Create an `authorized_keys` file and add the public keys you wish to use for this bastion. Make the file publicly readable, or the user in the bastion container will not be able to read it:

```shell
chmod a+r authorized_keys
```
Put the options you want in an `sshd_config` file. Suggested options are in the `sshd_config.bastion` file in this repo.

Change the port to match the one specified in your `sshd_config`, then run the following command to start the bastion:
```shell
docker run --name bastion -d \
    --restart=unless-stopped \
    -v /some/path/you/like/authorized_keys:/home/dev/.ssh/authorized_keys:ro \
    -v /some/path/you/like/sshd_config:/etc/ssh/sshd_config:ro \
    -p 9022:9022 \
    ghcr.io/nfugal/bastion
```
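The two things that most often go wrong with the setup above are an `authorized_keys` file the unprivileged container user cannot read and a host port mapping that does not match the `Port` in `sshd_config`. The following pre-flight script is an added example, not part of the nfugal/bastion project: it checks that the key file is world-readable and that every key line carries a known OpenSSH key type, reads the port from your `sshd_config` (defaulting to 22 if none is set, as sshd does), and prints a `docker run` command whose `-p` mapping matches. The file paths and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the project's own code). Pre-flight checks for the
# bind-mounted authorized_keys and sshd_config before starting the bastion.
# Assumes sshd inside the container runs as the unprivileged 'dev' user,
# which is why authorized_keys must be readable by "other".

# Succeeds (exit 0) only if the file exists, is readable by others, and every
# non-blank, non-comment line contains a known OpenSSH key type followed by a
# base64 key blob. Options such as no-pty or from="..." may precede the type.
check_authorized_keys() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Column 8 of 'ls -l' is the "other read" bit (-rw-r--r-- -> 'r').
    if [ "$(ls -l "$f" | cut -c8)" != "r" ]; then
        echo "not world-readable: $f (run: chmod a+r $f)" >&2
        return 1
    fi
    keys=$(grep -Ev '^[[:space:]]*(#|$)' "$f") || true
    total=$(printf '%s\n' "$keys" | grep -c .) || true
    good=$(printf '%s\n' "$keys" | grep -Ec \
        '(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) AAAA[A-Za-z0-9+/]+=*') || true
    if [ "$total" -eq 0 ]; then
        echo "no keys found in $f" >&2
        return 1
    fi
    if [ "$good" -ne "$total" ]; then
        echo "$((total - good)) malformed key line(s) in $f" >&2
        return 1
    fi
    return 0
}

# Prints the Port from an sshd_config file (last one wins), or 22 if unset.
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { if (p == "") p = 22; print p }' "$1"
}

# Prints a docker run command whose host:container port mapping matches
# the Port configured in sshd_config. Arguments: authorized_keys sshd_config
bastion_run_cmd() {
    port=$(sshd_port "$2")
    printf 'docker run --name bastion -d --restart=unless-stopped \\\n'
    printf '    -v %s:/home/dev/.ssh/authorized_keys:ro \\\n' "$1"
    printf '    -v %s:/etc/ssh/sshd_config:ro \\\n' "$2"
    printf '    -p %s:%s ghcr.io/nfugal/bastion\n' "$port" "$port"
}

# Usage: sh preflight.sh /path/to/authorized_keys /path/to/sshd_config
if [ "$#" -ge 2 ]; then
    check_authorized_keys "$1" && bastion_run_cmd "$1" "$2"
fi
```

Run it with the two paths you intend to bind-mount; if the key file check fails the script exits non-zero and prints nothing, so it can gate a deployment step. The key-type check catches the common mistake of pasting a private key or a truncated line into `authorized_keys`, which sshd would silently ignore at login time.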
Or you can deploy the bastion using `docker-compose`:

```yaml
---
version: "3.7"
services:
  bastion:
    container_name: bastion
    image: ghcr.io/nfugal/bastion:latest
    restart: unless-stopped
    logging:
      driver: "json-file"
      options:
        max-size: "200k"
        max-file: "10"
    ports:
      - 9022:9022
    volumes:
      - /some/path/you/like/authorized_keys:/home/dev/.ssh/authorized_keys:ro
      - /some/path/you/like/sshd_config:/etc/ssh/sshd_config:ro
```
I prefer to use the bastion with the `ProxyJump` directive in a client's `~/.ssh/config` file. It is much less typing than specifying everything every single time you connect to a target host.

For example, placing the following in a client's `~/.ssh/config` would allow accessing `targetmachine1` through the bastion with a simple `ssh targetmachine1`, rather than the longer and more tedious to type `ssh -J dev@bastion.local.lan:9022 user@targetmachine1`. You can specify multiple target hosts, and many other things, in a client's `~/.ssh/config`:
```
### bastion host definition
Host bastion
    HostName bastion.local.lan
    Port 9022
    User dev
    AddressFamily inet

### endpoint definitions
Host targetmachine1
    HostName target1
    ProxyJump bastion

Host targetmachine2
    HostName target2
    ProxyJump bastion
```
The bastion does not run a firewall itself. Take care of that another way: on the Docker host, at the network edge, etc.
You can build the image yourself with the following commands:

```shell
git clone https://github.com/nfugal/bastion.git
docker build -t <fork-name-of-your-choice>/bastion bastion
```

With that done, you can use the `docker run` command or `docker-compose` file above by simply replacing the image name with your newly built image.
Thanks to chentmin for the original work. My version relies heavily on theirs.

This bastion is based on Alpine Linux v3. The security hardening script is based on and modified from this