From 03e435f07a7a08040fe2256cd3e7ca2ea34d093c Mon Sep 17 00:00:00 2001 From: jon4hz Date: Thu, 4 Dec 2025 11:58:29 +0100 Subject: [PATCH] chore: regenerate docs --- .../group-aclkeeper/groupAddServer.rst | 38 ++++++++++------- .../group-aclkeeper/groupDelServer.rst | 10 +++++ .../group-gatekeeper/groupAddGuestAccess.rst | 42 ++++++++++++------- .../group-gatekeeper/groupDelGuestAccess.rst | 38 ++++++++++------- .../plugins/group-owner/groupModify.rst | 7 +++- doc/sphinx/plugins/open/selfListSessions.rst | 12 ++++++ .../restricted/accountAddPersonalAccess.rst | 10 +++++ .../restricted/accountDelPersonalAccess.rst | 10 +++++ .../restricted/selfAddPersonalAccess.rst | 11 +++++ .../restricted/selfDelPersonalAccess.rst | 10 +++++ .../plugins/restricted/whoHasAccessTo.rst | 12 ++++++ 11 files changed, 155 insertions(+), 45 deletions(-) diff --git a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst index a8d3070..65342af 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst 
@@ -22,24 +22,24 @@ Add an IP or IP block to a group's servers list Host(s) to add access to, either a HOST which will be resolved to an IP immediately, - or an IP, or a whole subnet using the PREFIX/SIZE notation - --user USER|PATTERN|* Specify which remote user should be allowed to connect as. - Globbing characters '*' and '?' are supported, so you can specify a pattern - that will be matched against the actual remote user name. - To allow any user, use '--user *' (you might need to escape '*' from your shell) - --port PORT|* Remote port allowed to connect to - To allow any port, use '--port *' (you might need to escape '*' from your shell) + or an IP, or a whole subnet using the PREFIX/SIZE notation + --user USER|PATTERN|* Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + To allow any user, use '--user *' (you might need to escape '*' from your shell) + --port PORT|* Remote port allowed to connect to + To allow any port, use '--port *' (you might need to escape '*' from your shell) .. option:: --protocol PROTO Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you - must not specify --user in that case. However, for this protocol to be usable under a given - remote user, access to the USER@HOST:PORT tuple must also be allowed. - PROTO must be one of: - scpup allow SCP upload, you--bastion-->server - scpdown allow SCP download, you<--bastion--server - sftp allow usage of the SFTP subsystem, through the bastion - rsync allow usage of rsync, through the bastion + must not specify --user in that case. However, for this protocol to be usable under a given + remote user, access to the USER@HOST:PORT tuple must also be allowed. 
+ PROTO must be one of: + scpup allow SCP upload, you--bastion-->server + scpdown allow SCP download, you<--bastion--server + sftp allow usage of the SFTP subsystem, through the bastion + rsync allow usage of rsync, through the bastion .. option:: --force Don't try the ssh connection, just add the host to the group blindly @@ -60,6 +60,16 @@ Add an IP or IP block to a group's servers list Add a comment alongside this server. Quote it twice as shown if you're under a shell. +.. option:: --proxy-host HOST|IP + + Use this host as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy host port to connect to (mandatory when --proxy-host is specified) + + --proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. Examples:: diff --git a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst index 4c90666..8eba0af 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst @@ -39,6 +39,16 @@ Remove an IP or IP block from a group's server list scpdown allow SCP download, you<--bastion--server sftp allow usage of the SFTP subsystem, through the bastion rsync allow usage of rsync, through the bastion +.. option:: --proxy-host HOST|IP + + Specify which host was used as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy port that was used to reach the target server + + --proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. This command adds, to an existing bastion account, access to a given server, using the egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers`` 
diff --git a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst index 000b606..581fb7b 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst 
@@ -22,29 +22,29 @@ Add a specific group server access to an account Group to add the guest access to, note that this group should already have access - to the USER/HOST/PORT tuple you'll specify with the options below. + to the USER/HOST/PORT tuple you'll specify with the options below. .. option:: --host HOST|IP|SUBNET Host(s) to add access to, either a HOST which will be resolved to an IP immediately, - or an IP, or a whole subnet using the PREFIX/SIZE notation - --user USER|PATTERN|* Specify which remote user should be allowed to connect as. - Globbing characters '*' and '?' are supported, so you can specify a pattern - that will be matched against the actual remote user name. - To allow any user, use '--user *' (you might need to escape '*' from your shell) - --port PORT|* Remote port allowed to connect to - To allow any port, use '--port *' (you might need to escape '*' from your shell) + or an IP, or a whole subnet using the PREFIX/SIZE notation + --user USER|PATTERN|* Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + To allow any user, use '--user *' (you might need to escape '*' from your shell) + --port PORT|* Remote port allowed to connect to + To allow any port, use '--port *' (you might need to escape '*' from your shell) .. option:: --protocol PROTO Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you - must not specify --user in that case. However, for this protocol to be usable under a given - remote user, access to the USER@HOST:PORT tuple must also be allowed. - PROTO must be one of: - scpupload allow SCP upload, you--bastion-->server - scpdownload allow SCP download, you<--bastion--server - sftp allow usage of the SFTP subsystem, through the bastion - rsync allow usage of rsync, through the bastion + must not specify --user in that case. 
However, for this protocol to be usable under a given + remote user, access to the USER@HOST:PORT tuple must also be allowed. + PROTO must be one of: + scpupload allow SCP upload, you--bastion-->server + scpdownload allow SCP download, you<--bastion--server + sftp allow usage of the SFTP subsystem, through the bastion + rsync allow usage of rsync, through the bastion .. option:: --ttl SECONDS|DURATION Specify a number of seconds after which the access will automatically expire @@ -53,7 +53,17 @@ Add a specific group server access to an account Add a comment alongside this access. Quote it twice as shown if you're under a shell. - If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers + If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers +.. option:: --proxy-host HOST|IP + + Use this host as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy host port to connect to (mandatory when --proxy-host is specified) + + --proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. This command adds, to an existing bastion account, access to the egress keys of a group, but only to accessing one or several given servers, instead of all the servers of this group. diff --git a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst index 6717a2b..e1c190d 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst 
@@ -26,24 +26,34 @@ Remove a specific group server access from an account Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, - or an IP, or a whole subnet using the PREFIX/SIZE notation - --user USER|PATTERN|* Specify which remote user was allowed to connect as. - Globbing characters '*' and '?' are supported, so you can specify a pattern - that will be matched against the actual remote user name. - If any user was allowed, use '--user *' (you might need to escape '*' from your shell) - --port PORT|* Remote port that was allowed to connect to - If any user was allowed, use '--port *' (you might need to escape '*' from your shell) + or an IP, or a whole subnet using the PREFIX/SIZE notation + --user USER|PATTERN|* Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + If any user was allowed, use '--user *' (you might need to escape '*' from your shell) + --port PORT|* Remote port that was allowed to connect to + If any user was allowed, use '--port *' (you might need to escape '*' from your shell) .. option:: --protocol PROTO Specify that a special protocol was allowed for this HOST:PORT tuple, note that you - must not specify --user in that case. However, for this protocol to be usable under a given - remote user, access to the USER@HOST:PORT tuple must also be allowed. - PROTO must be one of: - scpupload allow SCP upload, you--bastion-->server - scpdownload allow SCP download, you<--bastion--server - sftp allow usage of the SFTP subsystem, through the bastion - rsync allow usage of rsync, through the bastion + must not specify --user in that case. However, for this protocol to be usable under a given + remote user, access to the USER@HOST:PORT tuple must also be allowed. 
+ PROTO must be one of: + scpupload allow SCP upload, you--bastion-->server + scpdownload allow SCP download, you<--bastion--server + sftp allow usage of the SFTP subsystem, through the bastion + rsync allow usage of rsync, through the bastion +.. option:: --proxy-host HOST|IP + + Use this host as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy host port to connect to (mandatory when --proxy-host is specified) + + --proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. This command removes, from an existing bastion account, access to a given server, using the egress keys of the group. The list of such servers is given by ``groupListGuestAccesses`` diff --git a/doc/sphinx/plugins/group-owner/groupModify.rst b/doc/sphinx/plugins/group-owner/groupModify.rst index d173d6f..7089130 100644 --- a/doc/sphinx/plugins/group-owner/groupModify.rst +++ b/doc/sphinx/plugins/group-owner/groupModify.rst @@ -9,7 +9,7 @@ Modify the configuration of a group .. admonition:: usage :class: cmdusage - --osh groupModify --group GROUP [--mfa-required password|totp|any|none] [--guest-ttl-limit DURATION] + --osh groupModify --group GROUP [--mfa-required password|totp|any|none] [--guest-ttl-limit DURATION] [--try-personal-keys yes|no] .. program:: groupModify @@ -31,6 +31,11 @@ Modify the configuration of a group This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION, set to zero to allow guest accesses creation without any TTL set (default) +.. option:: --try-personal-keys yes|no + + When a user accesses a server through his group permission, his personal access keys will also be added + + to the connection attempt (default: no) Note that `--idle-lock-timeout` and `--idle-kill-timeout` will NOT be applied for catch-all groups (having 0.0.0.0/0 in their server list). 
diff --git a/doc/sphinx/plugins/open/selfListSessions.rst b/doc/sphinx/plugins/open/selfListSessions.rst index 325fed2..96084a0 100644 --- a/doc/sphinx/plugins/open/selfListSessions.rst +++ b/doc/sphinx/plugins/open/selfListSessions.rst @@ -68,6 +68,18 @@ List the few past sessions of your account Only sessions that connected through bastion PORT +.. option:: --proxyuser USER + + Only sessions that used proxy USER + +.. option:: --proxyip HOST + + Only sessions that used proxy IP + +.. option:: --proxyport PORT + + Only sessions that used proxy PORT + Note that only the sessions that happened on this precise bastion instance will be shown, not the sessions from its possible cluster siblings. diff --git a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst index 843ecd7..02d8d5a 100644 --- a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst @@ -56,6 +56,16 @@ Add a personal server access to an account Add a comment alongside this server. Quote it twice as shown if you're under a shell. +.. option:: --proxy-host HOST|IP + + Use this host as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy host port to connect to (mandatory when --proxy-host is specified) + + --proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. The access will work only if one of the account's personal egress public key has been copied to the remote server. To get the list of an account's personal egress public keys, see ``accountListEgressKeyss`` and ``selfListEgressKeys``. diff --git a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst index a393432..aaaf73a 100644 --- a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst 
+++ b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst @@ -39,3 +39,13 @@ Remove a personal server access from an account scpdownload allow SCP download, you<--bastion--server sftp allow usage of the SFTP subsystem, through the bastion rsync allow usage of rsync, through the bastion +.. option:: --proxy-host HOST|IP + + Specify which host was used as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy port that was used to reach the target server + + --proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. diff --git a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst index c37ea50..7ebb515 100644 --- a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst @@ -56,6 +56,17 @@ Add a personal server access to your account Add a comment alongside this server. Quote it twice as shown if you're under a shell. +.. option:: --proxy-host HOST|IP + + Use this host as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy host port to connect to (mandatory when --proxy-host is specified) + + --proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. + When connecting via SSH (not plugins), defaults to --user value for convenience. Plugin configuration ==================== diff --git a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst index 2528f9c..6339bc2 100644 --- a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst 
@@ -35,3 +35,13 @@ Remove a personal server access from your account scpdownload allow SCP download, you<--bastion--server sftp allow usage of the SFTP subsystem, through the bastion rsync allow usage of rsync, through the bastion +.. option:: --proxy-host HOST|IP + + Specify which host was used as a proxy/jump host to reach the target server + +.. option:: --proxy-port PORT + + Proxy port that was used to reach the target server + + --proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified). + Globbing characters '*' and '?' are supported for pattern matching. diff --git a/doc/sphinx/plugins/restricted/whoHasAccessTo.rst b/doc/sphinx/plugins/restricted/whoHasAccessTo.rst index 24ba23a..d297152 100644 --- a/doc/sphinx/plugins/restricted/whoHasAccessTo.rst +++ b/doc/sphinx/plugins/restricted/whoHasAccessTo.rst @@ -26,6 +26,18 @@ List the accounts that have access to a given server Remote port allowed (if not specified, ignore port specifications) +.. option:: --proxy-user USER + + Proxy user allowed (if egress connection goes through a proxyjump) + +.. option:: --proxy-host HOST + + Proxy host allowed (if egress connection goes through a proxyjump + +.. option:: --proxy-port PORT + + Proxy port allowed (if egress connection goes through a proxyjump) + .. option:: --ignore-personal Don't check accounts' personal accesses (i.e. only check groups)
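Review bot: in groupAddServer.rst the new --proxy-user entry has no ".. option::" directive of its own; it is emitted as indented text inside the body of --proxy-port, unlike --proxy-host and --proxy-port just above it. Since it is marked mandatory whenever --proxy-host is given, it should be a first-class entry: have the generator emit ".. option:: --proxy-user USER|PATTERN|*" followed by a blank line and the indented description. The same shape recurs for --proxy-user in every other file touched by this patch except whoHasAccessTo.rst.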
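Review bot: in groupDelServer.rst, --proxy-port ("Proxy port that was used to reach the target server") carries no "mandatory when --proxy-host is specified" marker, while --proxy-user directly below it does, and the add commands mark both as mandatory. If removal has to match the full proxy host/port/user tuple, say so on --proxy-port; if the port may be omitted, document which entries are removed in that case. The identical wording appears in accountDelPersonalAccess.rst and selfDelPersonalAccess.rst.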
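Review bot: groupDelGuestAccess.rst documents its three proxy options with the add-side wording ("Use this host as a proxy/jump host to reach the target server", "Proxy host port to connect to", "Proxy user to connect as"), although this is a removal command whose other options are written in the past tense ("was allowed"). groupDelServer.rst, accountDelPersonalAccess.rst and selfDelPersonalAccess.rst use "was used" / "was configured" for the same options; the plugin help text behind groupDelGuestAccess should be aligned with those before the docs are regenerated.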
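Review bot: in groupModify.rst the description of --try-personal-keys is split by an added blank line between "his personal access keys will also be added" and "to the connection attempt (default: no)", so the sentence renders as two separate paragraphs. Drop the blank line in the source help text so the description stays one paragraph, and consider "their" instead of "his". Because this option changes which keys are offered on a group-authorised connection, one more sentence stating whether the group egress keys are still tried would help readers.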
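Review bot: selfListSessions.rst introduces --proxyuser, --proxyip and --proxyport, while every other file in this patch spells the same concepts --proxy-user, --proxy-host and --proxy-port. In addition, "--proxyip HOST" uses the metavariable HOST but the description says "Only sessions that used proxy IP". If the unhyphenated names are deliberate, to match the other filters of this plugin, keep them but fix the metavariable (IP, or state that a hostname is resolved); otherwise rename them for consistency.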
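Review bot: in selfAddPersonalAccess.rst, --proxy-user is described as "mandatory when --proxy-host is specified" and, two lines later, as defaulting "to --user value for convenience" when connecting via SSH. The two statements read as contradictory unless the reader already knows that the mandatory rule applies to the plugin and the default to direct SSH connections; say that explicitly. The default sentence is also absent from accountAddPersonalAccess.rst and groupAddServer.rst, which describe the same option, so either add it there or explain why it only applies here.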
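Review bot: in whoHasAccessTo.rst the --proxy-host description is missing its closing parenthesis ("Proxy host allowed (if egress connection goes through a proxyjump"), while --proxy-user and --proxy-port close theirs. The options are also listed user, host, port here, where the other files use host, port, user, and the text says "proxyjump" where the rest of the patch says "proxy/jump host". All three points need fixing in the plugin help text, since these files are generated.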