Commit graph

121 commits

Author SHA1 Message Date
Stéphane Lesimple
1d9ae483da chg: set ECDSA as default egress key algo for new installs 2024-12-24 14:46:36 +01:00
Stéphane Lesimple
545547de6d chore: tests: no longer run consistency check by default
This is slow and almost never caught a bug, so consistency check is
still supported but will not run by default, as it is quite slow,
checking the system between each and every test. The option
--skip-consistency-check is now ignored, and a new option to enable
it has been added: --consistency-check
2024-12-24 14:46:36 +01:00
Stéphane Lesimple
4de9f88fe4 chore: faster tests by removing grant/revoke command dance
When restricted commands need to be used during tests,
we now use "account0" which has all these commands granted,
instead of granting/revoking commands every time with no added
value with respect to the tests.

This was previously required for OSes that have a limit to the
number of groups an account can be a member of, but these OSes
have now long been unsupported.
2024-12-24 14:46:36 +01:00
Stéphane Lesimple
ad54cc6aad chore: speedup tests in 330-selfkeys.sh 2024-12-10 14:21:20 +01:00
Stéphane Lesimple
92bc512050 feat: add assetForgetHostKey 2024-12-10 14:21:20 +01:00
TomRicci
f599793c76 fix: protocol scpdownload scpupload in 395-mfa-scp-sftp-rsync.sh 2024-10-23 11:16:51 +02:00
Stéphane Lesimple
8cafbc854c fix: allow ssh-as in connect.pl 2024-10-16 13:45:10 +02:00
Stéphane Lesimple
3ee9a5d896 fix: regression introduced by 932e72e for stealth stdout in ssh
Before 932e72e, plugin-scoped stealthStdout was ignored, which was
fixed by 932e72e which in turn made ssh ignore the pattern-based egress ssh
stealthStdout option.

This fix ensures stealthStdout is honored for both plugins and egress ssh.
2024-09-25 11:53:51 +02:00
Stéphane Lesimple
accd50eea7 feat: add rsync support to --protocol 2024-09-17 14:44:28 +02:00
Stéphane Lesimple
f4de5957a3 feat: add groupSetServers 2024-08-12 13:42:51 +02:00
Stéphane Lesimple
2e96603300 feat: support wildcards in --user (fix #461) 2024-07-02 17:54:28 +02:00
Stéphane Lesimple
77ab1e2336 fix: tests: Ubuntu 24.04 adjustments 2024-07-02 16:08:46 +02:00
Stéphane Lesimple
7487597d61 fix: tests: don't test FIDO2 on unsupported distros 2024-04-10 10:51:01 +02:00
perrze
0b13371165 Adding tests for secure keys feature 2024-04-10 10:51:01 +02:00
Stéphane Lesimple
a1efcec582 feat: replace --wait by a tcp-based connection try 2024-04-09 18:23:17 +02:00
Stéphane Lesimple
4216795895 fix: tests: detect definition errors in modules 2024-04-09 17:26:39 +02:00
Stéphane Lesimple
c53f50ddf9 enh: remove nc dependency 2024-04-09 17:26:39 +02:00
Stéphane Lesimple
496fe94dd3 enh: allow @ as a valid remote user char (fixes #437) 2024-03-20 11:53:58 +01:00
Stéphane Lesimple
7423f6ad63 feat: add dnsSupportLevel option for systems with broken DNS (fixes #397) 2024-03-20 11:53:00 +01:00
Stéphane Lesimple
d8f9423e8f fix: scp/sftp: correctly bypass JIT MFA if asked to, when old helpers are used 2024-02-21 15:15:06 +01:00
Stéphane Lesimple
8625b74307 fix: tests for FreeBSD 2024-02-20 17:41:53 +01:00
Stéphane Lesimple
345a1f951f fix: don't exit with fping host is unreachable
As ping can return unknown exit codes for unknown cases,
just never bail out to avoid taking bad decisions,
as we retry each second maximum, there's no DoS risk
2023-12-05 10:02:52 +01:00
Stéphane Lesimple
59b04ab761 tests: add tests for MFA with scp/sftp 2023-11-08 13:21:20 +01:00
Stéphane Lesimple
b48463076f feat: osh.pl: jit mfa for plugins 2023-11-08 13:21:20 +01:00
Stéphane Lesimple
ac5eb9b636 enh: tests: more mfa tests 2023-11-08 13:21:20 +01:00
Stéphane Lesimple
027521b875 chore: fix FreeBSD GitHub Action 2023-11-07 12:16:49 +01:00
Stéphane Lesimple
d3ece7b9f4 enh: add tests for multiple gpg keys setup 2023-10-27 17:26:23 +02:00
Stéphane Lesimple
213bd28616 fix: scp: adapt wrapper and tests to new scp versions 2023-09-20 16:39:29 +02:00
Stéphane Lesimple
a6a25fd53b feat: add type8 and type9 password hashes
This requires the-bastion-mkhash-helper v1.1.0+
2023-09-19 17:12:48 +02:00
Stéphane Lesimple
5dc50b3e57 feat: add stealth_stderr/stdout ttyrec support, enable it for scp (#413) 2023-09-19 15:27:00 +02:00
Stéphane Lesimple
a50224a99d chore: tests: ensure test modules don't pollute the caller's env 2023-07-28 11:09:36 +02:00
Stéphane Lesimple
cf405badfb feat: add 2 configurable knobs to (self|account)AddPersonalAccess
widest_v4_prefix (maximum allowed prefix to add in a single ACL),
and self_remote_user_only (only allow ACLs where the remote user
is the same as the bastion account name)
2023-06-01 11:52:39 +02:00
Stéphane Lesimple
84687256a8 fix: --force-key wasn't working for groups
Fixes #259
2023-04-07 10:44:14 +02:00
Stéphane Lesimple
a0d361b8da fix: tests: race condition after sshd reload 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
52d44ba993 chore: remove Debian openssh-blacklist logic
All Debian versions supporting this are EOL by now.
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
6f13149093 chore: bump OpenSUSE Leap tests from 15.3 to 15.4 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
7a825aeec4 feat: add --all to groupInfo and accountInfo 2023-03-23 14:37:45 +01:00
Stéphane Lesimple
f4abfc1ba8 feat: add sftp support 2023-03-16 13:45:42 +01:00
Stéphane Lesimple
a7c0b5ec23 fix: typo in a func name in an error code path
Fixes #372
2023-03-14 13:33:45 +01:00
Cédric Roussel
4d56c32853 fix: invalid suffixed account creation 2023-01-31 12:03:13 +01:00
Stéphane Lesimple
036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
521836b17b fix: rare race condition introduced by b7f4909
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
2022-11-15 17:34:47 +01:00
Stéphane Lesimple
97b20c7ffe tests: higher tolerance for TTL tests 2022-09-13 13:21:18 +02:00
Stéphane Lesimple
8c82c3441b fix: accountInfo wasn't showing TTL account expiration #329 2022-09-09 17:14:25 +02:00
Stéphane Lesimple
73b6a625f5 feat: add support and tests for Ubuntu 22.04 LTS 2022-07-04 11:06:34 +02:00
Stéphane Lesimple
3956dc587b fix: ttyrec cmdline: don't add --warn-before-* when no --idle-*-timeout is specified 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
46a01a546a feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
e040afb074 chore: new perltidy rules 2022-07-01 10:21:19 +02:00
Stéphane Lesimple
e71aa7b975 feat: add osh-cleanup-guest-key-access.pl script
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
2022-02-09 14:31:33 +01:00
Stéphane Lesimple
2c2064a484 feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files 2022-02-09 14:31:33 +01:00