feat: add --egress-session-multiplexing option to accountModify
This commit is contained in:
parent
733e67ef1d
commit
4ef9c6ddde
|
@ -398,6 +398,50 @@ foreach my $tuple (@modify) {
|
|||
}
|
||||
}
|
||||
}
|
||||
elsif ($key eq 'egress-session-multiplexing') {
|
||||
osh_info "Changing the egress ControlMaster/ControlPath options for this account...";
|
||||
my $controlPath;
|
||||
my $controlMaster;
|
||||
if ($value eq 'default') {
|
||||
# keep both vars undef, which will remove them from the account config file
|
||||
;
|
||||
}
|
||||
elsif ($value eq 'yes') {
|
||||
$controlMaster = 'auto';
|
||||
# '~' is handled by ssh_config as the account's home directory
|
||||
# '%C' is a hash of local hostname, remote host, remote user, remote port
|
||||
$controlPath = "~/tmp/ssh_egress_%C";
|
||||
}
|
||||
elsif ($value eq 'no') {
|
||||
# never create a master connection
|
||||
$controlMaster = 'no';
|
||||
# 'none' is understood specifically for ssh_config as 'never try to use a master connection'
|
||||
$controlPath = 'none';
|
||||
}
|
||||
else {
|
||||
osh_warn "Invalid parameter '$value', skipping";
|
||||
$result{$jsonkey} = R('ERR_INVALID_PARAMETER');
|
||||
}
|
||||
$fnret = OVH::Bastion::account_ssh_config_set(
|
||||
account => $account,
|
||||
key => "ControlMaster",
|
||||
value => $controlMaster,
|
||||
);
|
||||
if ($fnret) {
|
||||
$fnret = OVH::Bastion::account_ssh_config_set(
|
||||
account => $account,
|
||||
key => "ControlPath",
|
||||
value => $controlPath,
|
||||
);
|
||||
}
|
||||
$result{$jsonkey} = $fnret;
|
||||
if ($fnret) {
|
||||
osh_info "... modification done";
|
||||
}
|
||||
else {
|
||||
osh_warn "... error while setting policy: $fnret";
|
||||
}
|
||||
}
|
||||
elsif ($key eq 'personal-egress-mfa-required') {
|
||||
osh_info
|
||||
"Changing the MFA policy for egress connections using the personal access (and keys) of the account...";
|
||||
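Review bot: The final `else` branch of the value dispatch stores `R('ERR_INVALID_PARAMETER')` in `$result{$jsonkey}` but does not leave the branch, so execution continues into the two `account_ssh_config_set` calls with `$controlMaster` and `$controlPath` still undef — which, per the comment in the 'default' branch, removes the account's ControlMaster/ControlPath overrides — and `$result{$jsonkey} = $fnret;` then overwrites the error with that result. The plugin entry point rejects anything but yes/no/default before this loop runs, so the branch is unreachable today, but this block should not depend on the caller for that. Add `next;` right after `$result{$jsonkey} = R('ERR_INVALID_PARAMETER');` (the enclosing `foreach my $tuple (@modify)` loop starts outside the hunk, so confirm nothing later in the iteration still needs to run), or guard both set calls behind the validity check.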
|
|
|
@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|||
"pam-auth-bypass=s" => \$modify{'pam-auth-bypass'},
|
||||
"always-active=s" => \$modify{'always-active'},
|
||||
"egress-strict-host-key-checking=s" => \$modify{'egress-strict-host-key-checking'},
|
||||
"egress-session-multiplexing=s" => \$modify{'egress-session-multiplexing'},
|
||||
"personal-egress-mfa-required=s" => \$modify{'personal-egress-mfa-required'},
|
||||
"idle-ignore=s" => \$modify{'idle-ignore'},
|
||||
"max-inactive-days=i" => \$modify{'max-inactive-days'},
|
||||
|
@ -47,6 +48,10 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
|
|||
This effectively suppress the host key checking entirely. Please don't enable this blindly.
|
||||
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
|
||||
All the other policies carry the same meaning that what is documented in `man ssh_config`.
|
||||
--egress-session-multiplexing POLICY Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:
|
||||
'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
|
||||
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
|
||||
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
|
||||
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
|
||||
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
|
||||
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
|
||||
|
@ -110,6 +115,12 @@ if ($modify{'personal-egress-mfa-required'} && !grep { $modify{'personal-egress-
|
|||
osh_exit 'ERR_INVALID_PARAMETER',
|
||||
"Expected option 'password', 'totp', 'any', 'none' to --personal-egress-mfa-required";
|
||||
}
|
||||
if ($modify{'egress-session-multiplexing'} && !grep { $modify{'egress-session-multiplexing'} eq $_ }
|
||||
qw{ yes no default })
|
||||
{
|
||||
help();
|
||||
osh_exit 'ERR_INVALID_PARAMETER', "Expected option 'yes', 'no' or 'default' --egress-session-multiplexing";
|
||||
}
|
||||
if ($modify{'max-inactive-days'} && $modify{'max-inactive-days'} !~ /^(?:\d+|-1)$/) {
|
||||
help();
|
||||
osh_exit "ERR_INVALID_PARAMETER",
|
||||
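Review bot: The message on the `osh_exit 'ERR_INVALID_PARAMETER', ...` line for --egress-session-multiplexing drops the "to" that the neighbouring --personal-egress-mfa-required message uses, reading `"Expected option 'yes', 'no' or 'default' --egress-session-multiplexing"`. Suggest `"Expected option 'yes', 'no' or 'default' to --egress-session-multiplexing"` so the two validation messages read the same way. Wording only; the check itself matches the values the plugin accepts.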
|
|
|
@ -1570,6 +1570,10 @@ push @details_json, @previous_bastion_details if @previous_bastion_details;
|
|||
# then convert to json:
|
||||
$ENV{'LC_BASTION_DETAILS'} = encode_json(\@details_json);
|
||||
|
||||
# make sure $home/tmp exists, as it might be used for egress ssh connection multiplexing.
|
||||
# just attempt to create it instead of check+create, as it's not faster to do otherwise.
|
||||
mkdir "$home/tmp", 0700;
|
||||
|
||||
# here is a nice hack to drastically improve the memory footprint of a
|
||||
# heavily used bastion. we exec() another script that is way lighter, see
|
||||
# comments in the connect.pl file for more information.
|
||||
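Review bot: `mkdir "$home/tmp", 0700;` discards its return value, so a failure other than the expected "already exists" (read-only or full filesystem, missing home) is only noticed later when egress ssh cannot create its ControlPath socket, with a less obvious error. `mkdir "$home/tmp", 0700 or $!{EEXIST} or warn "cannot create $home/tmp: $!";` keeps the single-syscall approach the comment describes while surfacing the unexpected cases; note that EEXIST also covers a non-directory entry named tmp, which only a `-d` check would catch. mkdir also leaves a pre-existing `$home/tmp` untouched, so its mode is whatever it already was rather than 0700; if the control sockets are meant to live in a directory only the account can traverse, that assumption deserves a sentence in the comment, e.g. `# note: an existing $home/tmp keeps its current mode; 0700 only applies when we create it`. This statement run continues outside the hunk.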
|
|
|
@ -46,6 +46,13 @@ Modify an account configuration
|
|||
This effectively suppress the host key checking entirely. Please don't enable this blindly.
|
||||
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
|
||||
All the other policies carry the same meaning that what is documented in `man ssh_config`.
|
||||
.. option:: --egress-session-multiplexing POLICY
|
||||
|
||||
Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:
|
||||
|
||||
'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
|
||||
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
|
||||
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
|
||||
.. option:: --personal-egress-mfa-required POLICY
|
||||
|
||||
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
|
||||
|
|
|
@ -35,6 +35,7 @@
|
|||
- /home/*/*.log
|
||||
- /home/*/*.gz
|
||||
- /home/*/lastlog
|
||||
- /home/*/tmp/
|
||||
- /home/*/.ssh/known_hosts
|
||||
|
||||
+ /home/*/***
|
||||
|
|