From 3ba789ed34b0a35d6409c0469248475d9bfa8ee1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 2 Jul 2024 15:11:00 +0000 Subject: [PATCH] chore: adapt help messages for wildcard --user support --- bin/plugin/group-aclkeeper/groupAddServer | 19 ++++++------ bin/plugin/group-aclkeeper/groupDelServer | 24 +++++++++++---- .../group-gatekeeper/groupAddGuestAccess | 24 ++++++++------- .../group-gatekeeper/groupDelGuestAccess | 25 +++++++++------- .../restricted/accountAddPersonalAccess | 13 ++++---- .../restricted/accountDelPersonalAccess | 21 +++++++------ bin/plugin/restricted/selfAddPersonalAccess | 15 ++++++---- bin/plugin/restricted/selfDelPersonalAccess | 19 +++++++----- .../group-aclkeeper/groupAddServer.rst | 21 ++++++------- .../group-aclkeeper/groupDelServer.rst | 24 +++++++++++---- .../group-gatekeeper/groupAddGuestAccess.rst | 30 +++++++++++-------- .../group-gatekeeper/groupDelGuestAccess.rst | 30 +++++++++++-------- .../restricted/accountAddPersonalAccess.rst | 15 ++++++---- .../restricted/accountDelPersonalAccess.rst | 15 ++++++---- .../restricted/selfAddPersonalAccess.rst | 17 ++++++----- .../restricted/selfDelPersonalAccess.rst | 15 ++++++---- 16 files changed, 197 insertions(+), 130 deletions(-) diff --git a/bin/plugin/group-aclkeeper/groupAddServer b/bin/plugin/group-aclkeeper/groupAddServer index 1d1948b0e..0e8d12561 100755 --- a/bin/plugin/group-aclkeeper/groupAddServer +++ b/bin/plugin/group-aclkeeper/groupAddServer @@ -31,14 +31,15 @@ Add an IP or IP block to a group's servers list Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS] - --group GROUP Specify which group this machine should be added to (it should have the public group key of course) - --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP, - or a whole network using the NET/CIDR notation - --user USER Specify which remote user should be allowed (root, run, etc...). - Globbing characters '*' and '?' are supported. - --user-any Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases) - --port PORT Only allow access to this port (e.g. 22) - --port-any Allow access to any port + --group GROUP Specify which group this machine should be added to + --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allows connecting as any remote user. + --port PORT Remote port allowed to connect to + --port-any Allow access to any remote port --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) --sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) @@ -46,7 +47,7 @@ Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS] --force-key FINGERPRINT Only use the key with the specified fingerprint to connect to the server (cf groupInfo) --force-password HASH Only use the password with the specified hash to connect to the server (cf groupListPasswords) --ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire - --comment '"ANY TEXT'" Add a comment alongside this server + --comment "'ANY TEXT'" Add a comment alongside this server. Quote it twice as shown if you're under a shell. Examples:: diff --git a/bin/plugin/group-aclkeeper/groupDelServer b/bin/plugin/group-aclkeeper/groupDelServer index 7463340b6..e54161e6a 100755 --- a/bin/plugin/group-aclkeeper/groupDelServer +++ b/bin/plugin/group-aclkeeper/groupDelServer @@ -25,17 +25,29 @@ my $remainingOptions = OVH::Bastion::Plugin::begin( helptext => <<'EOF', Remove an IP or IP block from a group's server list -Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS] +Usage: --osh SCRIPT_NAME --group GROUP --host HOST [OPTIONS] --group GROUP Specify which group this machine should be removed from - --host HOST|IP|NET/CIDR Host(s) we want to remove access to - --user USER Remote user that was allowed, if any user was allowed, use --user-any - --user-any Use if any remote login was allowed - --port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any - --port-any Use if any remote port was allowed + --host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allowed connecting as any remote user. + --port PORT Remote port that was allowed to connect to + --port-any Use when access was allowed to any remote port --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + +This command adds, to an existing bastion account, access to a given server, using the +egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers`` + +If you want to add member access to an account to all the present and future servers +of the group, using the group key, please use ``groupAddMember`` instead. + +If you want to add access to an account to a group server but using their personal bastion +key instead of the group key, please use ``accountAddPersonalAccess`` instead. EOF ); diff --git a/bin/plugin/group-gatekeeper/groupAddGuestAccess b/bin/plugin/group-gatekeeper/groupAddGuestAccess index cd83ba77b..12e1e38cf 100755 --- a/bin/plugin/group-gatekeeper/groupAddGuestAccess +++ b/bin/plugin/group-gatekeeper/groupAddGuestAccess @@ -30,16 +30,20 @@ Add a specific group server access to an account Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS] - --group GROUP group to add guest access to - --account ACCOUNT name of the other bastion account to add access to, they'll be given access to the GROUP key - --host HOST|IP add access to this HOST (which must belong to the GROUP) - --user USER allow connecting to HOST only with remote login USER - --user-any allow connecting to HOST with any remote login - --port PORT allow connecting to HOST only to remote port PORT - --port-any allow connecting to HOST with any remote port - --scpup allow SCP upload, you--bastion-->server (omit --user in this case) - --scpdown allow SCP download, you<--bastion--server (omit --user in this case) - --sftp allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + --account ACCOUNT Name of the other bastion account to add access to, they'll be given access to the GROUP key + --group GROUP Group to add the guest access to, note that this group should already have access + to the USER/HOST/PORT tuple you'll specify with the options below. + --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allows connecting as any remote user. + --port PORT Remote port allowed to connect to + --port-any Allow access to any remote port + --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) + --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) + --sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) --ttl SECONDS|DURATION specify a number of seconds after which the access will automatically expire --comment '"ANY TEXT"' add a comment alongside this access. If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers diff --git a/bin/plugin/group-gatekeeper/groupDelGuestAccess b/bin/plugin/group-gatekeeper/groupDelGuestAccess index 224cf633b..dbaef8155 100755 --- a/bin/plugin/group-gatekeeper/groupDelGuestAccess +++ b/bin/plugin/group-gatekeeper/groupDelGuestAccess @@ -28,16 +28,19 @@ Remove a specific group server access from an account Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS] - --group GROUP group to remove guest access from - --account ACCOUNT name of the other bastion account to remove access from - --host HOST|IP remove access from this HOST (which must belong to the GROUP) - --user USER allow connecting to HOST only with remote login USER - --user-any allow connecting to HOST with any remote login - --port PORT allow connecting to HOST only to remote port PORT - --port-any allow connecting to HOST with any remote port - --scpup allow SCP upload, you--bastion-->server (omit --user in this case) - --scpdown allow SCP download, you<--bastion--server (omit --user in this case) - --sftp allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + --group GROUP Specify which group to remove the guest access to ACCOUNT from + --account ACCOUNT Bastion account remove the guest access from + --host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allowed connecting as any remote user. + --port PORT Remote port that was allowed to connect to + --port-any Use when access was allowed to any remote port + --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) + --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) + --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) This command removes, from an existing bastion account, access to a given server, using the egress keys of the group. The list of such servers is given by ``groupListGuestAccesses`` @@ -45,7 +48,7 @@ egress keys of the group. The list of such servers is given by ``groupListGuestA If you want to remove member access from an account to all the present and future servers of the group, using the group key, please use ``groupDelMember`` instead. -If you want to remove access from an account from a group server but using his personal bastion +If you want to remove access from an account from a group server but using their personal bastion key instead of the group key, please use ``accountDelPersonalAccess`` instead. This command is the opposite of ``groupAddGuestAccess``. diff --git a/bin/plugin/restricted/accountAddPersonalAccess b/bin/plugin/restricted/accountAddPersonalAccess index 2173dc07c..dbb9acfc2 100755 --- a/bin/plugin/restricted/accountAddPersonalAccess +++ b/bin/plugin/restricted/accountAddPersonalAccess @@ -32,11 +32,14 @@ Add a personal server access to an account Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS] --account Bastion account to add the access to - --host IP|HOST|IP/MASK Server to add access to - --user USER Remote login to use, globbing characters '?' and '*' are supported - --user-any Allow access with any remote login (synonym of ``--user *``) - --port PORT Remote SSH port to use, if you want to allow any port, use --port-any - --port-any Allow access to all remote ports + --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allows connecting as any remote user. + --port PORT Remote port allowed to connect to + --port-any Allow access to any remote port --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) --sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) diff --git a/bin/plugin/restricted/accountDelPersonalAccess b/bin/plugin/restricted/accountDelPersonalAccess index 381d89293..25316a865 100755 --- a/bin/plugin/restricted/accountDelPersonalAccess +++ b/bin/plugin/restricted/accountDelPersonalAccess @@ -26,15 +26,18 @@ Remove a personal server access from an account Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS] - --account Bastion account to remove access from - --host IP|HOST|IP/MASK Server to remove access from - --user USER Remote user that was allowed, if any user was allowed, use --user-any - --user-any Use if any remote login was allowed - --port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any - --port-any Use if any remote port was allowed - --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) - --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) - --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + --account Bastion account to remove access from + --host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allowed connecting as any remote user. + --port PORT Remote port that was allowed to connect to + --port-any Use when access was allowed to any remote port + --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) + --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) + --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) EOF ); diff --git a/bin/plugin/restricted/selfAddPersonalAccess b/bin/plugin/restricted/selfAddPersonalAccess index 7e07b0a4e..4af46c3ec 100755 --- a/bin/plugin/restricted/selfAddPersonalAccess +++ b/bin/plugin/restricted/selfAddPersonalAccess @@ -27,15 +27,18 @@ my $remainingOptions = OVH::Bastion::Plugin::begin( "comment=s" => \my $comment, }, helptext => <<'EOF', -Add a personal server access on your account +Add a personal server access to your account Usage: --osh SCRIPT_NAME --host HOST [OPTIONS] - --host IP|HOST|IP/MASK Server to add access to - --user USER Remote login to use, globbing characters '?' and '*' are supported - --user-any Allow access with any remote login (synonym of ``--user *``) - --port PORT Remote SSH port to use, if you want to allow any port, use --port-any - --port-any Allow access to all remote ports + --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allows connecting as any remote user. + --port PORT Remote port allowed to connect to + --port-any Allow access to any remote port --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) --scpdown Allow SCP download, you<--bastion--server (omit --user in this case) --sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) diff --git a/bin/plugin/restricted/selfDelPersonalAccess b/bin/plugin/restricted/selfDelPersonalAccess index 8a42c91ab..f49cf5a1e 100755 --- a/bin/plugin/restricted/selfDelPersonalAccess +++ b/bin/plugin/restricted/selfDelPersonalAccess @@ -25,14 +25,17 @@ Remove a personal server access from your account Usage: --osh SCRIPT_NAME --host HOST [OPTIONS] - --host IP|HOST|IP/MASK Server to remove access from - --user USER Remote user that was allowed, if any user was allowed, use --user-any - --user-any Use if any remote login was allowed - --port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any - --port-any Use if any remote port was allowed - --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) - --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) - --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + --host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation + --user USER Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. + --user-any Synonym of '--user *', allowed connecting as any remote user. + --port PORT Remote port that was allowed to connect to + --port-any Use when access was allowed to any remote port + --scpup Remove SCP upload right, you--bastion-->server (omit --user in this case) + --scpdown Remove SCP download right, you<--bastion--server (omit --user in this case) + --sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) EOF ); diff --git a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst index 915e5db82..3ddbbcb89 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst @@ -16,29 +16,30 @@ Add an IP or IP block to a group's servers list .. option:: --group GROUP - Specify which group this machine should be added to (it should have the public group key of course) + Specify which group this machine should be added to .. option:: --host HOST|IP|NET/CIDR - Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP, + Host(s) to add access to, either a HOST which will be resolved to an IP immediately, - or a whole network using the NET/CIDR notation + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Specify which remote user should be allowed (root, run, etc...). + Specify which remote user should be allowed to connect as. - Globbing characters '*' and '?' are supported. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases) + Synonym of '--user *', allows connecting as any remote user. .. option:: --port PORT - Only allow access to this port (e.g. 22) + Remote port allowed to connect to .. option:: --port-any - Allow access to any port + Allow access to any remote port .. option:: --scpup @@ -68,9 +69,9 @@ Add an IP or IP block to a group's servers list Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire -.. option:: --comment '"ANY TEXT'" +.. option:: --comment "'ANY TEXT'" - Add a comment alongside this server + Add a comment alongside this server. Quote it twice as shown if you're under a shell. Examples:: diff --git a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst index 72e5b21db..b1bf0a42c 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst @@ -9,7 +9,7 @@ Remove an IP or IP block from a group's server list .. admonition:: usage :class: cmdusage - --osh groupDelServer --group GROUP [OPTIONS] + --osh groupDelServer --group GROUP --host HOST [OPTIONS] .. program:: groupDelServer @@ -20,23 +20,26 @@ Remove an IP or IP block from a group's server list .. option:: --host HOST|IP|NET/CIDR - Host(s) we want to remove access to + Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Remote user that was allowed, if any user was allowed, use --user-any + Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Use if any remote login was allowed + Synonym of '--user *', allowed connecting as any remote user. .. option:: --port PORT - Remote SSH port that was allowed, if any port was allowed, use --port-any + Remote port that was allowed to connect to .. option:: --port-any - Use if any remote port was allowed + Use when access was allowed to any remote port .. option:: --scpup @@ -50,3 +53,12 @@ Remove an IP or IP block from a group's server list Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + +This command adds, to an existing bastion account, access to a given server, using the +egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers`` + +If you want to add member access to an account to all the present and future servers +of the group, using the group key, please use ``groupAddMember`` instead. + +If you want to add access to an account to a group server but using their personal bastion +key instead of the group key, please use ``accountAddPersonalAccess`` instead. diff --git a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst index be9a99edf..c7e5d898d 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst @@ -14,45 +14,49 @@ Add a specific group server access to an account .. program:: groupAddGuestAccess -.. option:: --group GROUP +.. option:: --account ACCOUNT - group to add guest access to + Name of the other bastion account to add access to, they'll be given access to the GROUP key -.. option:: --account ACCOUNT +.. option:: --group GROUP - name of the other bastion account to add access to, they'll be given access to the GROUP key + Group to add the guest access to, note that this group should already have access -.. option:: --host HOST|IP + to the USER/HOST/PORT tuple you'll specify with the options below. +.. option:: --host HOST|IP|NET/CIDR - add access to this HOST (which must belong to the GROUP) + Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - allow connecting to HOST only with remote login USER + Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - allow connecting to HOST with any remote login + Synonym of '--user *', allows connecting as any remote user. .. option:: --port PORT - allow connecting to HOST only to remote port PORT + Remote port allowed to connect to .. option:: --port-any - allow connecting to HOST with any remote port + Allow access to any remote port .. option:: --scpup - allow SCP upload, you--bastion-->server (omit --user in this case) + Allow SCP upload, you--bastion-->server (omit --user in this case) .. option:: --scpdown - allow SCP download, you<--bastion--server (omit --user in this case) + Allow SCP download, you<--bastion--server (omit --user in this case) .. option:: --sftp - allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) .. option:: --ttl SECONDS|DURATION diff --git a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst index 8e293ec72..e2a414baf 100644 --- a/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst +++ b/doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst @@ -16,40 +16,46 @@ Remove a specific group server access from an account .. option:: --group GROUP - group to remove guest access from + Specify which group to remove the guest access to ACCOUNT from - --account ACCOUNT name of the other bastion account to remove access from -.. option:: --host HOST|IP +.. option:: --account ACCOUNT - remove access from this HOST (which must belong to the GROUP) + Bastion account remove the guest access from +.. option:: --host HOST|IP|NET/CIDR + + Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - allow connecting to HOST only with remote login USER + Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - allow connecting to HOST with any remote login + Synonym of '--user *', allowed connecting as any remote user. .. option:: --port PORT - allow connecting to HOST only to remote port PORT + Remote port that was allowed to connect to .. option:: --port-any - allow connecting to HOST with any remote port + Use when access was allowed to any remote port .. option:: --scpup - allow SCP upload, you--bastion-->server (omit --user in this case) + Remove SCP upload right, you--bastion-->server (omit --user in this case) .. option:: --scpdown - allow SCP download, you<--bastion--server (omit --user in this case) + Remove SCP download right, you<--bastion--server (omit --user in this case) .. option:: --sftp - allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) + Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case) This command removes, from an existing bastion account, access to a given server, using the @@ -58,7 +64,7 @@ egress keys of the group. The list of such servers is given by ``groupListGuestA If you want to remove member access from an account to all the present and future servers of the group, using the group key, please use ``groupDelMember`` instead. -If you want to remove access from an account from a group server but using his personal bastion +If you want to remove access from an account from a group server but using their personal bastion key instead of the group key, please use ``accountDelPersonalAccess`` instead. This command is the opposite of ``groupAddGuestAccess``. diff --git a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst index 91ef8918c..5bfaf4069 100644 --- a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst @@ -18,25 +18,28 @@ Add a personal server access to an account Bastion account to add the access to -.. option:: --host IP|HOST|IP/MASK +.. option:: --host HOST|IP|NET/CIDR - Server to add access to + Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Remote login to use, globbing characters '?' and '*' are supported + Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Allow access with any remote login (synonym of ``--user *``) + Synonym of '--user *', allows connecting as any remote user. .. option:: --port PORT - Remote SSH port to use, if you want to allow any port, use --port-any + Remote port allowed to connect to .. option:: --port-any - Allow access to all remote ports + Allow access to any remote port .. option:: --scpup diff --git a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst index a18562330..34da98c6b 100644 --- a/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst @@ -18,25 +18,28 @@ Remove a personal server access from an account Bastion account to remove access from -.. option:: --host IP|HOST|IP/MASK +.. option:: --host HOST|IP|NET/CIDR - Server to remove access from + Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Remote user that was allowed, if any user was allowed, use --user-any + Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Use if any remote login was allowed + Synonym of '--user *', allowed connecting as any remote user. .. option:: --port PORT - Remote SSH port that was allowed, if any port was allowed, use --port-any + Remote port that was allowed to connect to .. option:: --port-any - Use if any remote port was allowed + Use when access was allowed to any remote port .. option:: --scpup diff --git a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst index 4443ee50b..94909fd12 100644 --- a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst @@ -2,7 +2,7 @@ selfAddPersonalAccess ====================== -Add a personal server access on your account +Add a personal server access to your account ============================================ @@ -14,25 +14,28 @@ Add a personal server access on your account .. program:: selfAddPersonalAccess -.. option:: --host IP|HOST|IP/MASK +.. option:: --host HOST|IP|NET/CIDR - Server to add access to + Host(s) to add access to, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Remote login to use, globbing characters '?' and '*' are supported + Specify which remote user should be allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Allow access with any remote login (synonym of ``--user *``) + Synonym of '--user *', allows connecting as any remote user. .. option:: --port PORT - Remote SSH port to use, if you want to allow any port, use --port-any + Remote port allowed to connect to .. option:: --port-any - Allow access to all remote ports + Allow access to any remote port .. option:: --scpup diff --git a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst index a059a2fea..c990d3a79 100644 --- a/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst @@ -14,25 +14,28 @@ Remove a personal server access from your account .. program:: selfDelPersonalAccess -.. option:: --host IP|HOST|IP/MASK +.. option:: --host HOST|IP|NET/CIDR - Server to remove access from + Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, + or an IP, or a whole network using the NET/CIDR notation .. option:: --user USER - Remote user that was allowed, if any user was allowed, use --user-any + Specify which remote user was allowed to connect as. + Globbing characters '*' and '?' are supported, so you can specify a pattern + that will be matched against the actual remote user name. .. option:: --user-any - Use if any remote login was allowed + Synonym of '--user *', allowed connecting as any remote user. .. option:: --port PORT - Remote SSH port that was allowed, if any port was allowed, use --port-any + Remote port that was allowed to connect to .. option:: --port-any - Use if any remote port was allowed + Use when access was allowed to any remote port .. option:: --scpup