Commit graph

70 commits

Author SHA1 Message Date
Pierre-Elliott Bécue
d0ac9eabb9 Implement Ingress Secure Keys 2024-04-10 10:51:01 +02:00
Cody Robertson
f51bee273e Adjust etc/pam.d/sshd.rhel configuration
- Fix logic error breaking MFA handling if enabled
2024-04-08 16:31:14 +02:00
Stéphane Lesimple
7423f6ad63 feat: add dnsSupportLevel option for systems with broken DNS (fixes #397) 2024-03-20 11:53:00 +01:00
Stéphane Lesimple
f022bd9ac8 feat: add ttyrecStealthStdoutPattern config
Commands that generate a lot of stdout output and are M2M workflows, such as rsync,
can now be excluded from ttyrec to avoid filling up drives
2024-02-20 12:13:53 +01:00
Stéphane Lesimple
fd6850c7ef fix: osh-sync-watcher: default to a valid rshcmd (fixes #433) 2024-02-20 12:13:43 +01:00
Stéphane Lesimple
b48463076f feat: osh.pl: jit mfa for plugins 2023-11-08 13:21:20 +01:00
Stéphane Lesimple
708efd90ca chore: add RockyLinux 9 support 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
455fd8b8c3 chore: remove deprecated UseRoaming option from ssh_config 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
4cdd52d85f chore: add Debian 12 to tests
Note that Debian 12 is not released yet, so it's not yet supported.
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
49dc104dd7 chore: push sandbox and tester images from Deb10 to Deb11
Also remove old config files from previsously dropped OS versions
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
7fafeb3e1d doc: osh-encrypt-rsync.conf: add verbose 2022-07-05 18:04:19 +02:00
Stéphane Lesimple
73b6a625f5 feat: add support and tests for Ubuntu 22.04 LTS 2022-07-04 11:06:34 +02:00
Stéphane Lesimple
ee776707c1 chore: standardize doc generation for config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
a7462c0ac7 enh: use snake_case for system scripts json config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
e71aa7b975 feat: add osh-cleanup-guest-key-access.pl script
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
2022-02-09 14:31:33 +01:00
Stéphane Lesimple
f43fdaaf82 enh: osh-lingering-sessions-reaper: make it configurable 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
2c2064a484 feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
86c7bf39e6 remove compress-old-logs script, as osh-encrypt-rsync will do the job instead 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
9d371f90a9 doc: add documentation for osh-remove-empty-folders 2022-01-19 11:23:44 +01:00
Stéphane Lesimple
7bb0843de1 feat: add osh-remove-empty-folders.sh 2022-01-19 11:23:44 +01:00
Stéphane Lesimple
415bc9b903 doc: add more info about root 2FA in sshd_config templates 2021-12-21 14:44:48 +01:00
Stéphane Lesimple
a68ccb3f8c feat: add new OSes and deprecate old ones
add:
- Debian 11
- RockyLinux 8

remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
2021-12-21 12:00:04 +01:00
Stéphane Lesimple
aaaa173764 feat: add the accountUnlock restricted plugin 2021-12-21 09:42:54 +01:00
Stéphane Lesimple
89ecb2c0d7 feat: add support for Duo PAM auth as MFA (#249) 2021-11-03 15:50:10 +01:00
Christophe Crochet
d85298f229 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-10-15 11:22:00 +02:00
madx
ea8ed97a34 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both 2021-10-15 11:22:00 +02:00
Jean "henyxia" Wasilewski
b40a2fd6e3 fix: add superowner group requirement
Signed-off-by: Jean "henyxia" Wasilewski <henyxia@revs0.com>
2021-09-24 11:56:35 +02:00
Stéphane Lesimple
b58388a3d9 feat: add --proactive-mfa and mfa/nofa interactive commands
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to workaround problems
in commands such as ``clush``  or ``batch``, and interactive mode.
2021-09-21 12:06:40 +02:00
Stéphane Lesimple
99686499b1 feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209) 2021-09-20 17:00:18 +02:00
Stéphane Lesimple
710eb2e4cb doc: use autosectionlabel 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
92d4a46ac5 doc: add osh-piv-grace-reaper.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
9f28dfa977 doc: add osh-backup-acl-keys.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
3c6ce52e8e doc: add osh-encrypt-rsync.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
0dc448943a doc: add osh-sync-watcher.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
a08f56df9f feat: support pam_faillock for Debian 11 (#163) 2021-07-05 10:35:58 +02:00
Stéphane Lesimple
d3f323d0c6 doc: micro fixes 2021-07-02 16:50:53 +02:00
Stéphane Lesimple
458c50eff1 documentation: add a lot of new documentation topics 2021-06-30 15:52:47 +02:00
Stéphane Lesimple
2193ee487d enh: replace 'allowUTF8' (introduced in rc1) by 'fanciness' 2021-06-30 09:53:04 +02:00
Stéphane Lesimple
2e9fe9288b enh: httpproxy: add options to fine-tune logging
Added the `log_request_response` and `log_request_response_max_size`
options to osh-http-proxy.conf.

By default, requests are logged, including their body, up to a size
of 64K per request response. Before, there was no size limit to the
logged body response.
2021-06-03 16:39:56 +02:00
Stéphane Lesimple
3925e67d43 feat: add groupDestroy command for owners
This command deletes a group, as `groupDelete` does, but works
for owners so that they can delete their own group.
`groupDelete` remains as a restricted command, able to delete any group.

Closes #40.
2021-06-02 15:32:40 +02:00
Stéphane Lesimple
adb9d8c374 feat: add UTF-8 chars to output when supported and allowed
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
2021-05-24 16:44:35 +02:00
Stéphane Lesimple
003052530e feat: preparatory work to support Debian 11 "Bullseye"
We still need to replacee pam_tally2 by pam_faillock
Debian 11 is NOT yet supported, and won't be before it's released as stable.
2021-03-24 17:41:29 +01:00
Stéphane Lesimple
e760cf6142 feat: add groupGenerateEgressKey and groupDelEgressKey 2021-02-17 10:03:40 +01:00
Stéphane Lesimple
148d5206e5 enh: rootListIngressKeys: look for all well-known authkeys files 2021-01-21 15:06:27 +01:00
Stéphane Lesimple
928bf0c7b0 enh: config: detect warnBefore/idleTimeout misconfiguration
Before, an inconsistency in the configuration settings of the warnBefore(Lock|Kill)Seconds
and idle(Lock|Kill)Timeout could break any new connection (ttyrec refuses to launch).

Now we detect this case properly, and fallback to a sane setting for
warnBefore(Lock|Kill)Seconds (zero) if those were set without enabling the corresponding
idle(Lock|Kill)Timeout setting. We also log an error to syslog when it happens,
so that the sysadmin can fix their configuration.

Added hints about how these configuration options work together in the bastion.conf.dist file.

Fixes #125
2021-01-19 12:26:09 +01:00
Stéphane Lesimple
1676979913 feat: add PIV keys support and policy enforcement
A new global option 'ingressRequirePIV' was added, to enable or disable a
bastion-wide policy forcing everybody to use only PIV keys.
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
16323667e2
Merge pull request #106 from ovh/logs
feat: revamp logs
2021-01-05 18:50:25 +01:00
Stéphane Lesimple
a479810d83
feat: revamp logs
All connections and plugin executions emit two logs, an 'open' and
a 'close' log. We now add all the details of the connection to
the 'close' logs, those that were previously only available in the
corresponding 'open' log. This way, it is no longer required to
correlate both logs with their uniqid to have all the data:
the 'close' log should suffice. The 'open' log is still there if
for some reason the 'close' log can't be emitted (kill -9, system
crash, etc.), or if the 'open' and the 'close' log are several
hours, days or months appart.

An additional field "duration" has been added to the 'close' logs,
this represents the number of seconds (with millisecond precision)
the connection lasted.

Two new fields "globalsql" and "accountsql" have been added to the
'open'-type logs. These will contain either "ok" if we successfully
logged to the corresponding log database, "no" if it is disabled,
or "error $aDetailedMessage" if we got an error trying to insert
the row. The 'close'-type log also has the new "accountsql_close"
field, but misses the "globalsql_close" field as we never update
the global database on this event. On the 'close' log, we can also
have the value "missing", indicating that we couldn't update the
access log row in the database, as the corresponding 'open' log
couldn't insert it.

The "ttyrecsize" log field for the 'close'-type logs has been removed,
as it was never completely implemented, and contains bogus data if
ttyrec log rotation occurs. It has also been removed from the sqlite
log databases.

The 'open' and 'close' events are now pushed to our own log files,
in addition to syslog, if logging to those files is enabled (see
``enableGlobalAccesssLog`` and ``enableAccountAccessLog``), previously
the 'close' events were only pushed to syslog.

The /home/osh.log is no longer used for ``enableGlobalAccessLog``, the
global log is instead written to /home/logkeeper/global-log-YYYYMM.log.

The global sql file, enabled with ``enableGlobalSqlLog``, is now
split by year-month instead of by year, to
/home/logkeeper/global-log-YYYYMM.sqlite.
2020-12-29 16:14:50 +00:00
Stéphane Lesimple
2cfde997f3 fix: realmDelete: bad sudoers configuration 2020-12-25 17:02:54 +01:00