ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-01 13:01:53 +08:00
Code Issues Projects Releases Packages Wiki Activity
371 commits 6 branches 48 tags 7.3 MiB
Commit graph

371 commits

This branch
This branch
All branches
Author SHA1 Message Date
Christophe Crochet
d85298f229 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-10-15 11:22:00 +02:00
madx
4d3ee1b99d regenerated doc 2021-10-15 11:22:00 +02:00
madx
ea8ed97a34 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both 2021-10-15 11:22:00 +02:00
Stéphane Lesimple
a65cbd55b8 accountPIV: fix bad autocompletion rule 2021-10-08 22:19:51 +02:00
Stéphane Lesimple
a6488ee6fb fix: groupdel: false positive in lock contention detection 
Groups that were containing 'lock' or 'retry' in their name
would falsely trigger the /etc/passwd and /etc/group lock
contention detection, due to their presence in the output of
the system command, implying several retries that were not
needed.
 2021-09-28 09:08:31 +02:00
Jean "henyxia" Wasilewski
b40a2fd6e3 fix: add superowner group requirement 
Signed-off-by: Jean "henyxia" Wasilewski <henyxia@revs0.com>
 2021-09-24 11:56:35 +02:00
Stéphane Lesimple
8d84fce34f fix: proactive-mfa: make it work for --osh batch and --osh clush 2021-09-22 11:32:19 +02:00
Stéphane Lesimple
b5c5d9d5ee release v3.05.01 2021-09-22 10:43:40 +02:00
Stéphane Lesimple
b58388a3d9 feat: add --proactive-mfa and mfa/nofa interactive commands 
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to workaround problems
in commands such as ``clush``  or ``batch``, and interactive mode.
 2021-09-21 12:06:40 +02:00
Stéphane Lesimple
f64cf79260 chore: rename an envvar for clarity 2021-09-21 12:06:40 +02:00
Stéphane Lesimple
db8f621abf doc: add help about the interactive builtin commands (#227) 2021-09-20 17:00:46 +02:00
Stéphane Lesimple
99686499b1 feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209) 2021-09-20 17:00:18 +02:00
Stéphane Lesimple
8e6c247cdf doc: add upgrading notice 2021-09-14 16:05:27 +02:00
Stéphane Lesimple
d3f443a532 release v3.05.00 2021-09-14 10:21:04 +02:00
Stéphane Lesimple
f6e4ec81a8 chore: remove useless 'section' test info 
As tests are now split by modules, the section is autodetected
and taken as the module name, hence a test now only needs a name,
instead of a section & a name.
 2021-09-13 17:45:36 +02:00
Stéphane Lesimple
4a21cfc421 enh: add --max-inactive-days to accountCreate 2021-09-06 14:52:46 +02:00
Stéphane Lesimple
ef10d509fd enh: add max_inactive_days to account configuration (#230) 2021-09-06 14:52:46 +02:00
Stéphane Lesimple
15cb2c2453 enh: accountInfo: add --list-groups 
Listing groups can be slow on bastions having thousands
of groups, hence this is now disabled by default.
 2021-09-02 13:13:44 +02:00
Stéphane Lesimple
82b681a38d doc: add faq about session locking (#226) 2021-09-02 11:42:48 +02:00
Stéphane Lesimple
f1e875ca4b fix: erroneous message in connect.pl 2021-09-02 11:42:18 +02:00
Stéphane Lesimple
56d4078605 feat: add --fallback-password-delay (3) for ssh password autologin 2021-09-02 11:42:18 +02:00
Stéphane Lesimple
5930775626 enh: better error message when unknown option is used 2021-09-02 10:07:03 +02:00
Stéphane Lesimple
5d188faac0 chore: trick perltidy 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
cd5b61b239 chore: perlcritic: remove Variables::RequireInitializationForLocalVars check 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
2510de0cd5 doc: generate scripts doc reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
710eb2e4cb doc: use autosectionlabel 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
92d4a46ac5 doc: add osh-piv-grace-reaper.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
9f28dfa977 doc: add osh-backup-acl-keys.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
3c6ce52e8e doc: add osh-encrypt-rsync.pl config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
0dc448943a doc: add osh-sync-watcher.sh config reference 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
873804dbbe enh: config reading: add rootonly option 2021-09-02 10:06:47 +02:00
Stéphane Lesimple
9b2aa996b3 enh: better use of account creation metadata 
Store account creation information in a JSON.
Display this information in `accountInfo` for auditors.
 2021-07-23 09:50:18 +02:00
Stéphane Lesimple
a2626e6970 chore: tests: add json_document() func 2021-07-23 09:50:18 +02:00
Stéphane Lesimple
c0bebf23d4 fix: accountCreate --uid-auto: rare case where a free UID couldn't be found 
This happened when a free UID was found, along with a corresponding GID,
but the corresponding GID for the ttyrec group of the account was not
available. Now this is checked directly in get_next_available_uid()
 2021-07-19 11:53:18 +02:00
Stéphane Lesimple
6b4418e864 chore: fixrights: ensure tests/functional/proxy/remote-daemon is +x 2021-07-16 11:05:04 +02:00
Stéphane Lesimple
858598d80b chore: add debug info in get_acls() 2021-07-15 18:27:42 +02:00
Stéphane Lesimple
a08f56df9f feat: support pam_faillock for Debian 11 (#163) 2021-07-05 10:35:58 +02:00
Stéphane Lesimple
2390f56c9a chore: groupCreate: fix help message 2021-07-02 18:25:24 +02:00
Stéphane Lesimple
f483b1540a enh: max account length is now 28 chars up from 18 2021-07-02 17:41:12 +02:00
Stéphane Lesimple
a447662cfd release v3.04.00 2021-07-02 17:31:47 +02:00
Stéphane Lesimple
d3f323d0c6 doc: micro fixes 2021-07-02 16:50:53 +02:00
Stéphane Lesimple
01690e8111 bump to v3.03.99-rc2 2021-06-30 17:20:48 +02:00
Stéphane Lesimple
ecee68c8bc chore: fix spurious empty lines at end of generated rst files 2021-06-30 15:52:47 +02:00
Stéphane Lesimple
458c50eff1 documentation: add a lot of new documentation topics 2021-06-30 15:52:47 +02:00
Stéphane Lesimple
b942131092 fix: use local $_ before while(<>) loops 
This closes a range of bugs that can happen if a function using $_ implicitly
in a while is called in a grep {} or map {} which also uses $_
 2021-06-30 09:53:04 +02:00
Stéphane Lesimple
2193ee487d enh: replace 'allowUTF8' (introduced in rc1) by 'fanciness' 2021-06-30 09:53:04 +02:00
thibault.dewailly
5415ed2793 Feat: Add admin and super owner accounts list in info plugin 
For auditing purposes, get admin and super owner list in info plugin
Available for auditor role only
Closes #206
 2021-06-28 11:13:30 +02:00
Stéphane Lesimple
c201f44d83 enh: tests: refactor the framework for more maintainability 
The chain of executions is as is:
- `docker_build_and_run_tests_all.sh`
  - launches several instances of `docker_build_and_run_tests.sh`
    - builds docker images with the `target_role.sh` and `tester_role.sh` entrypoints
      - inside the tester docker, `tester_role.sh` launches `launch_tests_on_instance.sh`
      - the target docker gets tested after setting up accounts, SSH etc.

Previously, these scripts passed options to each other either by a mix of environment
variables and command-line arguments, with some inconsistencies here and there.

Now, `launch_tests_on_instance.sh` supports a lot of command-line options, which can
be specified directly if testing a remote server, or can be passed-through by the calling
script in case of docker tests. `docker_build_and_run_tests.sh` and
`docker_build_and_run_tests_all.sh` also support to passthrough these options down.
 2021-06-25 16:02:38 +02:00
Stéphane Lesimple
2f1e3fbfa8 support: del deb8/ubuntu1404/opensuse150/opensuse151, add opensuse153 
Remove support for EOL OSes:
- Debian 8
- Ubuntu 14.04
- OpenSUSE 15.0
- OpenSUSE 15.1

Add support for:
- OpenSUSE 15.3
 2021-06-25 16:02:38 +02:00
Stéphane Lesimple
d400ceeb9f doc: clush: document --user and --port 
Partly fixes #201
 2021-06-23 12:24:32 +02:00