accountAddPersonalAccess
Add a personal server access to an account
usage
--osh accountAddPersonalAccess --account ACCOUNT --host HOST [OPTIONS]
- --account
Bastion account to add the access to
- --host HOST|IP|NET/CIDR
Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
- --user USER
Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern that will be matched against the actual remote user name.
- --port PORT
Remote port allowed to connect to
- --port-any
Allow access to any remote port
- --scpup
Allow SCP upload, you--bastion-->server (omit --user in this case)
- --scpdown
Allow SCP download, you<--bastion--server (omit --user in this case)
- --sftp
Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
- --force-key FINGERPRINT
Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
- --force-password HASH
Only use the password with the specified hash to connect to the server (cf accountListPasswords)
- --ttl SECONDS|DURATION
Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
- --comment "'ANY TEXT'"
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
The access will work only if one of the account's personal egress public key has been copied to the remote server.
To get the list of an account's personal egress public keys, see accountListEgressKeyss
and selfListEgressKeys
.
Plugin configuration
Options
- widest_v4_prefix (optional, integer, between 0 and 32)
When specified, this limits the size of prefixes that can be added to an ACL, e.g. 24 would not allow prefixes wider than /24 (such as /20 or /16). Note that this doesn't prevent users from adding thousands of ACLs to cover a wide range of networks, but this helps ensuring ACLs such as 0.0.0.0/0 can't be added in a single command.
- self_remote_user_only (optional, boolean)
When true, this only allows to add ACLs with the remote user being the same than the account name, i.e. adding an access to a bastion account named "johndoe" can only be done specifying this very account name as the remote user name, with
accountAddPersonalAccess --user johndoe
.
Example
Configuration, in JSON format, must be in /etc/bastion/plugin.accountAddPersonalAccess.conf
:
{ "widest_v4_prefix": 24, "self_remote_user_only": true }