERN 31 | 32 | Omit servers matching the given PATTERN (see below) 33 | 34 | This option can be used multiple times. 35 | Note that --exclude takes precedence over --include 36 | 37 | **Note:** PATTERN supports the ``*`` and ``?`` wildcards. 38 | If PATTERN is a simple string without wildcards, then names containing this string will be considered. 39 | The matching is done on the text output of the command. 40 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/help.rst: -------------------------------------------------------------------------------- 1 | ===== 2 | help 3 | ===== 4 | 5 | I'm So Meta, Even This Acronym 6 | ============================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh help 13 | 14 | .. 
program:: help 15 | 16 | Displays help about the available plugins callable with ``--osh``. 17 | 18 | If you need help on a specific plugin, you can use ``--osh PLUGIN --help``, replacing ``PLUGIN`` with the actual plugin name. 19 | 20 | Note that if you want some help about the bastion (and not specifically about the plugins), you should use ``--help`` (without ``--osh``). 21 | 22 | Colors 23 | ====== 24 | 25 | You'll notice that plugins are highlighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. 26 | 27 | - green (``open``): these plugins can be called by anybody 28 | - blue (``restricted``): these plugins can only be called by users having the specific right to call them. This right is granted per plugin by the ``accountGrantCommand`` plugin 29 | - orange (``group-gatekeeper`` and ``group-aclkeeper``): these plugins can either be called by group gatekeepers or group aclkeepers. For clarity, the same color has been used for both cases 30 | - purple (``group-owner``): these plugins can only be called by group owners 31 | - red (``admin``): these plugins can only be called by bastion admins 32 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/index.rst: -------------------------------------------------------------------------------- 1 | ============= 2 | open plugins 3 | ============= 4 | 5 | .. 
toctree:: 6 | 7 | alive 8 | batch 9 | clush 10 | groupInfo 11 | groupList 12 | groupListPasswords 13 | groupListServers 14 | help 15 | info 16 | lock 17 | mtr 18 | nc 19 | ping 20 | rsync 21 | scp 22 | selfAddIngressKey 23 | selfDelIngressKey 24 | selfForgetHostKey 25 | selfGenerateEgressKey 26 | selfGeneratePassword 27 | selfGenerateProxyPassword 28 | selfListAccesses 29 | selfListEgressKeys 30 | selfListIngressKeys 31 | selfListPasswords 32 | selfListSessions 33 | selfMFAResetPassword 34 | selfMFAResetTOTP 35 | selfMFASetupPassword 36 | selfMFASetupTOTP 37 | selfPlaySession 38 | sftp 39 | unlock 40 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/lock.rst: -------------------------------------------------------------------------------- 1 | ===== 2 | lock 3 | ===== 4 | 5 | Manually lock all your current sessions 6 | ======================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh lock 13 | 14 | .. program:: lock 15 | 16 | This command will lock all your current sessions on this bastion instance. Note that this only applies to the bastion instance you're launching this command on, not on the whole bastion cluster (if you happen to have one). 17 | 18 | To undo this action, you can use ``--osh unlock`` on the same instance. 19 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/mtr.rst: -------------------------------------------------------------------------------- 1 | ==== 2 | mtr 3 | ==== 4 | 5 | Runs the mtr tool to traceroute a host 6 | ====================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh mtr [--host] HOST [--report] 13 | 14 | .. program:: mtr 15 | 16 | 17 | .. 
option:: --report 18 | 19 | Don't run mtr interactively, output a text report once done 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/nc.rst: -------------------------------------------------------------------------------- 1 | === 2 | nc 3 | === 4 | 5 | Check whether a remote TCP port is open 6 | ======================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh nc [--host] HOST [--port] PORT [-w TIMEOUT] 13 | 14 | .. program:: nc 15 | 16 | 17 | .. option:: --host HOST 18 | 19 | Host or IP to attempt to connect to 20 | 21 | .. option:: --port PORT 22 | 23 | TCP port to attempt to connect to 24 | 25 | .. option:: -w SECONDS 26 | 27 | Timeout in seconds (default: 3) 28 | 29 | Note that this is not a full-featured ``netcat``, we just test whether a remote port is open. There is no way to exchange data using this command. 30 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/ping.rst: -------------------------------------------------------------------------------- 1 | ===== 2 | ping 3 | ===== 4 | 5 | Ping a remote host from the bastion 6 | =================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh ping [--host HOST] [-c COUNT] [-s PKTSZ] [-t TTL] [-w TIMEOUT] 13 | 14 | .. program:: ping 15 | 16 | 17 | .. option:: --host HOST 18 | 19 | Remote host to ping 20 | 21 | .. option:: -c COUNT 22 | 23 | Number of pings to send (default: infinite) 24 | 25 | .. option:: -s SIZE 26 | 27 | Specify the packet size to send 28 | 29 | .. option:: -t TTL 30 | 31 | TTL to set in the ICMP packet (default: OS dependent) 32 | 33 | .. 
option:: -w TIMEOUT 34 | 35 | Exit unconditionally after this amount of seconds (default & max: 86400) 36 | 37 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfAddIngressKey.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | selfAddIngressKey 3 | ================== 4 | 5 | Add a new ingress public key to your account 6 | ============================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfAddIngressKey [--public-key '"ssh key text"'] [--piv] 13 | 14 | .. program:: selfAddIngressKey 15 | 16 | 17 | .. option:: --public-key KEY 18 | 19 | Your new ingress public SSH key to deposit on the bastion, use double-quoting if your're under a shell. 20 | 21 | If this option is not specified, you'll be prompted interactively for your public SSH key. Note that you 22 | can also pass it through STDIN directly. If the policy of this bastion allows it, you may prefix the key 23 | with a 'from="IP1,IP2,..."' snippet, a la authorized_keys. However the policy might force a configured 24 | 'from' prefix that will override yours, or be used if you don't specify it yourself. 25 | .. option:: --piv 26 | 27 | Add a public SSH key from a PIV-compatible hardware token, along with its attestation certificate and key 28 | 29 | certificate, both in PEM format. If you specified --public-key, then the attestation and key certificate are 30 | expected on STDIN only, otherwise the public SSH key, the attestation and key certificate are expected on STDIN. 
31 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfDelIngressKey.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | selfDelIngressKey 3 | ================== 4 | 5 | Remove an ingress public key from your account 6 | ============================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfDelIngressKey [--id-to-delete|-l ID] [--fingerprint-to-delete|-f FP] 13 | 14 | .. program:: selfDelIngressKey 15 | 16 | 17 | .. option:: -l, --id-to-delete ID 18 | 19 | Directly specify key id to delete (CAUTION!), you can get id with selfListIngressKeys 20 | 21 | .. option:: -f, --fingerprint-to-delete FP 22 | 23 | Directly specify the fingerprint of the key to delete (CAUTION!) 24 | 25 | 26 | If none of these options are specified, you'll be prompted interactively. 27 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfForgetHostKey.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | selfForgetHostKey 3 | ================== 4 | 5 | Forget a known host key from your bastion account 6 | ================================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfForgetHostKey [--host HOST] [--port PORT] 13 | 14 | .. program:: selfForgetHostKey 15 | 16 | 17 | .. option:: --host HOST 18 | 19 | Host to remove from the known_hosts file 20 | 21 | .. option:: --port PORT 22 | 23 | Port to look for in the known_hosts file (default: 22) 24 | 25 | 26 | This command is useful to remove the man-in-the-middle warning when a key has changed, 27 | however please verify that the host key change is legit before using this command. 28 | The warning SSH gives is there for a reason. 
29 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfGenerateEgressKey.rst: -------------------------------------------------------------------------------- 1 | ====================== 2 | selfGenerateEgressKey 3 | ====================== 4 | 5 | Create a new public + private key pair on your bastion account 6 | ============================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfGenerateEgressKey --algo ALGO --size SIZE [--encrypted] 13 | 14 | .. program:: selfGenerateEgressKey 15 | 16 | 17 | .. option:: --algo ALGO 18 | 19 | Specifies the algo of the key, either rsa, ecdsa or ed25519. 20 | 21 | 22 | .. option:: --size SIZE 23 | 24 | Specifies the size of the key to be generated. 25 | 26 | For RSA, choose between 2048 and 8192 (4096 is good). 27 | For ECDSA, choose either 256, 384 or 521. 28 | For ED25519, size is always 256. 29 | 30 | .. option:: --encrypted 31 | 32 | if specified, a passphrase will be prompted for the new key 33 | 34 | 35 | 36 | A quick overview of the different algorithms: 37 | 38 | .. code-block:: none 39 | 40 | Ed25519 : robustness[###] speed[###] 41 | ECDSA : robustness[##.] speed[###] 42 | RSA : robustness[#..] speed[#..] 43 | 44 | This table is meant as a quick cheat-sheet, you're warmly advised to do 45 | your own research, as other constraints may apply to your environment. 46 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfGeneratePassword.rst: -------------------------------------------------------------------------------- 1 | ===================== 2 | selfGeneratePassword 3 | ===================== 4 | 5 | Generate a new egress password for your account 6 | =============================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfGeneratePassword [--size SIZE] --do-it 13 | 14 | .. 
program:: selfGeneratePassword 15 | 16 | 17 | .. option:: --size SIZE 18 | 19 | Specify the number of characters of the password to generate 20 | 21 | .. option:: --do-it 22 | 23 | Required for the password to actually be generated, BEWARE: please read the note below 24 | 25 | 26 | This plugin generates a new egress password to be used for ssh or telnet 27 | 28 | NOTE: this is only needed for devices that don't support key-based SSH, 29 | in most cases you should ignore this command completely, unless you 30 | know that devices you need to access only support telnet or password-based SSH. 31 | 32 | BEWARE: once a new password is generated this way, it'll be set as the new 33 | egress password to use right away for your account, for any access that requires it. 34 | A fallback mechanism exists that will auto-try the previous password if this one 35 | doesn't work, but please ensure that this new password is deployed on the remote 36 | devices as soon as possible. 37 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfGenerateProxyPassword.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | selfGenerateProxyPassword 3 | ========================== 4 | 5 | Generate a new ingress password to use the bastion HTTPS proxy 6 | ============================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfGenerateProxyPassword --do-it 13 | 14 | .. program:: selfGenerateProxyPassword 15 | 16 | 17 | .. option:: --do-it 18 | 19 | Required for the password to actually be generated, BEWARE: please read the note below 20 | 21 | 22 | This plugin generates a new ingress password to use the bastion HTTPS proxy. 
23 | 24 | NOTE: this is only needed for devices that only support HTTPS API and not ssh, 25 | in most cases you should ignore this command completely, unless you 26 | know that devices you need to access are using an HTTPS API. 27 | 28 | BEWARE: once a new password is generated this way, it'll be set as the new 29 | HTTPS proxy ingress password to use right away for your account. 30 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfListAccesses.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | selfListAccesses 3 | ================= 4 | 5 | Show the list of servers you have access to 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfListAccesses [--hide-groups] [--reverse-dns] 13 | 14 | .. program:: selfListAccesses 15 | 16 | 17 | .. option:: --hide-groups 18 | 19 | Don't show the machines you have access to through group rights. 20 | 21 | In other words, list only your personal accesses. 22 | .. option:: --reverse-dns 23 | 24 | Attempt to resolve the reverse hostnames (SLOW!) 25 | 26 | .. option:: --include PATTERN 27 | 28 | Only include accesses matching the given PATTERN (see below) 29 | 30 | This option can be used multiple times to refine results 31 | .. option:: --exclude PATTERN 32 | 33 | Omit accesses matching the given PATTERN (see below) 34 | 35 | This option can be used multiple times. 36 | Note that --exclude takes precedence over --include 37 | 38 | **Note:** PATTERN supports the ``*`` and ``?`` wildcards. 39 | If PATTERN is a simple string without wildcards, then names containing this string will be considered. 40 | The matching is done on the text output of the command. 
41 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfListEgressKeys.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | selfListEgressKeys 3 | =================== 4 | 5 | List the public egress keys of your account 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfListEgressKeys 13 | 14 | .. program:: selfListEgressKeys 15 | 16 | 17 | The keys listed are the public egress SSH keys tied to your account. 18 | They can be used to gain access to another machine from this bastion, 19 | by putting one of those keys in the remote machine's ``authorized_keys`` file, 20 | and adding yourself access to this machine with ``selfAddPersonalAccess``. 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfListIngressKeys.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | selfListIngressKeys 3 | ==================== 4 | 5 | List the public ingress keys of your account 6 | ============================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfListIngressKeys 13 | 14 | .. program:: selfListIngressKeys 15 | 16 | 17 | The keys listed are the public ingress SSH keys tied to your account. 18 | Their private counterpart should be detained only by you, and used 19 | to authenticate yourself to this bastion. 
20 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfListPasswords.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | selfListPasswords 3 | ================== 4 | 5 | List the hashes and metadata of the egress passwords associated to your account 6 | =============================================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfListPasswords 13 | 14 | .. program:: selfListPasswords 15 | 16 | 17 | The passwords corresponding to these hashes are only needed for devices that don't support key-based SSH 18 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfMFAResetPassword.rst: -------------------------------------------------------------------------------- 1 | ===================== 2 | selfMFAResetPassword 3 | ===================== 4 | 5 | Remove the UNIX password of your account 6 | ======================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfMFAResetPassword 13 | 14 | .. program:: selfMFAResetPassword 15 | 16 | 17 | Note that if your password is set, you'll be prompted for it. 18 | Also note that this doesn't remove your UNIX password requirement, if set (see ``accountModify`` for this). 19 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfMFAResetTOTP.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | selfMFAResetTOTP 3 | ================= 4 | 5 | Remove the TOTP configuration of your account 6 | ============================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfMFAResetTOTP 13 | 14 | .. 
program:: selfMFAResetTOTP 15 | 16 | 17 | Note that if your TOTP is set, you'll be prompted for it. 18 | Also note that this doesn't remove your TOTP requirement, if set (see accountModify for this). 19 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfMFASetupPassword.rst: -------------------------------------------------------------------------------- 1 | ===================== 2 | selfMFASetupPassword 3 | ===================== 4 | 5 | Setup an additional credential (UNIX password) to access your account 6 | ===================================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfMFASetupPassword [--yes] 13 | 14 | .. program:: selfMFASetupPassword 15 | 16 | 17 | .. option:: --yes 18 | 19 | Don't ask for confirmation 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfMFASetupTOTP.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | selfMFASetupTOTP 3 | ================= 4 | 5 | Setup an additional credential (TOTP) to access your account 6 | ============================================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfMFASetupTOTP [--no-confirm] 13 | 14 | .. program:: selfMFASetupTOTP 15 | 16 | 17 | .. option:: --no-confirm 18 | 19 | Bypass the confirmation step for TOTP enrollment phase 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/selfPlaySession.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | selfPlaySession 3 | ================ 4 | 5 | Replay the ttyrec of a past session 6 | =================================== 7 | 8 | 9 | .. 
admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh selfPlaySession --id ID 13 | 14 | .. program:: selfPlaySession 15 | 16 | 17 | .. option:: --id ID 18 | 19 | ID of the session to replay, use ``selfListSessions`` to find it. 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/open/unlock.rst: -------------------------------------------------------------------------------- 1 | ======= 2 | unlock 3 | ======= 4 | 5 | Unlock all your current sessions 6 | ================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh unlock 13 | 14 | .. program:: unlock 15 | 16 | 17 | This command will unlock all your current sessions on this bastion instance, 18 | that were either locked for inactivity timeout or manually locked by you with ``lock``. 19 | Note that this only applies to the bastion instance you're launching this 20 | command on, not on the whole bastion cluster (if you happen to have one). 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountDelete.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | accountDelete 3 | ============== 4 | 5 | Delete an account from the bastion 6 | ================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountDelete --account ACCOUNT 13 | 14 | .. program:: accountDelete 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Account name to delete 20 | 21 | .. 
option:: --no-confirm 22 | 23 | Don't ask for confirmation, and blame yourself if you deleted the wrong account 24 | 25 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountFreeze.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | accountFreeze 3 | ============== 4 | 5 | Freeze an account, to prevent it from connecting 6 | ================================================ 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountFreeze --account ACCOUNT [--reason "'SOME REASON'"] 13 | 14 | .. program:: accountFreeze 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Account to freeze 20 | 21 | .. option:: --reason "'SOME REASON'" 22 | 23 | Optional reason for the account to be frozen (will be displayed to the user), 24 | 25 | if you are in a shell (and not in interactive mode), quote it twice as shown. 26 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountGeneratePassword.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | accountGeneratePassword 3 | ======================== 4 | 5 | Generate a new egress password for an account 6 | ============================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountGeneratePassword --account ACCOUNT [--size SIZE] --do-it 13 | 14 | .. program:: accountGeneratePassword 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Specify which account you want to generate a password for 20 | 21 | .. option:: --size SIZE 22 | 23 | Specify the number of characters of the password to generate 24 | 25 | .. 
option:: --do-it 26 | 27 | Required for the password to actually be generated, BEWARE: please read the note below 28 | 29 | 30 | This plugin generates a new egress password to be used for ssh or telnet 31 | 32 | NOTE: this is only needed for devices that don't support key-based SSH, 33 | in most cases you should ignore this command completely, unless you 34 | know that devices you need to access only support telnet or password-based SSH. 35 | 36 | BEWARE: once a new password is generated this way, it'll be set as the new 37 | egress password to use right away for the account, for any access that requires it. 38 | A fallback mechanism exists that will auto-try the previous password if this one 39 | doesn't work, but please ensure that this new password is deployed on the remote 40 | devices as soon as possible. 41 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountGrantCommand.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | accountGrantCommand 3 | ==================== 4 | 5 | Grant access to a restricted command 6 | ==================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountGrantCommand --account ACCOUNT --command COMMAND 13 | 14 | .. program:: accountGrantCommand 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Bastion account to work on 20 | 21 | .. option:: --command COMMAND 22 | 23 | The name of the OSH plugin to grant (omit to get the list) 24 | 25 | 26 | Note that accountGrantCommand being a restricted command as any other, you can grant it to somebody else, 27 | but then they'll be able to grant themselves or anybody else to this or any other restricted command. 
A specific command that can be granted is ``auditor``; it is not an osh plugin per se, but it activates 30 | more verbose output for several other commands, which is suitable for auditing rights or grants without needing 31 | to be granted them yourself (e.g. to groups).
Their private counterpart should be held only by this account's user, 24 | so that they can authenticate themselves to this bastion.
option:: --account ACCOUNT 18 | 19 | Specify which account you want to remove the UNIX password of 20 | 21 | 22 | Note that if doesn't remove the account UNIX password requirement, if set (see ``accountModify`` for this) 23 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountMFAResetTOTP.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | accountMFAResetTOTP 3 | ==================== 4 | 5 | Remove the TOTP configuration of an account 6 | =========================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountMFAResetTOTP --account ACCOUNT 13 | 14 | .. program:: accountMFAResetTOTP 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Specify which account you want to remove the TOTP configuration of 20 | 21 | 22 | Note that if doesn't remove the TOTP requirement, if set (see ``accountModify`` for this). 23 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountRevokeCommand.rst: -------------------------------------------------------------------------------- 1 | ===================== 2 | accountRevokeCommand 3 | ===================== 4 | 5 | Revoke access to a restricted command 6 | ===================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountRevokeCommand --account ACCOUNT --command COMMAND 13 | 14 | .. program:: accountRevokeCommand 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Bastion account to work on 20 | 21 | .. 
option:: --command COMMAND 22 | 23 | The name of the OSH plugin to revoke access to (omit to get the list) 24 | 25 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountUnexpire.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | accountUnexpire 3 | ================ 4 | 5 | Unexpire an inactivity-expired account 6 | ====================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountUnexpire --account ACCOUNT 13 | 14 | .. program:: accountUnexpire 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Account to work on 20 | 21 | 22 | When the bastion is configured to expire accounts that haven't been seen in a while, 23 | this command can be used to activate them back. 24 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountUnfreeze.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | accountUnfreeze 3 | ================ 4 | 5 | Unfreeze a frozen account 6 | ========================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountUnfreeze --account ACCOUNT 13 | 14 | .. program:: accountUnfreeze 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Account to unfreeze 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/accountUnlock.rst: -------------------------------------------------------------------------------- 1 | ============== 2 | accountUnlock 3 | ============== 4 | 5 | Unlock an account locked by pam_tally, pam_tally2 or pam_faillock 6 | ================================================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh accountUnlock --account ACCOUNT 13 | 14 | .. 
program:: accountUnlock 15 | 16 | 17 | .. option:: --account ACCOUNT 18 | 19 | Account to work on 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/assetForgetHostKey.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | assetForgetHostKey 3 | =================== 4 | 5 | Remove the host key of a given asset from all accounts' known hosts 6 | =================================================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh assetForgetHostKey --host [--port ] 13 | 14 | .. program:: assetForgetHostKey 15 | 16 | 17 | .. option:: --host HOST|IP 18 | 19 | Asset whose host key should be removed 20 | 21 | .. option:: --port PORT 22 | 23 | Asset port serving SSH (default: 22) 24 | 25 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/groupDelete.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | groupDelete 3 | ============ 4 | 5 | Delete a group 6 | ============== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh groupDelete --group GROUP 13 | 14 | .. program:: groupDelete 15 | 16 | 17 | .. option:: --group GROUP 18 | 19 | Group name to delete 20 | 21 | .. option:: --no-confirm 22 | 23 | Skip group name confirmation, but blame yourself if you deleted the wrong group! 24 | 25 | 26 | This restricted command is able to delete any group. Group owners can however delete 27 | their own groups using the sibling `groupDestroy` command. 28 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/index.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | restricted plugins 3 | =================== 4 | 5 | .. 
toctree:: 6 | 7 | accountAddPersonalAccess 8 | accountCreate 9 | accountDelPersonalAccess 10 | accountDelete 11 | accountFreeze 12 | accountGeneratePassword 13 | accountGrantCommand 14 | accountInfo 15 | accountList 16 | accountListAccesses 17 | accountListEgressKeys 18 | accountListIngressKeys 19 | accountListPasswords 20 | accountMFAResetPassword 21 | accountMFAResetTOTP 22 | accountModify 23 | accountPIV 24 | accountRevokeCommand 25 | accountUnexpire 26 | accountUnfreeze 27 | accountUnlock 28 | assetForgetHostKey 29 | groupCreate 30 | groupDelete 31 | realmCreate 32 | realmDelete 33 | realmInfo 34 | realmList 35 | rootListIngressKeys 36 | selfAddPersonalAccess 37 | selfDelPersonalAccess 38 | whoHasAccessTo 39 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/realmCreate.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | realmCreate 3 | ============ 4 | 5 | Declare and create a new trusted realm 6 | ====================================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh realmCreate --realm REALM --from IP1,IP2 [OPTIONS] 13 | 14 | .. program:: realmCreate 15 | 16 | 17 | .. option:: --realm REALM 18 | 19 | Realm name to create 20 | 21 | .. option:: --comment STRING 22 | 23 | An optional comment when creating the realm. Double-quote if you're under a shell. 24 | 25 | .. option:: --from 26 | 27 | IP1,IP2 Comma-separated list of outgoing IPs used by the realm we're declaring (i.e. IPs used by the bastion(s) on the other side) 28 | 29 | the expected format is the one used by the from="" directive on SSH keys (IP and prefixes are supported) 30 | .. option:: --public-key KEY 31 | 32 | Public SSH key to deposit on the bastion to access this realm. If not present, 33 | 34 | you'll be prompted interactively for it. Use double-quoting if your're under a shell. 
35 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/realmDelete.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | realmDelete 3 | ============ 4 | 5 | Delete a bastion realm 6 | ====================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh realmDelete --realm REALM 13 | 14 | .. program:: realmDelete 15 | 16 | 17 | .. option:: --realm REALM 18 | 19 | Name of the realm to delete 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/realmInfo.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | realmInfo 3 | ========== 4 | 5 | Display information about a bastion realm 6 | ========================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh realmInfo --realm REALM 13 | 14 | .. program:: realmInfo 15 | 16 | 17 | .. option:: --realm REALM 18 | 19 | Name of the realm to show info about 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/realmList.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | realmList 3 | ========== 4 | 5 | List the bastions realms 6 | ======================== 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh realmList [--realm REALM] 13 | 14 | .. program:: realmList 15 | 16 | 17 | .. 
option:: --realm REALM 18 | 19 | Only list the specified realm (mainly: check if it exists) 20 | 21 | -------------------------------------------------------------------------------- /doc/sphinx/plugins/restricted/rootListIngressKeys.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | rootListIngressKeys 3 | ==================== 4 | 5 | List the public keys to connect as root on this bastion 6 | ======================================================= 7 | 8 | 9 | .. admonition:: usage 10 | :class: cmdusage 11 | 12 | --osh rootListIngressKeys 13 | 14 | .. program:: rootListIngressKeys 15 | 16 | 17 | This command is mainly useful for auditability purposes. 18 | As it gives some information as to who can be root on the underlying system, 19 | please grant this command only to accounts that need to have this information. 20 | -------------------------------------------------------------------------------- /doc/sphinx/presentation/principles.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | Principles 3 | ========== 4 | 5 | .. note:: 6 | Most of the principles of The Bastion are well explained in the **Part 2** of the blog post 7 | that announced the release. The links are below. 8 | 9 | - `Part 1 - Genesis `_ 10 | - `Part 2 - Delegation Dizziness `_ 11 | - `Part 3 - Security at the Core `_ 12 | - `Part 4 - A new era `_ 13 | -------------------------------------------------------------------------------- /doc/sphinx/using/basics/index.rst: -------------------------------------------------------------------------------- 1 | ========== 2 | The basics 3 | ========== 4 | 5 | This section explains the basics you need to know to work with the bastion. 6 | It's advised to go through all the subsections. 
7 | 8 | We make the assumption here that you already have a bastion account: 9 | 10 | - either you're one of the admins who just :doc:`installed<../../installation/basic>` it, or 11 | - one of the admins created an account for you, using :doc:`/plugins/restricted/accountCreate` 12 | 13 | .. toctree:: 14 | 15 | first_steps 16 | access_management 17 | -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/index.rst: -------------------------------------------------------------------------------- 1 | ============================== 2 | Specific SSH clients tutorials 3 | ============================== 4 | 5 | This section has a few howtos about using The Bastion with some specific SSH clients, 6 | mostly ones having a GUI, as the rest of the documentation assumes usage of the 7 | more widespread SSH CLI. 8 | 9 | .. toctree:: 10 | 11 | putty 12 | -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty1.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty10.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty2.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty3.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty4.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty5.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty6.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty7.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty7.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty8.png -------------------------------------------------------------------------------- /doc/sphinx/using/specific_ssh_clients_tutorials/putty9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/doc/sphinx/using/specific_ssh_clients_tutorials/putty9.png -------------------------------------------------------------------------------- /docker/Dockerfile.debian10: -------------------------------------------------------------------------------- 1 | FROM debian:buster 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 
's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . /opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 36 | -------------------------------------------------------------------------------- /docker/Dockerfile.debian11: -------------------------------------------------------------------------------- 1 | FROM debian:bullseye 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . 
/opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 36 | -------------------------------------------------------------------------------- /docker/Dockerfile.debian12: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . 
/opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 36 | -------------------------------------------------------------------------------- /docker/Dockerfile.rockylinux8: -------------------------------------------------------------------------------- 1 | FROM rockylinux:8 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] 15 | 16 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 17 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 18 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 19 | 20 | # at each modification of our code, we'll start from here thanks to build cache 21 | COPY . 
/opt/bastion 22 | 23 | # tests that the environment works 24 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 25 | 26 | # setup ssh/sshd config and setup bastion install 27 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 28 | 29 | # start at entrypoint 30 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 31 | 32 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 33 | -------------------------------------------------------------------------------- /docker/Dockerfile.rockylinux9: -------------------------------------------------------------------------------- 1 | FROM rockylinux:9 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] 15 | 16 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 17 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 18 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 19 | 20 | # at each modification of our code, we'll start from here thanks to build cache 21 | COPY . 
/opt/bastion 22 | 23 | # tests that the environment works 24 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 25 | 26 | # setup ssh/sshd config and setup bastion install 27 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 28 | 29 | # start at entrypoint 30 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 31 | 32 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 33 | -------------------------------------------------------------------------------- /docker/Dockerfile.tester: -------------------------------------------------------------------------------- 1 | FROM debian:bookworm 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # install prerequisites 5 | RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y jq netcat-traditional openssh-client procps bsdutils screen expect shellcheck libperl-critic-perl fping curl rsync 6 | 7 | # add our code 8 | COPY . /opt/bastion 9 | 10 | # start at entrypoint 11 | ENTRYPOINT /opt/bastion/tests/functional/docker/tester_role.sh 12 | -------------------------------------------------------------------------------- /docker/Dockerfile.ubuntu2004: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # 
disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . /opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 36 | -------------------------------------------------------------------------------- /docker/Dockerfile.ubuntu2204: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . 
/opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 36 | -------------------------------------------------------------------------------- /docker/Dockerfile.ubuntu2404: -------------------------------------------------------------------------------- 1 | FROM ubuntu:24.04 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # cache builds efficiently: just copy the scripts to install packages first 5 | COPY bin/admin/install-ttyrec.sh \ 6 | bin/admin/install-yubico-piv-checker.sh \ 7 | bin/admin/install-mkhash-helper.sh \ 8 | bin/admin/packages-check.sh \ 9 | /opt/bastion/bin/admin/ 10 | COPY lib/shell /opt/bastion/lib/shell/ 11 | RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] 12 | RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] 13 | RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] 14 | RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] 15 | 16 | # handle locales 17 | RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 18 | 19 | # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log 20 | RUN test -e /etc/syslog-ng/syslog-ng.conf && \ 21 | sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf 22 | 23 | # at each modification of our code, we'll start from here thanks to build cache 24 | COPY . 
/opt/bastion 25 | 26 | # tests that the environment works 27 | RUN ["/opt/bastion/bin/dev/perl-check.sh"] 28 | 29 | # setup ssh/sshd config and setup bastion install 30 | RUN ["/opt/bastion/bin/admin/install","--new-install"] 31 | 32 | # start at entrypoint 33 | ENTRYPOINT /opt/bastion/docker/entrypoint.sh 34 | 35 | # TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1 36 | -------------------------------------------------------------------------------- /docker/devenv/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:24.04 2 | LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" 3 | 4 | # temporarily copy code, just to be able to install packages 5 | COPY . /tmp/bastion 6 | 7 | # install packages including dev-required packages ('-d') 8 | RUN ["/tmp/bastion/bin/admin/packages-check.sh", "-i", "-d"] 9 | 10 | # install packages needed for documentation generation 11 | RUN ["apt-get", "install", "-y", "python3-sphinx", "python3-sphinx-rtd-theme", "make"] 12 | 13 | # get rid of the code now 14 | RUN ["rm", "-rf", "/tmp/bastion"] 15 | 16 | # create empty dir for volume mount 17 | RUN ["mkdir", "/opt/bastion"] 18 | 19 | # just sleep 20 | ENTRYPOINT /bin/sleep 9999d 21 | -------------------------------------------------------------------------------- /docker/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | # vim: set filetype=sh ts=4 sw=4 sts=4 et: 3 | if [ "$(uname -s)" = Linux ] ; then 4 | test -x /etc/init.d/ssh && /etc/init.d/ssh start 5 | test -x /etc/init.d/syslog-ng && /etc/init.d/syslog-ng start 6 | else 7 | # for BSD 8 | test -x /etc/rc.d/sshd && /etc/rc.d/sshd onestart 9 | fi 10 | 11 | if [ "$1" = "--sandbox" ]; then 12 | echo "The Bastion sandbox container is running, you can now connect to its port 22 (probably remapped to another port on the host)" 13 | fi 14 | while : ; do 15 | sleep 3600 16 | done 17 | -------------------------------------------------------------------------------- /etc/bastion/luks-config.sh.dist: -------------------------------------------------------------------------------- 1 | # This file will be sourced, IT MUST BE A VALID SHELL SCRIPT 2 | # 3 | DEV_ENCRYPTED=/dev/disk/by-id/dm-name-vg0-home 4 | UNLOCKED_NAME=home 5 | MOUNTPOINT=/home 6 | 7 | -------------------------------------------------------------------------------- /etc/bastion/osh-sync-watcher.rsyncfilter.dist: -------------------------------------------------------------------------------- 1 | - /home/oldkeeper/ 2 | - /home/logkeeper/ 3 | - /home/.*/ 4 | - /home/backup*/ 5 | - /home/admin/ 6 | - /home/bastionsync/ 7 | - /home/lost+found/ 8 | - /home/allowkeeper/activeLogin.json 9 | - /home/allowkeeper/maintenance 10 | 11 | + / 12 | 13 | + /etc/ 14 | + /etc/passwd 15 | + /etc/group 16 | + /etc/shadow 17 | + /etc/gshadow 18 | + /etc/sudoers.d/ 19 | + /etc/sudoers.d/osh-* 20 | + /etc/bastion/ 21 | + /etc/bastion/mfa-token.conf 22 | + /etc/ssh/ 23 | + /etc/ssh/ssh_host_*_key 24 | + /etc/ssh/ssh_host_*_key.pub 25 | - /etc/** 26 | 27 | + /home/ 28 | 29 | + /home/*/ttyrec/ 30 | - /home/*/ttyrec/** 31 | - /home/*/.bash* 32 | - /home/*/*.db 33 | - /home/*/*.sqlite 34 | - /home/*/*.sqlite-* 35 | - /home/*/*.log 36 | - /home/*/*.gz 37 | - /home/*/lastlog 38 | - /home/*/tmp/ 39 | - /home/*/.ssh/known_hosts 40 | 41 | + /home/*/*** 42 | 43 | - * 44 | 
-------------------------------------------------------------------------------- /etc/cron.d/osh-backup-acl-keys.dist: -------------------------------------------------------------------------------- 1 | # Backup locally critical files (keys, passwords, ACLs) 2 | %RANDOM1%0:59% %RANDOM2%3:23% * * * root /opt/bastion/bin/cron/osh-backup-acl-keys.sh >/dev/null 3 | -------------------------------------------------------------------------------- /etc/cron.d/osh-cleanup-guest-key-access.dist: -------------------------------------------------------------------------------- 1 | # Check each 5 minutes that we don't have dangling guests still having access to keys 2 | */5 * * * * root /opt/bastion/bin/cron/osh-cleanup-guest-key-access.pl >/dev/null 3 | -------------------------------------------------------------------------------- /etc/cron.d/osh-encrypt-rsync-ttyrec.dist: -------------------------------------------------------------------------------- 1 | # Encrypt ttyrecs, and move them to a remote location when needed 2 | %RANDOM1%0:59% %RANDOM2%3:23% * * * root /opt/bastion/bin/cron/osh-encrypt-rsync.pl >/dev/null 3 | -------------------------------------------------------------------------------- /etc/cron.d/osh-lingering-sessions-reaper.dist: -------------------------------------------------------------------------------- 1 | # detect lingering sessions (for >1 day) with nobody on the other side (no tty), and kill them 2 | 15 5 * * * root /opt/bastion/bin/cron/osh-lingering-sessions-reaper.sh >/dev/null 3 | -------------------------------------------------------------------------------- /etc/cron.d/osh-orphaned-homedir.dist: -------------------------------------------------------------------------------- 1 | # On slaves, remove sparse orphaned directories in /home due to deleted accounts/groups 2 | */5 * * * * root /opt/bastion/bin/cron/osh-orphaned-homedir.sh >/dev/null 3 | -------------------------------------------------------------------------------- 
/etc/cron.d/osh-piv-grace-reaper.dist: -------------------------------------------------------------------------------- 1 | # Check each 5 minutes that we don't have any expired grace period for PIV enforcement 2 | */5 * * * * root /opt/bastion/bin/cron/osh-piv-grace-reaper.pl >/dev/null 3 | -------------------------------------------------------------------------------- /etc/cron.d/osh-remove-empty-folders.dist: -------------------------------------------------------------------------------- 1 | # remove empty directories in /home/*/ttyrec/ so that we don't end up with hundreds of thousands of directories 2 | # a weekly run is way enough 3 | %RANDOM1%0:59% %RANDOM2%4:7% * * 1 root /opt/bastion/bin/cron/osh-remove-empty-folders.sh >/dev/null 4 | -------------------------------------------------------------------------------- /etc/cron.d/osh-rotate-ttyrec.dist: -------------------------------------------------------------------------------- 1 | # Send a signal SIGUSR1 every day, to force rotation of ttyrec log 2 | 31 5 * * * root /opt/bastion/bin/cron/osh-rotate-ttyrec.sh >/dev/null 3 | # And to big ttyrec files to ensure a user cat'ing /dev/urandom won't fill up our drives 4 | */3 * * * * root /opt/bastion/bin/cron/osh-rotate-ttyrec.sh --big-only >/dev/null 5 | -------------------------------------------------------------------------------- /etc/logrotate.d/osh-backup-acl-keys.dist: -------------------------------------------------------------------------------- 1 | /var/log/bastion/osh-backup-acl-keys.log { 2 | notifempty 3 | missingok 4 | rotate 12 5 | monthly 6 | compress 7 | delaycompress 8 | create 0600 root root 9 | } 10 | 11 | -------------------------------------------------------------------------------- /etc/logrotate.d/osh-encrypt-rsync.dist: -------------------------------------------------------------------------------- 1 | /var/log/bastion/osh-encrypt-rsync.log { 2 | notifempty 3 | missingok 4 | rotate 12 5 | weekly 6 | compress 7 | delaycompress 8 | 
create 0600 root root 9 | } 10 | 11 | -------------------------------------------------------------------------------- /etc/logrotate.d/osh-http-proxy.dist: -------------------------------------------------------------------------------- 1 | /home/proxyhttp/access.log { 2 | notifempty 3 | missingok 4 | rotate 52 5 | weekly 6 | compress 7 | copytruncate 8 | dateext 9 | } 10 | 11 | -------------------------------------------------------------------------------- /etc/logrotate.d/osh-sync-watcher.dist: -------------------------------------------------------------------------------- 1 | /var/log/bastion/osh-sync-watcher.log { 2 | notifempty 3 | missingok 4 | rotate 52 5 | weekly 6 | compress 7 | create 0600 root root 8 | } 9 | 10 | -------------------------------------------------------------------------------- /etc/logrotate.d/osh-syslog.dist: -------------------------------------------------------------------------------- 1 | /var/log/bastion/bastion*.log { 2 | notifempty 3 | missingok 4 | rotate 365 5 | daily 6 | compress 7 | delaycompress 8 | create 0640 root adm 9 | dateext 10 | sharedscripts 11 | postrotate 12 | invoke-rc.d syslog-ng reload > /dev/null 13 | endscript 14 | } 15 | 16 | -------------------------------------------------------------------------------- /etc/pam.d/sshd.freebsd: -------------------------------------------------------------------------------- 1 | # PAM configuration for the Secure Shell service 2 | 3 | auth optional pam_echo.so Your account has Multi-Factor Authentication enabled, an additional authentication factor is required (password). 
4 | auth optional pam_exec.so capture_stdout /opt/bastion/bin/shell/pam_exec_pwd_info.sh 5 | auth required pam_unix.so 6 | 7 | account required pam_nologin.so 8 | account required pam_login_access.so 9 | account required pam_unix.so 10 | 11 | session required pam_permit.so 12 | 13 | password required pam_unix.so no_warn try_first_pass 14 | -------------------------------------------------------------------------------- /etc/profile.d/luks-info.sh: -------------------------------------------------------------------------------- 1 | CONFIGFILE=/etc/bastion/luks-config.sh 2 | if [ -r $CONFIGFILE ] ; then 3 | . $CONFIGFILE 4 | if [ -n "$MOUNTPOINT" ] ; then 5 | export PROMPT_COMMAND="test -e $MOUNTPOINT/allowkeeper && LUKSINFO= || LUKSINFO='<>'" 6 | PS1='$LUKSINFO'"$PS1" 7 | fi 8 | fi 9 | 10 | 11 | -------------------------------------------------------------------------------- /etc/selinux/the-bastion.pp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ovh/the-bastion/2851d6f42c2afd31e7d578720bb1f33105b4ec95/etc/selinux/the-bastion.pp -------------------------------------------------------------------------------- /etc/selinux/the-bastion.te: -------------------------------------------------------------------------------- 1 | module the-bastion 1.0; 2 | 3 | require { 4 | type var_t; 5 | type sshd_t; 6 | type user_home_t; 7 | type user_home_dir_t; 8 | class file { create getattr rename setattr unlink open read write }; 9 | } 10 | 11 | # needed for user TOTP (~/.totp and ~/.totp~XXXXXX temporary file) 12 | allow sshd_t user_home_dir_t:file { create getattr rename setattr unlink open read write }; 13 | allow sshd_t user_home_t:file unlink; 14 | # needed for root TOTP (/var/otp/root and /var/otp/root~XXXXXX temporary file) 15 | allow sshd_t var_t:file { create getattr rename setattr unlink open read write }; 16 | -------------------------------------------------------------------------------- 
/etc/ssh/banner: -------------------------------------------------------------------------------- 1 | *------------------------------------------------------------------------------* 2 | |THIS IS A PRIVATE COMPUTER SYSTEM, UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.| 3 | |ALL CONNECTIONS ARE LOGGED. IF YOU ARE NOT AUTHORIZED, DISCONNECT NOW. | 4 | *------------------------------------------------------------------------------* 5 | -------------------------------------------------------------------------------- /etc/sudoers.account.template.d/100-header.sudoers: -------------------------------------------------------------------------------- 1 | ## sudoers file for account %ACCOUNT% 2 | -------------------------------------------------------------------------------- /etc/sudoers.account.template.d/500-base.sudoers: -------------------------------------------------------------------------------- 1 | # I need to be able to set my own UNIX account password 2 | %ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env perl -T %BASEPATH%/bin/helper/osh-selfMFASetupPassword --account %ACCOUNT% --step ? 
3 | # I need to be able to enroll TOTP 4 | %ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env perl -T %BASEPATH%/bin/helper/osh-selfMFASetupTOTP --account %ACCOUNT% 5 | # I need to be able to reset my own UNIX account password and TOTP 6 | %ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env perl -T %BASEPATH%/bin/helper/osh-accountMFAResetPassword --account %ACCOUNT% 7 | %ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env perl -T %BASEPATH%/bin/helper/osh-accountMFAResetTOTP --account %ACCOUNT% 8 | -------------------------------------------------------------------------------- /etc/sudoers.account.template.d/600-pamtester.freebsd.sudoers: -------------------------------------------------------------------------------- 1 | # under FreeBSD, non-root accounts can't read /etc/spwd.db and there's no helper for pam_unix.so to authenticate users 2 | %ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env pamtester sshd %ACCOUNT% authenticate 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-bastion-config: -------------------------------------------------------------------------------- 1 | Defaults env_keep += "PLUGIN_DEBUG OSH_DEBUG ANSI_COLORS_DISABLED UNIQID OSH_KBD_INTERACTIVE OSH_IP_FROM SSH_CONNECTION" 2 | 3 | User_Alias SUPEROWNERS = %osh-admin, %osh-superowner 4 | 5 | # Prevent arbitrary code execution as your user when sudoing to another 6 | # user due to TTY hijacking via TIOCSTI ioctl. 
7 | Defaults use_pty 8 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-bastion-http-proxy: -------------------------------------------------------------------------------- 1 | Defaults:proxyhttp env_keep += "PROXY_POST_DATA PROXY_ACCOUNT_PASSWORD REMOTE_ADDR REMOTE_PORT SERVER_ADDR SERVER_PORT REQUEST_URI HTTP_USER_AGENT" 2 | 3 | proxyhttp ALL=(%bastion-users) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/proxy/osh-http-proxy-worker * 4 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-bastion-sync: -------------------------------------------------------------------------------- 1 | bastionsync ALL=(root) NOPASSWD: /usr/bin/rsync --server * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountCreate: -------------------------------------------------------------------------------- 1 | %osh-accountCreate ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountCreate --type normal * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountDelete: -------------------------------------------------------------------------------- 1 | %osh-accountDelete ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountDelete --type normal * 2 | %osh-realmDelete ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountDelete --type realm * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountFreezeToggle: -------------------------------------------------------------------------------- 1 | %osh-accountFreeze ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountFreezeToggle --action freeze --account * 2 | %osh-accountUnfreeze ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T 
/opt/bastion/bin/helper/osh-accountFreezeToggle --action unfreeze --account * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountGeneratePassword: -------------------------------------------------------------------------------- 1 | # to be able to generate an egress password for accounts 2 | %osh-accountGeneratePassword ALL=(%bastion-users) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountGeneratePassword * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountGetPasswordInfo: -------------------------------------------------------------------------------- 1 | %osh-auditor ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountGetPasswordInfo * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountKillSessions: -------------------------------------------------------------------------------- 1 | %osh-accountFreeze ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountKillSessions * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountListEgressKeys: -------------------------------------------------------------------------------- 1 | %osh-accountListEgressKeys ALL=(keyreader) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountListEgressKeys * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountListIngressKeys: -------------------------------------------------------------------------------- 1 | %osh-accountListIngressKeys ALL=(keyreader) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountListIngressKeys * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountListPasswords: 
-------------------------------------------------------------------------------- 1 | %osh-accountListPasswords ALL=(%bastion-users) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountListPasswords * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountMFAResetPassword: -------------------------------------------------------------------------------- 1 | %osh-accountMFAResetPassword ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountMFAResetPassword --account * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountMFAResetTOTP: -------------------------------------------------------------------------------- 1 | %osh-accountMFAResetTOTP ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountMFAResetTOTP --account * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountModify: -------------------------------------------------------------------------------- 1 | # modify parameters/policy of an account 2 | %osh-accountModify ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModify * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountModifyCommand: -------------------------------------------------------------------------------- 1 | # grant access to a command 2 | %osh-accountGrantCommand ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyCommand --action grant * 3 | # revoke access to a command 4 | %osh-accountRevokeCommand ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyCommand --action revoke * 5 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountModifyPersonalAccess: 
-------------------------------------------------------------------------------- 1 | %osh-selfAddPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target self --action add * 2 | %osh-accountAddPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target any --action add * 3 | %osh-selfDelPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target self --action del * 4 | %osh-accountDelPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target any --action del * 5 | 6 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountPIV: -------------------------------------------------------------------------------- 1 | # modify PIV policy of an account 2 | %osh-accountPIV ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountPIV --step 1 --account * 3 | %osh-accountPIV ALL=(%bastion-users) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountPIV --step 2 --account * 4 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountUnexpire: -------------------------------------------------------------------------------- 1 | %osh-accountUnexpire ALL=(%bastion-users) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountUnexpire * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-accountUnlock: -------------------------------------------------------------------------------- 1 | %osh-accountUnlock ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountUnlock * 2 | -------------------------------------------------------------------------------- 
/etc/sudoers.d/osh-plugin-adminMaintenance: -------------------------------------------------------------------------------- 1 | # to be able to set/remove maintenance mode 2 | %osh-admin ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-adminMaintenance * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-adminSudo: -------------------------------------------------------------------------------- 1 | %osh-admin ALL=(ALL) NOPASSWD:/usr/bin/env perl /opt/bastion/bin/shell/osh.pl -c * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-assetForgetHostKey: -------------------------------------------------------------------------------- 1 | # to modify all accounts' known_hosts we need to be root 2 | %osh-assetForgetHostKey ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-assetForgetHostKey * 3 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-groupCreate: -------------------------------------------------------------------------------- 1 | %osh-groupCreate ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-groupCreate * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-groupDelete: -------------------------------------------------------------------------------- 1 | %osh-groupDelete ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-groupDelete * 2 | -------------------------------------------------------------------------------- /etc/sudoers.d/osh-plugin-realmCreate: -------------------------------------------------------------------------------- 1 | %osh-realmCreate ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountCreate --type realm * 2 | -------------------------------------------------------------------------------- 
/etc/sudoers.d/osh-plugin-rootListIngressKeys: -------------------------------------------------------------------------------- 1 | %osh-rootListIngressKeys ALL=(root) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountListIngressKeys --account root --all-files 2 | -------------------------------------------------------------------------------- /etc/sudoers.group.template.d/100-header.sudoers: -------------------------------------------------------------------------------- 1 | ## sudoers file for group %GROUP% 2 | -------------------------------------------------------------------------------- /etc/systemd/osh-http-proxy.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OVH::Bastion HTTP Proxy daemon 3 | 4 | [Service] 5 | ExecStart=/opt/bastion/bin/proxy/osh-http-proxy-daemon 6 | KillMode=process 7 | Restart=on-failure 8 | RestartSec=5s 9 | User=proxyhttp 10 | Group=proxyhttp 11 | 12 | [Install] 13 | WantedBy=multi-user.target 14 | -------------------------------------------------------------------------------- /etc/systemd/osh-sync-watcher.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OVH::Bastion master-slave synchronization daemon 3 | 4 | [Service] 5 | ExecStart=/opt/bastion/bin/admin/osh-sync-watcher.sh 6 | KillMode=process 7 | Restart=on-failure 8 | RestartSec=5s 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /install/modules/README: -------------------------------------------------------------------------------- 1 | This directory may contain optional modules in the form of other directories 2 | containing at least an executable file named "install", which will be called 3 | by the main installation script of the bastion, if present. 
4 | -------------------------------------------------------------------------------- /lib/shell/colors.inc: -------------------------------------------------------------------------------- 1 | # vim: set filetype=sh ts=4 sw=4 sts=4 et: 2 | # shellcheck shell=bash 3 | # shellcheck disable=SC2034 4 | 5 | RED=$(printf "%b" '\033[31m') 6 | GREEN=$(printf "%b" '\033[32m') 7 | YELLOW=$(printf "%b" '\033[33m') 8 | BLUE=$(printf "%b" '\033[34m') 9 | MAGENTA=$(printf "%b" '\033[35m') 10 | CYAN=$(printf "%b" '\033[36m') 11 | LIGHTGRAY=$(printf "%b" '\033[37m') 12 | DARKGRAY=$(printf "%b" '\033[90m') 13 | 14 | BOLD_CYAN=$(printf "%b" '\033[1;36m') 15 | 16 | WHITE_ON_RED=$(printf "%b" '\033[41m') 17 | WHITE_ON_BLUE=$(printf "%b" '\033[44m') 18 | BLACK_ON_GREEN=$(printf "%b" '\033[30m\033[42m') 19 | BLACK_ON_RED=$(printf "%b" '\033[1;30m\033[41m') 20 | 21 | NOC=$(printf "%b" '\033[0m') 22 | -------------------------------------------------------------------------------- /tests/functional/fake_ttyrec.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | # vim: set filetype=sh ts=4 sw=4 sts=4 et: 3 | # shellcheck disable=SC2046 4 | set -- $(getopt -o 'ZcCupVhvanf:z:d:t:T:k:s:e:l:F:' -l "zstd,level:,verbose,append,cheatcodes,no-cheatcodes,shell-cmd:,dir:,output:,uuid:,no-openpty,lock-timeout:,kill-timeout:,msg:,count-bytes,term:,version,help,zstd-try,max-flush-time:,name-format:" -- "$@") 5 | while [ "$1" != "--" ]; do 6 | if [ "$1" = "-V" ]; then 7 | echo "fake-ttyrec v1.1.7.0" 8 | exit 0 9 | fi 10 | shift 11 | done 12 | shift 13 | eval "$*" 14 | -------------------------------------------------------------------------------- /tests/functional/tests.d/380-config-options.sh: -------------------------------------------------------------------------------- 1 | # vim: set filetype=sh ts=4 sw=4 sts=4 et: 2 | # shellcheck shell=bash 3 | # shellcheck disable=SC2317,SC2086,SC2016,SC2046 4 | # below: convoluted way that forces shellcheck to source our caller 5 | # shellcheck source=tests/functional/launch_tests_on_instance.sh 6 | . "$(dirname "${BASH_SOURCE[0]}")"/dummy 7 | 8 | testsuite_config_options() 9 | { 10 | configchg 's=^\\\\x22dnsSupportLevel\\\\x22.+=\\\\x22dnsSupportLevel\\\\x22:0,=' 11 | 12 | run a1_connect_nodns $a0 localhost 13 | retvalshouldbe 132 14 | json .error_code KO_DNS_DISABLED 15 | contain 'DNS resolving is disabled' 16 | } 17 | 18 | testsuite_config_options 19 | unset -f testsuite_config_options 20 | -------------------------------------------------------------------------------- /tests/functional/tests.d/dummy: -------------------------------------------------------------------------------- 1 | # empty file 2 | -------------------------------------------------------------------------------- /tests/unit/run-tests.pl: -------------------------------------------------------------------------------- 1 | #! 
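#!/usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
#
# Unit test runner: collects every tests/*.t that sits next to this script and
# runs it through TAP::Harness. The exit status is 0 only when the harness
# reports that every test passed, so CI can key directly off it.
use common::sense;
use TAP::Harness;
use File::Glob qw{ bsd_glob };

use FindBin qw{ $RealDir };

# bsd_glob() rather than glob(): the default csh-style glob splits its pattern
# on whitespace, so a checkout path containing a space would silently match
# nothing instead of the test files.
my @testfiles = bsd_glob("$RealDir/tests/*.t");
print "Got " . @testfiles . " unit test files to run:\n";

# Finding no test files at all (wrong working tree, mis-installed checkout) is
# an error in its own right; fail loudly here instead of relying on how the
# harness treats an empty list, so a vacuous run can never look like a green one.
if (!@testfiles) {
    print STDERR "No unit test files found under $RealDir/tests/, aborting\n";
    exit 1;
}

my $harness = TAP::Harness->new(
    {
        verbosity => 0,    # default TAP output; individual failures are still shown below
        failures  => 1,    # print details for failed tests only
        color     => 1,
    }
);

# all_passed() folds the aggregated results into one boolean; map it to a
# process exit status for callers and CI.
exit($harness->runtests(@testfiles)->all_passed ? 0 : 1);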