diff --git a/bin/shell/autologin b/bin/shell/autologin
index 60e961a..71070cc 100755
--- a/bin/shell/autologin
+++ b/bin/shell/autologin
@@ -4,19 +4,20 @@ set ::env(TERM) ""
 # we need 6 arguments
-if { [llength $argv] < 6 } {
- puts "BASTION SAYS: autologin usage error, expected 5 args: [passthrough arguments to ssh or telnet]"
+if { [llength $argv] < 7 } {
+ puts "BASTION SAYS: autologin usage error, expected 6 args: [passthrough arguments to ssh or telnet]"
 exit 1
 }
 # name our arguments
-set arg_prog [lindex $argv 0]
-set arg_login [lindex $argv 1]
-set arg_ip [lindex $argv 2]
-set arg_port [lindex $argv 3]
-set arg_file [lindex $argv 4]
-set arg_timeout [lindex $argv 5]
-set arg_remaining [lrange $argv 6 end]
+set arg_prog [lindex $argv 0]
+set arg_login [lindex $argv 1]
+set arg_ip [lindex $argv 2]
+set arg_port [lindex $argv 3]
+set arg_file [lindex $argv 4]
+set arg_timeout [lindex $argv 5]
+set arg_fallback_delay [lindex $argv 6]
+set arg_remaining [lrange $argv 7 end]
 # start the program
 if { $arg_prog == "ssh" } {
@@ -40,11 +41,12 @@ set timeout $arg_timeout
 # if other non-critical error, return 101
 # if critical error, exits
 proc attempt_to_login args {
- set tryid [lindex $args 0]
- set prog [lindex $args 1]
- set login [lindex $args 2]
- set file [lindex $args 3]
- set spawn_args [lindex $args 4]
+ set tryid [lindex $args 0]
+ set prog [lindex $args 1]
+ set login [lindex $args 2]
+ set file [lindex $args 3]
+ set arg_fallback_delay [lindex $args 4]
+ set spawn_args [lindex $args 5]
 if { [file exists $file] == 0 } {
 if { $tryid == 0 } { puts "BASTION SAYS: file $file does not exist" }
@@ -56,7 +58,8 @@ proc attempt_to_login args {
 }
 if { $tryid > 0 } {
- puts "BASTION SAYS: trying with fallback password..."
+ puts "BASTION SAYS: trying with fallback password $tryid after sleeping for $arg_fallback_delay seconds..."
+ sleep $arg_fallback_delay
 }
 # reading password (256 chars max)
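Review bot: The comment `# we need 6 arguments` and the message `expected 6 args` disagree with the new check `[llength $argv] < 7`, which requires seven positional arguments once `arg_fallback_delay` is added; the old version carried the same off-by-one (`< 6` against `expected 5 args`), so this is the place to correct both to `7`. The new `arg_fallback_delay` is also taken from argv without any check before it reaches `sleep` in the @@ -56 hunk; the caller in osh.pl constrains it to an integer, but a negative integer still gets through, and what expect's `sleep` does with one is not something this diff establishes. A guard beside the other argument checks, `if { ![string is integer -strict $arg_fallback_delay] || $arg_fallback_delay < 0 } { puts "BASTION SAYS: invalid fallback delay: $arg_fallback_delay"; exit 1 }`, keeps the script's contract self-contained.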
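Review bot: Inside `attempt_to_login` the new local is named `arg_fallback_delay`, the prefix the script otherwise uses only for the top-level argv values, while its sibling locals on the same lines are `tryid`, `prog`, `login`, `file` and `spawn_args`; `set fallback_delay [lindex $args 4]` (with `sleep $fallback_delay` in the @@ -56 hunk) would follow the existing convention and not suggest that the proc reads the global of the same name. The proc's body continues past the end of this hunk.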
@@ -102,10 +105,10 @@ proc attempt_to_login args {
 # try to login with the main password file
 set tryid 0
-set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $spawn_args]
+set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $arg_fallback_delay $spawn_args]
 while { $last_attempt == 100 && $tryid < 10 } {
 # auth failed, might want to try with the fallback
 incr tryid
- set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $spawn_args]
+ set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $arg_fallback_delay $spawn_args]
 }
 exit $last_attempt
diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl
index 5534429..6db74de 100755
--- a/bin/shell/osh.pl
+++ b/bin/shell/osh.pl
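Review bot: The `while` loop now pays the `sleep $arg_fallback_delay` from `attempt_to_login` on each of up to 10 fallback attempts, so the worst-case time added before the script gives up is ten times the delay, and nothing in this file or in the osh.pl caller bounds the delay from above. A comment on the `while` line would make that cost visible to whoever tunes the option, e.g. `# up to 10 fallback password files; each retry first waits arg_fallback_delay seconds inside attempt_to_login`.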
@@ -344,33 +344,34 @@ else {
 my $remainingOptions;
 ($result, $remainingOptions) = GetOptionsFromString(
 $beforeOptions,
- "port|p=i" => \my $optPort,
- "verbose+" => \my $verbose,
- "tty|t" => \my $tty,
- "no-tty|T" => \my $notty,
- "user|u=s" => \my $user,
- "osh=s" => \my $osh_command,
- "telnet|e" => \my $telnet,
- "password=s" => \my $passwordFile,
- "P" => \my $selfPassword,
- "host|h=s" => \my $host,
- "help" => \my $help,
- "long-help" => \my $longHelp,
- "quiet|q" => \my $quiet,
- "timeout=i" => \my $timeout,
- "bind=s" => \my $bind,
- "debug" => \my $debug,
- "json" => \my $json,
- "json-greppable" => \my $json_greppable,
- "json-pretty" => \my $json_pretty,
- "always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above
- "never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above
- "interactive|i" => \my $interactive,
- "netconf" => \my $netconf,
- "wait" => \my $wait,
- "ssh-as=s" => \my $sshAs,
- "use-key=s" => \my $useKey,
- "kbd-interactive" => \my $userKbdInteractive,
+ "port|p=i" => \my $optPort,
+ "verbose+" => \my $verbose,
+ "tty|t" => \my $tty,
+ "no-tty|T" => \my $notty,
+ "user|u=s" => \my $user,
+ "osh=s" => \my $osh_command,
+ "telnet|e" => \my $telnet,
+ "password=s" => \my $passwordFile,
+ "P" => \my $selfPassword,
+ "host|h=s" => \my $host,
+ "help" => \my $help,
+ "long-help" => \my $longHelp,
+ "quiet|q" => \my $quiet,
+ "timeout=i" => \my $timeout,
+ "bind=s" => \my $bind,
+ "debug" => \my $debug,
+ "json" => \my $json,
+ "json-greppable" => \my $json_greppable,
+ "json-pretty" => \my $json_pretty,
+ "always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above
+ "never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above
+ "interactive|i" => \my $interactive,
+ "netconf" => \my $netconf,
+ "wait" => \my $wait,
+ "ssh-as=s" => \my $sshAs,
+ "use-key=s" => \my $useKey,
+ "kbd-interactive" => \my $userKbdInteractive,
+ "fallback-password-delay=i" => \my $fallbackPasswordDelay,
 );
 if (not defined $realOptions) {
 help();
@@ -1125,7 +1126,7 @@ if ($telnet) {
 $passwordFile = $fnretpass->value;
 osh_debug("going to use telnet with this password file : $passwordFile");
 print " will use TELNET with password autologin\n\n" unless $quiet;
- push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
+ push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
 }
 # TELNET PASSWORD INTERACTIVE
@@ -1152,8 +1153,7 @@ else {
 $passwordFile = $fnretpass->value;
 osh_debug("going to use ssh with this password file : $passwordFile");
 print " will use SSH with password autologin\n\n" unless $quiet;
- push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
-
+ push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
 }
 # SSH EGRESS KEYS (and maybe password interactive as a fallback if passwordAllowed)
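Review bot: `"fallback-password-delay=i"` accepts negative integers, and the only downstream handling is the `// 3` in the @@ -1125 and @@ -1152 hunks, which substitutes the default for undef only, so `0` and negative values are forwarded unchanged to the autologin script, where they end up in `sleep`. A check right after `GetOptionsFromString`, next to the existing `if (not defined $realOptions)` test, closes this: `if (defined $fallbackPasswordDelay and $fallbackPasswordDelay < 0) {` followed by the same error path the surrounding option checks use. Resolving the default once at that point, `$fallbackPasswordDelay //= 3;`, would also let the two `push @command` lines pass `$fallbackPasswordDelay` directly instead of repeating `($fallbackPasswordDelay // 3)`. The enclosing `else {` block begins before this hunk.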
@@ -1531,13 +1531,14 @@ Usage (osh cmd): $bastionName --osh [OSH_COMMAND] [OSH_OPTIONS]
 that your shell will eat one level of quotes and backslashes. One working example:
 $bastionName srv1.example.org -- "perl -e 'use Data::Dumper; print Dumper(\\\@ARGV)' one 'two is 2' three"
-[OPTIONS (ssh)] :
- --verbose, -v Enable verbose ssh
- --tty, -t Force tty allocation
- --no-tty, -T Prevent tty allocation
- --use-key FP Explicitly specify the fingerprint of the egress key you want to use
- --kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection
- --netconf Request to use netconf subsystem
+[OPTIONS (ssh)]
+ --verbose, -v Enable verbose ssh
+ --tty, -t Force tty allocation
+ --no-tty, -T Prevent tty allocation
+ --use-key FP Explicitly specify the fingerprint of the egress key you want to use
+ --kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection
+ --netconf Request to use netconf subsystem
+ --fallback-password-delay S Amount of seconds to wait between subsequent tries in the SSH password autologin fallback mechanism (3).
 [OPTIONS (osh cmd)]
 --json Return data in json format between JSON_START and JSON_END tags
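Review bot: The new help line describes the delay as part of the "SSH password autologin fallback mechanism" and files it under `[OPTIONS (ssh)]`, but the @@ -1125 hunk passes `$fallbackPasswordDelay` to the telnet autologin as well, so the text understates where the option applies; the bare `(3)` at the end is also the only place in this help where a default is given in that form. Suggested wording: `--fallback-password-delay S  Seconds to wait between subsequent tries of the password autologin fallback mechanism, for SSH and TELNET (default: 3)`. The help text is part of a heredoc that begins before this hunk.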