Groups that were containing 'lock' or 'retry' in their name
would falsely trigger the /etc/passwd and /etc/group lock
contention detection, due to their presence in the output of
the system command, implying several retries that were not
needed.
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to workaround problems
in commands such as ``clush`` or ``batch``, and interactive mode.
This happened when a free UID was found, along with a corresponding GID,
but the corresponding GID for the ttyrec group of the account was not
available. Now this is checked directly in get_next_available_uid()
The chain of executions is as is:
- `docker_build_and_run_tests_all.sh`
- launches several instances of `docker_build_and_run_tests.sh`
- builds docker images with the `target_role.sh` and `tester_role.sh` entrypoints
- inside the tester docker, `tester_role.sh` launches `launch_tests_on_instance.sh`
- the target docker gets tested after setting up accounts, SSH etc.
Previously, these scripts passed options to each other either by a mix of environment
variables and command-line arguments, with some inconsistencies here and there.
Now, `launch_tests_on_instance.sh` supports a lot of command-line options, which can
be specified directly if testing a remote server, or can be passed-through by the calling
script in case of docker tests. `docker_build_and_run_tests.sh` and
`docker_build_and_run_tests_all.sh` also support to passthrough these options down.
Added the `log_request_response` and `log_request_response_max_size`
options to osh-http-proxy.conf.
By default, requests are logged, including their body, up to a size
of 64K per request response. Before, there was no size limit to the
logged body response.
The following additional header is now allowed to come back from the remote server to the client:
* Content-Length
The following additional headers are now passed through to the remote server:
* Content-Length
* Content-Encoding
The commands selfListAccesses, accountListAccesses,
groupList, groupListServers, groupListGuestAccesses and
accountList now have options to filter their output through
pattern matching, with --include and --exclude.
The output from the commands using print_acls() is also more
human-friendly, with auto-adjusting column length, and empty
columns omitted.
Closes#60.
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
If no comment is set, the comment is inherited from the group ACL,
as seen in groupListServers.
selfAddPersonalAccess now also return details
about the added server in the returned JSON.
Closes#18Closes#17
This fixes a race condition in sudo where it would log a log of
error messages to syslog if used while we're running the install
script: files around sudoers.d/ are then moved around, and it'll
yell for each file it previously listed if the file no longer
exists when it tries to stat() it. It also deprecates the --no-wait
flag of the install script, as now the sudoers.d/ directory will
always have integrity at all times.
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
Before, an inconsistency in the configuration settings of the warnBefore(Lock|Kill)Seconds
and idle(Lock|Kill)Timeout could break any new connection (ttyrec refuses to launch).
Now we detect this case properly, and fallback to a sane setting for
warnBefore(Lock|Kill)Seconds (zero) if those were set without enabling the corresponding
idle(Lock|Kill)Timeout setting. We also log an error to syslog when it happens,
so that the sysadmin can fix their configuration.
Added hints about how these configuration options work together in the bastion.conf.dist file.
Fixes#125
All connections and plugin executions emit two logs, an 'open' and
a 'close' log. We now add all the details of the connection to
the 'close' logs, those that were previously only available in the
corresponding 'open' log. This way, it is no longer required to
correlate both logs with their uniqid to have all the data:
the 'close' log should suffice. The 'open' log is still there if
for some reason the 'close' log can't be emitted (kill -9, system
crash, etc.), or if the 'open' and the 'close' log are several
hours, days or months appart.
An additional field "duration" has been added to the 'close' logs,
this represents the number of seconds (with millisecond precision)
the connection lasted.
Two new fields "globalsql" and "accountsql" have been added to the
'open'-type logs. These will contain either "ok" if we successfully
logged to the corresponding log database, "no" if it is disabled,
or "error $aDetailedMessage" if we got an error trying to insert
the row. The 'close'-type log also has the new "accountsql_close"
field, but misses the "globalsql_close" field as we never update
the global database on this event. On the 'close' log, we can also
have the value "missing", indicating that we couldn't update the
access log row in the database, as the corresponding 'open' log
couldn't insert it.
The "ttyrecsize" log field for the 'close'-type logs has been removed,
as it was never completely implemented, and contains bogus data if
ttyrec log rotation occurs. It has also been removed from the sqlite
log databases.
The 'open' and 'close' events are now pushed to our own log files,
in addition to syslog, if logging to those files is enabled (see
``enableGlobalAccesssLog`` and ``enableAccountAccessLog``), previously
the 'close' events were only pushed to syslog.
The /home/osh.log is no longer used for ``enableGlobalAccessLog``, the
global log is instead written to /home/logkeeper/global-log-YYYYMM.log.
The global sql file, enabled with ``enableGlobalSqlLog``, is now
split by year-month instead of by year, to
/home/logkeeper/global-log-YYYYMM.sqlite.
We now warn (to syslog) for invalid values where
we have to fallback to defaults, and for boolean
options, actual true/false JSON values are now
properly recognized. 0 and 1 will still always
be parsed correctly, to not break compatibility.
Adding a guest access to a member of a group is now denied, to avoid having
dangling guest accesses when their membership is revoked. In effect, they
could no longer access the group servers, even as guest, because they no longer
had access to the group key, but their previous guest accesses were still
visible in groupListGuestAccesses, causing possible confusion.
We now also revoke all guest accesses of an account to a group, if any,
when it's being set as a member of this group, so that when/if the account
membership is revoked, we don't end up with the same ghost guest accesses as above.