Merge pull request #79 from axl89/master

Fixed wrong default values in bastion.conf comments
Stéphane Lesimple 2020-12-16 14:29:03 +01:00 committed by GitHub
commit b131395a21
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 6 deletions


@ -19,7 +19,7 @@ General upgrade instructions
/opt/bastion/bin/admin/install --upgrade
Note that if you're using an infrastructure automation tool such as Puppet, Ansible, Chef, and don't want the update script to touch some files that you manage yourself, you can use ``--upgrade-managed`` instead of ``--upgrade``. See the ``--help`` for a more fine-grained upgrade path if needed.
Note that if you're using an infrastructure automation tool such as Puppet, Ansible, Chef, and don't want the update script to touch some files that you manage yourself, you can use ``--managed-upgrade`` instead of ``--upgrade``. See the ``--help`` for a more fine-grained upgrade path if needed.
Version-specific upgrade instructions
=====================================


@ -89,7 +89,7 @@
# DESC: If set to 0 (false), any from="..." specified in user keys (selfAddIngressKey or accountCreate) are ignored and replaced by the IPs in the ingressKeysFrom configuration option (if any).
# If set to 1 (true), any from="..." specified in user keys (selfAddIngressKey or accountCreate) will override the value set in ingressKeysFrom (if any). When no user-specified from="..." appears, the value of ingressKeysFrom is still used, regardless of this option.
# DEFAULT: 0
"ingressKeysFromAllowOverride": 1,
"ingressKeysFromAllowOverride": 0,
#
# accountUidMin (int)
# DESC: minimum allowed UID for accounts on this bastion. Hardcoded > 1000 even if configured for less
@ -136,7 +136,7 @@
# minimumIngressRsaKeySize (int), deprecated alias: minimumRsaKeySize
# DESC: The minimum allowed size for ingress RSA keys (user->bastion). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumIngressRsaKeySize": 4096,
"minimumIngressRsaKeySize": 2048,
#
# maximumIngressRsaKeySize (int)
# DESC: The maximum allowed size for ingress RSA keys (user->bastion). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
@ -146,7 +146,7 @@
# minimumEgressRsaKeySize (int), deprecated alias: minimumRsaKeySize
# DESC: The minimum allowed size for egress RSA keys (bastion->server). Sane values range from 2048 to 4096.
# DEFAULT: 2048
"minimumEgressRsaKeySize": 4096,
"minimumEgressRsaKeySize": 2048,
#
# maximumEgressRsaKeySize (int)
# DESC: The maximum allowed size for ingress RSA keys (bastion->server). Too big values (>8192) are extremely CPU intensive and don't really add that much security.
@ -355,7 +355,7 @@
#
# ttyrecFilenameFormat (string)
# DESC: Sets the filename format of the output files of ttyrec for a given session. Magic tokens are: &bastionname, &uniqid, &account, &ip, &port, &user (they'll be replaced by the corresponding values of the current session). Then, this string (automatically prepended with the correct folder) will be passed to ttyrec's -F parameter, which uses strftime() to expand it, so the usual character conversions will be done (%Y for the year, %H for the hour, etc., see man strftime). Note that in a addition to the usual strftime() conversion specifications, ttyrec also supports #usec#, to be replaced by the current microsecond value of the time.
# DEFAULT: %Y-%m-%d.%H-%M-%S.#usec#.&uniqid.ttyrec
# DEFAULT: %Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec
"ttyrecFilenameFormat": "%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec",
#
# ttyrecAdditionalParameters (list of parameters)
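Review bot: The value lines for `minimumIngressRsaKeySize` and `minimumEgressRsaKeySize` appear to go from 4096 to 2048 in this section (the +/- markers are lost on this page, so the second line of each pair is read as the new side), which lowers the RSA key-size floor for anyone who installs from this file, although the commit title mentions only comment fixes. If the lower floor is intended, it deserves a line in the version-specific upgrade instructions and a hint next to the setting, for example `# 2048 is the shipped floor; set to 4096 to refuse smaller RSA keys`. The same visibility is needed for `ingressKeysFromAllowOverride`, which appears to move from 1 to 0 and so changes whether a user-supplied from="..." is honoured. Separately, the unchanged description of `maximumEgressRsaKeySize` says "ingress RSA keys (bastion->server)" where "egress" is meant.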


@ -182,7 +182,7 @@ sub load_configuration {
$C->{'moshTimeoutSignal'} = 30 if (not defined $C->{'moshTimeoutSignal'} or $C->{'moshTimeoutSignal'} !~ /^\d+$/);
$C->{'moshCommandLine'} = "" if (not defined $C->{'moshCommandLine'});
$C->{'ttyrecFilenameFormat'} = '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.ttyrec' if (not $C->{'ttyrecFilenameFormat'});
$C->{'ttyrecFilenameFormat'} = '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.&account.&user.&ip.&port.ttyrec' if (not $C->{'ttyrecFilenameFormat'});
$C->{'idleLockTimeout'} = 0 if (not defined $C->{'idleLockTimeout'} or $C->{'idleLockTimeout'} !~ /^\d+$/);
$C->{'idleKillTimeout'} = 0 if (not defined $C->{'idleKillTimeout'} or $C->{'idleKillTimeout'} !~ /^\d+$/);
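Review bot: The new fallback for `ttyrecFilenameFormat` puts `&account`, `&user`, `&ip` and `&port` into a string that, per the option's own description, is then passed to ttyrec's -F and expanded by strftime(), and nothing in this hunk shows whether the substituted session values are filtered. The token replacement happens outside the lines shown, so this is a point to confirm rather than a demonstrated defect: a value containing `%` or `/` would be interpreted by strftime() or as a path separator. I would add a comment above the assignment such as `# tokens are substituted before ttyrec's strftime(); substituted values must not contain '%' or '/'`. The guard also tests only truthiness (`if (not $C->{'ttyrecFilenameFormat'})`), unlike the regex-checked numeric options around it, so any configured string is accepted as is. load_configuration begins and ends outside this hunk.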