diff --git a/bin/admin/install b/bin/admin/install
index c0a5940..c807809 100755
--- a/bin/admin/install
+++ b/bin/admin/install
@@ -767,7 +767,7 @@ if [ "$nothing" = 0 ]; then
 action_error "Error while generating the SSH key"
 else
 chmod 0444 "$UID0HOME/id_healthcheck.pub"
- USER="$UID0" HOME="$UID0HOME" "$basedir"/bin/plugin/restricted/accountCreate '' '' '' '' --account healthcheck --uid-auto --always-active --immutable-key --osh-only < "$UID0HOME/id_healthcheck.pub"
+ USER="$UID0" HOME="$UID0HOME" "$basedir"/bin/plugin/restricted/accountCreate '' '' '' '' --account healthcheck --uid-auto --always-active --immutable-key --osh-only --force-key-from "127.0.0.1" < "$UID0HOME/id_healthcheck.pub"
 if ! getent passwd healthcheck >/dev/null 2>&1; then
 action_error "Couldn't create the healthcheck account"
 else
diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate
index 597268c..7cf4e13 100755
--- a/bin/helper/osh-accountCreate
+++ b/bin/helper/osh-accountCreate
@@ -20,10 +20,11 @@ use OVH::Bastion::Helper;
 # Fetch command options
 my $fnret;
 my ($result, @optwarns);
-my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
+my ($forceKeyFrom, $type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
 eval {
 local $SIG{__WARN__} = sub { push @optwarns, shift };
 $result = GetOptions(
+ "force-key-from=s" => sub { $forceKeyFrom //= $_[1] }, # only to be used by the install script
 "type=s" => sub { $type //= $_[1] },
 "from=s" => sub { $realmFrom //= $_[1] },
 "uid=s" => sub { $uid //= $_[1] },
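Review bot: The forced `from` restriction for the healthcheck key is hard-coded to the IPv4 loopback `127.0.0.1` alone; if the healthcheck client reaches sshd over the IPv6 loopback (`::1`), or `localhost` resolves to it first, the key would presumably be refused by the resulting `from=` restriction — worth confirming against how the healthcheck actually connects, and if both families are possible, both addresses would need to be passed, which in turn requires the helper to accept more than one value. The literal is also unnamed; a variable near the top of the install script, e.g. `healthcheck_key_from="127.0.0.1"`, would document why this value was chosen. The enclosing `if` block continues outside the hunk.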
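Review bot: The helper accepts `--force-key-from` from any caller; the only root check lives in the plugin (`$< == 0 && $> == 0`), and helpers in this layout are reached through sudo, so a user entitled to run the helper directly could presumably force an arbitrary `from=` on the new key, bypassing the plugin-side guard. The privileged side should enforce the restriction itself, for example by refusing the option unless the invoking user is root: `HEXIT('ERR_INVALID_PARAMETER', msg => "--force-key-from is reserved to the install script") if defined $forceKeyFrom && ($ENV{SUDO_UID} // '') ne '0';` — adapted to whatever caller check this helper already uses, if any. The comment `# only to be used by the install script` would then describe an enforced rule rather than an intention. The `GetOptions` call continues outside the hunk.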
@@ -180,7 +181,7 @@ if ($prefix) {
 }
 }
-$fnret = OVH::Bastion::get_from_for_user_key(userProvidedIpList => \@userProvidedIpList);
+$fnret = OVH::Bastion::get_from_for_user_key(userProvidedIpList => \@userProvidedIpList, forcedList => ($forceKeyFrom ? [$forceKeyFrom] : []));
 $fnret or HEXIT($fnret);
 my $from = $fnret->value->{'from'};
diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
index 2009417..4c0a5ea 100755
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
@@ -12,6 +12,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 argv => \@ARGV,
 header => "create a new bastion account",
 options => {
+ 'force-key-from=s' => \my $forceKeyFrom, # only to be used under root by the install script
 'uid=i' => \my $uid,
 'account=s' => \my $account,
 'always-active' => \my $alwaysActive,
@@ -140,6 +141,7 @@ push @command, "--osh-only", if $oshOnly;
 push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays;
 push @command, "--uid-auto" if $uidAuto;
 push @command, "--immutable-key" if $immutableKey;
-push @command, '--ttl', $ttl if $ttl;
+push @command, '--ttl', $ttl if $ttl;
+push @command, '--force-key-from', $forceKeyFrom if ($forceKeyFrom && $< == 0 && $> == 0); # only to be used under root by the install script
 osh_exit OVH::Bastion::helper(cmd => \@command);
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 3ab307a..1669b0f 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -460,6 +460,7 @@ EOS
 sub get_from_for_user_key {
 my %params = @_;
 my $userProvidedIpList = $params{'userProvidedIpList'} || []; # arrayref
+ my $forcedList = $params{'forcedList'} || []; # arrayref
 my $key = $params{'key'};
 my $ingressKeysFrom = OVH::Bastion::config('ingressKeysFrom');
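Review bot: `forcedList => ($forceKeyFrom ? [$forceKeyFrom] : [])` always yields at most one element, and the `//=` in the option handler keeps only the first `--force-key-from` given, so a caller repeating the flag has every later value silently dropped even though `get_from_for_user_key` takes an arrayref. If a single address is the intended contract, say so at the call site, `# a single --force-key-from is accepted; repeated occurrences are ignored`; otherwise collect the values with `push @forceKeyFrom, $_[1]` in the handler and pass `\@forceKeyFrom`. The truthiness test also discards a literal `0`, harmless for an IP but `defined $forceKeyFrom` states the intent more precisely. The code preceding the call is outside the hunk.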
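Review bot: When a non-root caller passes `--force-key-from`, the guard `$forceKeyFrom && $< == 0 && $> == 0` silently drops the option and the account is created with the normally computed `from=` list, so the caller gets no indication that the request was ignored; failing explicitly is safer than a silent fallback, e.g. `osh_exit 'ERR_INVALID_PARAMETER', "--force-key-from is only available to the install script" if $forceKeyFrom && ($< != 0 || $> != 0);` before the push, adjusted to the error form this plugin uses elsewhere. This check runs in the unprivileged plugin, so it documents intent but cannot protect the privileged helper, which has to verify the caller itself. The `-`/`+` pair on the `--ttl` line appears to be a whitespace-only change.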
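Review bot: The new `forcedList` parameter is documented only as `# arrayref`, while its effect (the following hunk replaces whatever list was derived from `ingressKeysFrom` and `userProvidedIpList`) is the security-relevant part; the head of `get_from_for_user_key` should state it, e.g. `# forcedList: arrayref; when non-empty it overrides both the ingressKeysFrom config and userProvidedIpList, so callers must only pass trusted values`. The sub continues outside the hunk.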
@@ -475,6 +476,11 @@ sub get_from_for_user_key {
 @ipList = @$userProvidedIpList;
 }
+ # if not empty, override everything by this list
+ if (@$forcedList) {
+ @ipList = @$forcedList;
+ }
+ my @ipListVerified = grep { OVH::Bastion::is_valid_ip(ip => $_, allowPrefixes => 1) } @ipList;
 my $from = '';
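Review bot: Entries of `@$forcedList` that fail `is_valid_ip` are silently filtered out by the `grep` building `@ipListVerified`, so a malformed forced value leaves the list empty and — if, as `my $from = ''` suggests, an empty verified list means no `from=` restriction — the key ends up less restricted than the caller asked for. A forced list should fail closed: validate it inside the `if (@$forcedList)` block before overriding, `my @bad = grep { !OVH::Bastion::is_valid_ip(ip => $_, allowPrefixes => 1) } @$forcedList;` followed by `return R('ERR_INVALID_PARAMETER', msg => "Invalid forced IP(s): @bad") if @bad;`, using whatever error constructor this sub returns elsewhere. The rest of `get_from_for_user_key`, including how an empty `@ipListVerified` is handled, is outside the hunk.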