selfAddPersonalAccess
Add a personal server access on your account
usage
--osh selfAddPersonalAccess --host HOST [OPTIONS]
- --host IP|HOST|IP/MASK
Server to add access to
- --user USER
Remote login to use, if you want to allow any login, use --user-any
- --user-any
Allow access with any remote login
- --port PORT
Remote SSH port to use, if you want to allow any port, use --port-any
- --port-any
Allow access to all remote ports
- --scpup
Allow SCP upload, you--bastion-->server (omit --user in this case)
- --scpdown
Allow SCP download, you<--bastion--server (omit --user in this case)
- --sftp
Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
- --force
Add the access without checking that the public SSH key is properly installed remotely
- --force-key FINGERPRINT
Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
- --force-password HASH
Only use the password with the specified hash to connect to the server (cf selfListPasswords)
- --ttl SECONDS|DURATION
Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
- --comment "'ANY TEXT'"
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
Plugin configuration
Options
- widest_v4_prefix (optional, integer, between 0 and 32)
When specified, this limits the size of prefixes that can be added to an ACL, e.g. 24 would not allow prefixes wider than /24 (such as /20 or /16). Note that this doesn't prevent users from adding thousands of ACLs to cover a wide range of networks, but this helps ensuring ACLs such as 0.0.0.0/0 can't be added in a single command.
- self_remote_user_only (optional, boolean)
When true, this only allows to add ACLs with the remote user being the same than the account name, i.e. a bastion account named "johndoe" would only be able to use
selfAddPersonalAccess --user johndoe.
Example
Configuration, in JSON format, must be in /etc/bastion/plugin.selfAddPersonalAccess.conf:
{ "widest_v4_prefix": 24, "self_remote_user_only": true }