File: acl.db

package info (click to toggle)
sshproxy 0.6.0~beta2-2
  • links: PTS, VCS
  • area: main
  • in suites: lenny
  • size: 956 kB
  • ctags: 1,296
  • sloc: python: 8,932; sh: 268; sql: 40; makefile: 38; xml: 21
file content (92 lines) | stat: -rw-r--r-- 3,038 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
# Example ACL file

# authenticate is for client authentication to the proxy
authenticate:
    # only clients connecting from these IPs are allowed
    (client.ip_addr in split("127.0.0.1 192.168.1.7"))
    # username begining (:=) with 'guest' are denied
    and (client.username := "guest" ) = False
    # check also the custom ACL called level_auth
    and acl(level_auth)
    # connections on work hours only
    and (proxy.time >= "08:00" and proxy.time <= "19:00")
    # on monday only (sunday is 0)
    and proxy.dow = "1"
    # after july, no connection allowed
    and proxy.date < "2006-08-01"

# ACLs can be broken down into shareable subparts, call with acl(level_auth)
# this one is a custom ACL
level_auth:
    # client has a custom tag named "level" which is an integer
    int(client.level) >= 7

# admin is for administration access
admin:
    # if the client tag "groups" contains the word "admin"
    "admin" in split(client.groups)


authorize:
    # localnet group members are allowed to connect to local network only
    ("localnet" in split(client.groups) and site.ip_address := "192.168.1.")
    # or any user must pass the "enforce" ACL attached to sites
    or acl(site.enforce)

# console_session is for the sshproxy console
console_session:
    # allow admin group members only
    "admin" in split(client.groups)

# shell_session controls normal ssh session
shell_session:
    # only client username "david" can connect anywhere as root
    site.login != "root" or client.username = "david"

# remote_exec controls remote command execution
remote_exec:
    # deny root login
    site.login != "root"
    # allow only the uname command
    and proxy.cmdline := "uname"
    # ensure there is only one command
    and not (";" in proxy.cmdline) and not ("&" in proxy.cmdline)

# ACLs can be given more than once,
# only one success is sufficient to allow access (OR relation)
remote_exec:
    # only david is allowed to connect as root
    site.login != "root" or client.username = "david"

# scp_upload is for file upload
# an ACL that is not declared is evaluated as False
#scp_upload:
#    # allow scp upload for any login anywhere, or root inside /tmp only
#    site.login != "root" or ( proxy.scp_path := "/tmp"
#                            and not ( ".." in proxy.scp_path ))

# scp_download is for file download
#scp_download:
#    # allow scp download for any login but root
#    site.login != "root"

# scp_transfer is for file upload AND download
# if the above rules failed, try the general rule
#scp_transfer: False


# options ######################################################

# opt_list_sites is to allow or deny the use of the --list-sites option:
#  $ pssh --list-sites
opt_list_sites:
    # guests group members can't see the list of allowed sites (they're blind)
    client.group != "guests"

# opt_get_pkey controls the option --get-pkey of pssh:
#  $ pssh --get-pkey root@host
opt_get_pkey:
    # only admins can get the public key of a site login
    "admin" in split(client.groups)