From 5c72c92bdd92edbb28603e09d96463a687e2436d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Thu, 5 Nov 2020 17:36:17 +0000 Subject: [PATCH] chore: fix typos everywhere --- bin/admin/install | 2 +- bin/admin/setup-gpg.sh | 2 +- bin/plugin/open/info | 2 +- bin/plugin/open/nc | 2 +- bin/plugin/open/selfListSessions | 2 +- bin/plugin/restricted/accountUnexpire | 2 +- bin/plugin/restricted/realmInfo | 2 +- bin/proxy/osh-http-proxy-worker | 4 ++-- bin/shell/osh.pl | 12 ++++++------ bin/sudogen/generate-sudoers.sh | 4 ++-- doc/HIERARCHY.md | 4 ++-- doc/VERSIONING.md | 2 +- doc/sphinx-plugins-override/groupCreate.override.rst | 2 +- doc/sphinx-plugins-override/groupInfo.rst | 2 +- doc/sphinx-plugins-override/help.rst | 2 +- doc/sphinx-plugins-override/info.rst | 2 +- doc/sphinx/installation/basic.rst | 2 +- doc/sphinx/installation/tests.rst | 2 +- doc/sphinx/plugins/open/groupInfo.rst | 2 +- doc/sphinx/plugins/open/help.rst | 2 +- doc/sphinx/plugins/open/info.rst | 2 +- doc/sphinx/plugins/open/selfListSessions.rst | 2 +- doc/sphinx/plugins/restricted/accountUnexpire.rst | 2 +- doc/sphinx/plugins/restricted/groupCreate.rst | 2 +- doc/sphinx/plugins/restricted/realmInfo.rst | 2 +- doc/sphinx/using/basics.rst | 4 ++-- docker/Dockerfile.centos7 | 2 +- docker/Dockerfile.centos8 | 2 +- docker/Dockerfile.debian10 | 2 +- docker/Dockerfile.debian8 | 2 +- docker/Dockerfile.debian9 | 2 +- docker/Dockerfile.opensuse150 | 2 +- docker/Dockerfile.opensuse151 | 2 +- docker/Dockerfile.sandbox | 2 +- docker/Dockerfile.ubuntu1404 | 2 +- docker/Dockerfile.ubuntu1604 | 2 +- docker/Dockerfile.ubuntu1804 | 2 +- docker/Dockerfile.ubuntu2004 | 2 +- etc/bastion/bastion.conf.dist | 12 ++++++------ etc/ssh/ssh_config.centos7 | 4 ++-- etc/ssh/ssh_config.centos8 | 4 ++-- etc/ssh/ssh_config.debian10 | 4 ++-- etc/ssh/ssh_config.debian7 | 4 ++-- etc/ssh/ssh_config.debian8 | 4 ++-- etc/ssh/ssh_config.debian9 | 4 ++-- etc/ssh/ssh_config.default | 4 ++-- etc/ssh/ssh_config.opensuse15 | 4 ++-- etc/ssh/sshd_config.centos7 | 2 +- 
etc/ssh/sshd_config.centos8 | 2 +- etc/ssh/sshd_config.debian10 | 2 +- etc/ssh/sshd_config.debian7 | 2 +- etc/ssh/sshd_config.debian8 | 2 +- etc/ssh/sshd_config.debian9 | 2 +- etc/ssh/sshd_config.default | 2 +- etc/ssh/sshd_config.opensuse15 | 2 +- lib/perl/OVH/Bastion.pm | 6 +++--- lib/perl/OVH/Bastion/Plugin/generatePassword.pm | 8 ++++---- lib/perl/OVH/Bastion/allowdeny.inc | 8 ++++---- lib/perl/OVH/Bastion/configuration.inc | 2 +- tests/functional/launch_tests_on_instance.sh | 2 +- 60 files changed, 90 insertions(+), 90 deletions(-) diff --git a/bin/admin/install b/bin/admin/install index 11c2ceb..8e1ce20 100755 --- a/bin/admin/install +++ b/bin/admin/install @@ -151,7 +151,7 @@ Usage: $0 --nothing Don't do anything at all, not even what we normally do when all below options are disabled (as in the minimal mode). Can be useful if you want to do only one precise modification that you - can explicitely specify using the options below. + can explicitly specify using the options below. OPTIONS: diff --git a/bin/admin/setup-gpg.sh b/bin/admin/setup-gpg.sh index e1c7360..b0b329f 100755 --- a/bin/admin/setup-gpg.sh +++ b/bin/admin/setup-gpg.sh @@ -136,6 +136,6 @@ fi echo "Usage: $0 <--import|--generate>" echo -echo "Use --generate to generate a new GPG keypair for bastion signing" +echo "Use --generate to generate a new GPG key pair for bastion signing" echo "Use --import to import the administrator GPG key you've generated on your desk (ttyrecs, keys and acls backups will be encrypted to it)" exit 0 diff --git a/bin/plugin/open/info b/bin/plugin/open/info index 8f8bccb..d472754 100755 --- a/bin/plugin/open/info +++ b/bin/plugin/open/info 
@@ -139,7 +139,7 @@ osh_info "The networks I'm able to connect you to on the egress side are: " . co $ret{'allowed_networks_list'} = \@allowedNets; my @forbiddenNets = @{$config->{'forbiddenNetworks'}}; -osh_info "The networks that are explicitely forbidden on the egress side are: " . colored(@forbiddenNets ? join(", ", @forbiddenNets) : "none", "magenta"); +osh_info "The networks that are explicitly forbidden on the egress side are: " . colored(@forbiddenNets ? join(", ", @forbiddenNets) : "none", "magenta"); $ret{'forbidden_networks_list'} = \@forbiddenNets; $fnret = OVH::Bastion::get_bastion_ips(); diff --git a/bin/plugin/open/nc b/bin/plugin/open/nc index 52fc260..aefa4bd 100755 --- a/bin/plugin/open/nc +++ b/bin/plugin/open/nc @@ -62,7 +62,7 @@ push @command, ($timeout and $timeout > 0 and $timeout <= 3600) ? $timeout : 3; push @command, $host; push @command, $port; -osh_info "Checking wether TCP port $port of $host is reachable..."; +osh_info "Checking whether TCP port $port of $host is reachable..."; $fnret = OVH::Bastion::execute(cmd => \@command, noisy_stdout => 1, noisy_stderr => 1); $fnret or osh_exit $fnret; diff --git a/bin/plugin/open/selfListSessions b/bin/plugin/open/selfListSessions index 6c334bc..63345da 100755 --- a/bin/plugin/open/selfListSessions +++ b/bin/plugin/open/selfListSessions @@ -32,7 +32,7 @@ List the few past sessions of your account Usage: --osh SCRIPT_NAME [OPTIONS] - --detailed Display more informations about each session + --detailed Display more information about each session --limit LIMIT Limit to LIMIT results --id ID Only sessions having this ID --type TYPE Only sessions of specified type (ssh, osh, ...) diff --git a/bin/plugin/restricted/accountUnexpire b/bin/plugin/restricted/accountUnexpire index e0757c6..4d9b162 100755 --- a/bin/plugin/restricted/accountUnexpire +++ b/bin/plugin/restricted/accountUnexpire 
@@ -22,7 +22,7 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT --account ACCOUNT Account to work on -When the bastion is configued to expire accounts that haven't been seen in a while, +When the bastion is configured to expire accounts that haven't been seen in a while, this command can be used to activate them back. EOF ); diff --git a/bin/plugin/restricted/realmInfo b/bin/plugin/restricted/realmInfo index de491ce..e6528d4 100755 --- a/bin/plugin/restricted/realmInfo +++ b/bin/plugin/restricted/realmInfo @@ -13,7 +13,7 @@ OVH::Bastion::Plugin::begin( header => "realm information", options => {'realm=s' => \my $pRealm}, helptext => <<'EOF', -Display informations about a bastion realm +Display information about a bastion realm Usage: --osh SCRIPT_NAME --realm REALM diff --git a/bin/proxy/osh-http-proxy-worker b/bin/proxy/osh-http-proxy-worker index 90f8d1d..d469f24 100755 --- a/bin/proxy/osh-http-proxy-worker +++ b/bin/proxy/osh-http-proxy-worker @@ -175,8 +175,8 @@ undef $storedhash; # read the password we must use # pseudoalgo: -# if mode was explicitely specified to group, we look for a group password -# elif mode was explicitely specified to self, we look for a self account password +# if mode was explicitly specified to group, we look for a group password +# elif mode was explicitly specified to self, we look for a self account password # elif the legacy file with the same name as $user exists in /home/passkeeper, use it # elif the specified $user happens to be a group name, look for this group password # else look for a self account password diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl index 0acc6c6..2960392 100755 --- a/bin/shell/osh.pl +++ b/bin/shell/osh.pl 
@@ -324,7 +324,7 @@ if ($realOptions =~ /^(.*?) -- (.*)$/) { } else { # we have no -- delimiter, either there was no remote command (that's fine), - # or it's indistiguishable from the bastion options, in that case GetOptionsFromString + # or it's indistinguishable from the bastion options, in that case GetOptionsFromString # will leave what it doesn't recognize, will also fuck up "" and '', but users are warned # to always use -- anyway, and we'll use that as a remote command $beforeOptions = $realOptions; @@ -790,7 +790,7 @@ if ($osh_command) { $log_db_name = $logret->value->{'db_name'}; } else { - warn_syslog("Failed to insert accesss log: " . $logret->msg); + warn_syslog("Failed to insert access log: " . $logret->msg); if ($ip eq '127.0.0.1') { osh_warn("Would deny access on out of space condition but you're root\@127.0.0.1, I hope you're here to fix me!"); } @@ -802,10 +802,10 @@ if ($osh_command) { if ($fnret) { my @cmd = ($fnret->value->{'fullpath'}, $user, $ip, $host, $optPort, @$remainingOptions); - # is plugin explicitely disabled? + # is plugin explicitly disabled? my $isDisabled = OVH::Bastion::plugin_config(plugin => $osh_command, key => "disabled"); - # plugin is enabled by default if not explicitely disabled + # plugin is enabled by default if not explicitly disabled if ($isDisabled and $isDisabled->value() =~ /yes/) { main_exit OVH::Bastion::EXIT_RESTRICTED_COMMAND, "plugin_disabled", "Sorry, this plugin has been disabled by policy."; } @@ -1160,7 +1160,7 @@ else { if (not $quiet) { $fnret = OVH::Bastion::account_config(account => $self, key => OVH::Bastion::OPT_ACCOUNT_IDLE_IGNORE, public => 1); if ($fnret && $fnret->value =~ /yes/) { - osh_debug("Acccount is immune to idle"); + osh_debug("Account is immune to idle"); } else { if ($config->{'idleLockTimeout'}) { 
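Review bot: The corrected text in `warn_syslog("Failed to insert access log: " . $logret->msg)` (hunk at -790) is a syslog message, so any alert rule or functional test that matches the old spelling `accesss log` stops matching once this lands. The message marks a failure to write the access log, which operators are likely to alert on, so the change deserves a line in the commit description or upgrade notes, e.g. `syslog message "Failed to insert accesss log" is now spelled "access log"; update log-matching rules`. Whether such rules exist cannot be seen from the hunk, and the enclosing `if ($osh_command)` block starts and ends outside it.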
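Review bot: In the hunk at -802 the disable check `$isDisabled->value() =~ /yes/` is unanchored and case-sensitive, so a configured value such as `Yes` or `true` leaves the plugin enabled, while any string that merely contains `yes` disables it. For a policy switch the comparison should be exact, e.g. `if ($isDisabled and $isDisabled->value() =~ /\Ayes\z/i) {`, unless `plugin_config` already normalizes the value, which is not visible here. The same loose match appears in the hunk at -1160 (`$fnret->value =~ /yes/` for the idle-ignore option), where it decides whether an account is exempt from the idle timeout. Both enclosing blocks extend beyond their hunks.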
@@ -1441,7 +1441,7 @@ Usage (osh cmd): $bastionName --osh [OSH_COMMAND] [OSH_OPTIONS] --verbose, -v Enable verbose ssh --tty, -t Force tty allocation --no-tty, -T Prevent tty allocation - --use-key FP Explicitely specify the fingerprint of the egress key you want to use + --use-key FP Explicitly specify the fingerprint of the egress key you want to use --kbd-interactive Enable the keyboard-interactive authentication scheme on egress connection --netconf Request to use netconf subsystem diff --git a/bin/sudogen/generate-sudoers.sh b/bin/sudogen/generate-sudoers.sh index 50a2ed8..28cf9a9 100755 --- a/bin/sudogen/generate-sudoers.sh +++ b/bin/sudogen/generate-sudoers.sh @@ -49,7 +49,7 @@ generate_account_sudoers() perl -pe "s!%ACCOUNT%!$account!g;s!%NORMACCOUNT%!$normalized_account!g;s!%BASEPATH%!$basedir!g" "$template" done } > "${dst}.tmp" - # then move the file to its final name (potentially overwritting a previous file of the same name) + # then move the file to its final name (potentially overwriting a previous file of the same name) mv -f "${dst}.tmp" "$dst" return 0 } @@ -84,7 +84,7 @@ generate_group_sudoers() perl -pe "s!%GROUP%!$group!g;s!%BASEPATH%!$basedir!g" "$template" done } > "${dst}.tmp" - # then move the file to its final name (potentially overwritting a previous file of the same name) + # then move the file to its final name (potentially overwriting a previous file of the same name) mv -f "${dst}.tmp" "$dst" return 0 } diff --git a/doc/HIERARCHY.md b/doc/HIERARCHY.md index 47133ab..47fb463 100644 --- a/doc/HIERARCHY.md +++ b/doc/HIERARCHY.md 
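Review bot: The `perl -pe "s!%ACCOUNT%!$account!g;..."` line in generate_account_sudoers (hunk at -49) lets the shell expand `$account`, `$normalized_account` and `$basedir` inside the Perl program text, so a value containing `!` or other Perl syntax changes the substitution program whose output becomes a sudoers file. Passing the values through the environment keeps them as data: `ACCOUNT="$account" NORMACCOUNT="$normalized_account" BASEPATH="$basedir" perl -pe 's!%ACCOUNT%!$ENV{ACCOUNT}!g;s!%NORMACCOUNT%!$ENV{NORMACCOUNT}!g;s!%BASEPATH%!$ENV{BASEPATH}!g' "$template"`. generate_group_sudoers (hunk at -84) has the same construction with `$group`. Any validation of these names happens outside the hunks, and both functions start before them.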
@@ -15,12 +15,12 @@ The OVH::Bastion directory hierarchy is organized as follows: - bin/plugin/group-gatekeeper: plugins that can only be launched by group gatekeepers - bin/plugin/group-owner: plugins that can only be launched by group owners - bin/plugin/open: plugins that can be launched by any user - - bin/plugin/restricted: plugins that can be launched only by users that are explicitely granted on said plugins + - bin/plugin/restricted: plugins that can be launched only by users that are explicitly granted on said plugins - bin/shell: where resides the main script that is declared as the shell of the bastion users, with some of its helpers - bin/sudogen: where resides the helper script that generate group and account sudoers files - bin/other: other helper scripts for various tasks - contrib: placeholder directory with a readme file that references other repositories of interest when integrating the bastion in your company -- doc: sysadmin-proof documentation folder, the main Markdown files you need are there, just one `view` appart +- doc: sysadmin-proof documentation folder, the main Markdown files you need are there, just one `view` apart - doc/sphinx: more complete documentation using the `sphinx` documentation system, the built version is viewable on https://ovh.github.io/the-bastion/ - docker: where the Dockerfiles reside - etc: contains all the template configuration files that will be installed on your system (depending on your `install` options) diff --git a/doc/VERSIONING.md b/doc/VERSIONING.md index 5dbcd2f..f053c90 100644 --- a/doc/VERSIONING.md +++ b/doc/VERSIONING.md 
@@ -9,7 +9,7 @@ Update between a previous `ZZ` version is supposed to be frictionless. - The `YY` part is considered a major update, potentially with new features (and new bugs!). Be sure to read the UPGRADE.md documentation which might contain instructions for a smoother update. If no specific instruction can be found, it means there's no specific action to be taken, -appart from following the usual update process. +apart from following the usual update process. If the change introduces an incompatibility between a `master` and its `slave`s, it'll be detailed in the UPGRADE.md file. diff --git a/doc/sphinx-plugins-override/groupCreate.override.rst b/doc/sphinx-plugins-override/groupCreate.override.rst index 281e5dd..107db8f 100644 --- a/doc/sphinx-plugins-override/groupCreate.override.rst +++ b/doc/sphinx-plugins-override/groupCreate.override.rst @@ -35,7 +35,7 @@ Create a new bastion group .. option:: --no-key - No egress keypair will be generated. In that case, omit ``--algo`` and ``--size``. + No egress key pair will be generated. In that case, omit ``--algo`` and ``--size``. Algorithms guideline ==================== diff --git a/doc/sphinx-plugins-override/groupInfo.rst b/doc/sphinx-plugins-override/groupInfo.rst index 5d32159..d956d45 100644 --- a/doc/sphinx-plugins-override/groupInfo.rst +++ b/doc/sphinx-plugins-override/groupInfo.rst @@ -15,7 +15,7 @@ Output example ~ keyline follows, please copy the *whole* line: from="203.0.113.4/32,192.0.2.0/26" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdD60bA3NgaOpRLgcACWfKcAMRQQRyFMppwp5GpHLTB mygroup@testbastion:1523886640 -The first paragraph of the output lists the differents roles along with the people having these roles. +The first paragraph of the output lists the different roles along with the people having these roles. You can also see the public egress key of this group, i.e. the key that needs to be added to the remote servers' ``authorized_keys`` files, so that ``members`` of this group can access these servers. 
diff --git a/doc/sphinx-plugins-override/help.rst b/doc/sphinx-plugins-override/help.rst index 70f82cf..3591083 100644 --- a/doc/sphinx-plugins-override/help.rst +++ b/doc/sphinx-plugins-override/help.rst @@ -7,7 +7,7 @@ Note that if you want some help about the bastion (and not specifically about th Colors ====== -You'll notice that plugins are hilighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. +You'll notice that plugins are highlighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. - green (``open``): these plugins can be called by anybody - blue (``restricted``): these plugins can only be called by users having the specific right to call them. This right is granted per plugin by the ``accountGrantCommand`` plugin diff --git a/doc/sphinx-plugins-override/info.rst b/doc/sphinx-plugins-override/info.rst index 7f36f97..288c2d0 100644 --- a/doc/sphinx-plugins-override/info.rst +++ b/doc/sphinx-plugins-override/info.rst @@ -22,7 +22,7 @@ Output example ~ I have 42 registered accounts and 46 groups ~ I am a MASTER, which means I accept modifications ~ The networks I'm able to connect you to on the egress side are: all - ~ The networks that are explicitely forbidden on the egress side are: none + ~ The networks that are explicitly forbidden on the egress side are: none ~ My egress connection IP to remote servers is 192.0.2.45/32 ~ ...don't forget to whitelist me in your firewalls! ~ diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst index 1268be5..1dc805e 100644 --- a/doc/sphinx/installation/basic.rst +++ b/doc/sphinx/installation/basic.rst 
@@ -9,7 +9,7 @@ If you are just upgrading from a previous version, please read :doc:`upgrading` for more information. + The Bastion expects to be the only main service running on the server, please see :ref:`this FAQ entry ` for more information. The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: diff --git a/doc/sphinx/installation/tests.rst b/doc/sphinx/installation/tests.rst index 5ef7bab..30009e9 100644 --- a/doc/sphinx/installation/tests.rst +++ b/doc/sphinx/installation/tests.rst @@ -27,7 +27,7 @@ Then, from another machine, run: ``test/functional/launch_tests_on_instance.sh [outdir]`` -Where ``IP`` and ``port`` are the informations needed to connect to the remote server to test, ``remote_user_name`` is the name of the account created on the remote bastion to use for the tests, and ``ssh_key_path`` is the private SSH key path used to connect to the account. The ``outdir`` parameter is optional, if you want to keep the raw output of each test. +Where ``IP`` and ``port`` are the information needed to connect to the remote server to test, ``remote_user_name`` is the name of the account created on the remote bastion to use for the tests, and ``ssh_key_path`` is the private SSH key path used to connect to the account. The ``outdir`` parameter is optional, if you want to keep the raw output of each test. This script is also the script used by the Docker client instance, so you're sure to get the proper results even without using Docker. diff --git a/doc/sphinx/plugins/open/groupInfo.rst b/doc/sphinx/plugins/open/groupInfo.rst index 986f231..b1ebdad 100644 --- a/doc/sphinx/plugins/open/groupInfo.rst +++ b/doc/sphinx/plugins/open/groupInfo.rst 
@@ -37,7 +37,7 @@ Output example ~ keyline follows, please copy the *whole* line: from="203.0.113.4/32,192.0.2.0/26" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdD60bA3NgaOpRLgcACWfKcAMRQQRyFMppwp5GpHLTB mygroup@testbastion:1523886640 -The first paragraph of the output lists the differents roles along with the people having these roles. +The first paragraph of the output lists the different roles along with the people having these roles. You can also see the public egress key of this group, i.e. the key that needs to be added to the remote servers' ``authorized_keys`` files, so that ``members`` of this group can access these servers. diff --git a/doc/sphinx/plugins/open/help.rst b/doc/sphinx/plugins/open/help.rst index 1d800c5..d7e843d 100644 --- a/doc/sphinx/plugins/open/help.rst +++ b/doc/sphinx/plugins/open/help.rst @@ -24,7 +24,7 @@ Note that if you want some help about the bastion (and not specifically about th Colors ====== -You'll notice that plugins are hilighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. +You'll notice that plugins are highlighted in different colors, these indicate the access level needed to run the plugin. Note that plugins you don't have access to are simply omitted. - green (``open``): these plugins can be called by anybody - blue (``restricted``): these plugins can only be called by users having the specific right to call them. This right is granted per plugin by the ``accountGrantCommand`` plugin diff --git a/doc/sphinx/plugins/open/info.rst b/doc/sphinx/plugins/open/info.rst index 19fb860..8e0dc10 100644 --- a/doc/sphinx/plugins/open/info.rst +++ b/doc/sphinx/plugins/open/info.rst 
@@ -39,7 +39,7 @@ Output example ~ I have 42 registered accounts and 46 groups ~ I am a MASTER, which means I accept modifications ~ The networks I'm able to connect you to on the egress side are: all - ~ The networks that are explicitely forbidden on the egress side are: none + ~ The networks that are explicitly forbidden on the egress side are: none ~ My egress connection IP to remote servers is 192.0.2.45/32 ~ ...don't forget to whitelist me in your firewalls! ~ diff --git a/doc/sphinx/plugins/open/selfListSessions.rst b/doc/sphinx/plugins/open/selfListSessions.rst index faa453f..191e391 100644 --- a/doc/sphinx/plugins/open/selfListSessions.rst +++ b/doc/sphinx/plugins/open/selfListSessions.rst @@ -16,7 +16,7 @@ List the few past sessions of your account .. option:: --detailed - Display more informations about each session + Display more information about each session .. option:: --limit LIMIT diff --git a/doc/sphinx/plugins/restricted/accountUnexpire.rst b/doc/sphinx/plugins/restricted/accountUnexpire.rst index bcbaf4d..24d2752 100644 --- a/doc/sphinx/plugins/restricted/accountUnexpire.rst +++ b/doc/sphinx/plugins/restricted/accountUnexpire.rst @@ -19,7 +19,7 @@ Unexpire an inactivity-expired account Account to work on -When the bastion is configued to expire accounts that haven't been seen in a while, +When the bastion is configured to expire accounts that haven't been seen in a while, this command can be used to activate them back. diff --git a/doc/sphinx/plugins/restricted/groupCreate.rst b/doc/sphinx/plugins/restricted/groupCreate.rst index b975619..d9e1a3c 100644 --- a/doc/sphinx/plugins/restricted/groupCreate.rst +++ b/doc/sphinx/plugins/restricted/groupCreate.rst @@ -39,7 +39,7 @@ Create a new bastion group .. option:: --no-key - No egress keypair will be generated. In that case, omit ``--algo`` and ``--size``. + No egress key pair will be generated. In that case, omit ``--algo`` and ``--size``. Algorithms guideline ==================== 
diff --git a/doc/sphinx/plugins/restricted/realmInfo.rst b/doc/sphinx/plugins/restricted/realmInfo.rst index 876b263..c9213cf 100644 --- a/doc/sphinx/plugins/restricted/realmInfo.rst +++ b/doc/sphinx/plugins/restricted/realmInfo.rst @@ -2,7 +2,7 @@ realmInfo ========== -Display informations about a bastion realm +Display information about a bastion realm ========================================== diff --git a/doc/sphinx/using/basics.rst b/doc/sphinx/using/basics.rst index d749099..951ed30 100644 --- a/doc/sphinx/using/basics.rst +++ b/doc/sphinx/using/basics.rst @@ -27,7 +27,7 @@ For the remaining of this documentation, we'll assume your bastion alias is `bss You can do to categories of things on the bastion: -- Connect to infrastructures throught it +- Connect to infrastructures through it - Interact with the bastion itself, for example to manage your account, and/or groups, through so-called *plugins*, also named *osh commands* Plugins @@ -156,7 +156,7 @@ Now that you have it, you can push this public key (the line starting with the * -------------------------------------------------------------------------------- ~ Testing connection to root@198.51.100.42, please wait... Warning: Permanently added '198.51.100.42' (ECDSA) to the list of known hosts. - ~ Access to root@198.51.100.42:22 succesfully added + ~ Access to root@198.51.100.42:22 successfully added -------------------------------------------------------- bssh(master)> diff --git a/docker/Dockerfile.centos7 b/docker/Dockerfile.centos7 index 89067ab..14e8d44 100644 --- a/docker/Dockerfile.centos7 +++ b/docker/Dockerfile.centos7 
@@ -7,7 +7,7 @@ COPY lib/shell /opt/bastion/lib/sh RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.centos8 b/docker/Dockerfile.centos8 index c73ad6d..3607961 100644 --- a/docker/Dockerfile.centos8 +++ b/docker/Dockerfile.centos8 @@ -7,7 +7,7 @@ COPY lib/shell /opt/bastion/lib/sh RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.debian10 b/docker/Dockerfile.debian10 index a40d78e..16db977 100644 --- a/docker/Dockerfile.debian10 +++ b/docker/Dockerfile.debian10 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.debian8 b/docker/Dockerfile.debian8 index 30eded6..0406bf5 100644 --- a/docker/Dockerfile.debian8 +++ b/docker/Dockerfile.debian8 
@@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.debian9 b/docker/Dockerfile.debian9 index 543c54b..a3bcea1 100644 --- a/docker/Dockerfile.debian9 +++ b/docker/Dockerfile.debian9 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.opensuse150 b/docker/Dockerfile.opensuse150 index 33c604c..408798f 100644 --- a/docker/Dockerfile.opensuse150 +++ b/docker/Dockerfile.opensuse150 @@ -7,7 +7,7 @@ COPY lib/shell /opt/bastion/lib/sh RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.opensuse151 b/docker/Dockerfile.opensuse151 index 4090de7..bdb9ce0 100644 --- a/docker/Dockerfile.opensuse151 +++ b/docker/Dockerfile.opensuse151 
@@ -7,7 +7,7 @@ COPY lib/shell /opt/bastion/lib/sh RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.sandbox b/docker/Dockerfile.sandbox index d664a1b..23ed267 100644 --- a/docker/Dockerfile.sandbox +++ b/docker/Dockerfile.sandbox @@ -17,7 +17,7 @@ RUN \ rm -rf /var/cache/apt && \ # handle locales \ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen && \ - # disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log \ + # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf && \ # accountUidMax & ttyrecGroupIdOffset change: fixes https://github.com/ovh/the-bastion/issues/24 \ sed -i -re 's/^"accountUidMax":.+/"accountUidMax": 9999,/;s/^"ttyrecGroupIdOffset":.+/"ttyrecGroupIdOffset": 10000,/' /opt/bastion/etc/bastion/bastion.conf.dist && \ diff --git a/docker/Dockerfile.ubuntu1404 b/docker/Dockerfile.ubuntu1404 index 0b1ad0c..6563f28 100644 --- a/docker/Dockerfile.ubuntu1404 +++ b/docker/Dockerfile.ubuntu1404 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.ubuntu1604 b/docker/Dockerfile.ubuntu1604 index cc6e043..4d17dba 100644 --- a/docker/Dockerfile.ubuntu1604 
+++ b/docker/Dockerfile.ubuntu1604 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.ubuntu1804 b/docker/Dockerfile.ubuntu1804 index b136791..b18aa7a 100644 --- a/docker/Dockerfile.ubuntu1804 +++ b/docker/Dockerfile.ubuntu1804 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.ubuntu2004 b/docker/Dockerfile.ubuntu2004 index b0313b5..1483723 100644 --- a/docker/Dockerfile.ubuntu2004 +++ b/docker/Dockerfile.ubuntu2004 @@ -10,7 +10,7 @@ RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist index c10de82..9086c78 100644 --- a/etc/bastion/bastion.conf.dist +++ b/etc/bastion/bastion.conf.dist 
@@ -30,13 +30,13 @@
 "defaultLogin": "",
 #
 # adminAccounts (list of accounts names), deprecated alias: adminLogins
-# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys resetted by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Tule of thumb: only add here people that have root@localhost access to the bastion
+# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Tule of thumb: only add here people that have root@localhost access to the bastion
 # DEFAULT: []
 "adminAccounts": [],
 #
 # superOwnerAccounts (list of account names)
 # VALUE: list of accounts that are considered as super group owners
-# DESC: The list of accounts that are considered as "Super Group Owners". They can run all group administrative commands, exactly as if they were owners of all the groups. Super Owners are only here as a last resort when the owners/gatekeepers/aclkeepers of a group are not available. Every command run by a Super Owner that would have failed if the account was not a Super Owner is logged explicitely as "Super Owner Override". You can see it as a "sudo" for group management. Don't add here accounts that are bastion Admins, they already inherit the Super Owner role.
+# DESC: The list of accounts that are considered as "Super Group Owners". They can run all group administrative commands, exactly as if they were owners of all the groups. Super Owners are only here as a last resort when the owners/gatekeepers/aclkeepers of a group are not available. Every command run by a Super Owner that would have failed if the account was not a Super Owner is logged explicitly as "Super Owner Override". You can see it as a "sudo" for group management. Don't add here accounts that are bastion Admins, they already inherit the Super Owner role.
 # DEFAULT: []
 "superOwnerAccounts": [],
 #
@@ -51,7 +51,7 @@
 "forbiddenNetworks": [],
 #
 # ingressToEgressRules (array of arrays of rules, a rule being a 3-uple of {array, array, string})
-# DESC: Fine-grained rules (a la netfilter) to apply global restrictions to possible egress destinations given ingress IPs. Rules here are enforced at all times and can NOT be overriden by users or admins.
+# DESC: Fine-grained rules (a la netfilter) to apply global restrictions to possible egress destinations given ingress IPs. Rules here are enforced at all times and can NOT be overridden by users or admins.
 # DEFAULT: [], which means no restriction
 # DETAILS: A rule is a 3-uple of {array of ingress networks, array of egress networks, policy to apply}.
 # Each rule will be processed IN ORDER. The first rule to match will be applied and no other rule will be checked.
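Review bot: The rewritten adminAccounts DESC line (first changed line of the `@@ -30,13 +30,13 @@` hunk) still carries two typos that this typo-fixing commit leaves in place: `allchecks` should read `all checks`, and `Tule of thumb` should read `Rule of thumb`. This paragraph is what operators read when deciding who gets bastion admin rights, and it also tells them that osh-admin group membership is required, so the wording is worth getting exact in the same pass.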
@@ -70,7 +70,7 @@
 # but not any other machine from the wider 192.168.0.0/16 network (rule #3). It can however
 # access any other machine outside of this block (implicit allow catch-all rule, as there is
 # no corresponding DENY rule, and rule #2 is ALLOW and not ALLOW-EXCLUSIVE)
-# - The 192.168.0.0/16 network (except 192.168.42.0/16) can accesss any machine except one from its own network (rule #3)
+# - The 192.168.0.0/16 network (except 192.168.42.0/16) can access any machine except one from its own network (rule #3)
 # - All the other networks can access any other network (including egress 10.20.0.0/16 or egress 192.168.0.0/16)
 # In any case, all the personal and group accesses still apply in addition to these global rules
 "ingressToEgressRules": [],
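Review bot: The corrected example line still reads `192.168.0.0/16 network (except 192.168.42.0/16)`, and a /16 mask on 192.168.42.0 covers the whole of 192.168.0.0/16, so the stated exception excludes nothing. The example presumably means a narrower block such as `192.168.42.0/24`, but the rule list it describes is outside this hunk, so check it against those rules before changing the prefix. A wrong prefix in the worked example for a global egress-restriction option is easy to copy into a real rule set.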
@@ -113,7 +113,7 @@
 "accountExternalValidationProgram": "",
 #
 # accountExternalValidationDenyOnFailure (boolean-int, aka 0 or 1)
-# DESC: If we can't validate an account using the above configured program, for example because the path doesn't exist, the file is not executable, or because the program returns the exit code 4 (see above for more informaton), this configuration option indicates whether we should deny or allow access. Note that the bastion admins will always be allowed if the accountExternalValidationProgram doesn't work correctly, because they're expected to be able to fix it. They would be denied, as any other account, if accountExternalValidationProgram works correctly and denies them access, however. If you're still testing your account validation procedure, and don't want to break your users workflow while you're not 100% sure it works correctly, you can say 0 ("false") here, and return 4 instead of 1 in your accountExternalValidationProgram when you would want to deny access.
+# DESC: If we can't validate an account using the above configured program, for example because the path doesn't exist, the file is not executable, or because the program returns the exit code 4 (see above for more information), this configuration option indicates whether we should deny or allow access. Note that the bastion admins will always be allowed if the accountExternalValidationProgram doesn't work correctly, because they're expected to be able to fix it. They would be denied, as any other account, if accountExternalValidationProgram works correctly and denies them access, however. If you're still testing your account validation procedure, and don't want to break your users workflow while you're not 100% sure it works correctly, you can say 0 ("false") here, and return 4 instead of 1 in your accountExternalValidationProgram when you would want to deny access.
 # DEFAULT: 1
 "accountExternalValidationDenyOnFailure": 1,
 #
@@ -238,7 +238,7 @@
 "MFAPostCommand": [],
 #
 # remoteCommandEscapeByDefault (boolean-int, i.e. 0 or 1)
-# DESC: If set to 0, will not escape simple quotes in remote commands by default. Leave it to 0 if possible. Will escape simple quotes otherwise (legacy "broken" behavior). Can be overriden at runtime with --never-escape and --always-escape
+# DESC: If set to 0, will not escape simple quotes in remote commands by default. Leave it to 0 if possible. Will escape simple quotes otherwise (legacy "broken" behavior). Can be overridden at runtime with --never-escape and --always-escape
 # DEFAULT: 0
 "remoteCommandEscapeByDefault": 0,
 #
diff --git a/etc/ssh/ssh_config.centos7 b/etc/ssh/ssh_config.centos7
index 963cfa1..79b8e39 100644
--- a/etc/ssh/ssh_config.centos7
+++ b/etc/ssh/ssh_config.centos7
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.centos8 b/etc/ssh/ssh_config.centos8
index 963cfa1..79b8e39 100644
--- a/etc/ssh/ssh_config.centos8
+++ b/etc/ssh/ssh_config.centos8
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.debian10 b/etc/ssh/ssh_config.debian10
index 963cfa1..79b8e39 100644
--- a/etc/ssh/ssh_config.debian10
+++ b/etc/ssh/ssh_config.debian10
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.debian7 b/etc/ssh/ssh_config.debian7
index 4be322f..329595f 100644
--- a/etc/ssh/ssh_config.debian7
+++ b/etc/ssh/ssh_config.debian7
@@ -75,10 +75,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.debian8 b/etc/ssh/ssh_config.debian8
index 963cfa1..79b8e39 100644
--- a/etc/ssh/ssh_config.debian8
+++ b/etc/ssh/ssh_config.debian8
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.debian9 b/etc/ssh/ssh_config.debian9
index 963cfa1..79b8e39 100644
--- a/etc/ssh/ssh_config.debian9
+++ b/etc/ssh/ssh_config.debian9
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.default b/etc/ssh/ssh_config.default
index 8120415..accf3b7 100644
--- a/etc/ssh/ssh_config.default
+++ b/etc/ssh/ssh_config.default
@@ -76,10 +76,10 @@ HostbasedAuthentication no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey
 # === LOGIN ###
diff --git a/etc/ssh/ssh_config.opensuse15 b/etc/ssh/ssh_config.opensuse15
index 70e117a..6430f30 100644
--- a/etc/ssh/ssh_config.opensuse15
+++ b/etc/ssh/ssh_config.opensuse15
@@ -80,10 +80,10 @@ GSSAPIDelegateCredentials no
 # NOTE1: as per the ssh source code, an auth method omitted hereafter
 # will not be used, even if set to "yes" above.
 # NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitely on command-line (pubkey OR sshpass), so the value
+# value explicitly on command-line (pubkey OR sshpass), so the value
 # specified hereafter will be ignored. if you want to force-disable
 # a method, set it to "no" in the list above, as those will never be
-# overriden by the code.
+# overridden by the code.
 PreferredAuthentications publickey,keyboard-interactive
 # === LOGIN ###
diff --git a/etc/ssh/sshd_config.centos7 b/etc/ssh/sshd_config.centos7
index 71816b8..9480d2e 100644
--- a/etc/ssh/sshd_config.centos7
+++ b/etc/ssh/sshd_config.centos7
@@ -84,7 +84,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.centos8 b/etc/ssh/sshd_config.centos8
index 71816b8..9480d2e 100644
--- a/etc/ssh/sshd_config.centos8
+++ b/etc/ssh/sshd_config.centos8
@@ -84,7 +84,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.debian10 b/etc/ssh/sshd_config.debian10
index fa506eb..66be6a2 100644
--- a/etc/ssh/sshd_config.debian10
+++ b/etc/ssh/sshd_config.debian10
@@ -88,7 +88,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.debian7 b/etc/ssh/sshd_config.debian7
index de5c0b1..929ee9f 100644
--- a/etc/ssh/sshd_config.debian7
+++ b/etc/ssh/sshd_config.debian7
@@ -76,7 +76,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.debian8 b/etc/ssh/sshd_config.debian8
index 6d63e19..1b83dab 100644
--- a/etc/ssh/sshd_config.debian8
+++ b/etc/ssh/sshd_config.debian8
@@ -88,7 +88,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.debian9 b/etc/ssh/sshd_config.debian9
index 6d63e19..1b83dab 100644
--- a/etc/ssh/sshd_config.debian9
+++ b/etc/ssh/sshd_config.debian9
@@ -88,7 +88,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/etc/ssh/sshd_config.default b/etc/ssh/sshd_config.default
index 088ef25..5771263 100644
--- a/etc/ssh/sshd_config.default
+++ b/etc/ssh/sshd_config.default
@@ -79,7 +79,7 @@ ChallengeResponseAuthentication no
 # ... not host-based
 HostbasedAuthentication no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # root login is allowed only with public keys, not passwords
diff --git a/etc/ssh/sshd_config.opensuse15 b/etc/ssh/sshd_config.opensuse15
index 973ad31..dc00061 100644
--- a/etc/ssh/sshd_config.opensuse15
+++ b/etc/ssh/sshd_config.opensuse15
@@ -84,7 +84,7 @@ HostbasedAuthentication no
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
-# just in case, we also explicitely deny empty passwords
+# just in case, we also explicitly deny empty passwords
 PermitEmptyPasswords no
 # this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index c163aa9..fd7eb6d 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -26,7 +26,7 @@ BEGIN {
 my $criticity = ($type eq 'die' ? 'err' : 'warning');
 # Net::Server can be noisy if the client fails to establish the SSL connection,
- # transform thoses die into info to avoid triggering SIEM alerts
+ # transform those die into info to avoid triggering SIEM alerts
 $criticity = 'info' if (defined $msg and $msg =~ m{^Could not finalize SSL connection with client handle});
 require Carp;
@@ -156,7 +156,7 @@ sub AUTOLOAD { ## no critic (AutoLoading)
 die "AUTOLOAD FAILED: $AUTOLOAD";
 }
-# checks wether an account is expired (inactivity) if that's configured on this bastion
+# checks whether an account is expired (inactivity) if that's configured on this bastion
 sub is_account_nonexpired {
 my %params = @_;
 my $sysaccount = $params{'sysaccount'};
@@ -499,7 +499,7 @@ sub is_valid_ip {
 my %params = @_;
 my $ip = $params{'ip'};
 my $allowPrefixes = $params{'allowPrefixes'}; # if not, a /24 or /32 notation is rejected
- my $fast = $params{'fast'}; # fast mode: avoid instanciating Net::IP... except if ipv6
+ my $fast = $params{'fast'}; # fast mode: avoid instantiating Net::IP... except if ipv6
 if ($fast and $ip !~ m{:}) {
diff --git a/lib/perl/OVH/Bastion/Plugin/generatePassword.pm b/lib/perl/OVH/Bastion/Plugin/generatePassword.pm
index 638247c..75b1508 100644
--- a/lib/perl/OVH/Bastion/Plugin/generatePassword.pm
+++ b/lib/perl/OVH/Bastion/Plugin/generatePassword.pm
@@ -146,19 +146,19 @@ sub act {
 if (-e "$base.$n") {
 osh_debug "renaming $base.$n to $base.$next";
 if (!rename "$base.$n", "$base.$next") {
- HEXIT('ERR_INTERNAL', msg => "Coudn't rename '$base.$n' to '$base.$next' ($!)");
+ HEXIT('ERR_INTERNAL', msg => "Couldn't rename '$base.$n' to '$base.$next' ($!)");
 }
 if (-e "$base.$n.metadata" && !rename "$base.$n.metadata", "$base.$next.metadata") {
- HEXIT('ERR_INTERNAL', msg => "Coudn't rename '$base.$n.metadata' to '$base.$next.metadata' ($!)");
+ HEXIT('ERR_INTERNAL', msg => "Couldn't rename '$base.$n.metadata' to '$base.$next.metadata' ($!)");
 }
 }
 }
 osh_debug "renaming $base to $base.1";
 if (!rename "$base", "$base.1") {
- HEXIT('ERR_INTERNAL', msg => "Coudn't rename '$base' to '$base.1' ($!)");
+ HEXIT('ERR_INTERNAL', msg => "Couldn't rename '$base' to '$base.1' ($!)");
 }
 if (-e "$base.metadata" && !rename "$base.metadata", "$base.1.metadata") {
- HEXIT('ERR_INTERNAL', msg => "Coudn't rename '$base.metadata' to '$base.1.metadata' ($!)");
+ HEXIT('ERR_INTERNAL', msg => "Couldn't rename '$base.metadata' to '$base.1.metadata' ($!)");
 }
 }
 if (open(my $fdout, '>', $base)) {
diff --git a/lib/perl/OVH/Bastion/allowdeny.inc b/lib/perl/OVH/Bastion/allowdeny.inc
index 00faf23..5937456 100644
--- a/lib/perl/OVH/Bastion/allowdeny.inc
+++ b/lib/perl/OVH/Bastion/allowdeny.inc
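Review bot: In the generatePassword.pm rotation block, each `.metadata` rename is attempted only after the matching password file has already been moved, so a failure there reaches `HEXIT` with the password file at its new index and its metadata still at the old one. Assuming `HEXIT` ends the plugin, the fallback passwords and their metadata are then out of step, and the reworded error message does not say so. A comment above the loop would record this, for example `# NOTE: a failed rename below leaves the rotation half-done; password N and N.metadata may no longer match`. The body of `act` starts and ends outside this hunk, so any cleanup done elsewhere is not visible here.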
@@ -68,9 +68,9 @@ sub get_group_keys {
 sub is_access_way_granted {
 my %params = @_;
- my $exactIpMatch = $params{'exactIpMatch'}; # $ip must be explicitely allowed (not given through a wider slash or a 0.0.0.0/0 in grantfile)
- my $exactPortMatch = $params{'exactPortMatch'}; # $port must be explicitely allowed (port wildcards in grantfile will be ignored)
- my $exactUserMatch = $params{'exactUserMatch'}; # $user must be explicitely allowed (user wildcards in grantfile will be ignored)
+ my $exactIpMatch = $params{'exactIpMatch'}; # $ip must be explicitly allowed (not given through a wider slash or a 0.0.0.0/0 in grantfile)
+ my $exactPortMatch = $params{'exactPortMatch'}; # $port must be explicitly allowed (port wildcards in grantfile will be ignored)
+ my $exactUserMatch = $params{'exactUserMatch'}; # $user must be explicitly allowed (user wildcards in grantfile will be ignored)
 my $exactMatch = $params{'exactMatch'}; # sets exactIpMatch exactPortMatch and exactUserMatch
 my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match)
@@ -332,7 +332,7 @@ sub ip2host {
 return R('OK', value => $host);
 }
-# Return an array containings the groups for which user is a member of
+# Return an array containing the groups for which user is a member of
 my %_cache_get_user_groups;
 sub get_user_groups {
diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc
index 643cd4d..90324cc 100644
--- a/lib/perl/OVH/Bastion/configuration.inc
+++ b/lib/perl/OVH/Bastion/configuration.inc
@@ -504,7 +504,7 @@ sub json_load {
 # Clean file content
- # Remove bloc comment
+ # Remove block comment
 $rawConf =~ s/\/\*\*.+?\*\///sgm;
 # Add {} if needed
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 42db66e..0ce7f5a 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -164,7 +164,7 @@ run()
 printf "%b%b%b\\n" "$WHITE_ON_BLUE" "[INFO] returned json follows" "$NOC"
 grep "^JSON_OUTPUT=" -- $outdir/$basename.log | cut -d= -f2- | $jq .
 if [ "$nocc" != 1 ]; then
- printf "%b%b%b\\n" "$WHITE_ON_BLUE" "[INFO] consistency check folows" "$NOC"
+ printf "%b%b%b\\n" "$WHITE_ON_BLUE" "[INFO] consistency check follows" "$NOC"
 cat "$outdir/$basename.cc"
 fi
 if test -t 0 && [ "$nowait" != 1 ]; then
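Review bot: The context line `grep "^JSON_OUTPUT=" -- $outdir/$basename.log` expands `$outdir` and `$basename` unquoted, while `cat "$outdir/$basename.cc"` just below the changed line quotes the same pair. Quoting the grep operand the same way, `grep "^JSON_OUTPUT=" -- "$outdir/$basename.log"`, stops a path containing spaces or glob characters from being split or expanded. The body of `run()` starts and ends outside this hunk.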