feat: add --fallback-password-delay (3) for ssh password autologin

This commit is contained in:
Stéphane Lesimple 2021-09-01 14:41:21 +00:00 committed by Stéphane Lesimple
parent 5930775626
commit 56d4078605
2 changed files with 58 additions and 54 deletions


@ -4,19 +4,20 @@
set ::env(TERM) ""
# we need 6 arguments
if { [llength $argv] < 6 } {
puts "BASTION SAYS: autologin usage error, expected 5 args: <ssh|telnet> <login> <ip> <port> <file_with_password> <timeout> [passthrough arguments to ssh or telnet]"
if { [llength $argv] < 7 } {
puts "BASTION SAYS: autologin usage error, expected 6 args: <ssh|telnet> <login> <ip> <port> <file_with_password> <timeout> <fallback_delay> [passthrough arguments to ssh or telnet]"
exit 1
}
# name our arguments
set arg_prog [lindex $argv 0]
set arg_login [lindex $argv 1]
set arg_ip [lindex $argv 2]
set arg_port [lindex $argv 3]
set arg_file [lindex $argv 4]
set arg_timeout [lindex $argv 5]
set arg_remaining [lrange $argv 6 end]
set arg_prog [lindex $argv 0]
set arg_login [lindex $argv 1]
set arg_ip [lindex $argv 2]
set arg_port [lindex $argv 3]
set arg_file [lindex $argv 4]
set arg_timeout [lindex $argv 5]
set arg_fallback_delay [lindex $argv 6]
set arg_remaining [lrange $argv 7 end]
# start the program
if { $arg_prog == "ssh" } {
@ -40,11 +41,12 @@ set timeout $arg_timeout
# if other non-critical error, return 101
# if critical error, exits
proc attempt_to_login args {
set tryid [lindex $args 0]
set prog [lindex $args 1]
set login [lindex $args 2]
set file [lindex $args 3]
set spawn_args [lindex $args 4]
set tryid [lindex $args 0]
set prog [lindex $args 1]
set login [lindex $args 2]
set file [lindex $args 3]
set arg_fallback_delay [lindex $args 4]
set spawn_args [lindex $args 5]
if { [file exists $file] == 0 } {
if { $tryid == 0 } { puts "BASTION SAYS: file $file does not exist" }
@ -56,7 +58,8 @@ proc attempt_to_login args {
}
if { $tryid > 0 } {
puts "BASTION SAYS: trying with fallback password..."
puts "BASTION SAYS: trying with fallback password $tryid after sleeping for $arg_fallback_delay seconds..."
sleep $arg_fallback_delay
}
# reading password (256 chars max)
@ -102,10 +105,10 @@ proc attempt_to_login args {
# try to login with the main password file
set tryid 0
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $spawn_args]
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login $arg_file $arg_fallback_delay $spawn_args]
while { $last_attempt == 100 && $tryid < 10 } {
# auth failed, might want to try with the fallback
incr tryid
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $spawn_args]
set last_attempt [attempt_to_login $tryid $arg_prog $arg_login "$arg_file.$tryid" $arg_fallback_delay $spawn_args]
}
exit $last_attempt
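Review bot: The new `arg_fallback_delay` argument is taken from `argv` and handed straight to `sleep` inside `attempt_to_login` without any check, so a non-numeric value surfaces as a Tcl error from `sleep` on the second attempt rather than as a usage error up front, and a negative value (which the Perl caller's `=i` option does accept) reaches `sleep` with behaviour that is not pinned down here. I would validate it right after the argument-count check, e.g. `if { ![string is integer -strict $arg_fallback_delay] || $arg_fallback_delay < 0 } { puts "BASTION SAYS: autologin usage error, <fallback_delay> must be a non-negative integer"; exit 1 }`. A value of 0 is accepted and removes the pause between the up-to-ten fallback attempts; if the pause exists to avoid tripping lockout or fail2ban-style thresholds on the target, a comment saying so (and whether 0 is intentionally allowed) would help the next maintainer. As a point of style, the proc's local keeps the `arg_` prefix (`arg_fallback_delay`) unlike its siblings `prog`, `login` and `file`, and shadows the global of the same name; `fallback_delay` would be consistent.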


@ -344,33 +344,34 @@ else {
my $remainingOptions;
($result, $remainingOptions) = GetOptionsFromString(
$beforeOptions,
"port|p=i" => \my $optPort,
"verbose+" => \my $verbose,
"tty|t" => \my $tty,
"no-tty|T" => \my $notty,
"user|u=s" => \my $user,
"osh=s" => \my $osh_command,
"telnet|e" => \my $telnet,
"password=s" => \my $passwordFile,
"P" => \my $selfPassword,
"host|h=s" => \my $host,
"help" => \my $help,
"long-help" => \my $longHelp,
"quiet|q" => \my $quiet,
"timeout=i" => \my $timeout,
"bind=s" => \my $bind,
"debug" => \my $debug,
"json" => \my $json,
"json-greppable" => \my $json_greppable,
"json-pretty" => \my $json_pretty,
"always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above
"never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above
"interactive|i" => \my $interactive,
"netconf" => \my $netconf,
"wait" => \my $wait,
"ssh-as=s" => \my $sshAs,
"use-key=s" => \my $useKey,
"kbd-interactive" => \my $userKbdInteractive,
"port|p=i" => \my $optPort,
"verbose+" => \my $verbose,
"tty|t" => \my $tty,
"no-tty|T" => \my $notty,
"user|u=s" => \my $user,
"osh=s" => \my $osh_command,
"telnet|e" => \my $telnet,
"password=s" => \my $passwordFile,
"P" => \my $selfPassword,
"host|h=s" => \my $host,
"help" => \my $help,
"long-help" => \my $longHelp,
"quiet|q" => \my $quiet,
"timeout=i" => \my $timeout,
"bind=s" => \my $bind,
"debug" => \my $debug,
"json" => \my $json,
"json-greppable" => \my $json_greppable,
"json-pretty" => \my $json_pretty,
"always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above
"never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above
"interactive|i" => \my $interactive,
"netconf" => \my $netconf,
"wait" => \my $wait,
"ssh-as=s" => \my $sshAs,
"use-key=s" => \my $useKey,
"kbd-interactive" => \my $userKbdInteractive,
"fallback-password-delay=i" => \my $fallbackPasswordDelay,
);
if (not defined $realOptions) {
help();
@ -1125,7 +1126,7 @@ if ($telnet) {
$passwordFile = $fnretpass->value;
osh_debug("going to use telnet with this password file : $passwordFile");
print " will use TELNET with password autologin\n\n" unless $quiet;
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'telnet', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
}
# TELNET PASSWORD INTERACTIVE
@ -1152,8 +1153,7 @@ else {
$passwordFile = $fnretpass->value;
osh_debug("going to use ssh with this password file : $passwordFile");
print " will use SSH with password autologin\n\n" unless $quiet;
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45);
push @command, $OVH::Bastion::BASEPATH . '/bin/shell/autologin', 'ssh', $user, $ip, $port, $passwordFile, ($timeout ? $timeout : 45), ($fallbackPasswordDelay // 3);
}
# SSH EGRESS KEYS (and maybe password interactive as a fallback if passwordAllowed)
@ -1531,13 +1531,14 @@ Usage (osh cmd): $bastionName --osh [OSH_COMMAND] [OSH_OPTIONS]
that your shell will eat one level of quotes and backslashes. One working example:
$bastionName srv1.example.org -- "perl -e 'use Data::Dumper; print Dumper(\\\@ARGV)' one 'two is 2' three"
[OPTIONS (ssh)] :
--verbose, -v Enable verbose ssh
--tty, -t Force tty allocation
--no-tty, -T Prevent tty allocation
--use-key FP Explicitly specify the fingerprint of the egress key you want to use
--kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection
--netconf Request to use netconf subsystem
[OPTIONS (ssh)]
--verbose, -v Enable verbose ssh
--tty, -t Force tty allocation
--no-tty, -T Prevent tty allocation
--use-key FP Explicitly specify the fingerprint of the egress key you want to use
--kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection
--netconf Request to use netconf subsystem
--fallback-password-delay S Amount of seconds to wait between subsequent tries in the SSH password autologin fallback mechanism (3).
[OPTIONS (osh cmd)]
--json Return data in json format between JSON_START and JSON_END tags