SSH Bastion Docker image

This project is not in active development anymore

soar/sshbastion

SSH-based bastion host implementation as Docker image

Dockerfile

Usage
#

Some variables will be used here:

$JUMPER_PORT - SSH port which will be used for jumping to another hosts. As port 22 most likely will be busy by system SSH daemon, we will use another port, for example 10022.
$JUMPER_HOST - host which will be used as bastion, it may be dedicated server or part of your cluster. For examples we will use localhost.
$JUMPER_USER - user which will be used to login on this host, something like developer or admin. By default it is jumper.

So, here is defaults:

1JUMPER_PORT=10022
2JUMPER_HOST=localhost
3JUMPER_USER=jumper

Quick way
#

Create your own image based on this image with following files:

Dockerfile:

1FROM docker.pkg.github.com/soar/sshbastion/sshbastion:latest

homefs/.ssh/authorized_keys:

1ssh-rsa AAAA... your first user rsa key
2ssh-rsa AAAA... your second user rsa key

Build and run your image:

1docker build -t mybastion .
2docker run -p $JUMPER_PORT:$JUMPER_PORT -it mybastion

Test it with commands above
Deploy it on your infrastructure

Connecting
#

With port forwarding
#

Establish connection to bastion-host and open local port

1ssh -N -L $LP:$TARGET_HOSTNAME:$TARGET_PORT -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST

where:

-N - not to try to allocate PTY
-L - local port redirection mode
$LP - local port to open (1024+ if you are not root)
$TARGET_HOSTNAME - target hostname to connect to
$TARGET_PORT - target port to connect to
$JUMPER_PORT, $JUMPER_USER, $JUMPER_HOST - see above

for example:

1# connect to another machine over SSH
2ssh -N -L 2022:anotherhost.example.com:22 -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST
3# connect to remote MySQL server
4ssh -N -L 13306:anotherhost.example.com:3306 -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST

Connect via opened local port Now you can use any application forwarded in previous step, just use localhost:$LP as target. For example for SSH:
```
1ssh -p $LP $REMOTE_USER@localhost
```
where:
- $LP - locally opened port from previous step
- $REMOTE_USER - user to authenticate on target host
- localhost - your address, where you’ve started tunnel
for example:
```
1# connect to another machine over SSH
2ssh -p 2022 targetuser@localhost
3# connect to remote MySQL server
4mysql -u root -h localhost -P 13306
```

With SSH proxy-command
#

SSH will open tunnel for you automatically with next command:

1ssh -o ProxyCommand="ssh -W %h:%p -p $JUMPER_PORT $JUMPER_USER@$JUMPER_HOST" targetuser@$TARGET_HOSTNAME

For example:

1ssh -o ProxyCommand="ssh -W %h:%p -p 10022 jumper@localhost" [email protected]

Environment variables
#

WHITELIST - comma-separated list of allowed IPs (or ranges in wildcard form) to connect.
See: man 5 sshd_config / Match or Patterns section
Examples:
- 192.0.2.1
- 192.0.2.1,192.0.2.2,192.0.2.3
- 192.0.2.*,10.0.0.1
- 192.0.2.0/24,10.0.0.0/24
- 2001:db8::/32

Author

@soar

Senior SRE/DevOps engineer

Usage#

Quick way#

Connecting#

With port forwarding#

With SSH proxy-command#

Environment variables#

Usage
#

Quick way
#

Connecting
#

With port forwarding
#

With SSH proxy-command
#

Environment variables
#