ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-09-04 20:14:22 +08:00
Code Issues Projects Releases Packages Wiki Activity

doc: accountModify: more details on the --egress-strict-host-key-checking option

Browse source
This commit is contained in:
Stéphane Lesimple 2021-05-19 14:46:02 +00:00 committed by Stéphane Lesimple
parent b7b2533604
commit 68e088a607
2 changed files with 26 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
bin/plugin/restricted/accountModify
View file

@ -30,16 +30,21 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
--account ACCOUNT Bastion account to work on
--pam-auth-bypass yes|no Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'),
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
--mfa-password-required yes|no|bypass Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
--mfa-totp-required yes|no|bypass Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'.
'bypass' means setting ``StrictHostKeyChecking=no`` and ``UserKnownHostsFile=/dev/null``,
which will permit egress connections in all cases, even when host keys change all the time on the same target.
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)

21
doc/sphinx/plugins/restricted/accountModify.rst
View file

@ -22,25 +22,30 @@ Modify an account configuration
Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'),
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
.. option:: --mfa-password-required yes|no|bypass
Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
.. option:: --mfa-totp-required yes|no|bypass
Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
.. option:: --egress-strict-host-key-checking POLICY
Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'.
'bypass' means setting ``StrictHostKeyChecking=no`` and ``UserKnownHostsFile=/dev/null``,
which will permit egress connections in all cases, even when host keys change all the time on the same target.
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
.. option:: --personal-egress-mfa-required POLICY
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server