Home

Awesome

Bastion — jump host (gate) based on OpenSSH Server (sshd)

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generallyhosts a single application, for example a proxy server, and all otherservices are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose,which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks orcomputers.


AWS Bastion

Useful cases

Bastion is an isolated Docker image that can work as a link between Public and Private network. It can be also useful for reverse SSH tunneling for a host behind a NAT. This image based on Alpine Linux last version.

Usage

Describing ENV variables

Run Bastion and expose port 22222 to outside a host machine

The container assumes your authorized_keys file with 644 permissions and mounted under /var/lib/bastion/authorized_keys.

Docker example:

$ docker volume create bastion
$ docker run -d \
    --name bastion \
    --hostname bastion \
    --restart unless-stopped \
    -v $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro \
    -v bastion:/usr/etc/ssh:rw \
    --add-host docker-host:172.17.0.1 \
    -p 22222:22/tcp \
    -e "PUBKEY_AUTHENTICATION=true" \
    -e "GATEWAY_PORTS=false" \
    -e "PERMIT_TUNNEL=false" \
    -e "X11_FORWARDING=false" \
    -e "TCP_FORWARDING=true" \
    -e "AGENT_FORWARDING=true" \
    binlab/bastion

Docker-compose example:

version: "3.6"
services:
  bastion:
    image: binlab/bastion
    container_name: bastion
    hostname: bastion
    restart: unless-stopped
    expose:
      - 22/tcp
    ports:
      - 22222:22/tcp
    environment:
      PUBKEY_AUTHENTICATION: "true"
      GATEWAY_PORTS: "false"
      PERMIT_TUNNEL: "false"
      X11_FORWARDING: "false"
      TCP_FORWARDING: "true"
      AGENT_FORWARDING: "true"
    volumes:
      - $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro
      - bastion:/usr/etc/ssh:rw
    extra_hosts:
      - docker-host:172.17.0.1
    networks:
      - bastion

networks:
  bastion:
    driver: bridge
    
volumes:
  bastion:

* When you are run Bastion container first time it generates dsa, ecdsa, ed25519 and rsa key pair and saves them in permanent volume bastion, When you need to regenerate key pair, you should remove volume bastion.

1. Connect to Bastion


$ sudo usermod -aG docker <your_user>
$ mkdir $HOME/docker 
$ cd $HOME/docker
$ git clone https://github.com/binlab/docker-bastion.git
$ cd docker-bastion
$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f $HOME/.ssh/id_rsa
$ cat $HOME/.ssh/id_rsa.pub > $PWD/.bastion_keys
$ docker-compose up
$ ssh -i $HOME/.ssh/id_rsa -p 22222 bastion@127.0.0.1
user@localhost:~$ ssh -p 22222 bastion@127.0.0.1
The authenticity of host '[127.0.0.1]:22222 ([127.0.0.1]:22222)' can't be established.
ECDSA key fingerprint is 
SHA256:********************************************
ECDSA key fingerprint is MD5:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:22222' (ECDSA) to the list of known hosts.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

bastion:~$ 

2. Connect to Host through Bastion


To achieve this you should add your private key to SSH agent and turn on ForwardAgent in ~/.ssh/config or from a command line via flag -A

-A option enables forwarding of the authentication agent connection.

It means that, it forwards your SSH auth schema to the remote host. > So you can use SSH over there as if you were on your local machine.

$ ssh-add $HOME/.ssh/id_rsa
$ ssh -A -J bastion@127.0.0.1:22222 <your_user>@docker-host

3. Connect to another container with SSH through Bastion


$ ssh -A -J bastion@127.0.0.1:22222 bastion@docker-ssh