Currently there is only the possibility to connect as (any) or as a certain user with Group Access.
Having the possibility to connect as (self) would be perfect!
│ Dear aprats, you have access to the following servers:
│ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT COMMENT
│ --------------- ----- ------ ------------------------- -------- ---------- --------------------------------------
│ 11.11.111.1 22 (self) my-group(group-member) gadmin 2021-11-15 mysuperserver.ovh
In this example I should only be able to connect as aprats on mysuperserver.ovh.
Thanks for your work!
So, I've implemented this feature a bit differently in cf405ba.
The idea is that if I had implemented something like --user-self in groups, this would have implied that all accounts on the remote server would have to share the same SSH key (namely, the group's egress key).
For example, if we have 5 members in a group, and these 5 members would connect remotely using their own account name as the remote user name, because an ACL targeting the remote server would have been added with --user-self, the remote server would need to have 5 Linux accounts bearing these names, all sharing the group's egress key. This is already a bad practice per se, but it also means that if one of the group's ACLKeepers later added a new ACL with --user-any targeting the same remote server (or any CIDR in which the remote server would be included), any of these 5 members could connect using any of the 5 remote accounts on the remote server, which is probably not wanted at all. This would be an error on the ACLKeepers' side, but it's not extremely obvious, hence I don't want to add a feature that would make it too easy to make the mistake.
So, back to the feature I've implemented instead: two new options are available in the selfAddPersonalAccess plugin: widest_v4_prefix and self_remote_user_only; the documentation is available here. You can use this to allow this command to everyone (as explained here), but setting self_remote_user_only will ensure that accounts can only add accesses with their own account name as the remote user name. widest_v4_prefix optionally helps to further prevent abuse/misuse of this.
Another option is to auto-add such accesses directly on account creation (without requiring to grant selfAddPersonalAccess to users), as explained here.
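The following is an added illustration, not code from The Bastion itself, of how the two plugin options described in the comment above constrain what an account may grant itself. It models a selfAddPersonalAccess request as (account, requested remote user, host or CIDR) and applies the two checks: with self_remote_user_only the remote user must equal the account name (so a request for root or for "any user" is refused), and with widest_v4_prefix an IPv4 target wider than the configured prefix is refused, which is what prevents a member from quietly granting themselves a whole /16. The class and function names, and the sample account and addresses, are assumptions made for this example; the real plugin reads its options from its own configuration file.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative model of the two selfAddPersonalAccess options discussed above.
# This is NOT The Bastion's implementation; names are assumptions for the example.


@dataclass
class SelfAddPolicy:
    # Only allow remote user == the bastion account name (no --user-any, no root).
    self_remote_user_only: bool = False
    # Widest IPv4 prefix a user may grant themselves, e.g. 24 means nothing
    # wider than a /24. None disables the check.
    widest_v4_prefix: Optional[int] = None


def check_self_add(policy: SelfAddPolicy, account: str,
                   remote_user: Optional[str], host: str) -> Tuple[bool, str]:
    """Decide whether `account` may add a personal access to `host` as `remote_user`.

    remote_user=None models a --user-any request. Returns (allowed, reason).
    """
    try:
        # strict=False accepts both single hosts and CIDRs such as 11.11.0.0/16
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False, f"invalid host or CIDR: {host!r}"

    if policy.self_remote_user_only:
        if remote_user is None:
            return False, "self_remote_user_only: --user-any is not allowed"
        if remote_user != account:
            return False, (f"self_remote_user_only: remote user {remote_user!r} "
                           f"must be the account name {account!r}")

    if (policy.widest_v4_prefix is not None and net.version == 4
            and net.prefixlen < policy.widest_v4_prefix):
        return False, (f"widest_v4_prefix: /{net.prefixlen} is wider than the "
                       f"allowed /{policy.widest_v4_prefix}")

    return True, "ok"


def demo() -> None:
    # Constructed sample: the account from the issue and a strict policy.
    strict = SelfAddPolicy(self_remote_user_only=True, widest_v4_prefix=24)
    requests = [
        ("aprats", "aprats", "11.11.111.1"),     # own name, single host: allowed
        ("aprats", "root", "11.11.111.1"),       # other remote user: refused
        ("aprats", None, "11.11.111.1"),         # --user-any: refused
        ("aprats", "aprats", "11.11.0.0/16"),    # wider than /24: refused
        ("aprats", "aprats", "11.11.111.0/24"),  # exactly /24: allowed
    ]
    for account, remote_user, host in requests:
        allowed, reason = check_self_add(strict, account, remote_user, host)
        print(f"{account} -> {remote_user or '(any)'}@{host}: "
              f"{'ALLOW' if allowed else 'DENY'} ({reason})")


if __name__ == "__main__":
    demo()
```

With both options unset the function allows everything, which is the behaviour the comment warns about when selfAddPersonalAccess is granted to every account; the two options are what turn that into a safe self-service grant.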