feat: add --fallback-password-delay (3) for ssh password autologin
parent
5930775626
commit
56d4078605
2 changed files with 58 additions and 54 deletions
|
@ -4,8 +4,8 @@
|
|||
set ::env(TERM) ""
|
||||
|
||||
# we need 6 arguments
|
||||
if { [llength $argv] < 6 } {
|
||||
puts "BASTION SAYS: autologin usage error, expected 5 args: <ssh|telnet> <login> <ip> <port> <file_with_password> <timeout> [passthrough arguments to ssh or telnet]"
|
||||
if { [llength $argv] < 7 } {
|
||||
puts "BASTION SAYS: autologin usage error, expected 6 args: <ssh|telnet> <login> <ip> <port> <file_with_password> <timeout> <fallback_delay> [passthrough arguments to ssh or telnet]"
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
@ -16,7 +16,8 @@ set arg_ip [lindex $argv 2]
|
|||
set arg_port [lindex $argv 3]
|
||||
set arg_file [lindex $argv 4]
|
||||
set arg_timeout [lindex $argv 5]
|
||||
set arg_remaining [lrange $argv 6 end]
|
||||
set arg_fallback_delay [lindex $argv 6]
|
||||
set arg_remaining [lrange $argv 7 end]
|
||||
|
||||
# start the program
|
||||
if { $arg_prog == "ssh" } {
|
||||
|
@ -44,7 +45,8 @@ proc attempt_to_login args {
|
|||
set prog [lindex $args 1]
|
||||
set login [lindex $args 2]
|
||||
set file [lindex $args 3]
|
||||
set spawn_args [lindex $args 4]
|
||||
set arg_fallback_delay [lindex $args 4]
|
||||
set spawn_args [lindex $args 5]
|
||||
|
||||
if { [file exists $file] == 0 } {
|
||||
if { $tryid == 0 } { puts "BASTION SAYS: file $file does not exist" }
|
||||
|
@ -56,7 +58,8 @@ proc attempt_to_login args {
|
|||
}
|
||||
|
||||
if { $tryid > 0 } {
|
||||
puts "BASTION SAYS: trying with fallback password..."
|
||||
puts "BASTION SAYS: trying with fallback password $tryid after sleeping for $arg_fallback_delay seconds..."
|
||||
sleep $arg_fallback_delay
|
||||
}
|
||||
|
||||
# reading password (256 chars max)
|
||||
|
@ -102,10 +105,10 @@ proc attempt_to_login args {
|
|||
|
||||
# try to login with the main password file
|
||||
set tryid 0
|
||||
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $spawn_args]
|
||||
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $arg_fallback_delay $spawn_args]
|
||||
while { $last_attempt == 100 && $tryid < 10 } {
|
||||
# auth failed, might want to try with the fallback
|
||||
incr tryid
|
||||
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $spawn_args]
|
||||
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $arg_fallback_delay $spawn_args]
|
||||
}
|
||||
exit $last_attempt
|
||||
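Review bot: `arg_fallback_delay` reaches `sleep $arg_fallback_delay` in attempt_to_login exactly as read by `[lindex $argv 6]`, with no check that it is a non-negative integer. A guard next to the argument-count test would make the script stop with a clear message instead of depending on how `sleep` treats a bad value, for example `if { ![string is integer -strict $arg_fallback_delay] || $arg_fallback_delay < 0 } { puts "BASTION SAYS: autologin usage error, invalid fallback delay"; exit 1 }`. The comment `# we need 6 arguments` and the text `expected 6 args` are also stale, since the test is now `[llength $argv] < 7` and the usage string lists seven arguments. The body of attempt_to_login continues outside the hunks shown here.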
|
|
|
@ -371,6 +371,7 @@ my $remainingOptions;
|
|||
"ssh-as=s" => \my $sshAs,
|
||||
"use-key=s" => \my $useKey,
|
||||
"kbd-interactive" => \my $userKbdInteractive,
|
||||
"fallback-password-delay=i" => \my $fallbackPasswordDelay,
|
||||
);
|
||||
if (not defined $realOptions) {
|
||||
help();
|
||||
|
@ -1125,7 +1126,7 @@ if ($telnet) {
|
|||
$passwordFile = $fnretpass->value;
|
||||
osh_debug("going to use telnet with this password file : $passwordFile");
|
||||
print " will use TELNET with password autologin\n\n" unless $quiet;
|
||||
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
|
||||
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
|
||||
}
|
||||
|
||||
# TELNET PASSWORD INTERACTIVE
|
||||
|
@ -1152,8 +1153,7 @@ else {
|
|||
$passwordFile = $fnretpass->value;
|
||||
osh_debug("going to use ssh with this password file : $passwordFile");
|
||||
print " will use SSH with password autologin\n\n" unless $quiet;
|
||||
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
|
||||
|
||||
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
|
||||
}
|
||||
|
||||
# SSH EGRESS KEYS (and maybe password interactive as a fallback if passwordAllowed)
|
||||
|
@ -1531,13 +1531,14 @@ Usage (osh cmd): $bastionName --osh [OSH_COMMAND] [OSH_OPTIONS]
|
|||
that your shell will eat one level of quotes and backslashes. One working example:
|
||||
$bastionName srv1.example.org -- "perl -e 'use Data::Dumper; print Dumper(\\\@ARGV)' one 'two is 2' three"
|
||||
|
||||
[OPTIONS (ssh)] :
|
||||
[OPTIONS (ssh)]
|
||||
--verbose, -v Enable verbose ssh
|
||||
--tty, -t Force tty allocation
|
||||
--no-tty, -T Prevent tty allocation
|
||||
--use-key FP Explicitly specify the fingerprint of the egress key you want to use
|
||||
--kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection
|
||||
--netconf Request to use netconf subsystem
|
||||
--fallback-password-delay S Amount of seconds to wait between subsequent tries in the SSH password autologin fallback mechanism (3).
|
||||
|
||||
[OPTIONS (osh cmd)]
|
||||
--json Return data in json format between JSON_START and JSON_END tags
|
||||
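Review bot: The value of `"fallback-password-delay=i"` goes straight into both `push @command` lines (telnet and ssh) with no range check. Getopt::Long's `=i` accepts a leading minus sign, and `// 3` substitutes the default only when the option is undefined. A check after option parsing, starting with `if (defined $fallbackPasswordDelay && $fallbackPasswordDelay < 0)`, could reject the value through the script's usual usage-error path before the autologin helper is called, and an upper bound would keep the up-to-ten retries from stalling a session. Because this delay is the only pacing between successive password attempts against the target host, the help text should say that `0` disables the wait if that is intended. The help line mentions only "SSH password autologin", but the telnet branch passes the option too, so `--fallback-password-delay S` should be described as covering both.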
|
|