the-bastion

Commit Graph

Author	SHA1	Message	Date
Stéphane Lesimple	f77b8a25d3	fix: accountList: crash in some cases	3 years ago
Stéphane Lesimple	5cfb049a82	chore: doc: adding plugin configuration autogeneration	3 years ago
Stéphane Lesimple	cf405badfb	feat: add 2 configurable knobs to (self\|account)AddPersonalAccess widest_v4_prefix (maximum allowed prefix to add in a single ACL), and self_remote_user_only (only allow ACLs where the remote user is the same than the bastion account name)	3 years ago
Stéphane Lesimple	482eddb10c	feat: plugins: add loadConfig parameter & config validator support	3 years ago
Stéphane Lesimple	0515753f91	fix: add missing autocompletions, readonly flags and help category for some plugins	3 years ago
Stéphane Lesimple	f7f1514dd0	fix: groupInfo: show group name in human-readable output	3 years ago
Stéphane Lesimple	84687256a8	fix: --force-key wasn't working for groups Fixes #259	3 years ago
Stéphane Lesimple	eb9a25a9ac	fix: groupInfo: empty gk and guest accesses list Introduced in `7a825aeec4`	3 years ago
Stéphane Lesimple	7a825aeec4	feat: add --all to groupInfo and accountInfo	3 years ago
Stéphane Lesimple	f4abfc1ba8	feat: add sftp support	3 years ago
Stéphane Lesimple	036f921c40	feat: add accountFreeze/accountUnfreeze	3 years ago
Stéphane Lesimple	0e787f4ea9	enh: accountInfo: add --no-password-info and --no-output	3 years ago
Stéphane Lesimple	521836b17b	fix: rare race condition introduced by `b7f4909` Under some specific conditions, the execute() call could get deadlocked with the program it started, both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin, where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.	3 years ago
Stéphane Lesimple	21f29680b6	fix: basic mitigation for scp's CVE-2020-15778 This CVE will not be fixed by scp authors, and as far as The Bastion is concerned, this can't be achieved by anybody that doesn't already have shell access to the remote server in addition to the scp rights, but let's still block it for good measure.	3 years ago
Stéphane Lesimple	720222c423	fix: batch: don't attempt to read if stdin is closed	4 years ago
Stéphane Lesimple	8c82c3441b	fix: accountInfo wasn't showing TTL account expiration #329	4 years ago
Stéphane Lesimple	7b3c721f66	doc: add a missing parameter in ping's help	4 years ago
Stéphane Lesimple	a86f25470a	chore: selfListEgressKeys: fix typo	4 years ago
Stéphane Lesimple	72cefa6417	fix: performance issues introduced by `effab4a` Commit that introduced the performance degradation is `effab4a` (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%)	4 years ago
Thomas Soëte	da6d80bef1	fix: Bad plugin name	4 years ago
Stéphane Lesimple	3540dc309c	enh: groupInfo: clearer message for disabled idle/kill timeout policies	4 years ago
Stéphane Lesimple	46a01a546a	feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts	4 years ago
Stéphane Lesimple	6fb528ccf1	chore: rename some vars for clarity	4 years ago
Stéphane Lesimple	e040afb074	chore: new perltidy rules	4 years ago
Stéphane Lesimple	bd2f069c7e	enh: print a msg when no ingress keys are found	4 years ago
Stéphane Lesimple	4f99c4fe6c	fix: ping: force a deadline, and restore default sighandlers	4 years ago
Stéphane Lesimple	884b4bbaf0	fix: install: ensure that the healthcheck user can always connect from 127.0.0.1 Regardless of the bastion config about the ingressKeysFrom configuration	4 years ago
Romain Beuque	c1ca9b6374	fix: typo in the 'alive' command Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com>	4 years ago
Stéphane Lesimple	effab4a5c2	fix: workaround for undocumented caching in getpw/getgr funcs	4 years ago
Stéphane Lesimple	6baa61a7f4	fix: accountInfo: missing creation date on non-json output	4 years ago
Stéphane Lesimple	f609565fe8	enh: batch: detect when asked to start a plugin requiring MFA	4 years ago
Stéphane Lesimple	f8f193b298	enh: selfMFASetupPassword: add more messages for the user	4 years ago
Stéphane Lesimple	aaaa173764	feat: add the accountUnlock restricted plugin	4 years ago
Stéphane Lesimple	7cc350b40d	chore: check for spurious args in all helpers	4 years ago
Stéphane Lesimple	373f4907de	fix: tests under OpenSUSE (fping raw sockets)	4 years ago
Christophe Crochet	ff40617624	update of --force-password: guest support, autocompletion, new tests, code cleanups	4 years ago
Christophe Crochet	e4b132ed9a	new access option: --force-password <HASH>, to only try one specific password	4 years ago
Stéphane Lesimple	89ecb2c0d7	feat: add support for Duo PAM auth as MFA (#249 )	5 years ago
Stéphane Lesimple	00aa2e7efc	fix: selfMFASetupTOTP: bad return func	5 years ago
Christophe Crochet	d85298f229	new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required	5 years ago
madx	ea8ed97a34	new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both	5 years ago
Stéphane Lesimple	a65cbd55b8	accountPIV: fix bad autocompletion rule	5 years ago
Stéphane Lesimple	f64cf79260	chore: rename an envvar for clarity	5 years ago
Stéphane Lesimple	4a21cfc421	enh: add --max-inactive-days to accountCreate	5 years ago
Stéphane Lesimple	ef10d509fd	enh: add max_inactive_days to account configuration (#230 )	5 years ago
Stéphane Lesimple	15cb2c2453	enh: accountInfo: add --list-groups Listing groups can be slow on bastions having thousands of groups, hence this is now disabled by default.	5 years ago
Stéphane Lesimple	9b2aa996b3	enh: better use of account creation metadata Store account creation information in a JSON. Display this information in `accountInfo` for auditors.	5 years ago
Stéphane Lesimple	2390f56c9a	chore: groupCreate: fix help message	5 years ago
thibault.dewailly	5415ed2793	Feat: Add admin and super owner accounts list in info plugin For auditing purposes, get admin and super owner list in info plugin Available for auditor role only Closes #206	5 years ago
Stéphane Lesimple	d400ceeb9f	doc: clush: document --user and --port Partly fixes #201	5 years ago
Thomas Soëte	c61a3eaae9	Remove duplicate groupAddGuestAccess groupDelGuestAccess groupAddGuestAccess groupDelGuestAccess are present twice in help	5 years ago
Stéphane Lesimple	3925e67d43	feat: add groupDestroy command for owners This command deletes a group, as `groupDelete` does, but works for owners so that they can delete their own group. `groupDelete` remains as a restricted command, able to delete any group. Closes #40.	5 years ago
Stéphane Lesimple	8cc990ad57	feat: add filtering options to several cmds,nicify print_acls() The commands selfListAccesses, accountListAccesses, groupList, groupListServers, groupListGuestAccesses and accountList now have options to filter their output through pattern matching, with --include and --exclude. The output from the commands using print_acls() is also more human-friendly, with auto-adjusting column length, and empty columns omitted. Closes #60.	5 years ago
Stéphane Lesimple	adb9d8c374	feat: add UTF-8 chars to output when supported and allowed To enhance the readability and visibility of important messages (such as critical ones). This can be disabled with the `allowUTF8` global option set to `false`. It's never enabled if the user locale or their terminal don't seem to support it.	5 years ago
Stéphane Lesimple	344865884b	fix: groupCreate: deny groups starting with 'key' Mitigates #178	5 years ago
Stéphane Lesimple	68e088a607	doc: accountModify: more details on the --egress-strict-host-key-checking option	5 years ago
Jonathan Marsaud	b7b2533604	accountModify - Add a new `accept-new` POLICY in egress-strict-host-key-checking parameter	5 years ago
Stéphane Lesimple	c2b4bb192a	fix: osh-help: put groupDelEgressKey in the proper category Fixes #174	5 years ago
Stéphane Lesimple	e412083272	fix: accountCreate: incorrect help message (#167 )	5 years ago
Stéphane Lesimple	5ec805f26b	fix: groupGenerateEgressKey: --help wasn't working properly	5 years ago
Stéphane Lesimple	c5cd5d4464	fix: groupDelServer: missing autocompletion in interactive mode	5 years ago
Stéphane Lesimple	255f0684cc	fix: scp: abort early if host is not found to avoid a warn() The following warn would happen if the scp wrapper was called with an invalid hostname: Use of uninitialized value in bitwise and (&) at /usr/share/perl5/Net/Netmask.pm line 699. at /opt/bastion/bin/plugin/open/../../../lib/perl/OVH/Bastion.pm line 41. OVH::Bastion::__ANON__("Use of uninitialized value \ in bitwise and (&) at /usr/shar"...) called at /usr/share/perl5/Net/Netmask.pm line 697 Net::Netmask::match(Net::Netmask=HASH(0x55b1d5f11860), undef) called at /opt/bastion/lib/perl/OVH/Bastion/allowdeny.inc line 214 OVH::Bastion::is_access_way_granted("port", 22, "exactUserMatch", 1, "ipfrom", "X.X.X.X", "ip", undef, ...) called at /opt/bastion/lib/perl/OVH/Bastion/allowdeny.inc line 688 OVH::Bastion::is_access_granted(\"account\", \"johndoe\", \"user\", \"!scpupload\", \"ipfrom\", \"X.X.X.X\", \"ip\", undef, ...) called at /opt/bastion/bin/plugin/open/scp line 136	5 years ago
Stéphane Lesimple	4fd010c355	chore: microfixes after review	5 years ago
Stéphane Lesimple	8a0f7c6b4f	fix: accountInfo: get rid of a warn() This occurred since v3.01.99-rc1 when requesting an accountInfo of an account without an ingress_piv_policy set. Use of uninitialized value in concatenation (.) or string at /usr/share/perl/5.28/Term/ANSIColor.pm line 510. at /opt/bastion/bin/plugin/restricted/../../../lib/perl/OVH/Bastion.pm line 41. OVH::Bastion::__ANON__("Use of uninitialized value \ in concatenation (.) or st"...) called at /usr/share/perl/5.28/Term/ANSIColor.pm line 510 Term::ANSIColor::colored(undef, "green") called at /opt/bastion/bin/plugin/restricted/accountInfo line 178	5 years ago
Stéphane Lesimple	edb1b77dfc	feat: auto-add hostname as comment in groupAddServer / selfAddPersonalAccesss Implements a side suggestion of #60	5 years ago
Stéphane Lesimple	383f2a011c	enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17	5 years ago
Stéphane Lesimple	5eb5135d26	doc: update	5 years ago
Stéphane Lesimple	e760cf6142	feat: add groupGenerateEgressKey and groupDelEgressKey	5 years ago
Stéphane Lesimple	e235199715	fix: groupModify: deny early if user is not an owner of the group This way, the error message is clearer	5 years ago
Stéphane Lesimple	7eeccb7c5d	enh: groupInfo: nicer message when no egress key exists	5 years ago
Stéphane Lesimple	efe3710e4c	feat: groupList/accountList: add --include --exclude	5 years ago
Stéphane Lesimple	148d5206e5	enh: rootListIngressKeys: look for all well-known authkeys files	5 years ago
Stéphane Lesimple	69778815bb	enh: groupList: use cache to speedup calls On bastions with thousands of group, the speedup is ~x10	5 years ago
Pierre Kuhner	e7e045a40d	fix: confusing error messages in groupDelServer	5 years ago
Stéphane Lesimple	1676979913	feat: add PIV keys support and policy enforcement A new global option 'ingressRequirePIV' was added, to enable or disable a bastion-wide policy forcing everybody to use only PIV keys.	5 years ago
Stéphane Lesimple	a204313af9	feat: accountModify: add --osh-only (closes #97 )	5 years ago
Stéphane Lesimple	03ad1da046	chore: perlcritic: including forgotten .inc files	5 years ago
Thomas Soëte	9647ae9cdb	fix: Fix 'selfAddPersonalAccess' helptext	5 years ago
Stéphane Lesimple	4cb09a9570	nh: remove hardcoded .ssh/authorized_keys2 everywhere	5 years ago
Stéphane Lesimple	71cd9a46df	Merge branch 'master' into autocompletion	5 years ago
Stéphane Lesimple	9fb6b8d444	enh: accountCreate: handle --uid-auto in autocompletion rules	5 years ago
Thomas SOËTE	ef531308d5	enh: doc: add from parameter as it is mandatory	5 years ago
Stéphane Lesimple	f07e00b1e9	Merge branch 'master' into adminSudo	5 years ago
Stéphane Lesimple	e2a64a9d8f	enh: adminSudo: better autocompletion rules	5 years ago
Thomas SOËTE	2a51a78b54	fix: Enable perl-tidy.sh test * Move to ubuntu-20.04 runner * Remove check in dockers tests	5 years ago
Thomas SOËTE	632076565e	Fix sort of the list of past sessions	6 years ago
Stéphane Lesimple	60cea897f8	enh: osh.pl: replace harcoded selfMFASetupPassword logic by configuration	6 years ago
snk33	7685114cfd	allow adminSudo plugin to read from stdin add expects_stdin to the execute call so an admin will be able to replay session from another account	6 years ago
Stéphane Lesimple	5c72c92bdd	chore: fix typos everywhere	6 years ago
Stéphane Lesimple	d3a7818046	Merge pull request #10 from ovh/issue-8 fix: accountModify is master-only	6 years ago
Stéphane Lesimple	4b8b1457e9	fix: accountModify is master-only	6 years ago
Romain Beuque	cb1e54b42a	clush: change description for --no-pause-on-failure to represent the actual behavior Signed-off-by: Romain Beuque <romain.beuque@ovhcloud.com>	6 years ago
Stéphane Lesimple	fde20136ef	Initial commit	6 years ago

1 2 3

143 Commits (jsonvalidator)