# DESC: this will be the name advertised in the aliases admins will give to bastion users, you can see it as a friendly name everybody will use to refer to this machine (try to avoid using the full hostname here)
# DESC: the ssh command to launch to connect to this bastion as a user. This will be printed on accountCreate, so that the new user knows how to connect. Magic values are ACCOUNT (replaced at runtime by the account name), BASTIONNAME (replaced at runtime by the name defined in `bastionName'), HOSTNAME (replaced at runtime by the hostname of the system, namely what is returned by `perl -MSys::Hostname -e 'print hostname'`). Note that previous magic values where USER (=ACCOUNT) and CACHENAME (=BASTIONNAME), they're still supported.
# DEFAULT: ssh USER@HOSTNAME -t --
"bastionCommand": "ssh USER@HOSTNAME -t -- ",
#
# debug (boolean-int, i.e. 0 or 1)
# DESC: enables or disables debug GLOBALLY. Discouraged. Prefer using the dev/debug_toggle.sh tool to enable/disable per account. Mostly useful for bastion developer on bastion dev machine only.
# DEFAULT: 0
"debug": 0,
#
# defaultLogin (string)
# DESC: The default remote user to use for egress ssh connections where no user has been specified by our caller. If set to "", will default to the account name of the caller. Some legacy bastions had "root" as a default, which is somehow discouraged but depends on your infrastructure policy.
# DEFAULT: ""
"defaultLogin": "",
#
# adminAccounts (list of accounts names), deprecated alias: adminLogins
# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Rule of thumb: only add here people that have root@localhost access to the bastion
# DESC: The list of accounts that are considered as "Super Group Owners". They can run all group administrative commands, exactly as if they were owners of all the groups. Super Owners are only here as a last resort when the owners/gatekeepers/aclkeepers of a group are not available. Every command run by a Super Owner that would have failed if the account was not a Super Owner is logged explicitly as "Super Owner Override". You can see it as a "sudo" for group management. Don't add here accounts that are bastion Admins, they already inherit the Super Owner role.
# DESC: Restricts egress connection attempts to those listed networks only. This is enforced at all times and can NOT be overridden by users. It's probably a good idea to list the prefixes of your ASN here.
# DEFAULT: empty, which means no restriction
"allowedNetworks": [],
#
# forbiddenNetworks (list of IPs and/or prefixes)
# DESC: Prevents egress connection to the listed networks, even if they match configured allowed networks. This can be used to prevent connection to some hosts or subnets in a broadly allowed prefix. This is enforced at all times and can NOT be overridden by users.
# DEFAULT: empty, which means no restriction
"forbiddenNetworks": [],
#
# ingressToEgressRules (array of arrays of rules, a rule being a 3-uple of {array, array, string})
# DESC: Fine-grained rules (a la netfilter) to apply global restrictions to possible egress destinations given ingress IPs. Rules here are enforced at all times and can NOT be overridden by users or admins.
# DETAILS: A rule is a 3-uple of {array of ingress networks, array of egress networks, policy to apply}.
# Each rule will be processed IN ORDER. The first rule to match will be applied and no other rule will be checked.
# If no rule matches, the default is to apply no restriction.
# The "policy to apply" item can have 3 values:
# - ALLOW, which means that if the ingress IP matches one of the ingress networks specified in the rule, and the egress IP matches one of the egress networks specified, no restriction will be applied (all rights-check of groups and personal accesses still apply)
# - DENY, which means that if the ingress IP matches one of the ingress networks specified in the rule, and the egress IP matches one of the egress networks specified, access will be denied even before checking any group or personal accesses
# - ALLOW-EXCLUSIVE, which means that if the ingress IP matches one of the ingress networks specified in the rule, but the egress IP DOES NOT match any of the egress network specified, access will be denied. Access will still be allowed if the egress IP matches one of the egress networks specified. This is an easy way to exclusively allow a list of egress networks given a list of ingress networks, and deny any other access otherwise, for those ingress networks.
# - All the other networks can access any other network (including egress 10.20.0.0/16 or egress 192.168.0.0/16)
# In any case, all the personal and group accesses still apply in addition to these global rules
"ingressToEgressRules": [],
#
# egressKeysFrom (list of IPs and/or prefixes), deprecated alias: personalKeyFrom
# DESC: These IPs will be added to the from="..." of the personal account keys and the group keys. Typically you want to specify only the bastions IP here (including all the slaves).
# DEFAULT: if NOT set at all or set to the empty array, will default to autodetection at runtime (legacy behavior, discouraged)
"egressKeysFrom": [],
#
# ingressKeysFrom (list of IPs and/or prefixes), deprecated alias: ipWhiteList
# DESC: This array of IPs (or prefixes, such as 10.20.30.0/24) will be used to build the from="" in front of the ingress account public keys used to connect to the bastion (in accountCreate or selfAddIngressKey). If the array is empty, then NO from="" is added.
# DEFAULT: []
"ingressKeysFrom": [],
#
# ingressKeysFromAllowOverride (boolean-int, i.e. 0 or 1), aliases: ipWhiteListAllowOverride (deprecated)
# DESC: If set to 0 (false), any from="..." specified in user keys (selfAddIngressKey or accountCreate) are ignored and replaced by the IPs in the ingressKeysFrom configuration option (if any).
# If set to 1 (true), any from="..." specified in user keys (selfAddIngressKey or accountCreate) will override the value set in ingressKeysFrom (if any). When no user-specified from="..." appears, the value of ingressKeysFrom is still used, regardless of this option.
# DEFAULT: 0
"ingressKeysFromAllowOverride": 1,
#
# accountUidMin (int)
# DESC: minimum allowed UID for accounts on this bastion. Hardcoded > 1000 even if configured for less
# DEFAULT: 2000
"accountUidMin": 2000,
#
# accountUidMax (int)
# DESC: maximum allowed UID for accounts on this bastion.
# DEFAULT: 99999
"accountUidMax": 99999,
#
# ttyrecGroupIdOffset (int)
# DESC: offset to apply on user group uid to create -tty group, should be > accountUidMax
# DEFAULT: 100000
"ttyrecGroupIdOffset": 100000,
#
# accountExternalValidationProgram (path to a binary)
# DESC: Binary or script that will be called by the bastion, with the account name in parameter, to check whether this account should be allowed to connect to the bastion. If empty, this check is skipped. $BASEDIR is a magic value that is replaced by where the bastion code lives (usually, /opt/bastion). You can use this configuration parameter to counter-verify all accounts against an external system, for example an LDAP, right when they're connecting to the bastion (on the ingress side). However, it is advised to avoid calling an external system in the flow of an incoming connection (this violates the "the bastion must be working at all times, regardless of the status of the other components of the company's infrastructure" rule). Instead, you should have a cronjob to periodically fetch all the allowed accounts from said external system, and store this list somewhere on the bastion, then write a simple script that will be called by the bastion to verify whether the connecting account is present on this locally cached list. An account present in this list, is called an "active account", in the bastion's jargon. An inactive account is an account existing on the bastion, but not in this list, and won't be able to connect. Note that for security reasons, inactive bastions administrators would be denied as any other account. The result is interpreted from the program's exit code. If the program return 0, the account is deemed active. If the program returns 1, the account is deemed inactive. A return code of 2, 3 or 4 indicates a failure of the program in determining the activeness of the account. In this case, the decision to allow or deny the access is determined by the option below. Status code 3 additionally logs the stderr of the program *silently* to the syslog (this can be used to warn admins of a problem without leaking information to the user). Status code 4 does the same, but the stderr is also shown directly to the user. Any other return code deems the account inactive (same behavior that return code 1).
# DESC: If we can't validate an account using the above configured program, for example because the path doesn't exist, the file is not executable, or because the program returns the exit code 4 (see above for more information), this configuration option indicates whether we should deny or allow access. Note that the bastion admins will always be allowed if the accountExternalValidationProgram doesn't work correctly, because they're expected to be able to fix it. They would be denied, as any other account, if accountExternalValidationProgram works correctly and denies them access, however. If you're still testing your account validation procedure, and don't want to break your users workflow while you're not 100% sure it works correctly, you can say 0 ("false") here, and return 4 instead of 1 in your accountExternalValidationProgram when you would want to deny access.
# DESC: List of accounts which should NOT be checked against the accountExternalValidationProgram mechanism above (for example bot accounts). This can also be set per-account at account creation time or later with the accountModify plugin's '--always-active' flag.
# DEFAULT: []
"alwaysActiveAccounts": [],
#
# allowedIngressSshAlgorithms (array of algorithm names), deprecated alias: allowedSshAlgorithms
# DESC: the algorithms authorized for ingress ssh public keys added to this bastion. possible values: dsa, rsa, ecdsa, ed25519, note that some of those might not be supported by your current version of OpenSSH, unsupported algorithms are automatically omitted at runtime
# allowedEgressSshAlgorithms (array of algorithm names), deprecated alias: allowedSshAlgorithms
# aliases: allowedSshAlgorithms (deprecated)
# DESC: the algorithms authorized for egress ssh public keys generated on this bastion. possible values: dsa, rsa, ecdsa, ed25519, note that some of those might not be supported by your current version of OpenSSH, unsupported algorithms are automatically omitted at runtime
# DESC: The minimum allowed size for ingress RSA keys (user->bastion). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumIngressRsaKeySize": 4096,
#
# maximumIngressRsaKeySize (int)
# DESC: The maximum allowed size for ingress RSA keys (user->bastion). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
# DESC: The minimum allowed size for egress RSA keys (bastion->server). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumEgressRsaKeySize": 4096,
#
# maximumEgressRsaKeySize (int)
# DESC: The maximum allowed size for ingress RSA keys (bastion->server). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
# DEFAULT: 8192
"maximumEgressRsaKeySize": 8192,
#
# defaultAccountEgressKeyAlgorithm (string)
# DESC: the default algorithm to use to create the egress key of a newly created account
# DEFAULT: rsa
"defaultAccountEgressKeyAlgorithm": "rsa",
#
# defaultAccountEgressKeySize (int)
# DESC: the default size to use to create the egress key of a newly created account (also see defaultAccountEgressKeyAlgorithm)
# DEFAULT: 4096
"defaultAccountEgressKeySize": 4096,
#
# sshClientHasOptionE (boolean-int, i.e. 0 or 1)
# DESC: Set to 1 if your ssh client supports the -E option and you want to use it to log debug info on opened sessions. Discouraged, has some annoying side effects (some ssh errors then go silent from the user perspective)
# DEFAULT: 0
"sshClientHasOptionE": 0,
#
# sshClientDebugLevel (int, 0 to 3)
# DESC: Indicates the number of -v that will be added to the ssh client command line when starting a session. Probably a bad idea unless you want to annoy your users.
# DEFAULT: 0
"sshClientDebugLevel": 0,
#
# displayLastLogin (int)
# DESC: If != 0, display last login information on connection.
# DEFAULT: 1
"displayLastLogin": 1,
#
# accountMaxInactiveDays (int)
# DESC: If != 0, deny access to accounts that didn't log in since at least that many days. A value of 0 means that this functionality is disabled (will never deny access).
# DEFAULT: 0
"accountMaxInactiveDays": 0,
#
# accountExpiredMessage (string)
# DESC: If non-empty, customizes the message that will be printed to a user attempting to connect with an expired account (see accountMaxInactiveDays above). When empty, defaults to the standard message "Sorry, but your account has expired (#DAYS# days), access denied by policy.".
# DEFAULT: ""
"accountExpiredMessage": "",
#
# accountCreateSupplementaryGroups (array)
# DESC: List of groups to add a new account to. Can be useful to grant some restricted commands by default to new accounts. For example osh-selfAddPersonalAccess, osh-selfDelPersonalAccess, etc.
# DEFAULT: []
"accountCreateSupplementaryGroups": [],
#
# accountCreateDefaultPersonalAccesses (list of IPs and/or prefixes), deprecated alias: accountCreateDefaultPrivateAccesses
# DESC: List of strings of the form USER@IP or USER@IP:PORT or IP or IP:PORT, with IP being IP or prefix (such as 1.2.3.0/24). This is the list of accesses to add to the personal access list of newly created accounts. The special value ACCOUNT is replaced by the name of the account being created. This can be useful to grant some accesses by default to new accounts (for example ACCOUNT@0.0.0.0/0)
# DEFAULT: []
"accountCreateDefaultPersonalAccesses": [],
#
# accountMFAPolicy (enum)
# DESC: Set a MFA policy for the bastion accounts, see OPTIONS below for the supported policies list
# DEFAULT: enabled
# OPTIONS:
# disabled: the commands to setup TOTP and UNIX account password are disabled, nobody can setup MFA for himself or others. Already configured MFA still applies, unless the sshd configuration is modified to no longer call PAM on the authentication phase
# password-required: for all accounts, a UNIX account password is required in addition to the ingress SSH public key. On first connection with his SSH key, the user is forced to setup a password for his account, and can't disable it afterwards
# totp-required: for all accounts, a TOTP is required in addition to the ingress SSH public key. On first connection with his SSH key, the user is forced to setup a TOTP for his account, and can't disable it afterwards
# any-required: for all accounts, either a TOTP or an UNIX account password is required in addition to the ingress SSH public key. On first connection with his SSH key, the user is forced to setup either of those, as he sees fit, and can't disable it afterwards
# enabled: for all accounts, TOTP and UNIX account password are available as opt-in features as the users see fit. Some accounts can be forced to setup either TOTP or password-based MFA if they're flagged accordingly (with the accountModify command)
"accountMFAPolicy": "enabled",
#
# MFAPasswordMinDays (int >= 0)
# DESC: For the PAM UNIX password MFA, sets the minimum amount of days between two password changes (see `chage -m')
# DEFAULT: 0
"MFAPasswordMinDays": 0,
#
# MFAPasswordMaxDays (int >= 0)
# DESC: For the PAM UNIX password MFA, sets the maximum amount of days after which the password must be changed (see `chage -M')
# DESC: For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password (see `chage -W')
# DESC: For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days (see `chage -E'). -1 disables this feature. Note that this is different from the accountMaxInactiveDays option above, that is handled by the bastion software itself instead of PAM
# DEFAULT: -1
"MFAPasswordInactiveDays": -1,
#
# MFAPostCommand (string)
# DESC: When using JIT MFA (i.e. not directly by calling PAM from SSHD's configuration, but using pamtester from within the code), execute this command on success.
# This can be used for example if you're using pam_tally2 in your PAM MFA configuration, pamtester can't reset the counter to zero because this is usually done in the account_mgmt PAM phase. You can use a script to reset it here.
# The magic value %ACCOUNT% will be replaced by the account name.
# DESC: If set to 0, will not escape simple quotes in remote commands by default. Leave it to 0 if possible. Will escape simple quotes otherwise (legacy "broken" behavior). Can be overridden at runtime with --never-escape and --always-escape
# DESC: If set to 0, this bastion will work in standalone mode, or will be the master in a master/slave mode. If set to 1, this'll be the slave which means all plugins that modify groups, accounts, or access rights will be disabled, and the master bastion will push its modifications using inotify/rsync, please refer do the documentation to set this up
# DEFAULT: 0
"readOnlySlaveMode": 0,
#
# interactiveModeAllowed (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, --interactive mode is allowed. Otherwise, this feature is disabled.
# DEFAULT: 0
"interactiveModeAllowed": 1,
#
# interactiveModeTimeout (int, in seconds)
# DESC: The number of idle seconds after which the user is disconnected from the bastion when in interactive mode. A value of 0 will disable this feature (user will never be disconnected for idle timeout)
# DESC: If true (1), drops the user to interactive mode if nothing is specified on the command line. If false (0), displays the help and exits with an error. Note that for `true' to have the expected effect, interactive mode must be enabled (see the `ìnteractiveModeAllowed' option above).
# DESC: If set to 0, syslog will be disabled. If set to 1, we'll send logs through syslog (don't forget to setup your syslogd)
# DEFAULT: 1
"enableSyslog": 1,
#
# syslogFacility (string)
# DESC: Sets the facility that will be used for syslog
# DEFAULT: local7
"syslogFacility": "local7",
#
# syslogDescription (string)
# DESC: Sets the description that will be used for syslog
# DEFAULT: bastion
"syslogDescription": "bastion",
#
# enableGlobalAccessLog (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, all accesses will still be logged in the old /home/osh.log (never rotated, world-writable -> discouraged). If set to 0, we'll no longer log there (modern way is syslog, see above)
# DEFAULT: 1
"enableGlobalAccessLog": 1,
#
# enableAccountAccessLog (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, all accesses will still be logged in the user's home /home/USER/USER-log-YYYYMM.log. If set to 0, we won't log there.
# DEFAULT: 1
"enableAccountAccessLog": 1,
#
# enableGlobalSqlLog (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, all accesses will be logged (in a short SQL format) in /home/logkeeper/*.sqlite. If set to 0, we won't log there.
# DEFAULT: 1
"enableGlobalSqlLog": 1,
#
# enableAccountSqlLog (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, all accesses will be logged (in a detailed SQL format) in the user's home /home/USER/USER-log-YYYYMM.sqlite. Otherwise, we won't log there.
# DEFAULT: 1
"enableAccountSqlLog": 1,
#
# moshAllowed (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, mosh usage is allowed (mosh needs to be installed on serverside, obviously). Otherwise, this feature is disabled.
# DEFAULT: 0
"moshAllowed": 0,
#
# moshTimeoutNetwork (int, >0)
# DESC: Number of seconds of inactivity (network-wise) after a mosh-server will exit. By design even if the client is disconnected "for good", mosh-server would wait forever. If mosh is meant to handle shaky connections but not mobility, you can set this to a low value. It sets the MOSH_SERVER_NETWORK_TMOUT envvar for mosh, see `man mosh-server' for more information (mosh 1.2.6+)
# DEFAULT: 86400
"moshTimeoutNetwork": 86400,
#
# moshTimeoutSignal (int, >0)
# DESC: Number of seconds of inactivity (network-wise) a mosh-server will wait after receiving a SIGUSR1 before exiting. It sets the MOSH_SERVER_SIGNAL_TMOUT envvar for mosh, see `man mosh-server' for more information (mosh 1.2.6+)
# DEFAULT: 30
"moshTimeoutSignal": 30,
#
# moshCommandLine (string)
# DESC: Additional parameters that will be passed as-is to mosh-server. See `man mosh-server', you should at least add the -p option to specify a fixed number of ports (easier for firewall configuration)
# DEFAULT: ""
# EXAMPLE: "-s -p 40000:49999"
"moshCommandLine": "",
#
# keyboardInteractiveAllowed (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, will allow keyboard-interactive authentication when publickey auth is requested for egress connections, this is needed e.g. for 2FA
# DEFAULT: 0
"keyboardInteractiveAllowed": 1,
#
# passwordAllowed (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, will allow password authentication for egress ssh, so that user can type his remote password interactively
# DEFAULT: 0
"passwordAllowed": 0,
#
# telnetAllowed (boolean-int, i.e. 0 or 1)
# DESC: If set to 1, will allow telnet egress connections (-e / --telnet),
# DEFAULT: 0
"telnetAllowed": 0,
#
# idleLockTimeout (int, >=0)
# DESC: If set to a positive value >0, the number of seconds of input idle time after which the session is locked. If 0, disabled.
# DEFAULT: 0
"idleLockTimeout": 0,
#
# idleKillTimeout (int, >=0)
# DESC: If set to a positive value >0, the number of seconds of input idle time after which the session is killed. If 0, disabled. If idleLockTimeout is set, this value must be higher (obviously).
# DEFAULT: 0
"idleKillTimeout": 0,
#
# warnBeforeLockSeconds (int, >=0)
# DESC: If set to a positive value >0, the number of seconds before idleLockTimeout where the user will receive a warning message telling him about the upcoming lock of his session.
# DEFAULT: 0
"warnBeforeLockSeconds": 0,
#
# warnBeforeKillSeconds (int, >=0)
# DESC: If set to a positive value >0, the number of seconds before idleKillTimeout where the user will receive a warning message telling him about the upcoming kill of his session.
# DEFAULT: 0
"warnBeforeKillSeconds": 0,
#
# ttyrecFilenameFormat (string)
# DESC: Sets the filename format of the output files of ttyrec for a given session. Magic tokens are: &bastionname, &uniqid, &account, &ip, &port, &user (they'll be replaced by the corresponding values of the current session). Then, this string (automatically prepended with the correct folder) will be passed to ttyrec's -F parameter, which uses strftime() to expand it, so the usual character conversions will be done (%Y for the year, %H for the hour, etc., see man strftime). Note that in a addition to the usual strftime() conversion specifications, ttyrec also supports #usec#, to be replaced by the current microsecond value of the time.
# DESC: Additional parameters you want to pass to ttyrec invocation. Useful, for example, to enable on-the-fly compression, disable cheatcodes, or set/unset any other ttyrec option. This is an ARRAY, not a string. e.g. ["-s", "This is a message with spaces", "--zstd"]
# DEFAULT: []
"ttyrecAdditionalParameters": [],
#
# documentationURL (string)
# DESC: The URL of the documentation where users will be pointed to, for example when displaying help. If you have some internal documentation about the bastion, you might want to advertise it here.
