
SSH Bastion Docker image

DevOps Ssh
This project is not in active development anymore


Usage

The following variables are used below:

  • $JUMPER_PORT - the SSH port used for jumping to other hosts. Port 22 will most likely be taken by the host's own SSH daemon, so use a different port, for example 10022.
  • $JUMPER_HOST - the host that acts as the bastion; it may be a dedicated server or part of your cluster. The examples use localhost.
  • $JUMPER_USER - the user that logs in to this host, something like developer or admin. By default it is jumper.

So the defaults are:

JUMPER_PORT=10022
JUMPER_HOST=localhost
JUMPER_USER=jumper

Quick way

  1. Create your own image based on this image, with the following files:

    Dockerfile:

    FROM docker.pkg.github.com/soar/sshbastion/sshbastion:latest

    homefs/.ssh/authorized_keys (one public key per line):

    ssh-rsa AAAA... your first user rsa key
    ssh-rsa AAAA... your second user rsa key

  2. Build and run your image:

    docker build -t mybastion .
    docker run -p $JUMPER_PORT:$JUMPER_PORT -it mybastion

  3. Test it with the commands from the Connecting section

  4. Deploy it on your infrastructure
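The authorized_keys file above takes keys verbatim, which gives every listed developer a full shell on the bastion. A jump host only needs to forward TCP, so each key line can carry the restrict option (no PTY, no agent or X11 forwarding, no ~/.ssh/rc), with port-forwarding re-enabled and permitopen limiting the destinations each key may reach. The script below is an added example and is not code from the sshbastion project: it renders such lines and checks a rendered file for keys that slipped in unrestricted. The keys and host names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the sshbastion image. Renders hardened
# authorized_keys lines for a jump-only user and checks a file for key
# lines that lack the restrict option. Keys and hosts are placeholders.

# bastion_key_line PUBKEY 'host:port host:port ...'
# Prints one authorized_keys line: restrict (disables pty, agent/X11
# forwarding and rc files), port-forwarding (re-enables -L / -W) and one
# permitopen per allowed destination. permitopen takes literal host names
# or addresses only; sshd accepts "*" for the port but not for the host.
bastion_key_line() {
    pubkey=$1
    targets=$2
    opts="restrict,port-forwarding"
    for t in $targets; do
        opts="$opts,permitopen=\"$t\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# check_restricted_keys < authorized_keys
# Returns 0 when every key line begins with an options field that contains
# "restrict", 1 otherwise. Blank lines and comments are skipped. Options
# with quoted spaces (e.g. command="a b") are not handled by this check.
check_restricted_keys() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        first=${line%% *}
        case $first in
            ssh-*|ecdsa-*|sk-*)
                echo "key without options: $line" >&2
                return 1 ;;
        esac
        case ",$first," in
            *,restrict,*) ;;
            *) echo "options lack restrict: $line" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo: two users, each limited to the destinations they actually need
# (constructed placeholder keys).
bastion_key_line 'ssh-ed25519 AAAAC3placeholder1 dev1' \
    'anotherhost.example.com:22 anotherhost.example.com:3306'
bastion_key_line 'ssh-ed25519 AAAAC3placeholder2 dev2' \
    'anotherhost.example.com:22'
```

Redirect the output into homefs/.ssh/authorized_keys and run check_restricted_keys over the file in your image build to fail it when someone appends a bare key. A user whose key is limited with permitopen can still run commands on the bastion itself, so keep that host minimal.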

Connecting

With port forwarding

  1. Establish a connection to the bastion host and open a local port

    ssh -N -L $LP:$TARGET_HOSTNAME:$TARGET_PORT -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST

    where:

    • -N - do not execute a remote command; the session only carries the forwarded port
    • -L - local port forwarding mode
    • $LP - local port to open (1024 or higher if you are not root)
    • $TARGET_HOSTNAME - target hostname to connect to
    • $TARGET_PORT - target port to connect to
    • $JUMPER_PORT, $JUMPER_USER, $JUMPER_HOST - see above

    for example:

    # connect to another machine over SSH
    ssh -N -L 2022:anotherhost.example.com:22 -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST
    # connect to a remote MySQL server
    ssh -N -L 13306:anotherhost.example.com:3306 -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST
    
  2. Connect via the opened local port

    Now you can use any application forwarded in the previous step; just use localhost:$LP as the target. For example, for SSH:

    ssh -p $LP $REMOTE_USER@localhost
    

    where:

    • $LP - locally opened port from previous step
    • $REMOTE_USER - user to authenticate on target host
    • localhost - your own machine, where you started the tunnel

    for example:

    # connect to another machine over SSH
    ssh -p 2022 targetuser@localhost
    # connect to the remote MySQL server; use 127.0.0.1 rather than localhost,
    # because the mysql client treats "localhost" as a Unix-socket connection and ignores -P
    mysql -u root -h 127.0.0.1 -P 13306
    

With SSH proxy-command

SSH will open the tunnel for you automatically with the following command:

ssh -o ProxyCommand="ssh -W %h:%p -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST" targetuser@$TARGET_HOSTNAME

For example:

ssh -o ProxyCommand="ssh -W %h:%p -p 10022 jumper@localhost" targetuser@anotherhost.example.com
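On OpenSSH 7.3 and later the same hop is available as ProxyJump (-J on the command line), which does the -W ProxyCommand wiring for you and can live in ~/.ssh/config so that a plain ssh targetuser@anotherhost.example.com goes through the bastion. The function below is an added example, not something from the sshbastion project: it renders such a config from the variables above. The target pattern *.example.com and the identity file path are assumptions, and the bastion's own hostname is excluded from the target pattern so the jump host does not try to jump through itself.

```shell
#!/bin/sh
# Added example, not part of the sshbastion project: render an ssh_config
# fragment that routes a whole domain through the bastion with ProxyJump,
# the built-in equivalent of ProxyCommand "ssh -W %h:%p ...".

# render_ssh_config JUMPER_HOST JUMPER_PORT JUMPER_USER TARGET_PATTERN
# IdentitiesOnly keeps ssh from offering every key in the agent to the
# bastion; the IdentityFile path is an assumed name for the bastion key.
# "!JUMPER_HOST" excludes the bastion itself from the ProxyJump rule.
render_ssh_config() {
    cat <<EOF
Host bastion
    HostName $1
    Port $2
    User $3
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_bastion

Host $4 !$1
    ProxyJump bastion
EOF
}

# Defaults from the page; *.example.com is an assumed target pattern.
render_ssh_config localhost 10022 jumper '*.example.com'

# If ssh is installed, resolve the config without connecting: "ssh -G"
# prints the effective options, so you can confirm proxyjump and user
# before depending on the fragment.
if command -v ssh >/dev/null 2>&1; then
    tmp=$(mktemp)
    render_ssh_config localhost 10022 jumper '*.example.com' >"$tmp"
    ssh -G -F "$tmp" targetuser@anotherhost.example.com | grep -E '^(proxyjump|hostname|user) '
    rm -f "$tmp"
fi
```

Append the rendered fragment to ~/.ssh/config (or pass it with -F); the bastion's host key and the targets' host keys are checked as usual, and ssh -J jumper@localhost:10022 targetuser@anotherhost.example.com is the one-off form of the same thing.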

Environment variables

  • WHITELIST - comma-separated list of IP addresses (or ranges, in wildcard or CIDR form) allowed to connect.

    See the Match and Patterns sections of man 5 sshd_config.

    Examples:

    • 192.0.2.1
    • 192.0.2.1,192.0.2.2,192.0.2.3
    • 192.0.2.*,10.0.0.1
    • 192.0.2.0/24,10.0.0.0/24
    • 2001:db8::/32
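An environment variable is untrusted configuration input, so whatever turns WHITELIST into sshd settings should validate the entries before writing them into the daemon's config. The function below is an added example and not the image's own entrypoint logic; it assumes the whitelist is expressed as AllowUsers USER@HOST patterns, whose HOST part accepts the single addresses, wildcard patterns and CIDR ranges listed above and which, once set, makes sshd reject any login that matches no pattern.

```shell
#!/bin/sh
# Added example, not the sshbastion image's own entrypoint: turn a WHITELIST
# value into an sshd_config line. Assumption: the whitelist is expressed as
# "AllowUsers user@addr ...", so the same JUMPER_USER is allowed only from
# the listed sources and everyone else is refused.

# render_whitelist JUMPER_USER WHITELIST
# Prints "AllowUsers user@addr ..." or nothing when WHITELIST is empty
# (what the image does with an empty whitelist is not stated on the page).
# Returns 1 and prints nothing if an entry contains anything outside
# 0-9 a-f A-F . : / * ? - this is a character-class check that keeps
# hostnames, spaces and shell or config metacharacters out of sshd_config,
# not a full address parser.
render_whitelist() {
    user=$1
    rest=$2
    [ -n "$rest" ] || return 0
    out="AllowUsers"
    # Split on commas without for/IFS, so entries like 192.0.2.* are never globbed.
    while [ -n "$rest" ]; do
        case $rest in
            *,*) addr=${rest%%,*}; rest=${rest#*,} ;;
            *)   addr=$rest; rest= ;;
        esac
        addr=$(printf '%s' "$addr" | tr -d ' ')
        [ -n "$addr" ] || continue
        case $addr in
            *[!0-9a-fA-F.:/*?]*)
                echo "render_whitelist: rejecting entry '$addr'" >&2
                return 1 ;;
        esac
        out="$out $user@$addr"
    done
    printf '%s\n' "$out"
}

# Demo with the example values from the list above.
render_whitelist jumper '192.0.2.1,192.0.2.2,192.0.2.3'
render_whitelist jumper '192.0.2.*,10.0.0.1'
render_whitelist jumper '192.0.2.0/24,10.0.0.1'
render_whitelist jumper '2001:db8::/32'
```

Write the rendered line into sshd_config (or a file under an Include directive) and run sshd -t afterwards; the validation step matters because a value such as "10.0.0.1,$(reboot)" or one carrying a newline must never reach the daemon's configuration.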
Author
@soar
Senior SRE/DevOps engineer
