Bastions are a cluster of machines used as the unique entry point by operational teams (such as sysadmins, developers, database admins, ...) to securely connect to devices (servers, virtual machines, cloud instances, network equipment, ...), usually using
Bastions provides mechanisms for authentication, authorization, traceability and auditability for the whole infrastructure.
Learn more by reading the blog post series that announced the release:
Please see the online documentation, or the corresponding text-based version found in the
This is a good way to test The Bastion within seconds, but read the FAQ if you're serious about using containerization in production.
The sandbox image is available for the following architectures: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le, linux/s390x.
Let's run the docker image:
docker run -d -p 22 --name bastiontest ovhcom/the-bastion:sandbox
Get your public SSH key at hand, then configure the first administrator account:
docker exec -it bastiontest /opt/bastion/bin/admin/setup-first-admin-account.sh poweruser auto
We're now up and running with the default configuration! Let's setup a handy bastion alias, and test the
PORT=$(docker port bastiontest | cut -d: -f2) alias bastion="ssh [email protected] -tp $PORT -- " bastion --osh info
It should greet you as being a bastion admin, which means you have access to all commands. Let's enter interactive mode:
This is useful to call several
--osh plugins in a row. Now we can ask for help to see all plugins:
If you have a remote machine you want to try to connect to through the bastion, fetch your egress key:
Copy this public key to the remote machine's
authorized_keys under the
.ssh/ folder of the account you want to connect to, then:
$> selfAddPersonalAccess --host <remote_host> --user <remote_account_name> --port-any $> ssh <remote_account_name>@<remote_host>
Note that you can connect directly without using interactive mode, with:
That's it! Of course, there is a lot more to it, documentation is available under the
doc/ folder and online.
Be sure to check the help of the bastion (
bastion --help) and the help of each osh plugin (
bastion --osh command --help).
Also don't forget to customize your
bastion.conf file, which can be found in
/etc/bastion/bastion.conf (for Linux).
Linux distros below are tested with each release, but as this is a security product, you are warmly advised to run it on the latest up-to-date stable version of your favorite OS:
*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of
pam-google-authenticator, or both. Of course, you may compile those yourself.
Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments.
The following OS are also tested with each release:
**: Note that these have partial MFA support, due to their reduced set of available
pam plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0.
Other BSD variants, such as OpenBSD and NetBSD, are unsupported as they have a severe limitation over the maximum number of supplementary groups, causing problems for group membership and restricted commands checks, as well as no filesystem-level ACL support and missing PAM support (hence no MFA).
Nothing fancy is needed either on the ingress or the egress side of The Bastion to make it work.
In other words, only your good old
ssh client is needed to connect through it, and on the other side, any standard
sshd server will do the trick. This includes, for example, network devices on which you may not have the possibility to install any custom software.
Even with the most conservative, precautionous and paranoid coding process, code has bugs, so it shouldn't be trusted blindly. Hence the bastion doesn't trust its own code. It leverages the operating system security primitives to get additional security, as seen below.
Uses the well-known and trusted UNIX Discretionary Access Control:
The bastion main script is declared as the bastion user's system shell:
bash-like) shell access on the system
The code is modular
sshaccess to other machines
All the code needing extended system privileges is separated from the main code, in modules called helpers
sudoersconfiguration is attached to a system group specific to the command, which is granted to accounts on a need-to-use basis
-T) is used for all code running under
sudo, preventing any user-input to interfere with the logic, by halting execution immediately
sudodoesn't trust its caller and re-checks every input
A protocol break is operated between the ingress and the egress side, rendering most protocol-based vulnerabilities ineffective
syslog, which should also be sent to a remote syslog server to ensure even bastion administrators can't tamper their tracks, and/or
sqlite3databases for easy searching
ttyrec, helper scripts are provided to encrypt and push these records on a remote escrow filer
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.