@ -30,16 +30,21 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
--account ACCOUNT Bastion account to work on
--pam-auth-bypass yes|no Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'),
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
does not change the behaviour of the code, just the PAM auth handled by SSH itself
--mfa-password-required yes|no|bypass Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no password will ever be asked, even for groups or plugins explicitly requiring it
--mfa-totp-required yes|no|bypass Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'.
'bypass' means setting ``StrictHostKeyChecking=no`` and ``UserKnownHostsFile=/dev/null``,
which will permit egress connections in all cases, even when host keys change all the time on the same target.
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
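Review bot: two grammar slips in the new help text for `--egress-strict-host-key-checking`: "This effectively suppress the host key checking entirely" should read "suppresses", and "the same meaning that what is documented in `man ssh_config`" should be "the same meaning as what is documented". Documentation-wise the replacement is the right fix, since the old text under this option repeated the "overrides the global bastion configuration 'accountMFAPolicy' ... no OTP will ever be asked" sentences that belong to `--mfa-totp-required` and said nothing about host keys. Since 'bypass' sets `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`, consider stating the consequence explicitly next to "Please don't enable this blindly": a changed or substituted host key on the egress target is never detected or recorded, so the operator knows what the warning is about.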