
User suffix for device/network #461

Closed
killsudo opened this issue Apr 1, 2024 · 3 comments
Labels
feature This is a new feature request

Comments

@killsudo

killsudo commented Apr 1, 2024

Would it be possible to have a 'Server' include an optional field for a username suffix? This would be helpful for ssh devices that expose access to additional devices.

Use case: Opengear serial console servers for out-of-band access in networks.

The device consumes a username+delimiter+port_name@device_ip to expose a unique serial port directly over ssh.

Example:
ssh [email protected]

What we would like to achieve is 'any-user' + suffix @ host stored in bastion.

osh:
groupAddServer --group Site01.OOB --user_suffix "+port_3" --host console1 --user-any --port 22 --comment "Site01 - Serial Port 3"

Result:
bssh admin1+port_3@console1

Bastion checks user's access to console1 and suffix '+port_3' then allows the egress connection.

Benefit:
Users can list out group 'Site01.OOB' to show all available serial ports with associated device ip + suffix available to them.

@speed47
Collaborator

speed47 commented Apr 3, 2024

Hello,

If I understand correctly, your use case could work with a more generic version of what you're proposing, by supporting wildcards in --user. Namely * (matching any number of characters) and ? (matching exactly one character), that would be evaluated at runtime when somebody is requesting a connection.

This would translate, in your example, as:
groupAddServer --group Site01.OOB --user "?*+port_3" --host console1 --port 22

The ?* would be to force the "prefix" to have at least one character, i.e. connecting as +port_3 would be refused, but connecting as admin1+port_3, user12+port_3 or root+port_3 would all be allowed.

Note that the same mechanic would also enable a similar use case: johndoe+*, that could be added as a personal access to some user, allowing them to connect as johndoe to any port of the opengear.

Would this work for you?
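As an added illustration (example code written for this page, not the project's own code and not code from either commenter), the following Python model implements the wildcard semantics described in the comment above: `*` matches any run of characters, `?` matches exactly one, and every other character is literal. The `ServerAccess` entries, `find_access` function and the sample ACL are constructed for the example; `effective_user_pattern` models the later remark that --user-any would become a synonym of --user *.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServerAccess:
    """One access entry, modelled on the fields groupAddServer takes (constructed)."""
    user: str           # wildcard pattern: '*' = any run of chars, '?' = exactly one
    host: str
    port: int
    comment: str = ""


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a --user wildcard pattern into a regex.

    Only '*' and '?' are special; every other character is escaped, so the
    '+' delimiter used by the console server is matched literally instead of
    being read as a regex quantifier.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def user_matches(pattern: str, requested_user: str) -> bool:
    """True if the whole requested username satisfies the pattern.

    fullmatch anchors both ends: "?*+port_3" accepts admin1+port_3 but refuses
    "+port_3" (the '?' needs one character) and "admin1+port_30" (trailing
    characters are not covered by the pattern). An empty username never matches,
    even against "*".
    """
    if not requested_user:
        return False
    return wildcard_to_regex(pattern).fullmatch(requested_user) is not None


def effective_user_pattern(user: Optional[str], user_any: bool) -> str:
    """--user-any is treated as a synonym of --user '*' (assumption from the thread)."""
    if user_any:
        return "*"
    if not user:
        raise ValueError("either --user PATTERN or --user-any is required")
    return user


def find_access(acl: List[ServerAccess], requested_user: str,
                host: str, port: int) -> Optional[ServerAccess]:
    """Return the first entry that grants requested_user@host:port, or None."""
    for entry in acl:
        if (entry.host == host and entry.port == port
                and user_matches(entry.user, requested_user)):
            return entry
    return None


# Constructed sample ACL mirroring the thread's examples.
SAMPLE_ACL = [
    ServerAccess(user=effective_user_pattern("?*+port_3", False), host="console1",
                 port=22, comment="Site01 - Serial Port 3"),
    ServerAccess(user="johndoe+*", host="console1", port=22,
                 comment="personal access: johndoe to any serial port"),
    ServerAccess(user=effective_user_pattern(None, True), host="jumphost", port=22,
                 comment="legacy --user-any entry"),
]


if __name__ == "__main__":
    for user, host in [("admin1+port_3", "console1"), ("+port_3", "console1"),
                       ("johndoe+port_7", "console1"), ("janedoe+port_7", "console1"),
                       ("anyone", "jumphost")]:
        entry = find_access(SAMPLE_ACL, user, host, 22)
        print(f"{user}@{host}: " + (f"allowed ({entry.comment})" if entry else "refused"))
```

Two details matter when this is done for real: the pattern must be escaped before it becomes a regex (otherwise the `+` in `+port_3` is a quantifier), and the match must be anchored to the whole username, or `?*+port_3` would also accept `admin1+port_30` and grant a port the entry was never meant to cover.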

@killsudo
Author

killsudo commented Apr 3, 2024

That sounds like a very elegant solution that would work perfectly for these types of devices. It would also eliminate the need to adjust the username validation check to deal with delimiters used by these types of devices.

@speed47
Collaborator

speed47 commented Apr 4, 2024

Good, I'll draft a branch to test this implementation. In the end, --user-any would become a synonym of --user *

@speed47 speed47 added the feature This is a new feature request label Apr 4, 2024
@speed47 speed47 closed this as completed in 2e96603 Jul 2, 2024