Commit graph

85 commits

Author SHA1 Message Date
Stéphane Lesimple
7a825aeec4 feat: add --all to groupInfo and accountInfo 2023-03-23 14:37:45 +01:00
Stéphane Lesimple
f4abfc1ba8 feat: add sftp support 2023-03-16 13:45:42 +01:00
Stéphane Lesimple
036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
0e787f4ea9 enh: accountInfo: add --no-password-info and --no-output 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
521836b17b fix: rare race condition introduced by b7f4909
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
2022-11-15 17:34:47 +01:00
Stéphane Lesimple
21f29680b6 fix: basic mitigation for scp's CVE-2020-15778
This CVE will not be fixed by scp authors, and as far as The Bastion
is concerned, this can't be achieved by anybody that doesn't already
have shell access to the remote server in addition to the scp rights,
but let's still block it for good measure.
2022-11-15 14:56:49 +01:00
Stéphane Lesimple
720222c423 fix: batch: don't attempt to read if stdin is closed 2022-09-21 11:57:55 +02:00
Stéphane Lesimple
8c82c3441b fix: accountInfo wasn't showing TTL account expiration #329 2022-09-09 17:14:25 +02:00
Stéphane Lesimple
7b3c721f66 doc: add a missing parameter in ping's help 2022-07-29 11:34:43 +02:00
Stéphane Lesimple
a86f25470a chore: selfListEgressKeys: fix typo 2022-07-29 11:29:58 +02:00
Stéphane Lesimple
72cefa6417 fix: performance issues introduced by effab4a
Commit that introduced the performance degradation is effab4a
(fix: workaround for undocumented caching in getpw/getgr funcs)

Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level,
which restores performance pre-effab4a and even enhances it in some cases,
for example on a 2000-accounts and 2000-groups bastion, we are:

- 11% faster on --osh help
- 35% faster on --osh selfListAccesses (reduces syscalls by 87%)
2022-07-12 10:07:16 +02:00
Thomas Soëte
da6d80bef1 fix: Bad plugin name 2022-07-05 10:02:37 +02:00
Stéphane Lesimple
3540dc309c enh: groupInfo: clearer message for disabled idle/kill timeout policies 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
46a01a546a feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
6fb528ccf1 chore: rename some vars for clarity 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
e040afb074 chore: new perltidy rules 2022-07-01 10:21:19 +02:00
Stéphane Lesimple
bd2f069c7e enh: print a msg when no ingress keys are found 2022-07-01 10:10:17 +02:00
Stéphane Lesimple
4f99c4fe6c fix: ping: force a deadline, and restore default sighandlers 2022-06-29 11:34:24 +02:00
Stéphane Lesimple
884b4bbaf0 fix: install: ensure that the healthcheck user can always connect from 127.0.0.1
Regardless of the bastion config about the ingressKeysFrom configuration
2022-06-29 11:33:41 +02:00
Romain Beuque
c1ca9b6374 fix: typo in the 'alive' command
Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com>
2022-06-08 12:01:10 +02:00
Stéphane Lesimple
effab4a5c2 fix: workaround for undocumented caching in getpw/getgr funcs 2022-03-14 12:42:26 +01:00
Stéphane Lesimple
6baa61a7f4 fix: accountInfo: missing creation date on non-json output 2022-02-03 14:27:15 +01:00
Stéphane Lesimple
f609565fe8 enh: batch: detect when asked to start a plugin requiring MFA 2021-12-29 11:20:55 +01:00
Stéphane Lesimple
f8f193b298 enh: selfMFASetupPassword: add more messages for the user 2021-12-28 09:54:17 +01:00
Stéphane Lesimple
aaaa173764 feat: add the accountUnlock restricted plugin 2021-12-21 09:42:54 +01:00
Stéphane Lesimple
7cc350b40d chore: check for spurious args in all helpers 2021-12-16 11:02:13 +01:00
Stéphane Lesimple
373f4907de fix: tests under OpenSUSE (fping raw sockets) 2021-12-13 09:32:52 +01:00
Christophe Crochet
ff40617624 update of --force-password: guest support, autocompletion, new tests, code cleanups 2021-12-09 16:51:40 +01:00
Christophe Crochet
e4b132ed9a new access option: --force-password <HASH>, to only try one specific password 2021-12-09 16:51:40 +01:00
Stéphane Lesimple
89ecb2c0d7 feat: add support for Duo PAM auth as MFA (#249) 2021-11-03 15:50:10 +01:00
Stéphane Lesimple
00aa2e7efc fix: selfMFASetupTOTP: bad return func 2021-10-20 13:42:13 +02:00
Christophe Crochet
d85298f229 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-10-15 11:22:00 +02:00
madx
ea8ed97a34 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both 2021-10-15 11:22:00 +02:00
Stéphane Lesimple
a65cbd55b8 accountPIV: fix bad autocompletion rule 2021-10-08 22:19:51 +02:00
Stéphane Lesimple
f64cf79260 chore: rename an envvar for clarity 2021-09-21 12:06:40 +02:00
Stéphane Lesimple
4a21cfc421 enh: add --max-inactive-days to accountCreate 2021-09-06 14:52:46 +02:00
Stéphane Lesimple
ef10d509fd enh: add max_inactive_days to account configuration (#230) 2021-09-06 14:52:46 +02:00
Stéphane Lesimple
15cb2c2453 enh: accountInfo: add --list-groups
Listing groups can be slow on bastions having thousands
of groups, hence this is now disabled by default.
2021-09-02 13:13:44 +02:00
Stéphane Lesimple
9b2aa996b3 enh: better use of account creation metadata
Store account creation information in a JSON.
Display this information in `accountInfo` for auditors.
2021-07-23 09:50:18 +02:00
Stéphane Lesimple
2390f56c9a chore: groupCreate: fix help message 2021-07-02 18:25:24 +02:00
thibault.dewailly
5415ed2793 Feat: Add admin and super owner accounts list in info plugin
For auditing purposes, get admin and super owner list in info plugin
Available for auditor role only
Closes #206
2021-06-28 11:13:30 +02:00
Stéphane Lesimple
d400ceeb9f doc: clush: document --user and --port
Partly fixes #201
2021-06-23 12:24:32 +02:00
Thomas Soëte
c61a3eaae9 Remove duplicate groupAddGuestAccess groupDelGuestAccess
groupAddGuestAccess groupDelGuestAccess are present twice in help
2021-06-21 09:39:35 +02:00
Stéphane Lesimple
3925e67d43 feat: add groupDestroy command for owners
This command deletes a group, as `groupDelete` does, but works
for owners so that they can delete their own group.
`groupDelete` remains as a restricted command, able to delete any group.

Closes #40.
2021-06-02 15:32:40 +02:00
Stéphane Lesimple
8cc990ad57 feat: add filtering options to several cmds, nicify print_acls()
The commands selfListAccesses, accountListAccesses,
groupList, groupListServers, groupListGuestAccesses and
accountList now have options to filter their output through
pattern matching, with --include and --exclude.

The output from the commands using print_acls() is also more
human-friendly, with auto-adjusting column length, and empty
columns omitted.

Closes #60.
2021-05-25 09:42:28 +02:00
Stéphane Lesimple
adb9d8c374 feat: add UTF-8 chars to output when supported and allowed
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
2021-05-24 16:44:35 +02:00
Stéphane Lesimple
344865884b fix: groupCreate: deny groups starting with 'key'
Mitigates #178
2021-05-21 14:13:22 +02:00
Stéphane Lesimple
68e088a607 doc: accountModify: more details on the --egress-strict-host-key-checking option 2021-05-19 18:55:54 +02:00
Jonathan Marsaud
b7b2533604 accountModify - Add a new accept-new POLICY in egress-strict-host-key-checking parameter 2021-05-19 16:34:35 +02:00
Stéphane Lesimple
c2b4bb192a fix: osh-help: put groupDelEgressKey in the proper category
Fixes #174
2021-04-16 09:09:26 +02:00