ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-01 13:01:53 +08:00
Code Issues Projects Releases Packages Wiki Activity
599 commits 6 branches 48 tags 7.3 MiB
Commit graph

292 commits

Author SHA1 Message Date
Stéphane Lesimple
6f13149093 chore: bump OpenSUSE Leap tests from 15.3 to 15.4 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
49dc104dd7 chore: push sandbox and tester images from Deb10 to Deb11 
Also remove old config files from previsously dropped OS versions
 2023-04-07 10:44:05 +02:00
Stéphane Lesimple
eb9a25a9ac fix: groupInfo: empty gk and guest accesses list 
Introduced in 7a825aeec4
 2023-03-27 17:04:32 +02:00
Stéphane Lesimple
7a825aeec4 feat: add --all to groupInfo and accountInfo 2023-03-23 14:37:45 +01:00
Stéphane Lesimple
a1812e34bb fix: race condition when two parallel account creations used --uid-auto 
Fixes #363
 2023-03-22 11:00:16 +01:00
Stéphane Lesimple
f4abfc1ba8 feat: add sftp support 2023-03-16 13:45:42 +01:00
Stéphane Lesimple
a7c0b5ec23 fix: typo in a func name in an error code path 
Fixes #372
 2023-03-14 13:33:45 +01:00
Stéphane Lesimple
76f25f287e enh: setup-encryption.sh: don't require install to be called before us 2023-03-03 10:32:10 +01:00
Stéphane Lesimple
036f921c40 feat: add accountFreeze/accountUnfreeze 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
0e787f4ea9 enh: accountInfo: add --no-password-info and --no-output 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
b3683dfe6e enh: osh.pl: add the account name on each error message 
This makes it clearer which bastion is outputing the error when
multiple bastions are involved, for example in realm cases
 2022-12-30 17:53:08 +01:00
Stéphane Lesimple
4508b6b6a8 enh: more precise matching of ssh client error messages 2022-12-30 17:52:42 +01:00
Stéphane Lesimple
f82ff21062 chore: generate-sudoers.sh: sort alphabetically 2022-11-23 17:17:51 +01:00
Stéphane Lesimple
521836b17b fix: rare race condition introduced by b7f4909 
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
 2022-11-15 17:34:47 +01:00
Stéphane Lesimple
21f29680b6 fix: basic mitigation for scp's CVE-2020-15778 
This CVE will not be fixed by scp authors, and as far as The Bastion
is concerned, this can't be achieved by anybody that doesn't already
have shell access to the remote server in addition to the scp rights,
but let's still block it for good measure.
 2022-11-15 14:56:49 +01:00
Stéphane Lesimple
720222c423 fix: batch: don't attempt to read if stdin is closed 2022-09-21 11:57:55 +02:00
Stéphane Lesimple
8c82c3441b fix: accountInfo wasn't showing TTL account expiration #329 2022-09-09 17:14:25 +02:00
Stéphane Lesimple
0c96df0a3d enh: tests: faster perl-check script 2022-07-29 11:35:26 +02:00
Stéphane Lesimple
ebebed7be0 fix: remove spurious set +e/-e after commit bdea34c 2022-07-29 11:34:56 +02:00
Stéphane Lesimple
7b3c721f66 doc: add a missing parameter in ping's help 2022-07-29 11:34:43 +02:00
Stéphane Lesimple
a86f25470a chore: selfListEgressKeys: fix typo 2022-07-29 11:29:58 +02:00
Stéphane Lesimple
8c2b6a410a fix: accountUnlock: add missing check_spurious_args and no_auto_abbrev 2022-07-29 11:29:34 +02:00
Stéphane Lesimple
72cefa6417 fix: performance issues introduced by effab4a 
Commit that introduced the performance degradation is effab4a
(fix: workaround for undocumented caching in getpw/getgr funcs)

Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level,
which restores performance pre-effab4a and even enhances it in somes cases,
for example on a 2000-accounts and 2000-groups bastion, we are:

- 11% faster on --osh help
- 35% faster on --osh selfListAccesses (reduces syscalls by 87%)
 2022-07-12 10:07:16 +02:00
Stéphane Lesimple
7a3306a00d fix: cleanup-guest-key-access: use cache for performance 2022-07-12 10:07:16 +02:00
Stéphane Lesimple
bdea34ccad enh: install: better error detection 2022-07-11 12:06:42 +02:00
Stéphane Lesimple
45070f833c enh: MFA: specify account name in message 2022-07-05 18:06:41 +02:00
Thomas Soëte
da6d80bef1 fix: Bad plugin name 2022-07-05 10:02:37 +02:00
Stéphane Lesimple
73b6a625f5 feat: add support and tests for Ubuntu 22.04 LTS 2022-07-04 11:06:34 +02:00
Stéphane Lesimple
d75b221deb fix: group-specific idle timeouts: also handle password-only groups 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
291d897832 fix: group-specific timeouts: advertise the proper timeout that will be applied when connecting 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
3540dc309c enh: groupInfo: clearer message for disabled idle/kill timeout policies 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
46a01a546a feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
6fb528ccf1 chore: rename some vars for clarity 2022-07-01 15:33:44 +02:00
Stéphane Lesimple
e040afb074 chore: new perltidy rules 2022-07-01 10:21:19 +02:00
Stéphane Lesimple
bd2f069c7e enh: print a msg when no ingress keys are found 2022-07-01 10:10:17 +02:00
Stéphane Lesimple
077735908a fix: {group,account}Delete: move() would sometimes fail, replace by mv 2022-06-29 11:35:04 +02:00
Stéphane Lesimple
4f99c4fe6c fix: ping: force a deadline, and restore default sighandlers 2022-06-29 11:34:24 +02:00
Stéphane Lesimple
884b4bbaf0 fix: install: ensure that the healthcheck user can always connect from 127.0.0.1 
Regardless of the bastion config about the ingressKeysFrom configuration
 2022-06-29 11:33:41 +02:00
Romain Beuque
c1ca9b6374 fix: typo in the 'alive' command 
Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com>
 2022-06-08 12:01:10 +02:00
Stéphane Lesimple
d254ad0ba0 fix: osh-cleanup-guest-key-access.pl: load proper config file 2022-03-21 10:57:19 +01:00
Stéphane Lesimple
6d3bd00d4c fix: osh-encrypt-rsync: delete +a source files properly 2022-03-21 10:56:58 +01:00
Stéphane Lesimple
10fcb7ebc5 fix: osh-encrypt-rsync.pl: ensure $verbose is always set, make it configurable, fix a typo 2022-03-18 14:19:08 +01:00
Stéphane Lesimple
6c1a430c66 fix: osh-encrypt-rsync.pl: don't add some folders twice 
This would lead to actually skipping some of the folders,
possibly an oddity of File::Find::find
 2022-03-18 14:19:08 +01:00
Stéphane Lesimple
effab4a5c2 fix: workaround for undocumented caching in getpw/getgr funcs 2022-03-14 12:42:26 +01:00
Stéphane Lesimple
d88cf637ee chore: add more info in syslog warnings for accountDelete 2022-03-14 12:42:26 +01:00
Stéphane Lesimple
a7462c0ac7 enh: use snake_case for system scripts json config files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
633061872e chore: remove non-longer used param in load_configuration_file() calls 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
bbdf5a36b8 feat: add NRPE probes 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
e71aa7b975 feat: add osh-cleanup-guest-key-access.pl script 
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
f43fdaaf82 enh: osh-lingering-sessions-reaper: make it configurable 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
572ced2af7 enh: osh-piv-grace-reaper: run only on master, standardize config reading 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
07f5c35458 fix: piv-grace-reaper: don't use hash values (had no impact) 
This coding error had no impact because the values are hash references,
hence were rejected immediately as invalid accoounts by account_config()
 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
bd13e5a476 enh: osh-encrypt-rsync: catch warnings emitted by GetOptions 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
c38c9c09f2 chore: fix typos 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
a178aa7906 enh: cron scripts: factorize common code and standardize logging 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
2c2064a484 feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
86c7bf39e6 remove compress-old-logs script, as osh-encrypt-rsync will do the job instead 2022-02-09 14:31:33 +01:00
Stéphane Lesimple
6baa61a7f4 fix: accountInfo: missing creation date on non-json output 2022-02-03 14:27:15 +01:00
Stéphane Lesimple
e5cfa26853 fix: install: avoid cases of sigpipe on tr 2022-02-01 10:53:01 +01:00
Stéphane Lesimple
dc16e628e2 fix: osh-remove-empty-folders: fix folders counting (logging only) 2022-01-19 16:19:52 +01:00
Stéphane Lesimple
3331e158a0 enh: better error detection and logging in (account|group)Delete 2022-01-19 11:24:03 +01:00
Stéphane Lesimple
7bb0843de1 feat: add osh-remove-empty-folders.sh 2022-01-19 11:23:44 +01:00
Stéphane Lesimple
744bd5fa0c enh: introduce exit_fail and exit_success for shell scripts 2022-01-19 11:23:44 +01:00
Antoine Leblanc
1c8efa6590 fix: osh-accountCreate: fix typo 
Signed-off-by: Antoine Leblanc <antoine.leblanc@ovhcloud.com>
 2021-12-31 16:22:03 +01:00
Stéphane Lesimple
7f28cce490 chore: install: remove obsolete upgrading sections 
These portions of code were only useful to upgrade bastions from
versions older than v3.00.00, which was the first public release.

There has been no remaining pre-v3.x version in production internally
since some time now, so there is no use keeping that code.
 2021-12-29 13:19:53 +01:00
Stéphane Lesimple
37842c29d3 chore: packages-check.sh: remove obsolete -t and -v options 2021-12-29 13:19:53 +01:00
Stéphane Lesimple
da5cb3c232 chore: packages-check.sh: implement installed pkg detection in rhel/suse, use proper pkg names 2021-12-29 13:19:53 +01:00
Stéphane Lesimple
6694518ab5 chore: remove obsolete check-ssh-hardening.pl 2021-12-29 13:19:53 +01:00
Stéphane Lesimple
ae74a823f8 chore: perltidy: rewrite perl-tidy.sh to support single-file tidy 2021-12-29 11:40:34 +01:00
Stéphane Lesimple
ae997dd93c chore: shellcheck: rewrite shell-check.sh and make files compliant with v0.8.0 2021-12-29 11:40:34 +01:00
Stéphane Lesimple
f609565fe8 enh: batch: detect when asked to start a plugin requiring MFA 2021-12-29 11:20:55 +01:00
Stéphane Lesimple
000ed4e8af feat: move scripts to GnuPG 2.x and add tests 2021-12-29 11:20:43 +01:00
Stéphane Lesimple
f8f193b298 enh: selfMFASetupPassword: add more messages for the user 2021-12-28 09:54:17 +01:00
Stéphane Lesimple
e847a19857 enh: ttyrec & yubico installs: hardcode URLs for when API is down 2021-12-22 18:00:21 +01:00
Stéphane Lesimple
a68ccb3f8c feat: add new OSes and deprecate old ones 
add:
- Debian 11
- RockyLinux 8

remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
 2021-12-21 12:00:04 +01:00
Stéphane Lesimple
aaaa173764 feat: add the accountUnlock restricted plugin 2021-12-21 09:42:54 +01:00
Stéphane Lesimple
d51c4c8be0 fix: tests: full tests on FreeBSD 2021-12-20 12:54:32 +01:00
Stéphane Lesimple
7cc350b40d chore: check for spurious args in all helpers 2021-12-16 11:02:13 +01:00
Stéphane Lesimple
90dbe04dde enh: detect silent password change failures 2021-12-15 18:20:46 +01:00
Stéphane Lesimple
850152a88c enh: ensure proper Getopt::Long options are set everywhere 2021-12-13 09:51:00 +01:00
Stéphane Lesimple
d4cc727f74 chore: factorize helpers header 2021-12-13 09:51:00 +01:00
Stéphane Lesimple
2c2f723bbb fix: add helpers handling of SIGPIPE/SIGHUP 
To avoid having e.g. a group creation interrupted in the middle just because
the caller killed their ssh connection while we're still working
 2021-12-13 09:51:00 +01:00
Stéphane Lesimple
1725130a15 fix: avoid double-close log messages on HUP 2021-12-13 09:50:36 +01:00
Stéphane Lesimple
373f4907de fix: tests under OpenSUSE (fping raw sockets) 2021-12-13 09:32:52 +01:00
Christophe Crochet
98c1c79382 update of --force-password: code style cleanup 2021-12-09 16:51:40 +01:00
Christophe Crochet
e9841b89bc update of --force-password: removed guest support 2021-12-09 16:51:40 +01:00
Christophe Crochet
ff40617624 update of --force-password: guest support, autocompletion, new tests, code cleanups 2021-12-09 16:51:40 +01:00
Christophe Crochet
e4b132ed9a new access option: --force-password <HASH>, to only try one specific password 2021-12-09 16:51:40 +01:00
Stéphane Lesimple
89ecb2c0d7 feat: add support for Duo PAM auth as MFA (#249) 2021-11-03 15:50:10 +01:00
Stéphane Lesimple
7dcbfeebc6 fix: --self-password was missing as a -P synonym (#257) 2021-10-28 11:33:13 +02:00
Stéphane Lesimple
00aa2e7efc fix: selfMFASetupTOTP: bad return func 2021-10-20 13:42:13 +02:00
Christophe Crochet
d85298f229 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-10-15 11:22:00 +02:00
madx
ea8ed97a34 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both 2021-10-15 11:22:00 +02:00
Stéphane Lesimple
a65cbd55b8 accountPIV: fix bad autocompletion rule 2021-10-08 22:19:51 +02:00
Stéphane Lesimple
8d84fce34f fix: proactive-mfa: make it work for --osh batch and --osh clush 2021-09-22 11:32:19 +02:00
Stéphane Lesimple
b58388a3d9 feat: add --proactive-mfa and mfa/nofa interactive commands 
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to workaround problems
in commands such as ``clush``  or ``batch``, and interactive mode.
 2021-09-21 12:06:40 +02:00
Stéphane Lesimple
f64cf79260 chore: rename an envvar for clarity 2021-09-21 12:06:40 +02:00
Stéphane Lesimple
99686499b1 feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209) 2021-09-20 17:00:18 +02:00
Stéphane Lesimple
4a21cfc421 enh: add --max-inactive-days to accountCreate 2021-09-06 14:52:46 +02:00
Stéphane Lesimple
ef10d509fd enh: add max_inactive_days to account configuration (#230) 2021-09-06 14:52:46 +02:00