

feat: add BastionHost ACL check
Needed to reject a known key if the requested bastion host is not accessible to that user, so the ssh client tries the next key.
See moul#453
systemmonkey42 authored and libvoid committed Jul 13, 2023
1 parent 1a0cce5 commit a3d4e03
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions pkg/bastion/ssh.go
Expand Up @@ -351,6 +351,19 @@ func PublicKeyAuthHandler(db *gorm.DB, logsLocation, aclCheckCmd, aesKey, dbDriv
if actx.userType() == userTypeInvite {
actx.err = fmt.Errorf("invites are only supported for new SSH keys; your ssh key is already associated with the user %q", actx.user.Email)
}
if actx.userType() == userTypeBastion {
log.Printf("Checking if %s has access to %s\n", actx.user.Name, actx.inputUsername)
host, err := dbmodels.HostByName(actx.db, actx.inputUsername)
if err != nil {
actx.err = err
return false
}
_, err = bastionClientConfig(ctx, host)
if err != nil {
actx.err = err
return false
}
}
return true
}
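Review bot: The new log line formats `actx.inputUsername`, which is the username supplied by the connecting SSH client, with `%s` and a trailing `\n`; a value containing newlines or control characters could forge or split audit log lines, and `log.Printf` already appends a newline. Use quoting instead: `log.Printf("Checking if %q has access to %q", actx.user.Name, actx.inputUsername)`. The raw errors from `dbmodels.HostByName` and `bastionClientConfig` are stored in `actx.err` without context, unlike the invite message two lines above; wrapping them, e.g. `actx.err = fmt.Errorf("bastion host %q: %w", actx.inputUsername, err)`, would make later log output attributable. Whether `bastionClientConfig` failing actually means the ACL denied the user (rather than a transient config or DB error) cannot be seen in this hunk, so the rejection may be broader than the commit message states. `PublicKeyAuthHandler` begins above the hunk and continues past it.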


