
Flows

A flow describes the path of a user's session from authorization into the active environment. Unlike most SSH servers, Bifröst is not limited to a single flow: it can evaluate one or more of them. This is comparable to the virtual hosting that HTTP servers implement, except that here the selection is based on the combination of the requesting user name (see Requirement, below) and the authorization the user is able to fulfill.

For each configured flow, in the configured order, Bifröst evaluates the following checks. If one of them fails, Bifröst stops evaluating the current flow and moves on to the next one, as long as further candidates are available:

  1. Does a matching session already exist? If yes: execute immediately into the environment of that session and skip the remaining checks.
  2. Is the requirement fulfilled?
  3. Is the user successfully authorized?
  4. Is the configured environment able to handle the current connection and authorization?
  5. Is it possible to create a session for the combination of connection, authorization and environment?

Configuration

name

Defines the unique name of the flow. It is used in logs, as the reference that stored sessions point to, and so on.

Warning

Changing this value later breaks all existing sessions, because they reference the flow by this name.

requirement

See Requirement, below.

authorization

Will be evaluated to ensure the requesting user is allowed to access the environment of this flow.

environment

Once the requirement is fulfilled and the user is successfully authorized, the user is executed into this environment.

Example

flows:
  - name: sso
    requirement:
      includedRequestingName: ^sso$
    authorization:
      type: oidc
      # ...
    environment:
      type: local
      # ...

  - name: local
    authorization:
      type: local
      # ...
    environment:
      type: local
      # ...

Requirement

The requirement must be fulfilled even before the authorization is evaluated: a flow whose requirement is not met is skipped without any authorization attempt.

Configuration

includedRequestingName

Type: Regex (default: "")

If this property is set, the requesting name (the <requesting name> in ssh <requesting name>@my-host.tld) must match this regular expression. If empty, every requesting name is included.

Warning

Anchor the expression with ^ and $ to force a full match. An unanchored pattern also matches any name that merely contains it: sso would match my-sso-2, while ^sso$ does not.

excludedRequestingName

Type: Regex (default: "")

If this property is set, the requesting name (the <requesting name> in ssh <requesting name>@my-host.tld) must NOT match this regular expression. If empty, nothing is excluded.

Warning

Anchor the expression with ^ and $ to force a full match. An unanchored pattern also excludes any name that merely contains it: root would exclude rootless, while ^root$ does not.

Example

requirement:
  includedRequestingName: ^foo$
  excludedRequestingName: ^bar$
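The following is an added example, not code from Bifröst itself, that models two things from this page in Go (the language Bifröst is written in): the fall-through evaluation of configured flows described at the top, and the included/excluded requesting-name requirement with the anchoring caveat. `Requirement`, `Flow`, `SelectFlow`, `exampleFlows` and the `Authorize`/`EnvironmentAccepts` callbacks are all hypothetical stand-ins invented for this example; the existing-session shortcut (check 1) and session creation (check 5) are left out because they need server state the page does not describe. The two flows in `exampleFlows` follow the configuration example above, with constructed authorizers: the sso flow pretends OIDC authorizes anyone who requests the name sso, the local flow pretends only alice has a local account.

```go
package main

import (
	"fmt"
	"regexp"
)

// Requirement mirrors includedRequestingName / excludedRequestingName.
// An empty pattern means "no restriction", as documented on this page.
type Requirement struct {
	IncludedRequestingName string
	ExcludedRequestingName string
}

// Fulfilled reports whether the requesting name (the part before "@" in
// "ssh <requesting name>@my-host.tld") satisfies the requirement.
// regexp.MatchString is not anchored: a pattern without ^ and $ also matches
// names that merely contain it, which is what the warnings above are about.
func (r Requirement) Fulfilled(requestingName string) (bool, error) {
	if r.IncludedRequestingName != "" {
		ok, err := regexp.MatchString(r.IncludedRequestingName, requestingName)
		if err != nil {
			return false, fmt.Errorf("includedRequestingName: %w", err)
		}
		if !ok {
			return false, nil
		}
	}
	if r.ExcludedRequestingName != "" {
		ok, err := regexp.MatchString(r.ExcludedRequestingName, requestingName)
		if err != nil {
			return false, fmt.Errorf("excludedRequestingName: %w", err)
		}
		if ok {
			return false, nil
		}
	}
	return true, nil
}

// Flow is a simplified, hypothetical model of one configured flow. Authorize and
// EnvironmentAccepts stand in for the real authorization and environment types.
type Flow struct {
	Name               string
	Requirement        Requirement
	Authorize          func(requestingName string) bool
	EnvironmentAccepts func(requestingName string) bool
}

// SelectFlow walks the flows in configured order and returns the name of the
// first one whose requirement, authorization and environment checks all pass,
// or "" when no flow accepts the connection.
func SelectFlow(flows []Flow, requestingName string) (string, error) {
	for _, f := range flows {
		ok, err := f.Requirement.Fulfilled(requestingName)
		if err != nil {
			return "", fmt.Errorf("flow %q: %w", f.Name, err)
		}
		if !ok || !f.Authorize(requestingName) || !f.EnvironmentAccepts(requestingName) {
			continue // a check failed: give up on this flow and try the next candidate
		}
		return f.Name, nil
	}
	return "", nil
}

// exampleFlows builds the two flows of the configuration example above with
// constructed stand-in authorizers (not real OIDC or local authorization).
func exampleFlows() []Flow {
	anyone := func(string) bool { return true }
	return []Flow{
		{Name: "sso", Requirement: Requirement{IncludedRequestingName: "^sso$"},
			Authorize: anyone, EnvironmentAccepts: anyone},
		{Name: "local", Authorize: func(n string) bool { return n == "alice" },
			EnvironmentAccepts: anyone},
	}
}

func main() {
	flows := exampleFlows()
	for _, name := range []string{"sso", "alice", "bob"} {
		selected, err := SelectFlow(flows, name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ssh %s@my-host.tld -> flow %q\n", name, selected)
	}
	// Anchoring matters: "sso" also accepts my-sso-2, "^sso$" does not.
	for _, pattern := range []string{"sso", "^sso$"} {
		ok, _ := Requirement{IncludedRequestingName: pattern}.Fulfilled("my-sso-2")
		fmt.Printf("includedRequestingName %q matches %q: %v\n", pattern, "my-sso-2", ok)
	}
}
```

Running it shows sso landing in the sso flow, alice falling through to the local flow because ^sso$ does not match her, and bob getting no flow at all because neither authorizer accepts him. An invalid regular expression is reported as an error rather than silently treated as a non-match, so a typo in a requirement cannot quietly open a flow to everyone.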
