jon4hz
2637281424
fix: missing syslog-ng config for bastion-scripts
1 month ago
Stéphane Lesimple
b0868c1f29
enh: better interaction between systemd units and /home encryption
3 months ago
Stephane Lesimple
44488e8300
fix: add accountGidMin to avoid stealing an account's GID
...
Between account system groups (bearing the same GID number
as the UID they pertain to) and bastion groups, there
might be collisions on bastions with a very high amount
of both accounts and groups.
This is only of importance if you're using fixed UIDs
to create accounts, and can't let the system pick the
UIDs itself (for example because these UIDs are referenced
in some other system of your company).
This fix applies a GID shifting to all the bastion groups
to ensure they can never take a GID that would pertain to
a later-to-be-created account with a fixed GID.
This shift amount is configurable in bastion.conf as
``accountGidMin``, 500000 by default.
Use the updated bin/admin/fix-group-gid.sh script to shift any
preexisting group GID that would be out of the new groupGidMin range.
3 months ago
Stéphane Lesimple
98336fdafe
feat: httpproxy: add support for more HTTP methods (#601)
...
By default this stays as before (GET and POST),
but more methods can be allowed through the
HTTP Proxy configuration.
4 months ago
jon4hz
9daf0007e1
feat: switch banner if node is sealed
7 months ago
Stéphane Lesimple
9529ec07fa
doc: note about the refresh of bastion.conf (#573)
7 months ago
Stéphane Lesimple
c4112994f4
chg: drop Debian 10, preliminary support for Debian 13
8 months ago
Nabil
fcc3044903
Fix: typos
1 year ago
Stéphane Lesimple
11cb6ce351
feat: httpproxy: optional support for plain http on egress
1 year ago
Roy van Baekel
c9503f50e7
Implement ssh --forward-agent | -x functionality
1 year ago
Stéphane Lesimple
fdb6c292a8
chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
...
To avoid confusion, we now use 'subnet' to talk about a subnet
represented with the CIDR notation, such as 10.0.0.0/8.
In that case:
- 10.0.0.0/8 is a 'subnet'
- 10.0.0.0 is the 'prefix'
- 8 is the 'prefix length', or by extension the 'subnet length'
Use these words everywhere in the code and documentation for clarity.
1 year ago
Stéphane Lesimple
8d33197061
feat: IPv6 support
1 year ago
Stéphane Lesimple
1d9ae483da
chg: set ECDSA as default egress key algo for new installs
1 year ago
Stéphane Lesimple
92bc512050
feat: add assetForgetHostKey
1 year ago
Stéphane Lesimple
4ef9c6ddde
feat: add --egress-session-multiplexing option to accountModify
2 years ago
Stéphane Lesimple
f4de5957a3
feat: add groupSetServers
2 years ago
Stéphane Lesimple
3d2cf21e0b
release v3.16.99-rc1
2 years ago
Stéphane Lesimple
cccbdc09f3
chg: Debian12, Ubuntu20+: enable sntrup KEX by default
2 years ago
Stéphane Lesimple
914d8b30b4
chg: remove support for EOL CentOS 7
2 years ago
Stéphane Lesimple
47b51c79ee
feat: accountFreeze: terminate running sessions if any
2 years ago
Stéphane Lesimple
3c9382a192
enh: use print_accepted_key_algorithms everywhere
2 years ago
Pierre-Elliott Bécue
d0ac9eabb9
Implement Ingress Secure Keys
2 years ago
Cody Robertson
f51bee273e
Adjust etc/pam.d/sshd.rhel configuration
...
- Fix logic error breaking MFA handling if enabled
2 years ago
Stéphane Lesimple
7423f6ad63
feat: add dnsSupportLevel option for systems with broken DNS (fixes #397)
2 years ago
Stéphane Lesimple
f022bd9ac8
feat: add ttyrecStealthStdoutPattern config
...
Commands that generate a lot of stdout output and are M2M workflows, such as rsync,
can now be excluded from ttyrec to avoid filling up drives
2 years ago
Stéphane Lesimple
fd6850c7ef
fix: osh-sync-watcher: default to a valid rshcmd (fixes #433)
2 years ago
Stéphane Lesimple
b48463076f
feat: osh.pl: jit mfa for plugins
2 years ago
Stéphane Lesimple
708efd90ca
chore: add RockyLinux 9 support
3 years ago
Stéphane Lesimple
455fd8b8c3
chore: remove deprecated UseRoaming option from ssh_config
3 years ago
Stéphane Lesimple
4cdd52d85f
chore: add Debian 12 to tests
...
Note that Debian 12 is not released yet, so it's not yet supported.
3 years ago
Stéphane Lesimple
49dc104dd7
chore: push sandbox and tester images from Deb10 to Deb11
...
Also remove old config files from previously dropped OS versions
3 years ago
Stéphane Lesimple
036f921c40
feat: add accountFreeze/accountUnfreeze
3 years ago
Stéphane Lesimple
7fafeb3e1d
doc: osh-encrypt-rsync.conf: add verbose
4 years ago
Stéphane Lesimple
73b6a625f5
feat: add support and tests for Ubuntu 22.04 LTS
4 years ago
Stéphane Lesimple
ee776707c1
chore: standardize doc generation for config files
4 years ago
Stéphane Lesimple
a7462c0ac7
enh: use snake_case for system scripts json config files
4 years ago
Stéphane Lesimple
e71aa7b975
feat: add osh-cleanup-guest-key-access.pl script
...
This script removes system-level access to group keys to old guests
of groups that no longer have any active access to servers of that group.
This only happens when the last access to be removed from them had a TTL.
4 years ago
Stéphane Lesimple
f43fdaaf82
enh: osh-lingering-sessions-reaper: make it configurable
4 years ago
Stéphane Lesimple
2c2064a484
feat: osh-encrypt-rsync: handle sqlite and user logs along with ttyrec files
4 years ago
Stéphane Lesimple
86c7bf39e6
remove compress-old-logs script, as osh-encrypt-rsync will do the job instead
4 years ago
Stéphane Lesimple
9d371f90a9
doc: add documentation for osh-remove-empty-folders
4 years ago
Stéphane Lesimple
7bb0843de1
feat: add osh-remove-empty-folders.sh
4 years ago
Stéphane Lesimple
415bc9b903
doc: add more info about root 2FA in sshd_config templates
4 years ago
Stéphane Lesimple
a68ccb3f8c
feat: add new OSes and deprecate old ones
...
add:
- Debian 11
- RockyLinux 8
remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
4 years ago
Stéphane Lesimple
aaaa173764
feat: add the accountUnlock restricted plugin
4 years ago
Stéphane Lesimple
89ecb2c0d7
feat: add support for Duo PAM auth as MFA (#249)
5 years ago
Christophe Crochet
d85298f229
new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required
5 years ago
madx
ea8ed97a34
new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both
5 years ago
Jean "henyxia" Wasilewski
b40a2fd6e3
fix: add superowner group requirement
...
Signed-off-by: Jean "henyxia" Wasilewski <henyxia@revs0.com>
5 years ago
Stéphane Lesimple
b58388a3d9
feat: add --proactive-mfa and mfa/nofa interactive commands
...
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to work around problems
in commands such as ``clush`` or ``batch``, and interactive mode.
5 years ago