Secure-Shell-Bastion (SSB) is a fully automated tool for generating jailed chroot environments for SSH users. This is most commonly referred to as an "SSH bastion": a single, secure endpoint where external users authenticate and then safely reach unexposed infrastructure (typically behind a firewall). SSB leverages the extremely lightweight and powerful features of Alpine Linux and musl to generate an entire chroot in less than 10MB. This means a single SSB can service hundreds of users safely on extremely small VMs (1 core, 512MB RAM, 10GB disk).
To create an isolated environment for each user, SSB uses chroot and the ChrootDirectory option in OpenSSH to confine each user to their own file system tree. Rather than soft or hard linking each binary, binaries are copied into each chroot, preventing user tampering and potential escape from the isolated file system tree. On a typical Linux system this can result in a fairly messy environment, but with musl each chroot can be kept extremely small.
SSB also uses a "double-key" model: a user uses their own private key to connect to the bastion, then a second, internal private key, generated by the bastion, to access the unexposed infrastructure. This results in extremely granular control over access to each VM while simultaneously removing the need for password authentication anywhere in the network.
Another critical feature of SSB is its ability to prevent unwanted tampering and access to unneeded binaries. Since a bastion by definition needs broad access to your network to serve users, it is critical to limit access to binaries that could be used to attack the infrastructure behind the bastion. For this reason, SSB provides only the following binaries in each chroot:
- ash
- ls
- date
- cp
- rm
- mv
- pwd
- cat
- echo
- mkdir
- touch
- grep
- sed
- vi
- ssh
- ssh-add
- ssh-keygen
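The two properties described above (OpenSSH's ownership rules for a ChrootDirectory, and the fixed binary allowlist) are easy to verify after the fact. The following audit helper is an added example, not part of SSB; it assumes each jail keeps its binaries in `<chroot>/bin`, which may differ from the layout SSB creates.

```sh
#!/bin/sh
# Added audit helper (not SSB's own code). Assumes binaries live in
# <chroot>/bin; adjust if your jail layout differs.
SSB_ALLOWED="ash ls date cp rm mv pwd cat echo mkdir touch grep sed vi ssh ssh-add ssh-keygen"

# Print every binary under ROOT/bin that is not on the SSB allowlist.
ssb_unexpected_bins() {
    for f in "$1"/bin/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case " $SSB_ALLOWED " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Print setuid/setgid files anywhere inside the jail; there should be none.
ssb_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# sshd refuses ChrootDirectory unless the directory (and every parent) is
# owned by root and not group/world writable. This checks ROOT itself.
# OWNER defaults to root; pass another name only for offline testing.
ssb_root_perms_ok() {
    owner=$(stat -c '%U' "$1") || return 1
    perms=$(stat -c '%a' "$1")
    [ "$owner" = "${2:-root}" ] || return 1
    [ $(( 0$perms & 022 )) -eq 0 ]
}

# Combined audit: returns 0 when clean, 1 when any finding was printed.
ssb_audit_chroot() {
    rc=0
    ssb_root_perms_ok "$1" "$2" || { echo "FAIL: ownership/permissions on $1"; rc=1; }
    extra=$(ssb_unexpected_bins "$1")
    [ -z "$extra" ] || { echo "FAIL: non-allowlisted binaries:"; echo "$extra"; rc=1; }
    suid=$(ssb_setuid_files "$1")
    [ -z "$suid" ] || { echo "FAIL: setuid/setgid files:"; echo "$suid"; rc=1; }
    return $rc
}
```

Run `ssb_audit_chroot /path/to/jail` as root for each account listed by `ssb --list`; a non-zero exit means the jail no longer matches what SSB is meant to provide.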
- Set up an Alpine Linux VM with access to your protected internal network.
- Ensure that all machines within the internal network, INCLUDING THE BASTION, use key-only authentication for SSH!
- Install SSB with:
  `curl https://raw.githubusercontent.com/JustinTimperio/secure-shell-bastion/master/bin/ssb_install.sh | sudo sh`
- Port forward your SSH port to an external port on your public IP.
- Set up your bastion users using the guide below.
| Option | Description | Example |
|---|---|---|
| `-l`, `--list` | List all jailed SSB user accounts | `sudo ssb --list` |
| `-n`, `--new_user` | Create a new jailed SSB user account | `sudo ssb --new_user USERNAME` |
| `-r`, `--remove_user` | Remove an existing jailed SSB user account | `sudo ssb --remove_user USERNAME` |
| `-ak`, `--add_key` | Open a user's authorized_keys file to add a new key | `sudo ssb --add_key USERNAME` |
| `-rk`, `--remove_key` | Remove all authorized_keys for a user, locking the account | `sudo ssb --remove_key USERNAME` |
| `-sp`, `--show_pub` | Show the internal public key for an SSB user | `sudo ssb --show_pub USERNAME` |
- First list all your SSB users and remove each account with
  `sudo ssb --remove_user USERNAME`
- Then run
  `sudo /opt/secure-shell-bastion/bin/ssb_remove.sh`