mirror of
https://github.com/ovh/the-bastion.git
synced 2026-05-09 08:25:27 +02:00
[GH-ISSUE #157] Group members can connect under all target server users using the same group key #34
Labels
No labels
answered
bug
documentation
enhancement
enhancement
feature
feature
kept-open-for-info
pull-request
question
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/the-bastion#34
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @deepbluemussel on GitHub (Mar 15, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/157
Hello,
I guess this isn't a bug but just how ssh works (or maybe I just don't use OVH Bastion well).
All group members can connect under every users who use the group key on the target server.
For example a server has 3 system users and each of these users authorize the public key of a Bastion group.
If one user want's to connect under one of the two other users, well, he can do it.
In the end, the connection to the servers can be traced by going back to the history from the bastion, but I still wonder about it because it's quite a suspicious behaviour.
@speed47 commented on GitHub (Mar 16, 2021):
Hello,
If there are several accounts on the remote server, and these accounts should potentially not be used by the same people, then they shouldn't share the same keys. This is not bastion specific, this is how SSH works.
Group accesses are made to share the same accesses between people, with rights delegation so that teams can be independent, but in your case it sounds like, for the remote server you're talking about, people should probably use personal accesses, instead of group accesses. Indeed, each bastion user has their own set of "egress keys", that can be pushed to remote servers. These keys are specific to each account and can't be shared, so this sounds more like what you might need.
You might want to have a look at this blog post, it explains the two ways you can manage accesses (personal vs groups), most of the time, both are useful, as they answer different use cases.
@deepbluemussel commented on GitHub (Mar 16, 2021):
Okay. I was just wondering if it was possible from the bastion to make the members of a group connect only with their respective login (option that could have been defined when creating the server in the group).
It was mainly to facilitate the traceability but since we can trace the original connection on the bastion it is not a blocking point.
Thank you
@speed47 commented on GitHub (Mar 19, 2021):
If you want to have a better traceability while keeping group access, you can use the
LC_BASTIONandLC_BASTION_DETAILSenvironment variables that are pushed to each remote server when the bastion connects.LC_BASTIONbears the name of the account connecting (for legacy reasons)LC_BASTION_DETAILSis a json with a lot of information you can pick from, to build a log message on the remote serverWe use this in a
/etc/ssh/sshrcfile, which is a script launched by ssh when a user connects, this scripts gathers the information and pushes a log message to syslog, similar to this one:With the uniqid, you can find the corresponding ttyrec and any other logs related to the session.
Note that this message can only be trusted when the "from" IP is from a bastion (in our setups, you can't ssh from anything else than a bastion), as in this case you can trust the LC_BASTION_* envvars. Otherwise, a user might craft those vars themselves, if they come from a machine they have a shell access to, and can override envvars.