
SSH connection

Defines how the SSH service behaves for a user who is connecting to Bifröst.

Configuration

addresses

[]Net Address = [":22"]

The addresses the service binds to and listens on.

keys

See below.

idleTimeout

Duration = "10m"

For how long a connection may be idle before it is forcibly closed. The client can send keep-alive packets to extend the idle time. 0 means the connection never times out for being idle.

maxTimeout

Duration = 0

The maximum duration a connection may stay open before it is forcibly closed, regardless of whether it is active. 0 means the connection never times out. Because keep-alives can extend idleTimeout indefinitely, this is the setting that bounds the total lifetime of a connection whose client keeps it alive.

maxAuthTries

uint8 = 6

How many authentication attempts a client may make before the connection is closed.

maxConnections

uint8 = 255

The maximum number of parallel connections to this service. Every additional connection beyond that limit is rejected.

banner

string Connection =

"{{ `/etc/ssh/sshd-banner` | file `optional` | default `Transcend with Engity's Bifröst\n\n` }}"

Banner shown to the client as soon as it connects, before any authentication or authorization check has taken place. Since it is sent to every client that can reach the port, it must not contain anything sensitive.

Examples

```yaml
addresses: [ ":22" ]
keys:
  hostKeys: [ /etc/engity/bifroest/key ]
  # ...
idleTimeout: 10m
maxTimeout: 0
maxAuthTries: 6
maxConnections: 255
banner: "Yeah!"
```

preparationMessages

See below.

Keys

Configuration

hostKeys

[]File Path = ["<defaultLocation>"]

Paths of the host key files. If a file does not exist, an Ed25519 key is generated and stored there. These files hold the server's private host keys: keep them readable by the Bifröst process only, because anyone who can read them can impersonate the server to its clients.

Default Locations:

  • Linux: /etc/engity/bifroest/key
  • Windows: C:\ProgramData\Engity\Bifroest\key

rsaRestriction

RSA Restriction = "at-least-4096-bits"

Restricts which RSA keys are accepted.

dsaRestriction

DSA Restriction = "none"

Restricts which DSA keys are accepted. The default rejects every DSA key.

ecdsaRestriction

ECDSA Restriction = "at-least-384-bits"

Restricts which ECDSA keys are accepted.

ed25519Restriction

ED25519 Restriction = "all"

Restricts which Ed25519 keys are accepted.

rememberMeNotification

string Authorization =

"If you return until {{.session.validUntil | format `dateTimeT`}} with the same public key ({{.key | fingerprint}}), you can seamlessly log in again.\n\n"

Shown when the connection was authenticated by a method that has no public key of its own (such as OIDC) and the client also offered at least one public key during authentication. At this point authentication has already succeeded; the offered key is bound to the session, and this message tells the client that the key will be used from now on. As long as the session has not expired and the client presents the same public key, the original authentication (for example the OIDC login) is skipped. Note what this implies: until validUntil, possession of that private key alone is enough to log in again, so choose the session lifetime accordingly.

Examples

```yaml
hostKeys: [ /etc/engity/bifroest/key ]
rsaRestriction: at-least-4096-bits
dsaRestriction: none
ecdsaRestriction: at-least-384-bits
ed25519Restriction: all
rememberMeNotification: "If you return until {{.session.validUntil | format `dateTimeT`}} with the same public key ({{.key | fingerprint}}), you can seamlessly log in again.\n\n"
```
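The following is an added example, not Bifröst's own code, that makes the restriction values above concrete: it parses OpenSSH public-key lines down to the algorithm family and key size and applies the documented defaults (RSA at least 4096 bits, ECDSA at least 384 bits, every Ed25519 key, no DSA key). It assumes that "at-least-N-bits" generalizes to any N and that an unrecognized restriction value fails closed; the key lines it evaluates are constructed in place (real wire framing around placeholder numbers) rather than real keys, and ssh-dss is left out of the parser for brevity.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
)

// Restriction models the values on this page: "none" rejects every key of a family, "all"
// accepts every key, "at-least-N-bits" accepts N bits or more; anything else fails closed.
type Restriction string
var atLeastRe = regexp.MustCompile(`^at-least-(\d+)-bits$`)

func (r Restriction) Allows(bits int) (bool, error) {
	if m := atLeastRe.FindStringSubmatch(string(r)); m != nil {
		need, _ := strconv.Atoi(m[1])
		return bits >= need, nil
	} else if r == "none" || r == "all" {
		return r == "all", nil
	}
	return false, fmt.Errorf("unknown restriction %q", r)
}

// DefaultRestrictions are the keys section's documented defaults, keyed by family.
var DefaultRestrictions = map[string]Restriction{"rsa": "at-least-4096-bits", "dsa": "none", "ecdsa": "at-least-384-bits", "ed25519": "all"}

// decodeBlob base64-decodes a key blob into its length-prefixed SSH "string" fields
// (RFC 4251 section 5); a truncated field is an error, never a shorter key.
func decodeBlob(b64 string) (fields [][]byte, err error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	for err == nil && len(blob) > 0 {
		if len(blob) < 4 || uint64(len(blob)-4) < uint64(binary.BigEndian.Uint32(blob)) {
			return nil, fmt.Errorf("truncated field")
		}
		n := binary.BigEndian.Uint32(blob)
		fields, blob = append(fields, blob[4:4+n]), blob[4+n:]
	}
	return fields, err
}

// KeySize parses one OpenSSH public-key line ("type base64 [comment]") into its family and
// size in bits: bit length of the modulus n for ssh-rsa (RFC 4253), the curve's field size
// for ECDSA (RFC 5656), 256 for ssh-ed25519 (RFC 8709). A wrong field count or a type/curve
// mismatch is rejected rather than guessed at; ssh-dss would read p (fs[1]) the same way.
func KeySize(line string) (family string, bits int, err error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", 0, fmt.Errorf("malformed key line")
	}
	fs, err := decodeBlob(f[1])
	if err != nil || len(fs) == 0 || string(fs[0]) != f[0] {
		return "", 0, fmt.Errorf("bad blob or type prefix mismatch for %q: %v", f[0], err)
	}
	switch typ := f[0]; {
	case typ == "ssh-rsa" && len(fs) == 3: // e, n
		return "rsa", new(big.Int).SetBytes(fs[2]).BitLen(), nil
	case strings.HasPrefix(typ, "ecdsa-sha2-nistp") && len(fs) == 3 && typ == "ecdsa-sha2-"+string(fs[1]): // curve, Q
		bits, _ = strconv.Atoi(strings.TrimPrefix(typ, "ecdsa-sha2-nistp"))
		return "ecdsa", bits, nil
	case typ == "ssh-ed25519" && len(fs) == 2 && len(fs[1]) == 32: // raw 32-byte key
		return "ed25519", 256, nil
	}
	return "", 0, fmt.Errorf("unsupported or malformed key %q", f[0])
}

// KeyAllowed parses a key line and applies its family's restriction.
func KeyAllowed(line string, restrictions map[string]Restriction) (bool, error) {
	family, bits, err := KeySize(line)
	if err != nil {
		return false, err
	}
	return restrictions[family].Allows(bits)
}

// sample frames constructed fields as a key line: real wire framing around placeholder
// numbers (2^(n-1) moduli, all-zero points). This is NOT real key material.
func sample(typ string, fields ...[]byte) string {
	var blob []byte
	for _, f := range append([][]byte{[]byte(typ)}, fields...) {
		blob = append(binary.BigEndian.AppendUint32(blob, uint32(len(f))), f...)
	}
	return typ + " " + base64.StdEncoding.EncodeToString(blob) + " constructed@example"
}

// mpint encodes 2^(n-1) as an RFC 4251 mpint; n is a multiple of 8 here, so the high bit
// is set and the leading 0x00 that keeps the value positive is required.
func mpint(n int) []byte { return append([]byte{0}, new(big.Int).Lsh(big.NewInt(1), uint(n-1)).Bytes()...) }

// SampleKeys are the constructed inputs: one key per family at both sides of the defaults.
func SampleKeys() map[string]string {
	return map[string]string{
		"rsa-2048":   sample("ssh-rsa", mpint(16), mpint(2048)),
		"rsa-4096":   sample("ssh-rsa", mpint(16), mpint(4096)),
		"ecdsa-p256": sample("ecdsa-sha2-nistp256", []byte("nistp256"), make([]byte, 65)),
		"ecdsa-p384": sample("ecdsa-sha2-nistp384", []byte("nistp384"), make([]byte, 97)),
		"ed25519":    sample("ssh-ed25519", make([]byte, 32)),
	}
}
```

To try it, call KeyAllowed(line, DefaultRestrictions) for each line of SampleKeys() (or of an authorized_keys file) from a main of your own: rsa-2048 and ecdsa-p256 are rejected, rsa-4096, ecdsa-p384 and ed25519 are accepted. Two design choices matter for a policy check like this: the blob is parsed strictly (a type prefix that contradicts the blob, a wrong field count or a truncated field is an error, not a guess), and an unknown restriction string is an error rather than a silent "accept", so a typo in the configuration cannot widen the policy.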

Preparation Messages

In some cases the connection is not available instantly. If the Docker environment is used and an image has to be downloaded first, for example, this can take a few seconds. In these cases different parts of Bifröst may trigger the messages described here. By default all of them are displayed as described below.

Because this is an array of preparation messages, the first entry that matches wins.

Configuration

id

Regex = ".*"

Each preparation process has a unique ID (like pull-image of the Docker environment).

This property defines a regular expression this ID has to match, in addition to flow.

flow

Regex = ".*"

Each preparation process is produced by a flow.

This property defines a regular expression the name of that flow has to match, in addition to id.

start

string Preparation Process = "{{.title}}..."

This message is shown when a preparation process starts.

update

string Preparation Process = "\r{{.title}}... {{.percentage | printf `%.0f%%`}}"

This message is shown on each status change of a preparation process.

end

string Preparation Process = "\r{{.title}}... DONE!\n"

This message is shown if the preparation process finishes successfully.

error

string Preparation Process = "\r{{.title}}... FAILED! Contact server operator for more information. Disconnecting now...\n"

This message is shown if the preparation process finishes with an error. As a direct consequence, Bifröst closes the connection immediately.

Examples

Show a special message for the pull-image process (all flows), but the default for the rest:

```yaml
preparationMessages:
  - id: ^pull-image$
    # {{.image}} is NOT part of the common set of properties of
    # a Preparation Message; it is specific to this message.
    # Please visit the details of each Preparation Message type
    # for details.
    start: "Going to download image {{.image}}..."
    update: "\rGoing to download image {{.image}}... {{.percentage | printf `%.0f%%`}}"
    end: "\rImage {{.image}} downloaded.\n"
    error: "\rFailed to download image {{.image}}.\n"
  - {} # Entry with all default values as mentioned above
```

Disable messages completely, for all preparation processes:

```yaml
preparationMessages:
  - start: ""
    update: ""
    end: ""
    error: ""
```
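The following is an added example, not Bifröst's own code, that works through the two rules the examples above rely on: "the first entry that matches wins" for the id and flow patterns, and rendering of the start/update/end/error templates with the process's properties. It assumes the templates are Go text/template sources (the `printf` pipeline in the page's defaults is that syntax), that patterns behave like Go regular expressions, which match anywhere in the string unless anchored, and that an unset message falls back to the default while an explicitly empty one shows nothing, which is how the two examples above read. The process ids, properties and the image name are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Message is one preparationMessages entry. ID and Flow are regular expressions; an empty
// pattern matches everything, exactly like the documented default ".*". Text holds the
// start/update/end/error templates: a missing key is "not set" and falls back to the
// default, "" is an explicit empty message that shows nothing (assumption of this example).
type Message struct {
	ID, Flow string
	Text     map[string]string
}

// Defaults are the values listed under Configuration for preparation messages.
var Defaults = Message{
	ID: ".*", Flow: ".*",
	Text: map[string]string{
		"start":  "{{.title}}...",
		"update": "\r{{.title}}... {{.percentage | printf `%.0f%%`}}",
		"end":    "\r{{.title}}... DONE!\n",
		"error":  "\r{{.title}}... FAILED! Contact server operator for more information. Disconnecting now...\n",
	},
}

// Resolve returns the first entry whose id and flow patterns both match, with unset
// messages filled from Defaults ("the first which matches wins"). A nil result means no
// entry matched, so nothing is shown. Matching is unanchored, hence ^pull-image$ above.
func Resolve(entries []Message, id, flow string) (*Message, error) {
	for _, e := range entries {
		idRe, err := regexp.Compile(e.ID)
		if err != nil {
			return nil, fmt.Errorf("id pattern %q: %w", e.ID, err)
		}
		flowRe, err := regexp.Compile(e.Flow)
		if err != nil {
			return nil, fmt.Errorf("flow pattern %q: %w", e.Flow, err)
		}
		if !idRe.MatchString(id) || !flowRe.MatchString(flow) {
			continue
		}
		resolved := Message{ID: e.ID, Flow: e.Flow, Text: map[string]string{}}
		for phase, def := range Defaults.Text {
			if text, set := e.Text[phase]; set {
				resolved.Text[phase] = text
			} else {
				resolved.Text[phase] = def
			}
		}
		return &resolved, nil
	}
	return nil, nil
}

// Render executes one phase's template ("start", "update", "end" or "error") with the
// process's properties (title and percentage always; a process type may add its own, such
// as .image for pull-image). A property the template references but the process does not
// supply is an error, so a mismatched custom message fails loudly instead of printing
// "<no value>" to the user.
func Render(m *Message, phase string, props map[string]any) (string, error) {
	if _, known := Defaults.Text[phase]; !known {
		return "", fmt.Errorf("unknown phase %q", phase)
	}
	if m == nil || m.Text[phase] == "" {
		return "", nil
	}
	t, err := template.New(phase).Option("missingkey=error").Parse(m.Text[phase])
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, props); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ExampleConfig is the page's first example: special text for pull-image in every flow,
// defaults for everything else. SilentConfig is the second: every message explicitly empty.
var ExampleConfig = []Message{
	{ID: "^pull-image$", Text: map[string]string{
		"start":  "Going to download image {{.image}}...",
		"update": "\rGoing to download image {{.image}}... {{.percentage | printf `%.0f%%`}}",
		"end":    "\rImage {{.image}} downloaded.\n",
		"error":  "\rFailed to download image {{.image}}.\n",
	}},
	{}, // entry with all default values
}
var SilentConfig = []Message{{Text: map[string]string{"start": "", "update": "", "end": "", "error": ""}}}

func main() {
	m, _ := Resolve(ExampleConfig, "pull-image", "default") // constructed id, flow and properties
	fmt.Println(Render(m, "update", map[string]any{"title": "Pulling image", "percentage": 42.0, "image": "alpine:3.20"}))
}
```

Running it renders the custom update line for pull-image ("\rGoing to download image alpine:3.20... 42%"), while an id such as pull-image-layer falls through to the all-defaults entry. The percentage must be a floating-point number for `printf "%.0f%%"` to format it; and because the custom pull-image texts reference .image, rendering them for a process that does not carry that property is reported as an error rather than shown to the user with a placeholder.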

Compatibility

  • Linux: supported
  • Windows: supported