chore: tidy after merge, adjust & regen doc

Stéphane Lesimple 2020-12-16 13:37:09 +00:00
parent 9c370b8ac1
commit 4a45df4432
No known key found for this signature in database
GPG key ID: 4B4A3289E9D35658
3 changed files with 53 additions and 52 deletions


@ -229,7 +229,7 @@ The algorithms authorized for egress ssh public keys generated on this bastion.
minimumIngressRsaKeySize
************************
:Type: ``int``
:Type: ``int > 0``
:Default: ``2048``
@ -240,7 +240,7 @@ The minimum allowed size for ingress RSA keys (user->bastion). Sane values range
maximumIngressRsaKeySize
************************
:Type: ``int``
:Type: ``int > 0``
:Default: ``8192``
@ -251,7 +251,7 @@ The maximum allowed size for ingress RSA keys (user->bastion). Too big values (>
minimumEgressRsaKeySize
***********************
:Type: ``int``
:Type: ``int > 0``
:Default: ``2048``
@ -262,7 +262,7 @@ The minimum allowed size for egress RSA keys (bastion->server). Sane values rang
maximumEgressRsaKeySize
***********************
:Type: ``int``
:Type: ``int > 0``
:Default: ``8192``
@ -284,7 +284,7 @@ The default algorithm to use to create the egress key of a newly created account
defaultAccountEgressKeySize
***************************
:Type: ``int``
:Type: ``int > 0``
:Default: ``4096``
@ -493,7 +493,7 @@ ttyrecFilenameFormat
:Type: ``string``
:Default: ``"%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.ttyrec"``
:Default: ``"%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec"``
Sets the filename format of the output files of ttyrec for a given session. Magic tokens are: ``&bastionname``, ``&uniqid``, ``&account``, ``&ip``, ``&port``, ``&user`` (they'll be replaced by the corresponding values of the current session). Then, this string (automatically prepended with the correct folder) will be passed to ttyrec's ``-F`` parameter, which uses ``strftime()`` to expand it, so the usual character conversions will be done (``%Y`` for the year, ``%H`` for the hour, etc., see ``man strftime``). Note that in a addition to the usual ``strftime()`` conversion specifications, ttyrec also supports ``#usec#``, to be replaced by the current microsecond value of the time.
@ -531,7 +531,7 @@ ingressKeysFromAllowOverride
:Type: ``boolean``
:Default: ``true``
:Default: ``false``
If set to ``false``, any user-specified ``from="..."`` prefix on keys in commands such as ``selfAddIngressKey`` or ``accountCreate`` are silently ignored and replaced by the IPs in the ``ingressKeysFrom`` configuration option (if any).
If set to ``true``, any user-specified ``from="..."`` will override the value set in ``ingressKeysFrom`` (if any).
@ -625,7 +625,7 @@ If set to ``true``, ``--interactive`` mode is allowed. Otherwise, this feature i
interactiveModeTimeout
**********************
:Type: ``int (seconds)``
:Type: ``int >= 0 (seconds)``
:Default: ``60``
@ -647,7 +647,7 @@ If ``true``, drops the user to interactive mode if nothing is specified on the c
idleLockTimeout
***************
:Type: ``int >= 0``
:Type: ``int >= 0 (seconds)``
:Default: ``0``
@ -658,7 +658,7 @@ If set to a positive value >0, the number of seconds of input idle time after wh
idleKillTimeout
***************
:Type: ``int >= 0``
:Type: ``int >= 0 (seconds)``
:Default: ``0``
@ -669,7 +669,7 @@ If set to a positive value >0, the number of seconds of input idle time after wh
warnBeforeLockSeconds
*********************
:Type: ``int >= 0``
:Type: ``int >= 0 (seconds)``
:Default: ``0``
@ -680,7 +680,7 @@ If set to a positive value >0, the number of seconds before ``idleLockTimeout``
warnBeforeKillSeconds
*********************
:Type: ``int >= 0``
:Type: ``int >= 0 (seconds)``
:Default: ``0``
@ -737,7 +737,7 @@ Account policies
accountMaxInactiveDays
**********************
:Type: ``int``
:Type: ``int >= 0 (days)``
:Default: ``0``
@ -799,7 +799,7 @@ Set a MFA policy for the bastion accounts, the supported values are:
MFAPasswordMinDays
******************
:Type: ``int >= 0``
:Type: ``int >= 0 (days)``
:Default: ``0``
@ -810,7 +810,7 @@ For the PAM UNIX password MFA, sets the min amount of days between two password
MFAPasswordMaxDays
******************
:Type: ``int >= 0``
:Type: ``int >= 0 (days)``
:Default: ``90``
@ -821,7 +821,7 @@ For the PAM UNIX password MFA, sets the max amount of days after which the passw
MFAPasswordWarnDays
*******************
:Type: ``int >= 0``
:Type: ``int >= 0 (days)``
:Default: ``15``
@ -832,11 +832,11 @@ For the PAM UNIX password MFA, sets the number of days before expiration on whic
MFAPasswordInactiveDays
***********************
:Type: ``int >= -1``
:Type: ``int >= -1 (days)``
:Default: ``-1``
For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days (see ``chage -E``). -1 disables this feature. Note that this is different from the accountMaxInactiveDays option above, that is handled by the bastion software itself instead of PAM
For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days (see ``chage -E``). -1 disables this feature. Note that this is different from the ``accountMaxInactiveDays`` option above, that is handled by the bastion software itself instead of PAM
.. _bastion_conf_MFAPostCommand:
@ -861,7 +861,7 @@ Other options
accountUidMin
*************
:Type: ``int``
:Type: ``int >= 100``
:Default: ``2000``
@ -872,7 +872,7 @@ Minimum allowed UID for accounts on this bastion. Hardcoded > 100 even if config
accountUidMax
*************
:Type: ``int``
:Type: ``int > 0``
:Default: ``99999``
@ -883,7 +883,7 @@ Maximum allowed UID for accounts on this bastion.
ttyrecGroupIdOffset
*******************
:Type: ``int``
:Type: ``int > 0``
:Default: ``100000``


@ -56,22 +56,22 @@
# DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
"allowedEgressSshAlgorithms": [ "rsa", "ecdsa", "ed25519" ],
#
# minimumIngressRsaKeySize (int)
# minimumIngressRsaKeySize (int > 0)
# DESC: The minimum allowed size for ingress RSA keys (user->bastion). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumIngressRsaKeySize": 2048,
#
# maximumIngressRsaKeySize (int)
# maximumIngressRsaKeySize (int > 0)
# DESC: The maximum allowed size for ingress RSA keys (user->bastion). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
# DEFAULT: 8192
"maximumIngressRsaKeySize": 8192,
#
# minimumEgressRsaKeySize (int)
# minimumEgressRsaKeySize (int > 0)
# DESC: The minimum allowed size for egress RSA keys (bastion->server). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumEgressRsaKeySize": 2048,
#
# maximumEgressRsaKeySize (int)
# maximumEgressRsaKeySize (int > 0)
# DESC: The maximum allowed size for ingress RSA keys (bastion->server). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
# DEFAULT: 8192
"maximumEgressRsaKeySize": 8192,
@ -81,7 +81,7 @@
# DEFAULT: "rsa"
"defaultAccountEgressKeyAlgorithm": "rsa",
#
# defaultAccountEgressKeySize (int)
# defaultAccountEgressKeySize (int > 0)
# DESC: The default size to use to create the egress key of a newly created account (also see ``defaultAccountEgressKeyAlgorithm``)
# DEFAULT: 4096
"defaultAccountEgressKeySize": 4096,
@ -267,7 +267,7 @@
# DEFAULT: true
"interactiveModeAllowed": true,
#
# interactiveModeTimeout (int (seconds))
# interactiveModeTimeout (int >= 0 (seconds))
# DESC: The number of idle seconds after which the user is disconnected from the bastion when in interactive mode. A value of 0 will disable this feature (user will never be disconnected for idle timeout).
# DEFAULT: 60
"interactiveModeTimeout": 60,
@ -277,22 +277,22 @@
# DEFAULT: true
"interactiveModeByDefault": true,
#
# idleLockTimeout (int >= 0)
# idleLockTimeout (int >= 0 (seconds))
# DESC: If set to a positive value >0, the number of seconds of input idle time after which the session is locked. If ``false``, disabled.
# DEFAULT: 0
"idleLockTimeout": 0,
#
# idleKillTimeout (int >= 0)
# idleKillTimeout (int >= 0 (seconds))
# DESC: If set to a positive value >0, the number of seconds of input idle time after which the session is killed. If ``false``, disabled. If ``idleLockTimeout`` is set, this value must be higher (obviously).
# DEFAULT: 0
"idleKillTimeout": 0,
#
# warnBeforeLockSeconds (int >= 0)
# warnBeforeLockSeconds (int >= 0 (seconds))
# DESC: If set to a positive value >0, the number of seconds before ``idleLockTimeout`` where the user will receive a warning message telling him about the upcoming lock of his session.
# DEFAULT: 0
"warnBeforeLockSeconds": 0,
#
# warnBeforeKillSeconds (int >= 0)
# warnBeforeKillSeconds (int >= 0 (seconds))
# DESC: If set to a positive value >0, the number of seconds before ``idleKillTimeout`` where the user will receive a warning message telling him about the upcoming kill of his session.
# DEFAULT: 0
"warnBeforeKillSeconds": 0,
@ -325,7 +325,7 @@
# > Account policies
# >> Policies applying to the bastion accounts themselves
#
# accountMaxInactiveDays (int)
# accountMaxInactiveDays (int >= 0 (days))
# DESC: If > 0, deny access to accounts that didn't log in since at least that many days. A value of 0 means that this functionality is disabled (we will never deny access for inactivity reasons).
# DEFAULT: 0
"accountMaxInactiveDays": 0,
@ -357,23 +357,23 @@
# DEFAULT: "enabled"
"accountMFAPolicy": "enabled",
#
# MFAPasswordMinDays (int >= 0)
# MFAPasswordMinDays (int >= 0 (days))
# DESC: For the PAM UNIX password MFA, sets the min amount of days between two password changes (see ``chage -m``)
# DEFAULT: 0
"MFAPasswordMinDays": 0,
#
# MFAPasswordMaxDays (int >= 0)
# MFAPasswordMaxDays (int >= 0 (days))
# DESC: For the PAM UNIX password MFA, sets the max amount of days after which the password must be changed (see ``chage -M``)
# DEFAULT: 90
"MFAPasswordMaxDays": 90,
#
# MFAPasswordWarnDays (int >= 0)
# MFAPasswordWarnDays (int >= 0 (days))
# DESC: For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password (see ``chage -W``)
# DEFAULT: 15
"MFAPasswordWarnDays": 15,
#
# MFAPasswordInactiveDays (int >= -1)
# DESC: For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days (see ``chage -E``). -1 disables this feature. Note that this is different from the accountMaxInactiveDays option above, that is handled by the bastion software itself instead of PAM
# MFAPasswordInactiveDays (int >= -1 (days))
# DESC: For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days (see ``chage -E``). -1 disables this feature. Note that this is different from the ``accountMaxInactiveDays`` option above, that is handled by the bastion software itself instead of PAM
# DEFAULT: -1
"MFAPasswordInactiveDays": -1,
#
@ -389,17 +389,17 @@
# > Other options
# >> These options are either discouraged (in which case this is explained in the description) or rarely need to be modified.
#
# accountUidMin (int)
# accountUidMin (int >= 100)
# DESC: Minimum allowed UID for accounts on this bastion. Hardcoded > 100 even if configured for less.
# DEFAULT: 2000
"accountUidMin": 2000,
#
# accountUidMax (int)
# accountUidMax (int > 0)
# DESC: Maximum allowed UID for accounts on this bastion.
# DEFAULT: 99999
"accountUidMax": 99999,
#
# ttyrecGroupIdOffset (int)
# ttyrecGroupIdOffset (int > 0)
# DESC: Offset to apply on user group uid to create its ``-tty`` group, should be > ``accountUidMax - accountUidMin`` to ensure there is no overlap.
# DEFAULT: 100000
"ttyrecGroupIdOffset": 100000,
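Review bot: The new type line `# idleLockTimeout (int >= 0 (seconds))` now contradicts its DESC on the following line, which still ends with "If ``false``, disabled." — for a non-negative integer the disabling value is 0, as the DEFAULT line and the `interactiveModeTimeout` DESC in the previous hunk already say. The `idleKillTimeout` DESC in the same hunk has the same leftover; I would change both sentences to "If ``0``, disabled." so the declared type and the description agree. Separately, in the first hunk the `maximumEgressRsaKeySize` DESC reads "The maximum allowed size for ingress RSA keys (bastion->server)", where the direction in parentheses is egress, so "ingress" looks like a copy-paste leftover from the option above. Since this commit regenerates the .rst page from these comments, both wordings are propagated verbatim into the documentation.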


@ -124,16 +124,16 @@ sub load_configuration {
# 1/6) Options that are strings, and must match given regex. Always include capturing parens in regex for untainting.
foreach my $o (
{name => 'bastionName', default => 'fix-my-config-please-missing-bastion-name', validre => qr/^([a-zA-Z0-9_.-]+)$/},
{name => 'bastionCommand', default => "ssh ACCOUNT\@HOSTNAME -t -- ", validre => qr/^(.+)$/},
{name => 'defaultLogin', default => "", validre => qr/^([a-zA-Z0-9_.-]*)$/, emptyok => 1},
{name => 'moshCommandLine', default => "", validre => qr/^(.*)$/, emptyok => 1},
{name => 'documentationURL', default => "https://ovh.github.io/the-bastion/", validre => qr'^([a-zA-Z0-9:/@&=",;_.-]+)$'},
{name => 'syslogFacility', default => 'local7', validre => qr/^([a-zA-Z0-9_]+)$/},
{name => 'syslogDescription', default => 'bastion', validre => qr/^([a-zA-Z0-9_.-]+)$/},
{name => 'ttyrecFilenameFormat', default => '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec', validre => qr/^([a-zA-Z0-9%&#_.-]+)$/},
{name => 'accountExpiredMessage', default => '', validre => qr/^(.*)$/, emptyok => 1},
{name => 'accountExternalValidationProgram', default => '', validre => qr'^([a-zA-Z0-9/$_.-]*)$', emptyok => 1},
{name => 'bastionName', default => 'fix-my-config-please-missing-bastion-name', validre => qr/^([a-zA-Z0-9_.-]+)$/},
{name => 'bastionCommand', default => "ssh ACCOUNT\@HOSTNAME -t -- ", validre => qr/^(.+)$/},
{name => 'defaultLogin', default => "", validre => qr/^([a-zA-Z0-9_.-]*)$/, emptyok => 1},
{name => 'moshCommandLine', default => "", validre => qr/^(.*)$/, emptyok => 1},
{name => 'documentationURL', default => "https://ovh.github.io/the-bastion/", validre => qr'^([a-zA-Z0-9:/@&=",;_.-]+)$'},
{name => 'syslogFacility', default => 'local7', validre => qr/^([a-zA-Z0-9_]+)$/},
{name => 'syslogDescription', default => 'bastion', validre => qr/^([a-zA-Z0-9_.-]+)$/},
{name => 'ttyrecFilenameFormat', default => '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec', validre => qr/^([a-zA-Z0-9%&#_.-]+)$/},
{name => 'accountExpiredMessage', default => '', validre => qr/^(.*)$/, emptyok => 1},
{name => 'accountExternalValidationProgram', default => '', validre => qr'^([a-zA-Z0-9/$_.-]*)$', emptyok => 1},
)
{
if (!$C->{$o->{'name'}} && !$o->{'emptyok'}) {
@ -216,7 +216,8 @@ sub load_configuration {
}
# 3/6) Booleans. Standard true/false values should be used in the JSON config file, but we normalize non-bool values here.
# We cast the strings "no", "false", "disabled" to false. The JSON null value is also false.
# We cast the strings "no", "false", "disabled" to false. The JSON null value is the same as omitting the option entirely,
# hence forcing the bastion to use the default value for this option.
# For all other values, standard Perl applies: 0, "0", "" are false, everything else is true.
# We warn where we have to cast, except for 0/1/"0"/"1" for backwards compatibility.
foreach my $tuple (
@ -243,7 +244,7 @@ sub load_configuration {
{
foreach my $o (@{$tuple->{'options'}}) {
# if not defined, set to default value
# if not defined (option missing or set to null), set to default value
if (not defined $C->{$o}) {
$C->{$o} = $tuple->{'default'};
push @errors, "Configuration error: missing option '$o', defaulting to " . ($tuple->{'default'} ? 'true' : 'false') if $test;