fix: allow ssh-as in connect.pl

ovh · Oct 16, 2024 · 1ffa2e9 · 1ffa2e9
1 parent eb866bd
commit 1ffa2e9
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 3 deletions.
diff --git a/bin/shell/connect.pl b/bin/shell/connect.pl
@@ -84,18 +84,32 @@ sub exit_sig {
     }
 
     # clush plugin
-    elsif ($pargv[1] =~ m{^/opt/bastion/bin/plugin/(open|restricted)/clush$}) {
+    elsif ($pargv[1] =~ m{/bin/plugin/(open|restricted)/clush$}) {
         ;    # we're being called by the clush plugin, ok
     }
 
     # interactive mode: our parent is osh.pl
-    elsif ($pargv[0] eq 'perl' and $pargv[1] eq '/opt/bastion/bin/shell/osh.pl') {
+    elsif ($pargv[0] eq 'perl' and $pargv[1] =~ m{/bin/shell/osh\.pl$}) {
+        ;    # we're being called by the interactive mode of osh.pl, ok
+    }
+
+    # --ssh-as
+    elsif ( @pargv == 9
+        and $pargv[0] eq 'sudo'
+        and $pargv[1] eq '-n'
+        and $pargv[2] eq '-u'
+        and $pargv[4] eq '--'
+        and $pargv[5] eq '/usr/bin/env'
+        and $pargv[6] eq 'perl'
+        and $pargv[7] =~ m{/bin/shell/osh\.pl$}
+        and $pargv[8] eq '-c')
+    {
         ;    # we're being called by the interactive mode of osh.pl, ok
     }
 
     # else: it sucks.
     else {
-        #foreach (@pargv) { print "<".$_.">\n" };
+        foreach (@pargv) { print "<".$_.">\n" };
         die("SECURITY VIOLATION, ABORTING.");
     }
 }

diff --git a/tests/functional/tests.d/300-activeness.sh b/tests/functional/tests.d/300-activeness.sh
@@ -40,6 +40,37 @@ testsuite_activeness()
     # for remaining tests, disable the feature
     configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22\\\\x22,='
 
+    # SSH-AS
+
+    grant accountAddPersonalAccess
+
+    # allow account1 to localhost, just so that ssh-as calls connect.pl (even if the connection doesn't make it through in the end)
+    success add_access_to_a1 $a0 --osh accountAddPersonalAccess --account $account2 --host 127.0.0.1 --user sshas --port 22
+
+    revoke accountAddPersonalAccess
+
+    # now, test ssh-as
+    run ssh_as_denied $a1 --ssh-as $account2 [email protected]
+    retvalshouldbe 106
+    json .error_code KO_SSHAS_DENIED
+
+    # set account1 as admin
+    success set_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\""
+    configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22,\\\\x22'"$account1"'\\\\x22],='
+
+    # test ssh-as again
+    run ssh_as_allowed $a1 --ssh-as $account2 [email protected]
+    retvalshouldbe 255
+    contain "you'll now impersonate"
+    contain "Connecting..."
+    contain "Permission denied (publickey)"
+
+    # and finally remove admin grant
+    success del_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\""
+    configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
+
+    # /SSH-AS
+
     grant accountDelete
 
     # delete account1