Commit graph

77 commits

Author SHA1 Message Date
Stéphane Lesimple 4ef9c6ddde feat: add --egress-session-multiplexing option to accountModify 2024-09-17 11:19:49 +02:00
Stéphane Lesimple f4de5957a3 feat: add groupSetServers 2024-08-12 13:42:51 +02:00
Stéphane Lesimple 3d2cf21e0b release v3.16.99-rc1 2024-07-03 18:31:59 +02:00
Stéphane Lesimple cccbdc09f3 chg: Debian12, Ubuntu20+: enable sntrup KEX by default 2024-07-02 16:08:46 +02:00
Stéphane Lesimple 914d8b30b4 chg: remove support for EOL CentOS 7 2024-07-02 16:08:46 +02:00
Stéphane Lesimple 47b51c79ee feat: accountFreeze: terminate running sessions if any 2024-06-27 17:03:07 +02:00
Stéphane Lesimple 3c9382a192 enh: use print_accepted_key_algorithms everywhere 2024-04-10 10:51:01 +02:00
Pierre-Elliott Bécue d0ac9eabb9 Implement Ingress Secure Keys 2024-04-10 10:51:01 +02:00
Cody Robertson f51bee273e Adjust etc/pam.d/sshd.rhel configuration
- Fix logic error breaking MFA handling if enabled
2024-04-08 16:31:14 +02:00
Stéphane Lesimple 7423f6ad63 feat: add dnsSupportLevel option for systems with broken DNS (fixes #397) 2024-03-20 11:53:00 +01:00
Stéphane Lesimple f022bd9ac8 feat: add ttyrecStealthStdoutPattern config
Commands that generate a lot of stdout output and are M2M workflows, such as rsync,
can now be excluded from ttyrec to avoid filling up drives
2024-02-20 12:13:53 +01:00
Stéphane Lesimple fd6850c7ef fix: osh-sync-watcher: default to a valid rshcmd (fixes #433) 2024-02-20 12:13:43 +01:00
Stéphane Lesimple b48463076f feat: osh.pl: jit mfa for plugins 2023-11-08 13:21:20 +01:00
Stéphane Lesimple 708efd90ca chore: add RockyLinux 9 support 2023-04-07 10:44:05 +02:00
Stéphane Lesimple 455fd8b8c3 chore: remove deprecated UseRoaming option from ssh_config 2023-04-07 10:44:05 +02:00
Stéphane Lesimple 4cdd52d85f chore: add Debian 12 to tests
Note that Debian 12 is not released yet, so it's not yet supported.
2023-04-07 10:44:05 +02:00
Stéphane Lesimple 49dc104dd7 chore: push sandbox and tester images from Deb10 to Deb11
Also remove old config files from previously dropped OS versions
2023-04-07 10:44:05 +02:00
Stéphane Lesimple 036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple 7fafeb3e1d doc: osh-encrypt-rsync.conf: add verbose 2022-07-05 18:04:19 +02:00
Stéphane Lesimple 73b6a625f5 feat: add support and tests for Ubuntu 22.04 LTS 2022-07-04 11:06:34 +02:00
Stéphane Lesimple ee776707c1 chore: standardize doc generation for config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple a7462c0ac7 enh: use snake_case for system scripts json config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple e71aa7b975 feat: add osh-cleanup-guest-key-access.pl script
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
2022-02-09 14:31:33 +01:00
Stéphane Lesimple f43fdaaf82 enh: osh-lingering-sessions-reaper: make it configurable 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 2c2064a484 feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 86c7bf39e6 remove compress-old-logs script, as osh-encrypt-rsync will do the job instead 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 9d371f90a9 doc: add documentation for osh-remove-empty-folders 2022-01-19 11:23:44 +01:00
Stéphane Lesimple 7bb0843de1 feat: add osh-remove-empty-folders.sh 2022-01-19 11:23:44 +01:00
Stéphane Lesimple 415bc9b903 doc: add more info about root 2FA in sshd_config templates 2021-12-21 14:44:48 +01:00
Stéphane Lesimple a68ccb3f8c feat: add new OSes and deprecate old ones
add:
- Debian 11
- RockyLinux 8

remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
2021-12-21 12:00:04 +01:00
Stéphane Lesimple aaaa173764 feat: add the accountUnlock restricted plugin 2021-12-21 09:42:54 +01:00
Stéphane Lesimple 89ecb2c0d7 feat: add support for Duo PAM auth as MFA (#249) 2021-11-03 15:50:10 +01:00
Christophe Crochet d85298f229 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-10-15 11:22:00 +02:00
madx ea8ed97a34 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both 2021-10-15 11:22:00 +02:00
Jean "henyxia" Wasilewski b40a2fd6e3 fix: add superowner group requirement
Signed-off-by: Jean "henyxia" Wasilewski <henyxia@revs0.com>
2021-09-24 11:56:35 +02:00
Stéphane Lesimple b58388a3d9 feat: add --proactive-mfa and mfa/nofa interactive commands
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to work around problems
in commands such as ``clush`` or ``batch``, and interactive mode.
2021-09-21 12:06:40 +02:00
Stéphane Lesimple 99686499b1 feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209) 2021-09-20 17:00:18 +02:00
Stéphane Lesimple 710eb2e4cb doc: use autosectionlabel 2021-09-02 10:06:47 +02:00
Stéphane Lesimple 92d4a46ac5 doc: add osh-piv-grace-reaper.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple 9f28dfa977 doc: add osh-backup-acl-keys.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple 3c6ce52e8e doc: add osh-encrypt-rsync.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple 0dc448943a doc: add osh-sync-watcher.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple a08f56df9f feat: support pam_faillock for Debian 11 (#163) 2021-07-05 10:35:58 +02:00
Stéphane Lesimple d3f323d0c6 doc: micro fixes 2021-07-02 16:50:53 +02:00
Stéphane Lesimple 458c50eff1 documentation: add a lot of new documentation topics 2021-06-30 15:52:47 +02:00
Stéphane Lesimple 2193ee487d enh: replace 'allowUTF8' (introduced in rc1) by 'fanciness' 2021-06-30 09:53:04 +02:00
Stéphane Lesimple 2e9fe9288b enh: httpproxy: add options to fine-tune logging
Added the `log_request_response` and `log_request_response_max_size`
options to osh-http-proxy.conf.

By default, requests are logged, including their body, up to a size
of 64K per request response. Before, there was no size limit to the
logged body response.
2021-06-03 16:39:56 +02:00
Stéphane Lesimple 3925e67d43 feat: add groupDestroy command for owners
This command deletes a group, as `groupDelete` does, but works
for owners so that they can delete their own group.
`groupDelete` remains as a restricted command, able to delete any group.

Closes #40.
2021-06-02 15:32:40 +02:00
Stéphane Lesimple adb9d8c374 feat: add UTF-8 chars to output when supported and allowed
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
2021-05-24 16:44:35 +02:00
Stéphane Lesimple 003052530e feat: preparatory work to support Debian 11 "Bullseye"
We still need to replace pam_tally2 by pam_faillock
Debian 11 is NOT yet supported, and won't be before it's released as stable.
2021-03-24 17:41:29 +01:00