Skip to content

Commit

Permalink
feat: add --egress-session-multiplexing option to accountModify
Browse files Browse the repository at this point in the history
  • Loading branch information
speed47 committed Sep 12, 2024
1 parent 733e67e commit d90a6ba
Show file tree
Hide file tree
Showing 5 changed files with 67 additions and 0 deletions.
44 changes: 44 additions & 0 deletions bin/helper/osh-accountModify
Original file line number Diff line number Diff line change
Expand Up @@ -398,6 +398,50 @@ foreach my $tuple (@modify) {
}
}
}
elsif ($key eq 'egress-session-multiplexing') {
osh_info "Changing the egress ControlMaster/ControlPath options for this account...";
my $controlPath;
my $controlMaster;
if ($value eq 'default') {
# keep both vars undef, which will remove them from the account config file
;
}
elsif ($value eq 'yes') {
$controlMaster = 'auto';
# '~' is handled by ssh_config as the account's home directory
# '%C' is a hash of local hostname, remote host, remote user, remote port
$controlPath = "~/tmp/ssh_egress_%C";
}
elsif ($value eq 'no') {
# never create a master connection
$controlMaster = 'no';
# 'none' is understood specifically for ssh_config as 'never try to use a master connection'
$controlPath = 'none';
}
else {
osh_warn "Invalid parameter '$value', skipping";
$result{$jsonkey} = R('ERR_INVALID_PARAMETER');
}
$fnret = OVH::Bastion::account_ssh_config_set(
account => $account,
key => "ControlMaster",
value => $controlMaster,
);
if ($fnret) {
$fnret = OVH::Bastion::account_ssh_config_set(
account => $account,
key => "ControlPath",
value => $controlPath,
);
}
$result{$jsonkey} = $fnret;
if ($fnret) {
osh_info "... modification done";
}
else {
osh_warn "... error while setting policy: $fnret";
}
}
elsif ($key eq 'personal-egress-mfa-required') {
osh_info
"Changing the MFA policy for egress connections using the personal access (and keys) of the account...";
Expand Down
11 changes: 11 additions & 0 deletions bin/plugin/restricted/accountModify
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
"pam-auth-bypass=s" => \$modify{'pam-auth-bypass'},
"always-active=s" => \$modify{'always-active'},
"egress-strict-host-key-checking=s" => \$modify{'egress-strict-host-key-checking'},
"egress-session-multiplexing=s" => \$modify{'egress-session-multiplexing'},
"personal-egress-mfa-required=s" => \$modify{'personal-egress-mfa-required'},
"idle-ignore=s" => \$modify{'idle-ignore'},
"max-inactive-days=i" => \$modify{'max-inactive-days'},
Expand Down Expand Up @@ -47,6 +48,10 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
--egress-session-multiplexing POLICY Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:
'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
Expand Down Expand Up @@ -110,6 +115,12 @@ if ($modify{'personal-egress-mfa-required'} && !grep { $modify{'personal-egress-
osh_exit 'ERR_INVALID_PARAMETER',
"Expected option 'password', 'totp', 'any', 'none' to --personal-egress-mfa-required";
}
if ($modify{'egress-session-multiplexing'} && !grep { $modify{'egress-session-multiplexing'} eq $_ }
qw{ yes no default })
{
help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected option 'yes', 'no' or 'default' --egress-session-multiplexing";
}
if ($modify{'max-inactive-days'} && $modify{'max-inactive-days'} !~ /^(?:\d+|-1)$/) {
help();
osh_exit "ERR_INVALID_PARAMETER",
Expand Down
4 changes: 4 additions & 0 deletions bin/shell/osh.pl
Original file line number Diff line number Diff line change
Expand Up @@ -1570,6 +1570,10 @@ sub main_exit {
# then convert to json:
$ENV{'LC_BASTION_DETAILS'} = encode_json(\@details_json);

# make sure $home/tmp exists, as it might be used for egress ssh connection multiplexing.
# just attempt to create it instead of check+create, as it's not faster to do otherwise.
mkdir "$home/tmp", 0700;

# here is a nice hack to drastically improve the memory footprint of a
# heavily used bastion. we exec() another script that is way lighter, see
# comments in the connect.pl file for more information.
Expand Down
7 changes: 7 additions & 0 deletions doc/sphinx/plugins/restricted/accountModify.rst
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,13 @@ Modify an account configuration
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
.. option:: --egress-session-multiplexing POLICY

Modify the egress SSH behavior of this account regarding ``ControlMaster`` and ``ControlPath``. POLICY can be:

'yes', setting ``ControlMaster`` to 'auto' and setting ``ControlPath`` properly for session sharing,
'no', setting ``ControlMaster`` to 'no' and ``ControlPath`` to 'none',
'default', removing this account ``ControlMaster`` and ``ControlPath`` overrides altogether.
.. option:: --personal-egress-mfa-required POLICY

Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
Expand Down
1 change: 1 addition & 0 deletions etc/bastion/osh-sync-watcher.rsyncfilter.dist
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
- /home/*/*.log
- /home/*/*.gz
- /home/*/lastlog
- /home/*/tmp/
- /home/*/.ssh/known_hosts

+ /home/*/***
Expand Down

0 comments on commit d90a6ba

Please sign in to comment.