ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-09-20 06:55:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add --egress-session-multiplexing option to accountModify

Browse source
This commit is contained in:
Stéphane Lesimple 2024-09-12 10:37:36 +00:00 committed by Stéphane Lesimple
parent 733e67ef1d
commit 4ef9c6ddde
5 changed files with 67 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
bin/helper/osh-accountModify
View file

@ -398,6 +398,50 @@ foreach my $tuple (@modify) {
}
}
}
elsif ($key eq 'egress-session-multiplexing') {
osh_info "Changing the egress ControlMaster/ControlPath options for this account...";
my $controlPath;
my $controlMaster;
if ($value eq 'default') {
# keep both vars undef, which will remove them from the account config file
;
}
elsif ($value eq 'yes') {
$controlMaster = 'auto';
# '~' is handled by ssh_config as the account's home directory
# '%C' is a hash of local hostname, remote host, remote user, remote port
$controlPath = "~/tmp/ssh_egress_%C";
}
elsif ($value eq 'no') {
# never create a master connection
$controlMaster = 'no';
# 'none' is understood specifically for ssh_config as 'never try to use a master connection'
$controlPath = 'none';
}
else {
osh_warn "Invalid parameter '$value', skipping";
$result{$jsonkey} = R('ERR_INVALID_PARAMETER');
}
$fnret = OVH::Bastion::account_ssh_config_set(
account => $account,
key => "ControlMaster",
value => $controlMaster,
);
if ($fnret) {
$fnret = OVH::Bastion::account_ssh_config_set(
account => $account,
key => "ControlPath",
value => $controlPath,
);
}
$result{$jsonkey} = $fnret;
if ($fnret) {
osh_info "... modification done";
}
else {
osh_warn "... error while setting policy: $fnret";
}
}
elsif ($key eq 'personal-egress-mfa-required') {
osh_info
"Changing the MFA policy for egress connections using the personal access (and keys) of the account...";

11
bin/plugin/restricted/accountModify
View file

@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
"pam-auth-bypass=s" => \$modify{'pam-auth-bypass'},
"always-active=s" => \$modify{'always-active'},
"egress-strict-host-key-checking=s" => \$modify{'egress-strict-host-key-checking'},
"egress-session-multiplexing=s" => \$modify{'egress-session-multiplexing'},
"personal-egress-mfa-required=s" => \$modify{'personal-egress-mfa-required'},
"idle-ignore=s" => \$modify{'idle-ignore'},
"max-inactive-days=i" => \$modify{'max-inactive-days'},
@ -47,6 +48,10 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
--egress-session-multiplexing POLICY Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:
'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
@ -110,6 +115,12 @@ if ($modify{'personal-egress-mfa-required'} && !grep { $modify{'personal-egress-
osh_exit 'ERR_INVALID_PARAMETER',
"Expected option 'password', 'totp', 'any', 'none' to --personal-egress-mfa-required";
}
if ($modify{'egress-session-multiplexing'} && !grep { $modify{'egress-session-multiplexing'} eq $_ }
qw{ yes no default })
{
help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected option 'yes', 'no' or 'default' --egress-session-multiplexing";
}
if ($modify{'max-inactive-days'} && $modify{'max-inactive-days'} !~ /^(?:\d+|-1)$/) {
help();
osh_exit "ERR_INVALID_PARAMETER",

4
bin/shell/osh.pl
View file

@ -1570,6 +1570,10 @@ push @details_json, @previous_bastion_details if @previous_bastion_details;
# then convert to json:
$ENV{'LC_BASTION_DETAILS'} = encode_json(\@details_json);
# make sure $home/tmp exists, as it might be used for egress ssh connection multiplexing.
# just attempt to create it instead of check+create, as it's not faster to do otherwise.
mkdir "$home/tmp", 0700;
# here is a nice hack to drastically improve the memory footprint of a
# heavily used bastion. we exec() another script that is way lighter, see
# comments in the connect.pl file for more information.

7
doc/sphinx/plugins/restricted/accountModify.rst
View file

@ -46,6 +46,13 @@ Modify an account configuration
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
.. option:: --egress-session-multiplexing POLICY
Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:
'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
.. option:: --personal-egress-mfa-required POLICY
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server

1
etc/bastion/osh-sync-watcher.rsyncfilter.dist
View file

@ -35,6 +35,7 @@
- /home/*/*.log
- /home/*/*.gz
- /home/*/lastlog
- /home/*/tmp/
- /home/*/.ssh/known_hosts
+ /home/*/***