diff --git a/doc/sphinx/build-plugins-help.sh b/doc/sphinx/build-plugins-help.sh index 6590fbb..664328c 100644 --- a/doc/sphinx/build-plugins-help.sh +++ b/doc/sphinx/build-plugins-help.sh @@ -44,7 +44,7 @@ do else perl "$pluginfile" '' '' '' '' | perl -e 'undef $/; $_=<>; s/\n+$/\n/; print $_' | perl -ne ' if (m{^Usage: (.+)}) { print ".. admonition:: usage\n :class: cmdusage\n\n $1\n\n.. program:: '"$name"'\n\n"; } - elsif (m{^ (-[- ,a-z|/A-Z"'"'"']+) (.+)}) { print ".. option:: $1\n\n $2\n\n"; } + elsif (m{^ (-[- ,a-z|/A-Z"'"'"']+) (.+)}) { ($c,$t)=($1,$2); $c=~s/ +$//; print ".. option:: $c\n\n $t\n\n"; } elsif ($l++ == 0) { chomp; print "$_\n"."="x(length($_))."\n\n"; } else { print "$_"; } ' diff --git a/doc/sphinx/plugins/admin/adminMaintenance.rst b/doc/sphinx/plugins/admin/adminMaintenance.rst index 83ff9dc..e17c921 100644 --- a/doc/sphinx/plugins/admin/adminMaintenance.rst +++ b/doc/sphinx/plugins/admin/adminMaintenance.rst @@ -14,11 +14,11 @@ Manage the bastion maintenance mode .. program:: adminMaintenance -.. option:: --lock +.. option:: --lock Set maintenance mode: new logins will be disallowed -.. option:: --unlock +.. option:: --unlock Unset maintenance mode: new logins are allowed and the bastion functions normally diff --git a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst index 8966acb..205e409 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst @@ -14,7 +14,7 @@ Add an IP or IP block to a group's servers list .. program:: groupAddServer -.. option:: --group GROUP +.. option:: --group GROUP Specify which group this machine should be added to (it should have the public group key of course) 
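Review bot: In the rewritten `elsif` branch of doc/sphinx/build-plugins-help.sh that prints `.. option::`, `$c` and `$t` are assigned without `my`, so under `perl -ne` they are package globals that persist from one input line to the next; `my ($c,$t)=($1,$2);` would keep them local to the branch. The line also has no comment explaining the strip: the capture's character class includes the space, so it appears to carry column padding into the directive, which fits the regenerated .rst hunks in this commit changing only whitespace on their `.. option::` lines. A one-line comment above it such as `# drop the padding captured by the option pattern` would record that. Keep any such comment free of apostrophes, because the perl program sits inside a single-quoted shell string. The enclosing loop starts and ends outside the hunk.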
@@ -23,31 +23,31 @@ Add an IP or IP block to a group's servers list Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP, or a whole network using the NET/CIDR notation -.. option:: --user USER +.. option:: --user USER Specify which remote user should be allowed (root, run, etc...) -.. option:: --user-any +.. option:: --user-any Allow any remote user (the remote user should still have the public group key in all cases) -.. option:: --port PORT +.. option:: --port PORT Only allow access to this port (e.g. 22) -.. option:: --port-any +.. option:: --port-any Allow access to any port -.. option:: --scpup +.. option:: --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) -.. option:: --force +.. option:: --force Don't try the ssh connection, just add the host to the group blindly @@ -55,15 +55,15 @@ Add an IP or IP block to a group's servers list Only use the key with the specified fingerprint to connect to the server (cf groupInfo) -.. option:: --force-password HASH +.. option:: --force-password HASH Only use the password with the specified hash to connect to the server (cf groupListPasswords) -.. option:: --ttl SECONDS|DURATION +.. option:: --ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire -.. option:: --comment '"ANY TEXT'" +.. option:: --comment '"ANY TEXT'" Add a comment alongside this server diff --git a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst index 7d35a9e..d80848c 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst 
@@ -14,7 +14,7 @@ Remove an IP or IP block from a group's serrver list .. program:: groupDelServer -.. option:: --group GROUP +.. option:: --group GROUP Specify which group this machine should be removed from @@ -22,27 +22,27 @@ Remove an IP or IP block from a group's serrver list Host(s) we want to remove access to -.. option:: --user USER +.. option:: --user USER Remote user that was allowed, if any user was allowed, use --user-any -.. option:: --user-any +.. option:: --user-any Use if any remote login was allowed -.. option:: --port PORT +.. option:: --port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any -.. option:: --port-any +.. option:: --port-any Use if any remote port was allowed -.. option:: --scpup +.. option:: --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) diff --git a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst index f1591bd..3b47857 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst 
@@ -14,39 +14,39 @@ Add a specific group server access to an account .. program:: groupAddGuestAccess -.. option:: --group GROUP +.. option:: --group GROUP group to add guest access to -.. option:: --account ACCOUNT +.. option:: --account ACCOUNT name of the other bastion account to add access to, they'll be given access to the GROUP key -.. option:: --host HOST|IP +.. option:: --host HOST|IP add access to this HOST (which must belong to the GROUP) -.. option:: --user USER +.. option:: --user USER allow connecting to HOST only with remote login USER -.. option:: --user-any +.. option:: --user-any allow connecting to HOST with any remote login -.. option:: --port PORT +.. option:: --port PORT allow connecting to HOST only to remote port PORT -.. option:: --port-any +.. option:: --port-any allow connecting to HOST with any remote port -.. option:: --scpup +.. option:: --scpup allow SCP upload, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown allow SCP download, you<--bastion--server (omit --user in this case) diff --git a/doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst b/doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst index 157e4c4..074b53e 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst @@ -14,7 +14,7 @@ Add an account to the member list .. program:: groupAddMember -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as a member of diff --git a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst index aa29148..9ca03bc 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst 
@@ -14,36 +14,36 @@ Remove a specific group server access from an account .. program:: groupDelGuestAccess -.. option:: --group GROUP +.. option:: --group GROUP group to remove guest access from --account ACCOUNT name of the other bastion account to remove access from -.. option:: --host HOST|IP +.. option:: --host HOST|IP remove access from this HOST (which must belong to the GROUP) -.. option:: --user USER +.. option:: --user USER allow connecting to HOST only with remote login USER -.. option:: --user-any +.. option:: --user-any allow connecting to HOST with any remote login -.. option:: --port PORT +.. option:: --port PORT allow connecting to HOST only to remote port PORT -.. option:: --port-any +.. option:: --port-any allow connecting to HOST with any remote port -.. option:: --scpup +.. option:: --scpup allow SCP upload, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown allow SCP download, you<--bastion--server (omit --user in this case) diff --git a/doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst b/doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst index 79d9ac7..300d747 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst @@ -14,7 +14,7 @@ Remove an account from the members list .. program:: groupDelMember -.. option:: --group GROUP +.. option:: --group GROUP which group to remove ACCOUNT as a member of diff --git a/doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst b/doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst index 793b8bb..3354814 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst 
@@ -14,7 +14,7 @@ List the guest accesses to servers of a group specifically granted to an account .. program:: groupListGuestAccesses -.. option:: --group GROUP +.. option:: --group GROUP Look for accesses to servers of this GROUP @@ -22,7 +22,7 @@ List the guest accesses to servers of a group specifically granted to an account Which account to check -.. option:: --reverse-dns +.. option:: --reverse-dns Attempt to resolve the reverse hostnames (SLOW!) diff --git a/doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst b/doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst index 4b6a66a..0f86dbb 100644 --- a/doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst +++ b/doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst @@ -14,7 +14,7 @@ Add the group aclkeeper role to an account .. program:: groupAddAclkeeper -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as an aclkeeper of diff --git a/doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst b/doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst index ddcc17e..1e2614f 100644 --- a/doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst +++ b/doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst @@ -14,7 +14,7 @@ Add the group gatekeeper role to an account .. program:: groupAddGatekeeper -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as a gatekeeper of diff --git a/doc/sphinx/plugins/group-owner/groupAddOwner.rst b/doc/sphinx/plugins/group-owner/groupAddOwner.rst index 586b4e4..0dc14a6 100644 --- a/doc/sphinx/plugins/group-owner/groupAddOwner.rst +++ b/doc/sphinx/plugins/group-owner/groupAddOwner.rst @@ -14,7 +14,7 @@ Add the group owner role to an account .. program:: groupAddOwner -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as an owner of diff --git a/doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst b/doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst index 2d920af..e52f626 100644 
--- a/doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst +++ b/doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst @@ -14,7 +14,7 @@ Remove the group aclkeeper role from an account .. program:: groupDelAclkeeper -.. option:: --group GROUP +.. option:: --group GROUP which group to remove ACCOUNT as an aclkeeper of diff --git a/doc/sphinx/plugins/group-owner/groupDelEgressKey.rst b/doc/sphinx/plugins/group-owner/groupDelEgressKey.rst index 02828d7..6b76062 100644 --- a/doc/sphinx/plugins/group-owner/groupDelEgressKey.rst +++ b/doc/sphinx/plugins/group-owner/groupDelEgressKey.rst @@ -18,7 +18,7 @@ Remove a bastion group egress key Name of the group to delete the egress key from -.. option:: --id ID +.. option:: --id ID Specify the key ID to delete, you can get it with groupInfo diff --git a/doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst b/doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst index 4641ec5..1da1893 100644 --- a/doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst +++ b/doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst @@ -14,7 +14,7 @@ Remove the group gatekeeper role from an account .. program:: groupDelGatekeeper -.. option:: --group GROUP +.. option:: --group GROUP which group to remove ACCOUNT as a gatekeeper of diff --git a/doc/sphinx/plugins/group-owner/groupDelOwner.rst b/doc/sphinx/plugins/group-owner/groupDelOwner.rst index 09cba1c..9fabe2a 100644 --- a/doc/sphinx/plugins/group-owner/groupDelOwner.rst +++ b/doc/sphinx/plugins/group-owner/groupDelOwner.rst @@ -14,7 +14,7 @@ Remove the group owner role from an account .. program:: groupDelOwner -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as an owner of diff --git a/doc/sphinx/plugins/group-owner/groupDestroy.rst b/doc/sphinx/plugins/group-owner/groupDestroy.rst index 4afbf70..73de126 100644 --- a/doc/sphinx/plugins/group-owner/groupDestroy.rst +++ b/doc/sphinx/plugins/group-owner/groupDestroy.rst 
@@ -18,7 +18,7 @@ Delete a group Group name to delete -.. option:: --no-confirm +.. option:: --no-confirm Skip group name confirmation, but blame yourself if you deleted the wrong group! diff --git a/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst b/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst index 90f7440..217427b 100644 --- a/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst +++ b/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst @@ -19,12 +19,12 @@ Create a new public + private key pair for a group Group name to generate a new egress key for. -.. option:: --algo ALGO +.. option:: --algo ALGO Specifies the algo of the key, either rsa, ecdsa or ed25519. -.. option:: --size SIZE +.. option:: --size SIZE Specifies the size of the key to be generated. @@ -32,7 +32,7 @@ Create a new public + private key pair for a group For ECDSA, choose either 256, 384 or 521. For ED25519, size is always 256. -.. option:: --encrypted +.. option:: --encrypted If specified, a passphrase will be prompted for the new key diff --git a/doc/sphinx/plugins/group-owner/groupGeneratePassword.rst b/doc/sphinx/plugins/group-owner/groupGeneratePassword.rst index ccb9a5f..c01687f 100644 --- a/doc/sphinx/plugins/group-owner/groupGeneratePassword.rst +++ b/doc/sphinx/plugins/group-owner/groupGeneratePassword.rst @@ -18,11 +18,11 @@ Generate a new egress password for the group Specify which group you want to generate a password for -.. option:: --size SIZE +.. option:: --size SIZE Specify the number of characters of the password to generate -.. option:: --do-it +.. option:: --do-it Required for the password to actually be generated, BEWARE: please read the note below diff --git a/doc/sphinx/plugins/group-owner/groupModify.rst b/doc/sphinx/plugins/group-owner/groupModify.rst index d67c01f..d173d6f 100644 --- a/doc/sphinx/plugins/group-owner/groupModify.rst +++ b/doc/sphinx/plugins/group-owner/groupModify.rst 
@@ -14,11 +14,11 @@ Modify the configuration of a group .. program:: groupModify -.. option:: --group GROUP +.. option:: --group GROUP Name of the group to modify -.. option:: --mfa-required password|totp|any|none +.. option:: --mfa-required password|totp|any|none Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server of the group @@ -26,7 +26,7 @@ Modify the configuration of a group this group. If set to -1, remove this group override and use the global setting instead. --idle-kill-timeout DURATION|0|-1 Overrides the global setting (`idleKillTimeout`), to the specified duration. If set to 0, disables `idleKillTimeout` for this group. If set to -1, remove this group override and use the global setting instead. -.. option:: --guest-ttl-limit DURATION +.. option:: --guest-ttl-limit DURATION This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION, diff --git a/doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst b/doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst index 499ad99..5f12575 100644 --- a/doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst +++ b/doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst @@ -14,7 +14,7 @@ Transmit your group ownership to somebody else .. program:: groupTransmitOwnership -.. option:: --group GROUP +.. option:: --group GROUP which group to set ACCOUNT as an owner of diff --git a/doc/sphinx/plugins/open/clush.rst b/doc/sphinx/plugins/open/clush.rst index daf7451..9ec8919 100644 --- a/doc/sphinx/plugins/open/clush.rst +++ b/doc/sphinx/plugins/open/clush.rst 
@@ -14,27 +14,27 @@ Launch a remote command on several machines sequentially (clush-like) .. program:: clush -.. option:: --list HOSTLIST +.. option:: --list HOSTLIST Comma-separated list of the hosts (hostname or IP) to run the command on -.. option:: --user USER +.. option:: --user USER Specify which remote user should we use to connect (default: BASTION_ACCOUNT) -.. option:: --port PORT +.. option:: --port PORT Specify which port to connect to (default: 22) -.. option:: --step-by-step +.. option:: --step-by-step Pause before running the command on each host -.. option:: --no-pause-on-failure +.. option:: --no-pause-on-failure Don't pause if the remote command failed (returned exit code != 0) -.. option:: --no-confirm +.. option:: --no-confirm Skip confirmation of the host list and command diff --git a/doc/sphinx/plugins/open/groupList.rst b/doc/sphinx/plugins/open/groupList.rst index 0f209f5..02fe221 100644 --- a/doc/sphinx/plugins/open/groupList.rst +++ b/doc/sphinx/plugins/open/groupList.rst @@ -14,7 +14,7 @@ List the groups available on this bastion .. program:: groupList -.. option:: --all +.. option:: --all List all groups, even those to which you don't have access diff --git a/doc/sphinx/plugins/open/groupListServers.rst b/doc/sphinx/plugins/open/groupListServers.rst index 86b38d1..83b9318 100644 --- a/doc/sphinx/plugins/open/groupListServers.rst +++ b/doc/sphinx/plugins/open/groupListServers.rst @@ -14,11 +14,11 @@ List the servers (IPs and IP blocks) pertaining to a group .. program:: groupListServers -.. option:: --group GROUP +.. option:: --group GROUP List the servers of this group -.. option:: --reverse-dns +.. option:: --reverse-dns Attempt to resolve the reverse hostnames (SLOW!) diff --git a/doc/sphinx/plugins/open/nc.rst b/doc/sphinx/plugins/open/nc.rst index 2b1e448..9d6f6d6 100644 --- a/doc/sphinx/plugins/open/nc.rst +++ b/doc/sphinx/plugins/open/nc.rst 
@@ -22,7 +22,7 @@ Check whether a remote TCP port is open TCP port to attempt to connect to -.. option:: -w SECONDS +.. option:: -w SECONDS Timeout in seconds (default: 3) diff --git a/doc/sphinx/plugins/open/ping.rst b/doc/sphinx/plugins/open/ping.rst index 833f350..a82b15c 100644 --- a/doc/sphinx/plugins/open/ping.rst +++ b/doc/sphinx/plugins/open/ping.rst @@ -18,19 +18,19 @@ Ping a remote host from the bastion Remote host to ping -.. option:: -c COUNT +.. option:: -c COUNT Number of pings to send (default: infinite) -.. option:: -s SIZE +.. option:: -s SIZE Specify the packet size to send -.. option:: -t TTL +.. option:: -t TTL TTL to set in the ICMP packet (default: OS dependent) -.. option:: -w TIMEOUT +.. option:: -w TIMEOUT Exit unconditionally after this amount of seconds (default & max: 86400) diff --git a/doc/sphinx/plugins/open/selfAddIngressKey.rst b/doc/sphinx/plugins/open/selfAddIngressKey.rst index 5bc8d05..80fa5a8 100644 --- a/doc/sphinx/plugins/open/selfAddIngressKey.rst +++ b/doc/sphinx/plugins/open/selfAddIngressKey.rst @@ -22,7 +22,7 @@ Add a new ingress public key to your account can also pass it through STDIN directly. If the policy of this bastion allows it, you may prefix the key with a 'from="IP1,IP2,..."' snippet, a la authorized_keys. However the policy might force a configured 'from' prefix that will override yours, or be used if you don't specify it yourself. -.. option:: --piv +.. option:: --piv Add a public SSH key from a PIV-compatible hardware token, along with its attestation certificate and key diff --git a/doc/sphinx/plugins/open/selfDelIngressKey.rst b/doc/sphinx/plugins/open/selfDelIngressKey.rst index 628fa9a..433ed22 100644 --- a/doc/sphinx/plugins/open/selfDelIngressKey.rst +++ b/doc/sphinx/plugins/open/selfDelIngressKey.rst 
@@ -14,7 +14,7 @@ Remove an ingress public key from your account .. program:: selfDelIngressKey -.. option:: -l, --id-to-delete ID +.. option:: -l, --id-to-delete ID Directly specify key id to delete (CAUTION!), you can get id with selfListIngressKeys diff --git a/doc/sphinx/plugins/open/selfGeneratePassword.rst b/doc/sphinx/plugins/open/selfGeneratePassword.rst index 3da7286..4e37c33 100644 --- a/doc/sphinx/plugins/open/selfGeneratePassword.rst +++ b/doc/sphinx/plugins/open/selfGeneratePassword.rst @@ -18,7 +18,7 @@ Generate a new egress password for your account Specify the number of characters of the password to generate -.. option:: --do-it +.. option:: --do-it Required for the password to actually be generated, BEWARE: please read the note below diff --git a/doc/sphinx/plugins/open/selfGenerateProxyPassword.rst b/doc/sphinx/plugins/open/selfGenerateProxyPassword.rst index 0aa73ef..eb03a90 100644 --- a/doc/sphinx/plugins/open/selfGenerateProxyPassword.rst +++ b/doc/sphinx/plugins/open/selfGenerateProxyPassword.rst @@ -18,7 +18,7 @@ Generate a new ingress password to use the bastion HTTPS proxy Size of the password to generate -.. option:: --do-it +.. option:: --do-it Required for the password to actually be generated, BEWARE: please read the note below diff --git a/doc/sphinx/plugins/open/selfListAccesses.rst b/doc/sphinx/plugins/open/selfListAccesses.rst index f5bf98c..af32b42 100644 --- a/doc/sphinx/plugins/open/selfListAccesses.rst +++ b/doc/sphinx/plugins/open/selfListAccesses.rst @@ -14,12 +14,12 @@ Show the list of servers you have access to .. program:: selfListAccesses -.. option:: --hide-groups +.. option:: --hide-groups Don't show the machines you have access to through group rights. In other words, list only your personal accesses. -.. option:: --reverse-dns +.. option:: --reverse-dns Attempt to resolve the reverse hostnames (SLOW!) 
diff --git a/doc/sphinx/plugins/open/selfListSessions.rst b/doc/sphinx/plugins/open/selfListSessions.rst index daaa46a..325fed2 100644 --- a/doc/sphinx/plugins/open/selfListSessions.rst +++ b/doc/sphinx/plugins/open/selfListSessions.rst @@ -14,57 +14,57 @@ List the few past sessions of your account .. program:: selfListSessions -.. option:: --detailed +.. option:: --detailed Display more information about each session -.. option:: --limit LIMIT +.. option:: --limit LIMIT Limit to LIMIT results -.. option:: --id ID +.. option:: --id ID Only sessions having this ID -.. option:: --type TYPE +.. option:: --type TYPE Only sessions of specified type (ssh, osh, ...) -.. option:: --allowed +.. option:: --allowed Only sessions that have been allowed by the bastion -.. option:: --denied +.. option:: --denied Only sessions that have been denied by the bastion -.. option:: --after WHEN +.. option:: --after WHEN Only sessions that started after WHEN, WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS] -.. option:: --before WHEN +.. option:: --before WHEN Only sessions that started before WHEN, WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS] -.. option:: --host HOST +.. option:: --host HOST Only sessions connecting to remote HOST -.. option:: --to-port PORT +.. option:: --to-port PORT Only sessions connecting to remote PORT -.. option:: --user USER +.. option:: --user USER Only sessions connecting using remote USER -.. option:: --via HOST +.. option:: --via HOST Only sessions that connected through bastion IP HOST -.. option:: --via-port PORT +.. option:: --via-port PORT Only sessions that connected through bastion PORT diff --git a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst index 62b97f2..b181be5 100644 --- a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst 
@@ -14,35 +14,35 @@ Add a personal server access to an account .. program:: accountAddPersonalAccess -.. option:: --account +.. option:: --account Bastion account to add the access to -.. option:: --host IP|HOST|IP/MASK +.. option:: --host IP|HOST|IP/MASK Server to add access to -.. option:: --user USER +.. option:: --user USER Remote login to use, if you want to allow any login, use --user-any -.. option:: --user-any +.. option:: --user-any Allow access with any remote login -.. option:: --port PORT +.. option:: --port PORT Remote SSH port to use, if you want to allow any port, use --port-any -.. option:: --port-any +.. option:: --port-any Allow access to all remote ports -.. option:: --scpup +.. option:: --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) @@ -50,15 +50,15 @@ Add a personal server access to an account Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys) -.. option:: --force-password HASH +.. option:: --force-password HASH Only use the password with the specified hash to connect to the server (cf accountListPasswords) -.. option:: --ttl SECONDS|DURATION +.. option:: --ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire -.. option:: --comment "'ANY TEXT'" +.. option:: --comment "'ANY TEXT'" Add a comment alongside this server. Quote it twice as shown if you're under a shell. diff --git a/doc/sphinx/plugins/restricted/accountCreate.rst b/doc/sphinx/plugins/restricted/accountCreate.rst index 8e91196..e86615d 100644 --- a/doc/sphinx/plugins/restricted/accountCreate.rst +++ b/doc/sphinx/plugins/restricted/accountCreate.rst 
@@ -14,24 +14,24 @@ Create a new bastion account .. program:: accountCreate -.. option:: --account NAME +.. option:: --account NAME Account name to create, NAME must contain only valid UNIX account name characters -.. option:: --uid UID +.. option:: --uid UID Account system UID, also see --uid-auto -.. option:: --uid-auto +.. option:: --uid-auto Auto-select an UID from the allowed range (the upper available one will be used) -.. option:: --always-active +.. option:: --always-active This account's activation won't be challenged on connection, even if the bastion is globally configured to check for account activation -.. option:: --osh-only +.. option:: --osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion @@ -40,24 +40,24 @@ Create a new bastion account Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays', setting this option to zero disables account expiration. -.. option:: --immutable-key +.. option:: --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied) -.. option:: --comment '"STRING"' +.. option:: --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell. -.. option:: --public-key '"KEY"' +.. option:: --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present, you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. -.. option:: --no-key +.. option:: --no-key Don't prompt for an SSH key, no ingress public key will be installed -.. option:: --ttl SECONDS|DURATION +.. option:: --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m") diff --git a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst index 1c49c34..6d4e2a9 100644 
--- a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst @@ -14,7 +14,7 @@ Remove a personal server access from an account .. program:: accountDelPersonalAccess -.. option:: --account +.. option:: --account Bastion account to remove access from @@ -22,27 +22,27 @@ Remove a personal server access from an account Server to remove access from -.. option:: --user USER +.. option:: --user USER Remote user that was allowed, if any user was allowed, use --user-any -.. option:: --user-any +.. option:: --user-any Use if any remote login was allowed -.. option:: --port PORT +.. option:: --port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any -.. option:: --port-any +.. option:: --port-any Use if any remote port was allowed -.. option:: --scpup +.. option:: --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) -.. option:: --scpdown +.. option:: --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) diff --git a/doc/sphinx/plugins/restricted/accountDelete.rst b/doc/sphinx/plugins/restricted/accountDelete.rst index 8a48565..dbacf0d 100644 --- a/doc/sphinx/plugins/restricted/accountDelete.rst +++ b/doc/sphinx/plugins/restricted/accountDelete.rst @@ -18,7 +18,7 @@ Delete an account from the bastion Account name to delete -.. option:: --no-confirm +.. option:: --no-confirm Don't ask for confirmation, and blame yourself if you deleted the wrong account diff --git a/doc/sphinx/plugins/restricted/accountFreeze.rst b/doc/sphinx/plugins/restricted/accountFreeze.rst new file mode 100644 index 0000000..a4e4a46 --- /dev/null +++ b/doc/sphinx/plugins/restricted/accountFreeze.rst 
@@ -0,0 +1,25 @@ +============== +accountFreeze +============== + +Freeze an account, to prevent it from connecting +================================================ + + +.. admonition:: usage + :class: cmdusage + + --osh accountFreeze --account ACCOUNT [--reason "'SOME REASON'"] + +.. program:: accountFreeze + + +.. option:: --account ACCOUNT + + Account to freeze + +.. option:: --reason "'SOME REASON'" + + Optional reason for the account to be frozen (will be displayed to the user), + + if you are in a shell (and not in interactive mode), quote it twice as shown. diff --git a/doc/sphinx/plugins/restricted/accountGeneratePassword.rst b/doc/sphinx/plugins/restricted/accountGeneratePassword.rst index 24aa26c..b4a897b 100644 --- a/doc/sphinx/plugins/restricted/accountGeneratePassword.rst +++ b/doc/sphinx/plugins/restricted/accountGeneratePassword.rst @@ -18,11 +18,11 @@ Generate a new egress password for an account Specify which account you want to generate a password for -.. option:: --size SIZE +.. option:: --size SIZE Specify the number of characters of the password to generate -.. option:: --do-it +.. option:: --do-it Required for the password to actually be generated, BEWARE: please read the note below diff --git a/doc/sphinx/plugins/restricted/accountInfo.rst b/doc/sphinx/plugins/restricted/accountInfo.rst index 412a375..a1c22c6 100644 --- a/doc/sphinx/plugins/restricted/accountInfo.rst +++ b/doc/sphinx/plugins/restricted/accountInfo.rst @@ -18,7 +18,7 @@ Display some information about an account The account name to work on -.. option:: --list-groups +.. option:: --list-groups Show which groups the account has a role on diff --git a/doc/sphinx/plugins/restricted/accountList.rst b/doc/sphinx/plugins/restricted/accountList.rst index 53c514e..0ddeb08 100644 --- a/doc/sphinx/plugins/restricted/accountList.rst +++ b/doc/sphinx/plugins/restricted/accountList.rst 
@@ -14,15 +14,15 @@ List the bastion accounts .. program:: accountList -.. option:: --account ACCOUNT +.. option:: --account ACCOUNT Only list the specified account. This is an easy way to check whether the account exists -.. option:: --inactive-only +.. option:: --inactive-only Only list inactive accounts -.. option:: --audit +.. option:: --audit Show more verbose information (SLOW!), you need to be a bastion auditor @@ -30,16 +30,16 @@ List the bastion accounts Don't gather password info in audit mode (makes --audit way faster) -.. option:: --no-output +.. option:: --no-output Don't print human-readable output (faster, use with --json) -.. option:: --include PATTERN +.. option:: --include PATTERN Only show accounts whose name match the given PATTERN (see below) This option can be used multiple times to refine results -.. option:: --exclude PATTERN +.. option:: --exclude PATTERN Omit accounts whose name match the given PATTERN (see below) diff --git a/doc/sphinx/plugins/restricted/accountListAccesses.rst b/doc/sphinx/plugins/restricted/accountListAccesses.rst index fa9029b..68cf4ca 100644 --- a/doc/sphinx/plugins/restricted/accountListAccesses.rst +++ b/doc/sphinx/plugins/restricted/accountListAccesses.rst @@ -18,12 +18,12 @@ View the expanded access list of a given bastion account The account to work on -.. option:: --hide-groups +.. option:: --hide-groups Don't show the machines the accouns has access to through group rights. In other words, list only the account's personal accesses. -.. option:: --reverse-dns +.. option:: --reverse-dns Attempt to resolve the reverse hostnames (SLOW!) diff --git a/doc/sphinx/plugins/restricted/accountModify.rst b/doc/sphinx/plugins/restricted/accountModify.rst index df63030..47f5452 100644 --- a/doc/sphinx/plugins/restricted/accountModify.rst +++ b/doc/sphinx/plugins/restricted/accountModify.rst 
@@ -14,29 +14,29 @@ Modify an account configuration
 .. program:: accountModify
-.. option:: --account ACCOUNT
+.. option:: --account ACCOUNT
 Bastion account to work on
-.. option:: --pam-auth-bypass yes|no
+.. option:: --pam-auth-bypass yes|no
 Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'), in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This does not change the behaviour of the code, just the PAM auth handled by SSH itself
-.. option:: --mfa-password-required yes|no|bypass
+.. option:: --mfa-password-required yes|no|bypass
 Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'), this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified, no password will ever be asked, even for groups or plugins explicitly requiring it
-.. option:: --mfa-totp-required yes|no|bypass
+.. option:: --mfa-totp-required yes|no|bypass
 Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'), this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified, no OTP will ever be asked, even for groups or plugins explicitly requiring it
-.. option:: --egress-strict-host-key-checking POLICY
+.. option:: --egress-strict-host-key-checking POLICY
 Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
@@ -46,30 +46,30 @@ Modify an account configuration
 This effectively suppress the host key checking entirely. Please don't enable this blindly. 'default' will remove this account's ``StrictHostKeyChecking`` setting override. All the other policies carry the same meaning that what is documented in `man ssh_config`.
-.. option:: --personal-egress-mfa-required POLICY
+.. option:: --personal-egress-mfa-required POLICY
 Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
-.. option:: --always-active yes|no
+.. option:: --always-active yes|no
 Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
-.. option:: --idle-ignore yes|no
+.. option:: --idle-ignore yes|no
 If enabled, this account is immune to the idleLockTimeout and idleKillTimeout bastion-wide policy
-.. option:: --max-inactive-days DAYS
+.. option:: --max-inactive-days DAYS
 Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays'. Setting this option to zero disables account expiration. Setting this option to -1 removes this account expiration policy, i.e. the global bastion setting will apply.
-.. option:: --osh-only yes|no
+.. option:: --osh-only yes|no
 If enabled, this account can only use ``--osh`` commands, and can't connect anywhere through the bastion
-.. option:: --pubkey-auth-optional yes|no
+.. option:: --pubkey-auth-optional yes|no
 Make the public key optional on ingress for the account (default is 'no').
diff --git a/doc/sphinx/plugins/restricted/accountPIV.rst b/doc/sphinx/plugins/restricted/accountPIV.rst
index b203c98..5ac30c8 100644
--- a/doc/sphinx/plugins/restricted/accountPIV.rst
+++ b/doc/sphinx/plugins/restricted/accountPIV.rst
@@ -14,11 +14,11 @@ Modify the PIV policy for the ingress keys of an account
 .. program:: accountPIV
-.. option:: --account ACCOUNT
+.. option:: --account ACCOUNT
 Bastion account to work on
-.. option:: --policy POLICY
+.. option:: --policy POLICY
 Changes the PIV policy of account. See below for a description of available policies.
diff --git a/doc/sphinx/plugins/restricted/accountUnfreeze.rst b/doc/sphinx/plugins/restricted/accountUnfreeze.rst
new file mode 100644
index 0000000..82f6a99
--- /dev/null
+++ b/doc/sphinx/plugins/restricted/accountUnfreeze.rst
@@ -0,0 +1,20 @@
+================
+accountUnfreeze
+================
+
+Unfreeze a frozen account
+=========================
+
+
+.. admonition:: usage
+ :class: cmdusage
+
+ --osh accountUnfreeze --account ACCOUNT
+
+.. program:: accountUnfreeze
+
+
+.. option:: --account ACCOUNT
+
+ Account to unfreeze
+
diff --git a/doc/sphinx/plugins/restricted/groupDelete.rst b/doc/sphinx/plugins/restricted/groupDelete.rst
index 0bfc41c..61a0ead 100644
--- a/doc/sphinx/plugins/restricted/groupDelete.rst
+++ b/doc/sphinx/plugins/restricted/groupDelete.rst
@@ -18,7 +18,7 @@ Delete a group
 Group name to delete
-.. option:: --no-confirm
+.. option:: --no-confirm
 Skip group name confirmation, but blame yourself if you deleted the wrong group!
diff --git a/doc/sphinx/plugins/restricted/realmCreate.rst b/doc/sphinx/plugins/restricted/realmCreate.rst
index 0a4af72..5294e25 100644
--- a/doc/sphinx/plugins/restricted/realmCreate.rst
+++ b/doc/sphinx/plugins/restricted/realmCreate.rst
@@ -14,7 +14,7 @@ Declare and create a new trusted realm
 .. program:: realmCreate
-.. option:: --realm REALM
+.. option:: --realm REALM
 Realm name to create
diff --git a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst
index 51b6e37..2ab2f39 100644
--- a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst
+++ b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst
@@ -14,35 +14,35 @@ Add a personal server access on your account
 .. program:: selfAddPersonalAccess
-.. option:: --host IP|HOST|IP/MASK
+.. option:: --host IP|HOST|IP/MASK
 Server to add access to
-.. option:: --user USER
+.. option:: --user USER
 Remote login to use, if you want to allow any login, use --user-any
-.. option:: --user-any
+.. option:: --user-any
 Allow access with any remote login
-.. option:: --port PORT
+.. option:: --port PORT
 Remote SSH port to use, if you want to allow any port, use --port-any
-.. option:: --port-any
+.. option:: --port-any
 Allow access to all remote ports
-.. option:: --scpup
+.. option:: --scpup
 Allow SCP upload, you--bastion-->server (omit --user in this case)
-.. option:: --scpdown
+.. option:: --scpdown
 Allow SCP download, you<--bastion--server (omit --user in this case)
-.. option:: --force
+.. option:: --force
 Add the access without checking that the public SSH key is properly installed remotely
@@ -50,15 +50,15 @@ Add a personal server access on your account
 Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
-.. option:: --force-password HASH
+.. option:: --force-password HASH
 Only use the password with the specified hash to connect to the server (cf selfListPasswords)
-.. option:: --ttl SECONDS|DURATION
+.. option:: --ttl SECONDS|DURATION
 Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
-.. option:: --comment "'ANY TEXT'"
+.. option:: --comment "'ANY TEXT'"
 Add a comment alongside this server. Quote it twice as shown if you're under a shell.
diff --git a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst
index 332fb84..536bcd3 100644
--- a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst
+++ b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst
@@ -18,27 +18,27 @@ Remove a personal server access from your account
 Server to remove access from
-.. option:: --user USER
+.. option:: --user USER
 Remote user that was allowed, if any user was allowed, use --user-any
-.. option:: --user-any
+.. option:: --user-any
 Use if any remote login was allowed
-.. option:: --port PORT
+.. option:: --port PORT
 Remote SSH port that was allowed, if any port was allowed, use --port-any
-.. option:: --port-any
+.. option:: --port-any
 Use if any remote port was allowed
-.. option:: --scpup
+.. option:: --scpup
 Remove SCP upload right, you--bastion-->server (omit --user in this case)
-.. option:: --scpdown
+.. option:: --scpdown
 Remove SCP download right, you<--bastion--server (omit --user in this case)
diff --git a/doc/sphinx/plugins/restricted/whoHasAccessTo.rst b/doc/sphinx/plugins/restricted/whoHasAccessTo.rst
index 1c4da46..24ba23a 100644
--- a/doc/sphinx/plugins/restricted/whoHasAccessTo.rst
+++ b/doc/sphinx/plugins/restricted/whoHasAccessTo.rst
@@ -14,19 +14,19 @@ List the accounts that have access to a given server
 .. program:: whoHasAccessTo
-.. option:: --host SERVER
+.. option:: --host SERVER
 List declared accesses to this server
-.. option:: --user USER
+.. option:: --user USER
 Remote user allowed (if not specified, ignore user specifications)
-.. option:: --port PORT
+.. option:: --port PORT
 Remote port allowed (if not specified, ignore port specifications)
-.. option:: --ignore-personal
+.. option:: --ignore-personal
 Don't check accounts' personal accesses (i.e. only check groups)
@@ -35,7 +35,7 @@ List the accounts that have access to a given server
 Ignore accesses by this group, if you know GROUP public key is in fact not present on remote server but bastion thinks it is
-.. option:: --show-wildcards
+.. option:: --show-wildcards
 Also list accesses that match because 0.0.0.0/0 is listed in a group or private access,
diff --git a/doc/sphinx/using/basics/first_steps.rst b/doc/sphinx/using/basics/first_steps.rst
index fabbdd5..5d4f387 100644
--- a/doc/sphinx/using/basics/first_steps.rst
+++ b/doc/sphinx/using/basics/first_steps.rst
@@ -141,7 +141,7 @@ then use ```` again to show you the required arguments. The complete comman
 You'll notice that it didn't work. This is because first, you need to add your *personal egress key* to the remote machine's *authorized_keys* file. If this seems strange, here is
-:doc:`how it works <../presentation/principles>`.
+:doc:`how it works `.
 To get your *personal egress key*, you can use this command: .. code-block:: shell
@@ -267,4 +267,4 @@ Let's see what we did exactly during this session:
 ~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake. Now that you've connected to your first server, using a personal access,
-you may want to learn more about the :doc:``, or directly dive into the **PLUGINS** on the left menu.
+you may want to learn more about the :doc:`access_management`, or directly dive into the **PLUGINS** on the left menu.