Stéphane Lesimple
213bd28616
fix: scp: adapt wrapper and tests to new scp versions
2023-09-20 16:39:29 +02:00
Stéphane Lesimple
733fd054a6
fix: setup-gpg.sh: in some cases, an invalid configuration file could be generated
...
The escape code didn't work correctly, remove it as it's not needed,
indeed we already ensure that the generated password doesn't contain
any " or \, hence surrounding the var by "" quotes is enough.
2023-09-20 15:14:55 +02:00
Stéphane Lesimple
5c7389e85f
fix: when no command-line is passed, a warn could be emitted in some cases
...
This depends on the version of Perl libs, but in any case we shouldn't
pass an undef var to GetOptionsFromString, ensure this never happens
2023-09-20 13:38:40 +02:00
Stéphane Lesimple
13c885df42
enh: enable stealth_stdout mode for sftp
2023-09-19 17:32:27 +02:00
Stéphane Lesimple
a6a25fd53b
feat: add type8 and type9 password hashes
...
This requires the-bastion-mkhash-helper v1.1.0+
2023-09-19 17:12:48 +02:00
Stéphane Lesimple
5dc50b3e57
feat: add stealth_stderr/stdout ttyrec support, enable it for scp (#413)
2023-09-19 15:27:00 +02:00
Stéphane Lesimple
87d3f721e5
fix: clush: restore default handlers for SIGHUP/PIPE
2023-08-22 15:53:27 +02:00
Philipp Walter
e616f24d89
enh: setup-gpg.sh: create additional backup signing config with --generate
2023-08-22 14:32:30 +02:00
Stéphane Lesimple
4d8b5f520d
fix: selfMFASetupPassword: restore default sighandlers to avoid being zombified
2023-07-28 14:17:50 +02:00
Stéphane Lesimple
a65c53b76e
enh: use ttyrec instead of sqlite to record plugin output
2023-07-28 11:09:10 +02:00
Antoine Guerrée
7821c9ff75
chore(helper): remove `-v` ssh option
...
`--verbose` is the way to go
2023-07-20 14:52:52 +02:00
Antoine Guerrée
1b6131a753
chore(helper/doc): fix typos
2023-07-20 14:52:52 +02:00
Stéphane Lesimple
f77b8a25d3
fix: accountList: crash in some cases
2023-06-13 10:14:22 +02:00
Stéphane Lesimple
5cfb049a82
chore: doc: adding plugin configuration autogeneration
2023-06-01 11:52:39 +02:00
Stéphane Lesimple
cf405badfb
feat: add 2 configurable knobs to (self|account)AddPersonalAccess
...
widest_v4_prefix (maximum allowed prefix to add in a single ACL),
and self_remote_user_only (only allow ACLs where the remote user
is the same as the bastion account name)
2023-06-01 11:52:39 +02:00
Stéphane Lesimple
482eddb10c
feat: plugins: add loadConfig parameter & config validator support
2023-06-01 11:52:39 +02:00
Stéphane Lesimple
0515753f91
fix: add missing autocompletions, readonly flags and help category for some plugins
2023-05-31 17:37:52 +02:00
Stéphane Lesimple
902508f7d1
fix: update undocumented rename-group.sh script
2023-05-31 17:34:34 +02:00
Stéphane Lesimple
c6a6f806d2
feat: add uid/gid collisions checking script & amend doc
2023-04-17 17:53:14 +02:00
Stéphane Lesimple
f7f1514dd0
fix: groupInfo: show group name in human-readable output
2023-04-17 14:18:51 +02:00
Stéphane Lesimple
84687256a8
fix: --force-key wasn't working for groups
...
Fixes #259
2023-04-07 10:44:14 +02:00
Stéphane Lesimple
708efd90ca
chore: add RockyLinux 9 support
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
6f13149093
chore: bump OpenSUSE Leap tests from 15.3 to 15.4
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
49dc104dd7
chore: push sandbox and tester images from Deb10 to Deb11
...
Also remove old config files from previously dropped OS versions
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
eb9a25a9ac
fix: groupInfo: empty gk and guest accesses list
...
Introduced in 7a825aeec4
2023-03-27 17:04:32 +02:00
Stéphane Lesimple
7a825aeec4
feat: add --all to groupInfo and accountInfo
2023-03-23 14:37:45 +01:00
Stéphane Lesimple
a1812e34bb
fix: race condition when two parallel account creations used --uid-auto
...
Fixes #363
2023-03-22 11:00:16 +01:00
Stéphane Lesimple
f4abfc1ba8
feat: add sftp support
2023-03-16 13:45:42 +01:00
Stéphane Lesimple
a7c0b5ec23
fix: typo in a func name in an error code path
...
Fixes #372
2023-03-14 13:33:45 +01:00
Stéphane Lesimple
76f25f287e
enh: setup-encryption.sh: don't require install to be called before us
2023-03-03 10:32:10 +01:00
Stéphane Lesimple
036f921c40
feat: add accountFreeze/accountUnfreeze
2022-12-30 17:53:08 +01:00
Stéphane Lesimple
0e787f4ea9
enh: accountInfo: add --no-password-info and --no-output
2022-12-30 17:53:08 +01:00
Stéphane Lesimple
b3683dfe6e
enh: osh.pl: add the account name on each error message
...
This makes it clearer which bastion is outputting the error when
multiple bastions are involved, for example in realm cases
2022-12-30 17:53:08 +01:00
Stéphane Lesimple
4508b6b6a8
enh: more precise matching of ssh client error messages
2022-12-30 17:52:42 +01:00
Stéphane Lesimple
f82ff21062
chore: generate-sudoers.sh: sort alphabetically
2022-11-23 17:17:51 +01:00
Stéphane Lesimple
521836b17b
fix: rare race condition introduced by b7f4909
...
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
2022-11-15 17:34:47 +01:00
Stéphane Lesimple
21f29680b6
fix: basic mitigation for scp's CVE-2020-15778
...
This CVE will not be fixed by scp authors, and as far as The Bastion
is concerned, this can't be achieved by anybody that doesn't already
have shell access to the remote server in addition to the scp rights,
but let's still block it for good measure.
2022-11-15 14:56:49 +01:00
Stéphane Lesimple
720222c423
fix: batch: don't attempt to read if stdin is closed
2022-09-21 11:57:55 +02:00
Stéphane Lesimple
8c82c3441b
fix: accountInfo wasn't showing TTL account expiration #329
2022-09-09 17:14:25 +02:00
Stéphane Lesimple
0c96df0a3d
enh: tests: faster perl-check script
2022-07-29 11:35:26 +02:00
Stéphane Lesimple
ebebed7be0
fix: remove spurious set +e/-e after commit bdea34c
2022-07-29 11:34:56 +02:00
Stéphane Lesimple
7b3c721f66
doc: add a missing parameter in ping's help
2022-07-29 11:34:43 +02:00
Stéphane Lesimple
a86f25470a
chore: selfListEgressKeys: fix typo
2022-07-29 11:29:58 +02:00
Stéphane Lesimple
8c2b6a410a
fix: accountUnlock: add missing check_spurious_args and no_auto_abbrev
2022-07-29 11:29:34 +02:00
Stéphane Lesimple
72cefa6417
fix: performance issues introduced by effab4a
...
Commit that introduced the performance degradation is effab4a
(fix: workaround for undocumented caching in getpw/getgr funcs)
Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level,
which restores performance pre-effab4a and even enhances it in some cases,
for example on a 2000-accounts and 2000-groups bastion, we are:
- 11% faster on --osh help
- 35% faster on --osh selfListAccesses (reduces syscalls by 87%)
2022-07-12 10:07:16 +02:00
Stéphane Lesimple
7a3306a00d
fix: cleanup-guest-key-access: use cache for performance
2022-07-12 10:07:16 +02:00
Stéphane Lesimple
bdea34ccad
enh: install: better error detection
2022-07-11 12:06:42 +02:00
Stéphane Lesimple
45070f833c
enh: MFA: specify account name in message
2022-07-05 18:06:41 +02:00
Thomas Soëte
da6d80bef1
fix: Bad plugin name
2022-07-05 10:02:37 +02:00
Stéphane Lesimple
73b6a625f5
feat: add support and tests for Ubuntu 22.04 LTS
2022-07-04 11:06:34 +02:00