starred/the-bastion
1
0
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2026-05-09 16:35:33 +02:00
Code Issues 46 Projects Packages Wiki Activity

[GH-ISSUE #392] Enforce connecting with user login8 on group access server #106

New issue
Closed
opened 2026-05-07 00:19:02 +02:00 by BreizhHardware · 2 comments
BreizhHardware commented 2026-05-07 00:19:02 +02:00
Owner
Copy link

Originally created by @al26p on GitHub (Apr 27, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/392

Hi,

Currently there is only the possibility to connect as (any) or as a certain user with Group Access.
Having the possibility to connect as (self) would be perfect !

│ Dear aprats, you have access to the following servers:
│              IP  PORT   USER                 ACCESS-BY ADDED-BY   ADDED-AT                                COMMENT
│ --------------- ----- ------ ------------------------- -------- ---------- --------------------------------------
│    11.11.111.1    22  (self) my-group(group-member)     gadmin  2021-11-15    mysuperserver.ovh

On this example I should only be able to connect as apratson mysuperserver.ovh

Thanks for your work !

Originally created by @al26p on GitHub (Apr 27, 2023). Original GitHub issue: https://github.com/ovh/the-bastion/issues/392 Hi, Currently there is only the possibility to connect as (any) or as a certain user with Group Access. Having the possibility to connect as (self) would be perfect ! ``` │ Dear aprats, you have access to the following servers: │ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT COMMENT │ --------------- ----- ------ ------------------------- -------- ---------- -------------------------------------- │ 11.11.111.1 22 (self) my-group(group-member) gadmin 2021-11-15 mysuperserver.ovh ``` On this example I should only be able to connect as `aprats`on mysuperserver.ovh Thanks for your work !
BreizhHardware 2026-05-07 00:19:02 +02:00
  • closed this issue
  • added the
    feature
         label
BreizhHardware commented 2026-05-07 00:19:03 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Apr 27, 2023):

Interesting, I think we can extend --user <user> and --user-any with --user-self indeed

<!-- gh-comment-id:1525932519 --> @speed47 commented on GitHub (Apr 27, 2023): Interesting, I think we can extend `--user <user>` and `--user-any` with `--user-self` indeed
BreizhHardware commented 2026-05-07 00:19:04 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Jun 1, 2023):

So, I've implemented this feature a bit differently in cf405badfb.

The idea is that if I had implemented something like --user-self in groups, this would have implied that all accounts on the remote server would have to share the same SSH key (namely, the group's egress key).

For example if we have 5 members in a group, and these 5 members would connect remotely using their own account name as the remote user name, because an ACL targeting the remote server would have been added with --user-self, the remote server would need to have 5 Linux accounts bearing these names, all sharing the group's egress key. This is already a bad practice per se, but it also means that if one of the group's ACLKeeper later added a new ACL with --user-any targeting the same remote server (or any CIDR in which the remote server would be included), any of these 5 members could connect using any of the 5 remote accounts on the remote server, which is probably not wanted at all. This would be an error on the ACLKeepers side, but it's not extremely obvious hence I don't want to add a feature that would make it too easy to make the mistake.

So, back to the feature I've implemented instead: two new options are available in the selfAddPersonalAccess plugin: widest_v4_prefix and self_remote_user_only, the documentation is available here. You can use this to allow this command to everyone (as explained here, but setting self_remote_user_only will ensure that accounts can only add accesses with their own account name as the remote user name. widest_v4_prefix optionally helps to further prevent abuse/misuse of this.

Another option is to auto-add such accesses directly on account creation (without requiring to grant selfAddPersonalAccess to users), as explained here.

<!-- gh-comment-id:1571766360 --> @speed47 commented on GitHub (Jun 1, 2023): So, I've implemented this feature a bit differently in cf405badfbed727bbfb4aa826f35dc268fd1160a. The idea is that if I had implemented something like `--user-self` in groups, this would have implied that all accounts on the remote server would have to share the same SSH key (namely, the group's egress key). For example if we have 5 members in a group, and these 5 members would connect remotely using their own account name as the remote user name, because an ACL targeting the remote server would have been added with `--user-self`, the remote server would need to have 5 Linux accounts bearing these names, *all sharing the group's egress key*. This is already a bad practice per se, but it also means that if one of the group's ACLKeeper later added a new ACL with `--user-any` targeting the same remote server (or any CIDR in which the remote server would be included), any of these 5 members could connect using any of the 5 remote accounts on the remote server, which is probably not wanted at all. This would be an error on the ACLKeepers side, but it's not extremely obvious hence I don't want to add a feature that would make it too easy to make the mistake. So, back to the feature I've implemented instead: two new options are available in the `selfAddPersonalAccess` plugin: `widest_v4_prefix` and `self_remote_user_only`, the documentation is available [here](https://ovh.github.io/the-bastion/plugins/restricted/selfAddPersonalAccess.html#plugin-configuration). You can use this to allow this command to everyone (as explained [here](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#accountcreatesupplementarygroups), but setting `self_remote_user_only` will ensure that accounts can only add accesses with their own account name as the remote user name. `widest_v4_prefix` optionally helps to further prevent abuse/misuse of this. Another option is to auto-add such accesses directly on account creation (without requiring to grant `selfAddPersonalAccess` to users), as explained [here](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#accountcreatedefaultpersonalaccesses).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
expifix
groupcreate_fix_uid
fix_group_gid_fast
gh-pages
clush
expiration
jsonvalidator
v3.23.01
v3.23.00
v3.22.00
v3.21.00
v3.20.00
v3.19.01
v3.19.00
v3.18.99-rc1
v3.18.00
v3.17.01
v3.17.00
v3.16.99-rc3
v3.16.99-rc2
v3.16.99-rc1
v3.16.01
v3.16.00
v3.15.00
v3.14.16
v3.14.15
v3.14.00
v3.13.01
v3.13.00
v3.12.00
v3.11.02
v3.11.01
v3.11.00
v3.10.00
v3.09.02
v3.09.00-really
v3.09.00
v3.09.00-rc3
v3.09.00-rc2
v3.09.00-rc1
v3.08.01
v3.08.00
v3.07.00
v3.06.00
v3.05.01
v3.05.00
v3.04.00
v3.03.99-rc2
v3.03.99-rc1
v3.03.01
v3.03.00
v3.02.00
v3.01.99-rc4
v3.01.99-rc3
v3.01.99-rc2
v3.01.99-rc1
v3.01.03
v3.01.02
v3.01.01
v3.01.00
v3.00.02
v3.00.01
v3.00.00
Labels
Clear labels   
answered

   
bug

   
documentation

   
enhancement

   
enhancement

   
feature

   
feature

   
kept-open-for-info

   
pull-request
Mirrored from GitHub Pull Request

  
question
No labels
answered
bug
documentation
enhancement
enhancement
feature
feature
kept-open-for-info
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/the-bastion#106
No description provided.