# bastrd - bastion server for secure environments

`bastrd` builds on top of the ideas behind keymaker and toolbox to build a secure shared bastion server for restricted environments.

`bastrd` is in an early development stage.
## How does it work?

`bastrd` has 3 components:

- `bastrd sync`, an agent to sync AWS IAM groups and users to Linux
- `bastrd authorized-keys`, an SSH authorized keys command to authenticate the user login against AWS IAM registered SSH public keys and groups
- `bastrd toolbox`, a session wrapper for a customizable toolbox container; the user must provide an AWS IAM account MFA token for authentication and setup of the session-scoped credentials
## Toolbox features

The toolbox container has the following features:

- Validates MFA against the user's AWS IAM MFA device
- Creates temporary user session AWS credentials
- Writes the temporary credentials to `/home/<username>/.aws/` for ease of use
- Customizable session container image for advanced tools, check `Dockerfile.toolbox` for the default settings
- Session resuming, for easier recovery from connection issues
- SSH-agent forwarding (note: doesn't work on session resuming)
- Firewall rule to block containers from hijacking the AWS EC2 instance profile used by bastrd itself
- Reduced container capabilities for improved security, e.g., no socket binding
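The MFA validation, temporary credentials and `~/.aws/` write-out described above, as an added example that is not bastrd's own code: the STS call only runs under `__main__` and assumes `boto3` is installed and the device ARN is passed in `MFA_SERIAL` (both assumptions); the helpers are pure so they can be checked offline.

```python
"""Added example (not bastrd's code): MFA-gated temporary AWS credentials
written to ~/.aws/credentials, the way a toolbox session would set them up."""
import configparser
import io
import re

MFA_TOKEN_RE = re.compile(r"^\d{6}$")  # TOTP codes from an IAM virtual MFA device


def session_token_params(mfa_serial, token_code, duration_seconds=3600):
    """Build the sts:GetSessionToken arguments, rejecting bad input early.

    mfa_serial is the MFA device ARN, e.g. arn:aws:iam::123456789012:mfa/alice
    (placeholder account id). IAM users may request 900..129600 seconds."""
    if not MFA_TOKEN_RE.match(token_code):
        raise ValueError("MFA token must be exactly 6 digits")
    if not 900 <= duration_seconds <= 129600:
        raise ValueError("DurationSeconds must be between 900 and 129600")
    return {"DurationSeconds": duration_seconds,
            "SerialNumber": mfa_serial,
            "TokenCode": token_code}


def render_credentials_file(credentials, profile="default"):
    """Render the 'Credentials' dict returned by STS as an ~/.aws/credentials
    profile. The session token is what makes the key pair usable, and the
    triple expires at credentials['Expiration'], so nothing long-lived is
    written to the user's home."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    import getpass, os, boto3  # boto3 assumed available on the bastion host
    serial = os.environ["MFA_SERIAL"]  # assumed: device ARN of the logged-in user
    code = getpass.getpass("MFA token: ")
    resp = boto3.client("sts").get_session_token(**session_token_params(serial, code))
    path = os.path.expanduser("~/.aws/credentials")
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    # 0600: the temporary credentials are readable by the session user only
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(fd, "w") as f:
        f.write(render_credentials_file(resp["Credentials"]))
```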
## Installing on AWS with Terraform

This repository was configured to be used as a quick way to create a bastrd instance in your AWS environment; fork it and customize as necessary.

- Clone this repo
- Configure `main.tf` with your state and `terraform.tfvars` with your desired settings, then run `terraform init`
- Run `terraform apply` to bootstrap the CoreOS instance and set up the required AWS IAM groups
- Now wait a few minutes while your instance starts and connect to it via `ssh -A my-iam-username@$(terraform output)`
## Uninstall

- `terraform destroy` to remove the instance and related resources