#! /usr/bin/env perl # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; use OVH::Result; use OVH::Bastion; use OVH::Bastion::Plugin qw( :DEFAULT help ); my $remainingOptions = OVH::Bastion::Plugin::begin( argv => \@ARGV, header => "create a new bastion account", options => { 'uid=i' => \my $uid, 'account=s' => \my $account, 'always-active' => \my $alwaysActive, 'pubKey=s' => \my $pubKey, # deprecated, keep it not to break scripts or people 'public-key=s' => \my $pubKey, 'comment=s' => \my $comment, 'uid-auto' => \my $uidAuto, 'osh-only' => \my $oshOnly, 'immutable-key' => \my $immutableKey, 'no-key' => \my $noKey, 'ttl=s' => \my $ttl, }, helptext => <<'EOF', Create a new bastion account Usage: --osh SCRIPT_NAME --account ACCOUNT [OPTIONS] --account NAME Account name to create, NAME must contain only valid UNIX account name characters --uid UID Account system UID, also see --uid-auto --uid-auto Auto-select an UID from the allowed range (the upper available one will be used) --always-active This account's activation won't be challenged on connection, even if the bastion is globally configured to check for account activation --osh-only This account will only be able to use OSH commands, and not connecting to machines (ssh or telnet) --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied) --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell. --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present, you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. --no-key Don't prompt for an SSH key, no ingress public key will be installed --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m") EOF ); # ugly hack for space-enabled parameter # XXX should be removed, double quoting fixes the problem, but keep it for compatibility if (ref $remainingOptions eq 'ARRAY' and @$remainingOptions) { $pubKey .= " " . join(" ", @$remainingOptions); } # # code # my $fnret; # # params check # if ((not $account) or (not defined $uid and not $uidAuto)) { help(); osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'account' or ('uid' or 'uid-auto')"; } # quicky ensure these params are not pure bullshit (real check is done by helper script) if ($account !~ /^[a-z0-9._-]+$/i) { osh_exit 'ERR_INVALID_PARAMETER', "Parameter 'account' seems invalid"; } if (defined $ttl) { $fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl); $fnret or osh_exit $fnret; $ttl = $fnret->value->{'seconds'}; } if (defined $uid && $uid == 0) { osh_exit 'ERR_IN_YOUR_DREAMS', "Tu l'as vu ?"; } if (defined $uid && $uidAuto) { osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't specify UID and ask auto UID assignment at the same time"; } if (defined $pubKey && $noKey) { osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use pubKey as you also specified noKey"; } if (!$pubKey && !$noKey) { $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress'); $fnret or osh_exit $fnret; my @algoList = @{$fnret->value}; my $algos = join(' ', @algoList); osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n"; if (grep { 'ed25519' eq $_ } @algoList) { osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one"; } if (grep { 'ecdsa' eq $_ } @algoList) { osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one"; } if (grep { 'rsa' eq $_ } @algoList) { osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one"; } osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed)."; $pubKey = ; ## use critic } if (!$noKey) { $fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress'); $fnret or osh_exit $fnret; } # # Now create it # my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountCreate'; push @command, "--type", "normal"; push @command, "--account", $account; push @command, "--pubKey", $pubKey if !$noKey; push @command, "--always-active" if $alwaysActive; push @command, "--comment", $comment if $comment; push @command, "--uid", $uid if defined $uid; push @command, "--osh-only", $oshOnly if $oshOnly; push @command, "--uid-auto" if $uidAuto; push @command, "--immutable-key" if $immutableKey; push @command, '--ttl', $ttl if $ttl; osh_exit OVH::Bastion::helper(cmd => \@command);