accountModify - Add a new accept-new POLICY in egress-strict-host-key-checking parameter

This commit is contained in:
Jonathan Marsaud 2021-05-14 11:21:15 +02:00 committed by Stéphane Lesimple
parent 3e0202d914
commit b7b2533604
5 changed files with 20 additions and 12 deletions


@ -288,7 +288,7 @@ foreach my $tuple (@modify) {
} }
elsif ($key eq 'egress-strict-host-key-checking') { elsif ($key eq 'egress-strict-host-key-checking') {
osh_info "Changing the egress StrictHostKeyChecking option for this account..."; osh_info "Changing the egress StrictHostKeyChecking option for this account...";
if (not grep { $value eq $_ } qw{ yes no ask default bypass }) { if (not grep { $value eq $_ } qw{ yes accept-new no ask default bypass }) {
osh_warn "Invalid parameter '$value', skipping"; osh_warn "Invalid parameter '$value', skipping";
$result{$jsonkey} = R('ERR_INVALID_PARAMETER'); $result{$jsonkey} = R('ERR_INVALID_PARAMETER');
} }
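Review bot: Adding `accept-new` to the `qw{ yes accept-new no ask default bypass }` whitelist in the `egress-strict-host-key-checking` branch makes the accepted set depend on the OpenSSH version on the bastion host — as far as I recall this StrictHostKeyChecking value only exists since OpenSSH 7.6, and earlier clients treat an unknown value for the option as a fatal configuration error rather than falling back, so an account configured with it on an older host could lose egress SSH entirely. Unless the project already requires OpenSSH >= 7.6, the branch should either check client support before persisting the value or the requirement should be stated next to the option; at minimum I'd document the semantics above the grep with `# accept-new (OpenSSH >= 7.6): auto-trust first-seen hosts, still refuse a changed key`. The same literal value list is also repeated in the plugin's option validation and help text, so a single shared list would keep the three from drifting apart. The enclosing foreach loop begins before this hunk.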


@ -39,7 +39,7 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified, this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config), --egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
POLICY can be 'yes', 'no', 'ask', 'default' or 'bypass' POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server --personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none' using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account) --always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
@ -78,9 +78,9 @@ foreach my $key (qw{ always-active pam-auth-bypass idle-ignore osh-only }) {
osh_exit 'ERR_INVALID_PARAMETER', "Expected '--$key yes' or '--$key no' instead of '--$key $modify{$key}'"; osh_exit 'ERR_INVALID_PARAMETER', "Expected '--$key yes' or '--$key no' instead of '--$key $modify{$key}'";
} }
} }
if ($modify{'egress-strict-host-key-checking'} && !grep { $modify{'egress-strict-host-key-checking'} eq $_ } qw{ yes no ask default bypass }) { if ($modify{'egress-strict-host-key-checking'} && !grep { $modify{'egress-strict-host-key-checking'} eq $_ } qw{ yes accept-new no ask default bypass }) {
help(); help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected option 'yes', 'no', 'ask', 'default' or 'bypass' to --egress-strict-host-key-checking"; osh_exit 'ERR_INVALID_PARAMETER', "Expected option 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass' to --egress-strict-host-key-checking";
} }
if ($modify{'personal-egress-mfa-required'} && !grep { $modify{'personal-egress-mfa-required'} eq $_ } qw{ password totp any none }) { if ($modify{'personal-egress-mfa-required'} && !grep { $modify{'personal-egress-mfa-required'} eq $_ } qw{ password totp any none }) {
help(); help();
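Review bot: The help text for `--egress-strict-host-key-checking POLICY` now enumerates six values but still explains none of them, and `accept-new` is precisely the one whose security trade-off a user choosing between `yes` and `no` needs spelled out: it silently trusts the key of a host seen for the first time (trust on first use) while still refusing to connect when a known host's key has changed. I'd extend the usage line with `'accept-new' auto-adds unknown host keys but refuses changed ones (ssh_config(5), OpenSSH >= 7.6)` so the choice is informed rather than by name alone. The error message in the second hunk repeats the same value list as the grep just above it; keeping both generated from one array would avoid the two going out of sync on the next addition. The if block at the end of that hunk continues outside this view.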


@ -1,13 +1,13 @@
{ {
"master_only": true, "master_only": true,
"interactive": [ "interactive": [
"accountModify" , {"ac": ["--account"]}, "accountModify" , {"ac": ["--account"]},
"accountModify --account" , {"ac": ["<ACCOUNT>"]}, "accountModify --account" , {"ac": ["<ACCOUNT>"]},
"accountModify --account \\S+" , {"ac": ["--mfa-password-required","--mfa-totp-required","--pam-auth-bypass","--always-active","--egress-strict-host-key-checking","--personal-egress-mfa-required","--idle-ignore"]}, "accountModify --account \\S+" , {"ac": ["--mfa-password-required","--mfa-totp-required","--pam-auth-bypass","--always-active","--egress-strict-host-key-checking","--personal-egress-mfa-required","--idle-ignore"]},
"accountModify --account \\S+ .*(--mfa-password-required|--mfa-totp-required)" , {"ac": ["yes","no","bypass"]}, "accountModify --account \\S+ .*(--mfa-password-required|--mfa-totp-required)" , {"ac": ["yes","no","bypass"]},
"accountModify --account \\S+ .*(--pam-auth-bypass|--mfa-auth-bypass|--always-active|idle-ignore)", {"ac": ["yes","no"]}, "accountModify --account \\S+ .*(--pam-auth-bypass|--mfa-auth-bypass|--always-active|idle-ignore)", {"ac": ["yes","no"]},
"accountModify --account \\S+ .*(--egress-strict-host-key-checking)" , {"ac": ["yes","no","ask","default","bypass"]}, "accountModify --account \\S+ .*(--egress-strict-host-key-checking)" , {"ac": ["yes","accept-new","no","ask","default","bypass"]},
"accountModify --account \\S+ .*(--personal-egress-mfa-required)" , {"ac": ["password","totp","any","none"]}, "accountModify --account \\S+ .*(--personal-egress-mfa-required)" , {"ac": ["password","totp","any","none"]},
"accountModify --account \\S+ .*(yes|no|bypass|ask|default|totp|password|none)" , {"ac": ["--mfa-password-required","--mfa-totp-required","--pam-auth-bypass","--always-active","--egress-strict-host-key-checking","--personal-egress-mfa-required","--idle-ignore","<enter>"]} "accountModify --account \\S+ .*(yes|accept-new|no|bypass|ask|default|totp|password|none)" , {"ac": ["--mfa-password-required","--mfa-totp-required","--pam-auth-bypass","--always-active","--egress-strict-host-key-checking","--personal-egress-mfa-required","--idle-ignore","<enter>"]}
] ]
} }


@ -40,7 +40,7 @@ Modify an account configuration
Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config), Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
POLICY can be 'yes', 'no', 'ask', 'default' or 'bypass' POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
.. option:: --personal-egress-mfa-required POLICY .. option:: --personal-egress-mfa-required POLICY
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server


@ -94,6 +94,14 @@ testsuite_selfkeys()
json .value.account_egress_ssh_config.type custom json .value.account_egress_ssh_config.type custom
json .value.account_egress_ssh_config.items.stricthostkeychecking no json .value.account_egress_ssh_config.items.stricthostkeychecking no
success accountssh modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking accept-new
json .error_code OK .command accountModify
success accountssh info2 $a0 --osh accountInfo --account $account1
json .error_code OK .command accountInfo
json .value.account_egress_ssh_config.type custom
json .value.account_egress_ssh_config.items.stricthostkeychecking accept-new
success accountssh modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking yes success accountssh modifyssh2 $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking yes
json .error_code OK .command accountModify json .error_code OK .command accountModify
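Review bot: The new `accept-new` step reuses the test name `modifyssh2`, which the following `yes` step in this same function already uses, and `info2` may likewise collide with an earlier accountInfo step; if the testsuite keys results or output on these names, a failure in one will be indistinguishable from the other. Give the new steps distinct names, e.g. `success accountssh modifyssh2acceptnew $a0 --osh accountModify --account $account1 --egress-strict-host-key-checking accept-new` and `success accountssh info2acceptnew $a0 --osh accountInfo --account $account1`. The assertions only show the value round-tripping through accountInfo, not that the generated egress ssh_config is actually accepted by the installed client; if a convenient hook exists, a check that `ssh -G` (or the equivalent) parses the account's config with this value would catch a too-old OpenSSH. testsuite_selfkeys starts before this hunk.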