

feat: add BastionHost ACL check
Needed to reject a known key if the requested bastion host is not accessible to that user, so that the ssh client tries its next key.
See moul#453
systemmonkey42 authored and libvoid committed Jul 17, 2023
1 parent 561e482 commit 66ee7e6
Showing 1 changed file with 13 additions and 0 deletions.
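--- a/pkg/bastion/ssh.go
+++ b/pkg/bastion/ssh.go
@@ -346,6 +346,19 @@ func PublicKeyAuthHandler(db *gorm.DB, logsLocation, aclCheckCmd, aesKey, dbDriv
 if actx.userType() == userTypeInvite {
 actx.err = fmt.Errorf("invites are only supported for new SSH keys; your ssh key is already associated with the user %q", actx.user.Email)
 }
+if actx.userType() == userTypeBastion {
+log.Printf("Checking if %s has access to %s\n", actx.user.Name, actx.inputUsername)
+host, err := dbmodels.HostByName(actx.db, actx.inputUsername)
+if err != nil {
+actx.err = err
+return false
+}
+_, err = bastionClientConfig(ctx, host)
+if err != nil {
+actx.err = err
+return false
+}
+}
 return true
 }
 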
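Review bot: The log line at the top of the new userTypeBastion branch interpolates actx.inputUsername with %s; that value appears to be the name requested by the connecting SSH client, so a name containing newlines or control characters would be written into the log unescaped and could forge extra log records. Quoting it keeps each record unambiguous, and the trailing "\n" is redundant since log.Printf already terminates the line: `log.Printf("Checking if %q has access to %q", actx.user.Name, actx.inputUsername)`. Separately, a database error from dbmodels.HostByName and a failed bastionClientConfig are both turned into actx.err plus return false, so a transient DB failure is presented to the client as a rejected key rather than surfaced; if that is not intended, the two cases should be told apart. The enclosing PublicKeyAuthHandler starts before this hunk.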

