[GH-ISSUE #461] User suffix for device/network #120

Closed
opened 2026-05-07 00:19:09 +02:00 by BreizhHardware · 3 comments

Originally created by @killsudo on GitHub (Apr 1, 2024).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/461

Would it be possible to have a 'Server' include an optional field for a username suffix? This would be helpful for ssh devices that expose access to additional devices.

Usecase: Opengear serial console servers for out-of-band access in networks.

The device consumes a username+delimiter+port_name@device_ip to expose a unique serial port directly over ssh.

Example:
ssh admin1+port_3@192.168.0.1

What we would like to achieve is 'any-user' + suffix @ host stored in bastion.

osh:
groupAddServer --group Site01.OOB --user_suffix "+port_3" --host console1 --user-any --port 22 --comment "Site01 - Serial Port 3"

Result:
bssh admin1+port_3@console1

Bastion checks user's access to console1 and suffix '+port_3' then allows the egress connection.

Benefit:
Users can list out group 'Site01.OOB' to show all available serial ports with associated device ip + suffix available to them.

BreizhHardware (2026-05-07 00:19:09 +02:00) closed this issue and added the feature label.

@speed47 commented on GitHub (Apr 3, 2024):

Hello,

If I understand correctly, your use case could work with a more generic version of what you're proposing, by supporting wildcards in --user. Namely * (matching any number of characters) and ? (matching exactly one character), that would be evaluated on runtime when somebody is requesting a connection.

This would translate, in your example, as:
groupAddServer --group Site01.OOB --user "?*+port_3" --host console1 --port 22

The ?* would be to force the "prefix" to have at least one character, i.e. connecting as +port_3 would be refused, but connecting as admin1+port_3, user12+port_3 or root+port_3 would all be allowed.

Note that the same mechanic would also enable a similar use case: johndoe+*, that could be added as a personal access to some user, allowing them to connect as johndoe to any port of the opengear.

Would this work for you?


@killsudo commented on GitHub (Apr 3, 2024):

That sounds like a very elegant solution that would work perfectly for these types of devices. It would also eliminate the need to adjust the username validation check to deal with delimiters used by these types of devices.


@speed47 commented on GitHub (Apr 4, 2024):

Good, I'll draft a branch to test this implementation. In the end, --user-any would become a synonym of --user *

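The wildcard semantics proposed in the thread (`*` for any run of characters, `?` for exactly one, evaluated against the remote username at connection time, with `--user-any` becoming `--user *`), written out as an added Python example. This is illustration code, not code from the-bastion itself: the `Grant` record, the `GRANTS` table, the `SAFE_USER` character class and the `is_allowed` check are constructed assumptions for the example. The point a reviewer would check is that the glob is anchored to the whole username and that literal characters such as `+` are escaped, so `?*+port_3` admits `admin1+port_3` but refuses `+port_3`, `adminport_3` and `admin1+port_33`.

```python
import re
from dataclasses import dataclass

# Constructed for this example: characters a requested remote username may
# contain before any wildcard grant is consulted. A bare "*" grant would
# otherwise accept whitespace or control characters too, so the charset
# check runs first. The bastion's real validation rule is not reproduced here.
SAFE_USER = re.compile(r"[A-Za-z0-9._+-]+")


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a --user glob into a regex.

    '*' -> any run of characters (possibly empty), '?' -> exactly one
    character; every other character (including '+' and '.') is matched
    literally via re.escape, so a '+' in the grant never acts as a quantifier.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def user_matches(pattern: str, user: str) -> bool:
    """True only if the whole username matches the glob (fullmatch, not search)."""
    return glob_to_regex(pattern).fullmatch(user) is not None


@dataclass(frozen=True)
class Grant:
    """Hypothetical access entry: user glob + host + port, as groupAddServer would store it."""
    user: str   # glob; "*" is what --user-any maps to under the proposal
    host: str
    port: int


def is_allowed(grants, user: str, host: str, port: int) -> bool:
    """Decide whether an egress connection user@host:port is covered by a grant."""
    if not SAFE_USER.fullmatch(user):
        return False
    return any(
        g.host == host and g.port == port and user_matches(g.user, user)
        for g in grants
    )


# Constructed grant table mirroring the thread's examples.
GRANTS = [
    Grant("?*+port_3", "console1", 22),   # any non-empty prefix, serial port 3
    Grant("johndoe+*", "console1", 22),   # johndoe on any port of the console
    Grant("*", "legacy-box", 22),         # equivalent of --user-any
]


if __name__ == "__main__":
    for user in ("admin1+port_3", "+port_3", "adminport_3", "johndoe+port_7"):
        print(f"{user:>16} @console1 -> {is_allowed(GRANTS, user, 'console1', 22)}")
```

Running the block prints one decision per sample username; the same functions can be called from a test harness, which is how the expected results are pinned down below.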