Commit graph

234 commits

Author SHA1 Message Date
Stéphane Lesimple 036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple 0e787f4ea9 enh: accountInfo: add --no-password-info and --no-output 2022-12-30 17:53:08 +01:00
Stéphane Lesimple b3683dfe6e enh: osh.pl: add the account name on each error message
This makes it clearer which bastion is outputting the error when
multiple bastions are involved, for example in realm cases
2022-12-30 17:53:08 +01:00
Stéphane Lesimple 4508b6b6a8 enh: more precise matching of ssh client error messages 2022-12-30 17:52:42 +01:00
Stéphane Lesimple f82ff21062 chore: generate-sudoers.sh: sort alphabetically 2022-11-23 17:17:51 +01:00
Stéphane Lesimple 521836b17b fix: rare race condition introduced by b7f4909
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
2022-11-15 17:34:47 +01:00
Stéphane Lesimple 21f29680b6 fix: basic mitigation for scp's CVE-2020-15778
This CVE will not be fixed by scp authors, and as far as The Bastion
is concerned, this can't be achieved by anybody that doesn't already
have shell access to the remote server in addition to the scp rights,
but let's still block it for good measure.
2022-11-15 14:56:49 +01:00
Stéphane Lesimple 720222c423 fix: batch: don't attempt to read if stdin is closed 2022-09-21 11:57:55 +02:00
Stéphane Lesimple 8c82c3441b fix: accountInfo wasn't showing TTL account expiration #329 2022-09-09 17:14:25 +02:00
Stéphane Lesimple 0c96df0a3d enh: tests: faster perl-check script 2022-07-29 11:35:26 +02:00
Stéphane Lesimple ebebed7be0 fix: remove spurious set +e/-e after commit bdea34c 2022-07-29 11:34:56 +02:00
Stéphane Lesimple 7b3c721f66 doc: add a missing parameter in ping's help 2022-07-29 11:34:43 +02:00
Stéphane Lesimple a86f25470a chore: selfListEgressKeys: fix typo 2022-07-29 11:29:58 +02:00
Stéphane Lesimple 8c2b6a410a fix: accountUnlock: add missing check_spurious_args and no_auto_abbrev 2022-07-29 11:29:34 +02:00
Stéphane Lesimple 72cefa6417 fix: performance issues introduced by effab4a
Commit that introduced the performance degradation is effab4a
(fix: workaround for undocumented caching in getpw/getgr funcs)

Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level,
which restores performance pre-effab4a and even enhances it in some cases,
for example on a 2000-accounts and 2000-groups bastion, we are:

- 11% faster on --osh help
- 35% faster on --osh selfListAccesses (reduces syscalls by 87%)
2022-07-12 10:07:16 +02:00
Stéphane Lesimple 7a3306a00d fix: cleanup-guest-key-access: use cache for performance 2022-07-12 10:07:16 +02:00
Stéphane Lesimple bdea34ccad enh: install: better error detection 2022-07-11 12:06:42 +02:00
Stéphane Lesimple 45070f833c enh: MFA: specify account name in message 2022-07-05 18:06:41 +02:00
Thomas Soëte da6d80bef1 fix: Bad plugin name 2022-07-05 10:02:37 +02:00
Stéphane Lesimple 73b6a625f5 feat: add support and tests for Ubuntu 22.04 LTS 2022-07-04 11:06:34 +02:00
Stéphane Lesimple d75b221deb fix: group-specific idle timeouts: also handle password-only groups 2022-07-01 15:33:44 +02:00
Stéphane Lesimple 291d897832 fix: group-specific timeouts: advertise the proper timeout that will be applied when connecting 2022-07-01 15:33:44 +02:00
Stéphane Lesimple 3540dc309c enh: groupInfo: clearer message for disabled idle/kill timeout policies 2022-07-01 15:33:44 +02:00
Stéphane Lesimple 46a01a546a feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts 2022-07-01 15:33:44 +02:00
Stéphane Lesimple 6fb528ccf1 chore: rename some vars for clarity 2022-07-01 15:33:44 +02:00
Stéphane Lesimple e040afb074 chore: new perltidy rules 2022-07-01 10:21:19 +02:00
Stéphane Lesimple bd2f069c7e enh: print a msg when no ingress keys are found 2022-07-01 10:10:17 +02:00
Stéphane Lesimple 077735908a fix: {group,account}Delete: move() would sometimes fail, replace by mv 2022-06-29 11:35:04 +02:00
Stéphane Lesimple 4f99c4fe6c fix: ping: force a deadline, and restore default sighandlers 2022-06-29 11:34:24 +02:00
Stéphane Lesimple 884b4bbaf0 fix: install: ensure that the healthcheck user can always connect from 127.0.0.1
Regardless of the bastion config about the ingressKeysFrom configuration
2022-06-29 11:33:41 +02:00
Romain Beuque c1ca9b6374 fix: typo in the 'alive' command
Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com>
2022-06-08 12:01:10 +02:00
Stéphane Lesimple d254ad0ba0 fix: osh-cleanup-guest-key-access.pl: load proper config file 2022-03-21 10:57:19 +01:00
Stéphane Lesimple 6d3bd00d4c fix: osh-encrypt-rsync: delete +a source files properly 2022-03-21 10:56:58 +01:00
Stéphane Lesimple 10fcb7ebc5 fix: osh-encrypt-rsync.pl: ensure $verbose is always set, make it configurable, fix a typo 2022-03-18 14:19:08 +01:00
Stéphane Lesimple 6c1a430c66 fix: osh-encrypt-rsync.pl: don't add some folders twice
This would lead to actually skipping some of the folders,
possibly an oddity of File::Find::find
2022-03-18 14:19:08 +01:00
Stéphane Lesimple effab4a5c2 fix: workaround for undocumented caching in getpw/getgr funcs 2022-03-14 12:42:26 +01:00
Stéphane Lesimple d88cf637ee chore: add more info in syslog warnings for accountDelete 2022-03-14 12:42:26 +01:00
Stéphane Lesimple a7462c0ac7 enh: use snake_case for system scripts json config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 633061872e chore: remove no-longer-used param in load_configuration_file() calls 2022-02-09 14:31:33 +01:00
Stéphane Lesimple bbdf5a36b8 feat: add NRPE probes 2022-02-09 14:31:33 +01:00
Stéphane Lesimple e71aa7b975 feat: add osh-cleanup-guest-key-access.pl script
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
2022-02-09 14:31:33 +01:00
Stéphane Lesimple f43fdaaf82 enh: osh-lingering-sessions-reaper: make it configurable 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 572ced2af7 enh: osh-piv-grace-reaper: run only on master, standardize config reading 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 07f5c35458 fix: piv-grace-reaper: don't use hash values (had no impact)
This coding error had no impact because the values are hash references,
hence were rejected immediately as invalid accounts by account_config()
2022-02-09 14:31:33 +01:00
Stéphane Lesimple bd13e5a476 enh: osh-encrypt-rsync: catch warnings emitted by GetOptions 2022-02-09 14:31:33 +01:00
Stéphane Lesimple c38c9c09f2 chore: fix typos 2022-02-09 14:31:33 +01:00
Stéphane Lesimple a178aa7906 enh: cron scripts: factorize common code and standardize logging 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 2c2064a484 feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 86c7bf39e6 remove compress-old-logs script, as osh-encrypt-rsync will do the job instead 2022-02-09 14:31:33 +01:00
Stéphane Lesimple 6baa61a7f4 fix: accountInfo: missing creation date on non-json output 2022-02-03 14:27:15 +01:00