chore: doc: remove sparse trailing spaces from generated files
This commit is contained in:
parent
76f25f287e
commit
9eac699954
|
@ -44,7 +44,7 @@ do
|
|||
else
|
||||
perl "$pluginfile" '' '' '' '' | perl -e 'undef $/; $_=<>; s/\n+$/\n/; print $_' | perl -ne '
|
||||
if (m{^Usage: (.+)}) { print ".. admonition:: usage\n :class: cmdusage\n\n $1\n\n.. program:: '"$name"'\n\n"; }
|
||||
elsif (m{^ (-[- ,a-z|/A-Z"'"'"']+) (.+)}) { print ".. option:: $1\n\n $2\n\n"; }
|
||||
elsif (m{^ (-[- ,a-z|/A-Z"'"'"']+) (.+)}) { ($c,$t)=($1,$2); $c=~s/ +$//; print ".. option:: $c\n\n $t\n\n"; }
|
||||
elsif ($l++ == 0) { chomp; print "$_\n"."="x(length($_))."\n\n"; }
|
||||
else { print "$_"; }
|
||||
'
|
||||
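Review bot: The added `elsif` branch trims trailing blanks from the option token `$c` but leaves the description capture `$t` untouched, so trailing whitespace that a plugin's help text carries after the option name would still be written into the generated rst. For symmetry the two captures could be cleaned together, `($c,$t)=($1,$2); $c=~s/ +$//; $t=~s/ +$//;`, which costs nothing when there is nothing to strip. The heading branch (`$l++ == 0`) and the final `else { print "$_"; }` likewise pass their lines through verbatim, so any trailing whitespace on those lines is also preserved; whether the plugin help outputs contain such lines cannot be told from this hunk. The enclosing `do` loop body starts before and ends after this hunk.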
|
|
|
@ -14,11 +14,11 @@ Manage the bastion maintenance mode
|
|||
.. program:: adminMaintenance
|
||||
|
||||
|
||||
.. option:: --lock
|
||||
.. option:: --lock
|
||||
|
||||
Set maintenance mode: new logins will be disallowed
|
||||
|
||||
.. option:: --unlock
|
||||
.. option:: --unlock
|
||||
|
||||
Unset maintenance mode: new logins are allowed and the bastion functions normally
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Add an IP or IP block to a group's servers list
|
|||
.. program:: groupAddServer
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
Specify which group this machine should be added to (it should have the public group key of course)
|
||||
|
||||
|
@ -23,31 +23,31 @@ Add an IP or IP block to a group's servers list
|
|||
Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP,
|
||||
|
||||
or a whole network using the NET/CIDR notation
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Specify which remote user should be allowed (root, run, etc...)
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Allow any remote user (the remote user should still have the public group key in all cases)
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Only allow access to this port (e.g. 22)
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Allow access to any port
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Allow SCP upload, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Allow SCP download, you<--bastion--server (omit --user in this case)
|
||||
|
||||
.. option:: --force
|
||||
.. option:: --force
|
||||
|
||||
Don't try the ssh connection, just add the host to the group blindly
|
||||
|
||||
|
@ -55,15 +55,15 @@ Add an IP or IP block to a group's servers list
|
|||
|
||||
Only use the key with the specified fingerprint to connect to the server (cf groupInfo)
|
||||
|
||||
.. option:: --force-password HASH
|
||||
.. option:: --force-password HASH
|
||||
|
||||
Only use the password with the specified hash to connect to the server (cf groupListPasswords)
|
||||
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
|
||||
Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
|
||||
|
||||
.. option:: --comment '"ANY TEXT'"
|
||||
.. option:: --comment '"ANY TEXT'"
|
||||
|
||||
Add a comment alongside this server
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove an IP or IP block from a group's serrver list
|
|||
.. program:: groupDelServer
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
Specify which group this machine should be removed from
|
||||
|
||||
|
@ -22,27 +22,27 @@ Remove an IP or IP block from a group's serrver list
|
|||
|
||||
Host(s) we want to remove access to
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote user that was allowed, if any user was allowed, use --user-any
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Use if any remote login was allowed
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote SSH port that was allowed, if any port was allowed, use --port-any
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Use if any remote port was allowed
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Remove SCP upload right, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Remove SCP download right, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
|
|
@ -14,39 +14,39 @@ Add a specific group server access to an account
|
|||
.. program:: groupAddGuestAccess
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
group to add guest access to
|
||||
|
||||
.. option:: --account ACCOUNT
|
||||
.. option:: --account ACCOUNT
|
||||
|
||||
name of the other bastion account to add access to, they'll be given access to the GROUP key
|
||||
|
||||
.. option:: --host HOST|IP
|
||||
.. option:: --host HOST|IP
|
||||
|
||||
add access to this HOST (which must belong to the GROUP)
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
allow connecting to HOST only with remote login USER
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
allow connecting to HOST with any remote login
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
allow connecting to HOST only to remote port PORT
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
allow connecting to HOST with any remote port
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
allow SCP upload, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
allow SCP download, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Add an account to the member list
|
|||
.. program:: groupAddMember
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as a member of
|
||||
|
||||
|
|
|
@ -14,36 +14,36 @@ Remove a specific group server access from an account
|
|||
.. program:: groupDelGuestAccess
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
group to remove guest access from
|
||||
|
||||
--account ACCOUNT name of the other bastion account to remove access from
|
||||
.. option:: --host HOST|IP
|
||||
.. option:: --host HOST|IP
|
||||
|
||||
remove access from this HOST (which must belong to the GROUP)
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
allow connecting to HOST only with remote login USER
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
allow connecting to HOST with any remote login
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
allow connecting to HOST only to remote port PORT
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
allow connecting to HOST with any remote port
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
allow SCP upload, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
allow SCP download, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove an account from the members list
|
|||
.. program:: groupDelMember
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to remove ACCOUNT as a member of
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ List the guest accesses to servers of a group specifically granted to an account
|
|||
.. program:: groupListGuestAccesses
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
Look for accesses to servers of this GROUP
|
||||
|
||||
|
@ -22,7 +22,7 @@ List the guest accesses to servers of a group specifically granted to an account
|
|||
|
||||
Which account to check
|
||||
|
||||
.. option:: --reverse-dns
|
||||
.. option:: --reverse-dns
|
||||
|
||||
Attempt to resolve the reverse hostnames (SLOW!)
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Add the group aclkeeper role to an account
|
|||
.. program:: groupAddAclkeeper
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as an aclkeeper of
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Add the group gatekeeper role to an account
|
|||
.. program:: groupAddGatekeeper
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as a gatekeeper of
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Add the group owner role to an account
|
|||
.. program:: groupAddOwner
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as an owner of
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove the group aclkeeper role from an account
|
|||
.. program:: groupDelAclkeeper
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to remove ACCOUNT as an aclkeeper of
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Remove a bastion group egress key
|
|||
|
||||
Name of the group to delete the egress key from
|
||||
|
||||
.. option:: --id ID
|
||||
.. option:: --id ID
|
||||
|
||||
Specify the key ID to delete, you can get it with groupInfo
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove the group gatekeeper role from an account
|
|||
.. program:: groupDelGatekeeper
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to remove ACCOUNT as a gatekeeper of
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove the group owner role from an account
|
|||
.. program:: groupDelOwner
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as an owner of
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Delete a group
|
|||
|
||||
Group name to delete
|
||||
|
||||
.. option:: --no-confirm
|
||||
.. option:: --no-confirm
|
||||
|
||||
Skip group name confirmation, but blame yourself if you deleted the wrong group!
|
||||
|
||||
|
|
|
@ -19,12 +19,12 @@ Create a new public + private key pair for a group
|
|||
Group name to generate a new egress key for.
|
||||
|
||||
|
||||
.. option:: --algo ALGO
|
||||
.. option:: --algo ALGO
|
||||
|
||||
Specifies the algo of the key, either rsa, ecdsa or ed25519.
|
||||
|
||||
|
||||
.. option:: --size SIZE
|
||||
.. option:: --size SIZE
|
||||
|
||||
Specifies the size of the key to be generated.
|
||||
|
||||
|
@ -32,7 +32,7 @@ Create a new public + private key pair for a group
|
|||
For ECDSA, choose either 256, 384 or 521.
|
||||
For ED25519, size is always 256.
|
||||
|
||||
.. option:: --encrypted
|
||||
.. option:: --encrypted
|
||||
|
||||
If specified, a passphrase will be prompted for the new key
|
||||
|
||||
|
|
|
@ -18,11 +18,11 @@ Generate a new egress password for the group
|
|||
|
||||
Specify which group you want to generate a password for
|
||||
|
||||
.. option:: --size SIZE
|
||||
.. option:: --size SIZE
|
||||
|
||||
Specify the number of characters of the password to generate
|
||||
|
||||
.. option:: --do-it
|
||||
.. option:: --do-it
|
||||
|
||||
Required for the password to actually be generated, BEWARE: please read the note below
|
||||
|
||||
|
|
|
@ -14,11 +14,11 @@ Modify the configuration of a group
|
|||
.. program:: groupModify
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
Name of the group to modify
|
||||
|
||||
.. option:: --mfa-required password|totp|any|none
|
||||
.. option:: --mfa-required password|totp|any|none
|
||||
|
||||
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server of the group
|
||||
|
||||
|
@ -26,7 +26,7 @@ Modify the configuration of a group
|
|||
this group. If set to -1, remove this group override and use the global setting instead.
|
||||
--idle-kill-timeout DURATION|0|-1 Overrides the global setting (`idleKillTimeout`), to the specified duration. If set to 0, disables `idleKillTimeout` for
|
||||
this group. If set to -1, remove this group override and use the global setting instead.
|
||||
.. option:: --guest-ttl-limit DURATION
|
||||
.. option:: --guest-ttl-limit DURATION
|
||||
|
||||
This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION,
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Transmit your group ownership to somebody else
|
|||
.. program:: groupTransmitOwnership
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
which group to set ACCOUNT as an owner of
|
||||
|
||||
|
|
|
@ -14,27 +14,27 @@ Launch a remote command on several machines sequentially (clush-like)
|
|||
.. program:: clush
|
||||
|
||||
|
||||
.. option:: --list HOSTLIST
|
||||
.. option:: --list HOSTLIST
|
||||
|
||||
Comma-separated list of the hosts (hostname or IP) to run the command on
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Specify which remote user should we use to connect (default: BASTION_ACCOUNT)
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Specify which port to connect to (default: 22)
|
||||
|
||||
.. option:: --step-by-step
|
||||
.. option:: --step-by-step
|
||||
|
||||
Pause before running the command on each host
|
||||
|
||||
.. option:: --no-pause-on-failure
|
||||
.. option:: --no-pause-on-failure
|
||||
|
||||
Don't pause if the remote command failed (returned exit code != 0)
|
||||
|
||||
.. option:: --no-confirm
|
||||
.. option:: --no-confirm
|
||||
|
||||
Skip confirmation of the host list and command
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ List the groups available on this bastion
|
|||
.. program:: groupList
|
||||
|
||||
|
||||
.. option:: --all
|
||||
.. option:: --all
|
||||
|
||||
List all groups, even those to which you don't have access
|
||||
|
||||
|
|
|
@ -14,11 +14,11 @@ List the servers (IPs and IP blocks) pertaining to a group
|
|||
.. program:: groupListServers
|
||||
|
||||
|
||||
.. option:: --group GROUP
|
||||
.. option:: --group GROUP
|
||||
|
||||
List the servers of this group
|
||||
|
||||
.. option:: --reverse-dns
|
||||
.. option:: --reverse-dns
|
||||
|
||||
Attempt to resolve the reverse hostnames (SLOW!)
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ Check whether a remote TCP port is open
|
|||
|
||||
TCP port to attempt to connect to
|
||||
|
||||
.. option:: -w SECONDS
|
||||
.. option:: -w SECONDS
|
||||
|
||||
Timeout in seconds (default: 3)
|
||||
|
||||
|
|
|
@ -18,19 +18,19 @@ Ping a remote host from the bastion
|
|||
|
||||
Remote host to ping
|
||||
|
||||
.. option:: -c COUNT
|
||||
.. option:: -c COUNT
|
||||
|
||||
Number of pings to send (default: infinite)
|
||||
|
||||
.. option:: -s SIZE
|
||||
.. option:: -s SIZE
|
||||
|
||||
Specify the packet size to send
|
||||
|
||||
.. option:: -t TTL
|
||||
.. option:: -t TTL
|
||||
|
||||
TTL to set in the ICMP packet (default: OS dependent)
|
||||
|
||||
.. option:: -w TIMEOUT
|
||||
.. option:: -w TIMEOUT
|
||||
|
||||
Exit unconditionally after this amount of seconds (default & max: 86400)
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ Add a new ingress public key to your account
|
|||
can also pass it through STDIN directly. If the policy of this bastion allows it, you may prefix the key
|
||||
with a 'from="IP1,IP2,..."' snippet, a la authorized_keys. However the policy might force a configured
|
||||
'from' prefix that will override yours, or be used if you don't specify it yourself.
|
||||
.. option:: --piv
|
||||
.. option:: --piv
|
||||
|
||||
Add a public SSH key from a PIV-compatible hardware token, along with its attestation certificate and key
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove an ingress public key from your account
|
|||
.. program:: selfDelIngressKey
|
||||
|
||||
|
||||
.. option:: -l, --id-to-delete ID
|
||||
.. option:: -l, --id-to-delete ID
|
||||
|
||||
Directly specify key id to delete (CAUTION!), you can get id with selfListIngressKeys
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Generate a new egress password for your account
|
|||
|
||||
Specify the number of characters of the password to generate
|
||||
|
||||
.. option:: --do-it
|
||||
.. option:: --do-it
|
||||
|
||||
Required for the password to actually be generated, BEWARE: please read the note below
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Generate a new ingress password to use the bastion HTTPS proxy
|
|||
|
||||
Size of the password to generate
|
||||
|
||||
.. option:: --do-it
|
||||
.. option:: --do-it
|
||||
|
||||
Required for the password to actually be generated, BEWARE: please read the note below
|
||||
|
||||
|
|
|
@ -14,12 +14,12 @@ Show the list of servers you have access to
|
|||
.. program:: selfListAccesses
|
||||
|
||||
|
||||
.. option:: --hide-groups
|
||||
.. option:: --hide-groups
|
||||
|
||||
Don't show the machines you have access to through group rights.
|
||||
|
||||
In other words, list only your personal accesses.
|
||||
.. option:: --reverse-dns
|
||||
.. option:: --reverse-dns
|
||||
|
||||
Attempt to resolve the reverse hostnames (SLOW!)
|
||||
|
||||
|
|
|
@ -14,57 +14,57 @@ List the few past sessions of your account
|
|||
.. program:: selfListSessions
|
||||
|
||||
|
||||
.. option:: --detailed
|
||||
.. option:: --detailed
|
||||
|
||||
Display more information about each session
|
||||
|
||||
.. option:: --limit LIMIT
|
||||
.. option:: --limit LIMIT
|
||||
|
||||
Limit to LIMIT results
|
||||
|
||||
.. option:: --id ID
|
||||
.. option:: --id ID
|
||||
|
||||
Only sessions having this ID
|
||||
|
||||
.. option:: --type TYPE
|
||||
.. option:: --type TYPE
|
||||
|
||||
Only sessions of specified type (ssh, osh, ...)
|
||||
|
||||
.. option:: --allowed
|
||||
.. option:: --allowed
|
||||
|
||||
Only sessions that have been allowed by the bastion
|
||||
|
||||
.. option:: --denied
|
||||
.. option:: --denied
|
||||
|
||||
Only sessions that have been denied by the bastion
|
||||
|
||||
.. option:: --after WHEN
|
||||
.. option:: --after WHEN
|
||||
|
||||
Only sessions that started after WHEN,
|
||||
|
||||
WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS]
|
||||
.. option:: --before WHEN
|
||||
.. option:: --before WHEN
|
||||
|
||||
Only sessions that started before WHEN,
|
||||
|
||||
WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS]
|
||||
.. option:: --host HOST
|
||||
.. option:: --host HOST
|
||||
|
||||
Only sessions connecting to remote HOST
|
||||
|
||||
.. option:: --to-port PORT
|
||||
.. option:: --to-port PORT
|
||||
|
||||
Only sessions connecting to remote PORT
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Only sessions connecting using remote USER
|
||||
|
||||
.. option:: --via HOST
|
||||
.. option:: --via HOST
|
||||
|
||||
Only sessions that connected through bastion IP HOST
|
||||
|
||||
.. option:: --via-port PORT
|
||||
.. option:: --via-port PORT
|
||||
|
||||
Only sessions that connected through bastion PORT
|
||||
|
||||
|
|
|
@ -14,35 +14,35 @@ Add a personal server access to an account
|
|||
.. program:: accountAddPersonalAccess
|
||||
|
||||
|
||||
.. option:: --account
|
||||
.. option:: --account
|
||||
|
||||
Bastion account to add the access to
|
||||
|
||||
.. option:: --host IP|HOST|IP/MASK
|
||||
.. option:: --host IP|HOST|IP/MASK
|
||||
|
||||
Server to add access to
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote login to use, if you want to allow any login, use --user-any
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Allow access with any remote login
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote SSH port to use, if you want to allow any port, use --port-any
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Allow access to all remote ports
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Allow SCP upload, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Allow SCP download, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
@ -50,15 +50,15 @@ Add a personal server access to an account
|
|||
|
||||
Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
|
||||
|
||||
.. option:: --force-password HASH
|
||||
.. option:: --force-password HASH
|
||||
|
||||
Only use the password with the specified hash to connect to the server (cf accountListPasswords)
|
||||
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
|
||||
Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
|
||||
|
||||
.. option:: --comment "'ANY TEXT'"
|
||||
.. option:: --comment "'ANY TEXT'"
|
||||
|
||||
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
|
||||
|
||||
|
|
|
@ -14,24 +14,24 @@ Create a new bastion account
|
|||
.. program:: accountCreate
|
||||
|
||||
|
||||
.. option:: --account NAME
|
||||
.. option:: --account NAME
|
||||
|
||||
Account name to create, NAME must contain only valid UNIX account name characters
|
||||
|
||||
.. option:: --uid UID
|
||||
.. option:: --uid UID
|
||||
|
||||
Account system UID, also see --uid-auto
|
||||
|
||||
.. option:: --uid-auto
|
||||
.. option:: --uid-auto
|
||||
|
||||
Auto-select an UID from the allowed range (the upper available one will be used)
|
||||
|
||||
.. option:: --always-active
|
||||
.. option:: --always-active
|
||||
|
||||
This account's activation won't be challenged on connection, even if the bastion is globally
|
||||
|
||||
configured to check for account activation
|
||||
.. option:: --osh-only
|
||||
.. option:: --osh-only
|
||||
|
||||
This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
|
||||
|
||||
|
@ -40,24 +40,24 @@ Create a new bastion account
|
|||
Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
|
||||
|
||||
setting this option to zero disables account expiration.
|
||||
.. option:: --immutable-key
|
||||
.. option:: --immutable-key
|
||||
|
||||
Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
|
||||
|
||||
.. option:: --comment '"STRING"'
|
||||
.. option:: --comment '"STRING"'
|
||||
|
||||
An optional comment when creating the account. Quote it twice as shown if you're under a shell.
|
||||
|
||||
.. option:: --public-key '"KEY"'
|
||||
.. option:: --public-key '"KEY"'
|
||||
|
||||
Account public SSH key to deposit on the bastion, if not present,
|
||||
|
||||
you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
|
||||
.. option:: --no-key
|
||||
.. option:: --no-key
|
||||
|
||||
Don't prompt for an SSH key, no ingress public key will be installed
|
||||
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
|
||||
Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Remove a personal server access from an account
|
|||
.. program:: accountDelPersonalAccess
|
||||
|
||||
|
||||
.. option:: --account
|
||||
.. option:: --account
|
||||
|
||||
Bastion account to remove access from
|
||||
|
||||
|
@ -22,27 +22,27 @@ Remove a personal server access from an account
|
|||
|
||||
Server to remove access from
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote user that was allowed, if any user was allowed, use --user-any
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Use if any remote login was allowed
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote SSH port that was allowed, if any port was allowed, use --port-any
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Use if any remote port was allowed
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Remove SCP upload right, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Remove SCP download right, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Delete an account from the bastion
|
|||
|
||||
Account name to delete
|
||||
|
||||
.. option:: --no-confirm
|
||||
.. option:: --no-confirm
|
||||
|
||||
Don't ask for confirmation, and blame yourself if you deleted the wrong account
|
||||
|
||||
|
|
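--- a/doc/sphinx/plugins/restricted/accountFreeze.rst
+++ b/doc/sphinx/plugins/restricted/accountFreeze.rst
@@ -0,0 +1,25 @@
+==============
+accountFreeze
+==============
+
+Freeze an account, to prevent it from connecting
+================================================
+
+
+.. admonition:: usage
+:class: cmdusage
+
+--osh accountFreeze --account ACCOUNT [--reason "'SOME REASON'"]
+
+.. program:: accountFreeze
+
+
+.. option:: --account ACCOUNT
+
+Account to freeze
+
+.. option:: --reason "'SOME REASON'"
+
+Optional reason for the account to be frozen (will be displayed to the user),
+
+if you are in a shell (and not in interactive mode), quote it twice as shown.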
@ -18,11 +18,11 @@ Generate a new egress password for an account
|
|||
|
||||
Specify which account you want to generate a password for
|
||||
|
||||
.. option:: --size SIZE
|
||||
.. option:: --size SIZE
|
||||
|
||||
Specify the number of characters of the password to generate
|
||||
|
||||
.. option:: --do-it
|
||||
.. option:: --do-it
|
||||
|
||||
Required for the password to actually be generated, BEWARE: please read the note below
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Display some information about an account
|
|||
|
||||
The account name to work on
|
||||
|
||||
.. option:: --list-groups
|
||||
.. option:: --list-groups
|
||||
|
||||
Show which groups the account has a role on
|
||||
|
||||
|
|
|
@ -14,15 +14,15 @@ List the bastion accounts
|
|||
.. program:: accountList
|
||||
|
||||
|
||||
.. option:: --account ACCOUNT
|
||||
.. option:: --account ACCOUNT
|
||||
|
||||
Only list the specified account. This is an easy way to check whether the account exists
|
||||
|
||||
.. option:: --inactive-only
|
||||
.. option:: --inactive-only
|
||||
|
||||
Only list inactive accounts
|
||||
|
||||
.. option:: --audit
|
||||
.. option:: --audit
|
||||
|
||||
Show more verbose information (SLOW!), you need to be a bastion auditor
|
||||
|
||||
|
@ -30,16 +30,16 @@ List the bastion accounts
|
|||
|
||||
Don't gather password info in audit mode (makes --audit way faster)
|
||||
|
||||
.. option:: --no-output
|
||||
.. option:: --no-output
|
||||
|
||||
Don't print human-readable output (faster, use with --json)
|
||||
|
||||
.. option:: --include PATTERN
|
||||
.. option:: --include PATTERN
|
||||
|
||||
Only show accounts whose name match the given PATTERN (see below)
|
||||
|
||||
This option can be used multiple times to refine results
|
||||
.. option:: --exclude PATTERN
|
||||
.. option:: --exclude PATTERN
|
||||
|
||||
Omit accounts whose name match the given PATTERN (see below)
|
||||
|
||||
|
|
|
@ -18,12 +18,12 @@ View the expanded access list of a given bastion account
|
|||
|
||||
The account to work on
|
||||
|
||||
.. option:: --hide-groups
|
||||
.. option:: --hide-groups
|
||||
|
||||
Don't show the machines the accouns has access to through group rights.
|
||||
|
||||
In other words, list only the account's personal accesses.
|
||||
.. option:: --reverse-dns
|
||||
.. option:: --reverse-dns
|
||||
|
||||
Attempt to resolve the reverse hostnames (SLOW!)
|
||||
|
||||
|
|
|
@ -14,29 +14,29 @@ Modify an account configuration
|
|||
.. program:: accountModify
|
||||
|
||||
|
||||
.. option:: --account ACCOUNT
|
||||
.. option:: --account ACCOUNT
|
||||
|
||||
Bastion account to work on
|
||||
|
||||
.. option:: --pam-auth-bypass yes|no
|
||||
.. option:: --pam-auth-bypass yes|no
|
||||
|
||||
Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'),
|
||||
|
||||
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
|
||||
does not change the behaviour of the code, just the PAM auth handled by SSH itself
|
||||
.. option:: --mfa-password-required yes|no|bypass
|
||||
.. option:: --mfa-password-required yes|no|bypass
|
||||
|
||||
Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'),
|
||||
|
||||
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
|
||||
no password will ever be asked, even for groups or plugins explicitly requiring it
|
||||
.. option:: --mfa-totp-required yes|no|bypass
|
||||
.. option:: --mfa-totp-required yes|no|bypass
|
||||
|
||||
Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
|
||||
|
||||
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
|
||||
no OTP will ever be asked, even for groups or plugins explicitly requiring it
|
||||
.. option:: --egress-strict-host-key-checking POLICY
|
||||
.. option:: --egress-strict-host-key-checking POLICY
|
||||
|
||||
Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
|
||||
|
||||
|
@ -46,30 +46,30 @@ Modify an account configuration
|
|||
This effectively suppress the host key checking entirely. Please don't enable this blindly.
|
||||
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
|
||||
All the other policies carry the same meaning that what is documented in `man ssh_config`.
|
||||
.. option:: --personal-egress-mfa-required POLICY
|
||||
.. option:: --personal-egress-mfa-required POLICY
|
||||
|
||||
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
|
||||
|
||||
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
|
||||
.. option:: --always-active yes|no
|
||||
.. option:: --always-active yes|no
|
||||
|
||||
Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
|
||||
|
||||
.. option:: --idle-ignore yes|no
|
||||
.. option:: --idle-ignore yes|no
|
||||
|
||||
If enabled, this account is immune to the idleLockTimeout and idleKillTimeout bastion-wide policy
|
||||
|
||||
.. option:: --max-inactive-days DAYS
|
||||
.. option:: --max-inactive-days DAYS
|
||||
|
||||
Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays'.
|
||||
|
||||
Setting this option to zero disables account expiration. Setting this option to -1 removes this account
|
||||
expiration policy, i.e. the global bastion setting will apply.
|
||||
.. option:: --osh-only yes|no
|
||||
.. option:: --osh-only yes|no
|
||||
|
||||
If enabled, this account can only use ``--osh`` commands, and can't connect anywhere through the bastion
|
||||
|
||||
.. option:: --pubkey-auth-optional yes|no
|
||||
.. option:: --pubkey-auth-optional yes|no
|
||||
|
||||
Make the public key optional on ingress for the account (default is 'no').
|
||||
|
||||
|
|
|
@ -14,11 +14,11 @@ Modify the PIV policy for the ingress keys of an account
|
|||
.. program:: accountPIV
|
||||
|
||||
|
||||
.. option:: --account ACCOUNT
|
||||
.. option:: --account ACCOUNT
|
||||
|
||||
Bastion account to work on
|
||||
|
||||
.. option:: --policy POLICY
|
||||
.. option:: --policy POLICY
|
||||
|
||||
Changes the PIV policy of account. See below for a description of available policies.
|
||||
|
||||
|
|
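--- /dev/null
+++ b/doc/sphinx/plugins/restricted/accountUnfreeze.rst
@@ -0,0 +1,20 @@
+================
+accountUnfreeze
+================
+
+Unfreeze a frozen account
+=========================
+
+
+.. admonition:: usage
+:class: cmdusage
+
+--osh accountUnfreeze --account ACCOUNT
+
+.. program:: accountUnfreeze
+
+
+.. option:: --account ACCOUNT
+
+Account to unfreeze
+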
@ -18,7 +18,7 @@ Delete a group
|
|||
|
||||
Group name to delete
|
||||
|
||||
.. option:: --no-confirm
|
||||
.. option:: --no-confirm
|
||||
|
||||
Skip group name confirmation, but blame yourself if you deleted the wrong group!
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ Declare and create a new trusted realm
|
|||
.. program:: realmCreate
|
||||
|
||||
|
||||
.. option:: --realm REALM
|
||||
.. option:: --realm REALM
|
||||
|
||||
Realm name to create
|
||||
|
||||
|
|
|
@ -14,35 +14,35 @@ Add a personal server access on your account
|
|||
.. program:: selfAddPersonalAccess
|
||||
|
||||
|
||||
.. option:: --host IP|HOST|IP/MASK
|
||||
.. option:: --host IP|HOST|IP/MASK
|
||||
|
||||
Server to add access to
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote login to use, if you want to allow any login, use --user-any
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Allow access with any remote login
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote SSH port to use, if you want to allow any port, use --port-any
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Allow access to all remote ports
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Allow SCP upload, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Allow SCP download, you<--bastion--server (omit --user in this case)
|
||||
|
||||
.. option:: --force
|
||||
.. option:: --force
|
||||
|
||||
Add the access without checking that the public SSH key is properly installed remotely
|
||||
|
||||
|
@ -50,15 +50,15 @@ Add a personal server access on your account
|
|||
|
||||
Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
|
||||
|
||||
.. option:: --force-password HASH
|
||||
.. option:: --force-password HASH
|
||||
|
||||
Only use the password with the specified hash to connect to the server (cf selfListPasswords)
|
||||
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
.. option:: --ttl SECONDS|DURATION
|
||||
|
||||
Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
|
||||
|
||||
.. option:: --comment "'ANY TEXT'"
|
||||
.. option:: --comment "'ANY TEXT'"
|
||||
|
||||
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
|
||||
|
||||
|
|
|
@ -18,27 +18,27 @@ Remove a personal server access from your account
|
|||
|
||||
Server to remove access from
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote user that was allowed, if any user was allowed, use --user-any
|
||||
|
||||
.. option:: --user-any
|
||||
.. option:: --user-any
|
||||
|
||||
Use if any remote login was allowed
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote SSH port that was allowed, if any port was allowed, use --port-any
|
||||
|
||||
.. option:: --port-any
|
||||
.. option:: --port-any
|
||||
|
||||
Use if any remote port was allowed
|
||||
|
||||
.. option:: --scpup
|
||||
.. option:: --scpup
|
||||
|
||||
Remove SCP upload right, you--bastion-->server (omit --user in this case)
|
||||
|
||||
.. option:: --scpdown
|
||||
.. option:: --scpdown
|
||||
|
||||
Remove SCP download right, you<--bastion--server (omit --user in this case)
|
||||
|
||||
|
|
|
@ -14,19 +14,19 @@ List the accounts that have access to a given server
|
|||
.. program:: whoHasAccessTo
|
||||
|
||||
|
||||
.. option:: --host SERVER
|
||||
.. option:: --host SERVER
|
||||
|
||||
List declared accesses to this server
|
||||
|
||||
.. option:: --user USER
|
||||
.. option:: --user USER
|
||||
|
||||
Remote user allowed (if not specified, ignore user specifications)
|
||||
|
||||
.. option:: --port PORT
|
||||
.. option:: --port PORT
|
||||
|
||||
Remote port allowed (if not specified, ignore port specifications)
|
||||
|
||||
.. option:: --ignore-personal
|
||||
.. option:: --ignore-personal
|
||||
|
||||
Don't check accounts' personal accesses (i.e. only check groups)
|
||||
|
||||
|
@ -35,7 +35,7 @@ List the accounts that have access to a given server
|
|||
Ignore accesses by this group, if you know GROUP public key is in fact
|
||||
|
||||
not present on remote server but bastion thinks it is
|
||||
.. option:: --show-wildcards
|
||||
.. option:: --show-wildcards
|
||||
|
||||
Also list accesses that match because 0.0.0.0/0 is listed in a group or private access,
|
||||
|
||||
|
|
|
@ -141,7 +141,7 @@ then use ``<TAB>`` again to show you the required arguments. The complete comman
|
|||
|
||||
You'll notice that it didn't work. This is because first, you need to add your *personal egress key* to the
|
||||
remote machine's *authorized_keys* file. If this seems strange, here is
|
||||
:doc:`how it works <../presentation/principles>`.
|
||||
:doc:`how it works </presentation/principles>`.
|
||||
To get your *personal egress key*, you can use this command:
|
||||
|
||||
.. code-block:: shell
|
||||
|
@ -267,4 +267,4 @@ Let's see what we did exactly during this session:
|
|||
~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake.
|
||||
|
||||
Now that you've connected to your first server, using a personal access,
|
||||
you may want to learn more about the :doc:`<access_management>`, or directly dive into the **PLUGINS** on the left menu.
|
||||
you may want to learn more about the :doc:`access_management`, or directly dive into the **PLUGINS** on the left menu.
|
||||