ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-10 17:30:51 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/bin/plugin/restricted/accountGeneratePassword

84 lines
3.1 KiB
Text
Raw Normal View History

Initial commit
2020-10-16 00:32:37 +08:00
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::generatePassword;
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "generating a new egress password for the account",
options => {
"size=i" => \my $size,
"account=s" => \my $account,
"do-it" => \my $doIt,
},
helptext => <<'EOF'
Generate a new egress password for an account
Usage: --osh SCRIPT_NAME --account ACCOUNT [--size SIZE] --do-it
--account ACCOUNT Specify which account you want to generate a password for
--size SIZE Specify the number of characters of the password to generate
--do-it Required for the password to actually be generated, BEWARE: please read the note below
This plugin generates a new egress password to be used for ssh or telnet
NOTE: this is only needed for devices that don't support key-based SSH,
in most cases you should ignore this command completely, unless you
know that devices you need to access only support telnet or password-based SSH.
BEWARE: once a new password is generated this way, it'll be set as the new
egress password to use right away for the account, for any access that requires it.
A fallback mechanism exists that will auto-try the previous password if this one
doesn't work, but please ensure that this new password is deployed on the remote
devices as soon as possible.
EOF
);
# code
my $fnret;
$size = 16 if not defined $size;
if (not $account) {
help();
osh_exit 'ERR_MISSING_PARAMETER', "Expected an --account argument";
}
$fnret = OVH::Bastion::Plugin::generatePassword::preconditions(self => $self, context => 'account', account => $account, size => $size);
$fnret or osh_exit($fnret);
# get returned untainted value
$account = $fnret->value->{'account'};
$fnret = OVH::Bastion::plugin_config(plugin => $scriptName, key => "minPasswordSize");
if ($fnret && $fnret->value && $size < $fnret->value) {
osh_exit('ERR_INVALID_PARAMETER', "The minimum allowed password size defined by policy is " . $fnret->value . " characters, you asked only $size");
}
if (not $doIt) {
help();
osh_exit('ERR_MISSING_PARAMETER', "Missing mandatory parameter: please read the BEWARE note above.");
}
my @command = qw{ sudo -n -u };
push @command, $account;
push @command, qw{ -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountGeneratePassword';
push @command, "--account", $account, "--size", $size;
$fnret = OVH::Bastion::helper(cmd => \@command);
$fnret or osh_exit($fnret);
osh_info "Generated a new password of length $size for account $account, hashes follow:";
osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
osh_info "This new password will now be used by default.";
osh_exit $fnret;
Reference in a new issue Copy permalink