ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-09-05 04:24:11 +08:00
Code Issues Projects Releases Packages Wiki Activity

fixes after review

Browse source
This commit is contained in:
Stéphane Lesimple 2020-11-17 14:57:34 +01:00
parent 1b164c1197
commit cb02fd2a33
8 changed files with 62 additions and 76 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/freebsd.yml vendored
View file

@ -19,15 +19,15 @@ jobs:
set -ex
freebsd-version
mount -o acls /
pkg install -y bash unzip rsync ca_root_nss jq fping screen flock
pkg install -y bash unzip rsync ca_root_nss jq fping screen flock gmake
mkdir -p /opt/bastion
rsync -a . /opt/bastion/
fetch https://github.com/ovh/ovh-ttyrec/archive/master.zip
unzip master.zip
cd ovh-ttyrec-master/
./configure
make
make install
gmake
gmake install
cd ..
/opt/bastion/bin/admin/packages-check.sh -i
/opt/bastion/bin/admin/install --new-install --no-wait

4
bin/admin/install
View file

@ -202,8 +202,8 @@ fi
if [ "${opt[install-fake-ttyrec]}" = 1 ]; then
action_doing "Installing fake ttyrec (use this only for tests!)"
if [ ! -e "/usr/bin/ttyrec" ]; then
install -o "$UID0" -g "$GID0" -m 0755 "$basedir/tests/functional/fake_ttyrec.sh" "/usr/bin/ttyrec"
if [ ! -e "/usr/bin/ttyrec" ] && [ ! -e "/usr/local/bin/ttyrec" ]; then
install -o "$UID0" -g "$GID0" -m 0755 "$basedir/tests/functional/fake_ttyrec.sh" "/usr/local/bin/ttyrec"
action_done
else
action_na

5
bin/admin/install-ttyrec.sh
View file

@ -196,11 +196,6 @@ if [ "$OS_FAMILY" != "Linux" ]; then
exit 1
fi
if [ "$OS_FAMILY" != "Linux" ]; then
echo "Sorry, your OS ($(uname -s)) is not supported." >&2
exit 1
fi
while getopts :sdrah arg; do
case "$arg" in
s) action_static; exit 0;;

7
bin/shell/connect.pl
View file

@ -100,7 +100,12 @@ else {
}
# in any case, force this
$command[0] = '/usr/bin/ttyrec';
if (-e '/usr/local/bin/ttyrec') {
$command[0] = '/usr/local/bin/ttyrec';
}
else {
$command[0] = '/usr/bin/ttyrec';
}
# then finally launch the command !
my $sysret = system(@command);

68
bin/shell/osh.pl
View file

@ -872,38 +872,8 @@ if ($osh_command) {
if ($MFArequiredForPlugin ne 'none' && !$skipMFA) {
print "As this is required to run this plugin, entering MFA phase.\n";
# use system() instead of OVH::Bastion::execute() because we need it to grab the term
my $pamtries = 3;
while (1) {
my $pamsysret;
if (OVH::Bastion::is_freebsd()) {
$pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
}
else {
$pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
}
if ($pamsysret < 0) {
main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "MFA is required for this plugin, but this bastion is missing the `pamtester' tool, aborting");
}
elsif ($pamsysret != 0) {
if (--$pamtries <= 0) {
main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "Sorry, but Multi-Factor Authentication failed, aborting");
}
next;
}
# success, if we are configured to launch a external command on pamtester success, do it.
# see the bastion.conf.dist file for usage example.
my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
s/%ACCOUNT%/$self/g for @$MFAPostCommand;
$fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
if (!$fnret) {
warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
}
}
last;
}
$fnret = OVH::Bastion::do_pamtester(self => $self, sysself => $sysself);
$fnret or main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', $fnret->msg);
}
OVH::Bastion::set_terminal_mode_for_plugin(plugin => $osh_command, action => 'set');
@ -1310,38 +1280,8 @@ if ($JITMFARequired) {
print "... skipping as your account is exempt from MFA\n";
}
else {
# use system() instead of OVH::Bastion::execute() because we need it to grab the term
my $pamtries = 3;
while (1) {
my $pamsysret;
if (OVH::Bastion::is_freebsd()) {
$pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
}
else {
$pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
}
if ($pamsysret < 0) {
main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "MFA is required for this host, but this bastion is missing the `pamtester' tool, aborting");
}
elsif ($pamsysret != 0) {
if (--$pamtries <= 0) {
main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "Sorry, but Multi-Factor Authentication failed, I can't connect you to this host");
}
next;
}
# success, if we are configured to launch a external command on pamtester success, do it.
# see the bastion.conf.dist file for usage example.
my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
s/%ACCOUNT%/$self/g for @$MFAPostCommand;
$fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
if (!$fnret) {
warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
}
}
last;
}
$fnret = OVH::Bastion::do_pamtester(self => $self, sysself => $sysself);
$fnret or main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', $fnret->msg);
}
}

45
lib/perl/OVH/Bastion.pm
View file

@ -920,4 +920,49 @@ sub build_ttyrec_cmdline {
return R('OK', value => {saveFile => $saveFile, cmd => \@ttyrec});
}
sub do_pamtester {
my %params = @_;
my $sysself = $params{'sysself'};
my $self = $params{'self'};
my $fnret;
if (!$sysself || !$self) {
return R('ERR_MISSING_PARAMETER', msg => "Missing mandatory arguments 'sysself' or 'self'");
}
# use system() instead of OVH::Bastion::execute() because we need it to grab the term
my $pamtries = 3;
while (1) {
my $pamsysret;
if (OVH::Bastion::is_freebsd()) {
$pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
}
else {
$pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
}
if ($pamsysret < 0) {
return R('KO_MFA_FAILED', msg => "MFA is required for this host, but this bastion is missing the `pamtester' tool, aborting");
}
elsif ($pamsysret != 0) {
if (--$pamtries <= 0) {
return R('KO_MFA_FAILED', msg => "Sorry, but Multi-Factor Authentication failed, I can't connect you to this host");
}
next;
}
# success, if we are configured to launch a external command on pamtester success, do it.
# see the bastion.conf.dist file for usage example.
my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
s/%ACCOUNT%/$self/g for @$MFAPostCommand;
$fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
if (!$fnret) {
warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
}
}
last;
}
return R('OK_MFA_SUCCESS');
}
1;

2
tests/functional/docker/target_role.sh
View file

@ -56,7 +56,7 @@ cat /home/"$TARGET_USER"/.ssh/id_*.pub > ~test-shell_/.ssh/authorized_keys
add_user_to_group_compat test-shell_ bastion-nopam
# install a fake ttyrec just so that our connection tests work
if [ ! -e /usr/bin/ttyrec ] ; then
if ! command -v ttyrec >/dev/null; then
"$basedir"/bin/admin/install --nothing --no-wait --install-fake-ttyrec
fi

1
tests/functional/tests.d/350-groups.sh
View file

@ -883,6 +883,7 @@ EOS
success groupModify guest_ttl_limit $a1 --osh groupModify --group $group1 --guest-ttl-limit 0
json .command groupModify .error_code OK
# if we're just counting the number of tests, don't sleep
[ "$COUNTONLY" != 1 ] && sleep 1
# group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11)