-
-
Notifications
You must be signed in to change notification settings - Fork 114
/
README.yaml
204 lines (137 loc) · 8.99 KB
/
README.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
---
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: bastion
# Logo for this project
#logo: docs/logo.png
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: cloudposse/bastion
# Badges to display
badges:
- name: "Latest Release"
image: "https://img.shields.io/github/release/cloudposse/bastion.svg"
url: "https://github.com/cloudposse/bastion/releases/latest"
- name: "Build & Test Status"
image: "https://github.com/cloudposse/bastion/actions/workflows/integration-tests.yml/badge.svg"
url: "https://github.com/cloudposse/bastion/actions/workflows/integration-tests.yml"
- name: "Slack Community"
image: "https://slack.cloudposse.com/badge.svg"
url: "https://slack.cloudposse.com"
# Short description of this project
description: |-
This is a secure/locked-down bastion implemented as a Docker Container. It uses Alpine Linux as the base image and ships with support for Google Authenticator & DUO MFA support.
It was designed to be used on Kubernetes together with [GitHub Authorized Keys](https://github.com/cloudposse/github-authorized-keys) to provide secure remote access to production clusters.
### MFA Setup & Usage
Here's a demo of what a user experiences when setting up Google Authenticator for the first time.
![Demo 1](docs/demo.gif)
When using Duo as the MFA provider, this becomes even more magical because Duo supports automatic Push notifications to your mobile device.
Just approve the request on your mobile phone (e.g. with a thumb press on iOS) when prompted.
### Slack Notifications
Here's what it looks like when someone connects to the bastion if Slack notifications are enabled.
![Demo 2](docs/slack.png)
We recommend using Slack notifications for self-reporting.
* Any time a user accesses production systems, they should reply to the slack notification to justify their remote access.
* A "buddy" should approve the login by adding a reaction (e.g. ✅).
* If no one approves the login, it should trigger an *incident response* to track down the unauthorized access.
quickstart: |-
Here's how you can quickly demo the `bastion`. We assume you have `~/.ssh/authorized_keys` properly configured and your SSH key (e.g. `~/.ssh/id_rsa`) added to your SSH agent.
```bash
$ docker run -it -p 1234:22 \
-e MFA_PROVIDER=google-authenticator \
-v ~/.ssh/authorized_keys:/root/.ssh/authorized_keys \
cloudposse/bastion
```
Now, in another terminal you should be able to run:
```bash
$ ssh root@localhost -p 1234
```
The first time you connect, you'll be asked to setup your MFA device. Subsequently, each time you connect, you'll be prompted to enter your MFA token.
# How to use this project
usage: |-
### Running
Refer to the [Environment Variables](#environment-variables) section below to tune how the `bastion` operates.
```bash
$ docker run -p 1234:22 cloudposse/bastion:latest
```
### Building
```bash
$ git clone https://github.com/cloudposse/bastion.git
$ cd bastion
$ make docker:build
```
### Testing
Run basic connection tests
```bash
$ make test
```
### Configuration
## Recommendations
* Do not allow `root` (or `sudo`) access to this container as doing so would allow remote users to manipulate audit-logs in `/var/log/sudo-io`
* Use the bastion as a "jump host" for accessing other internal systems rather than installing a lot of unnecessary stuff, which increases the overall attack surface.
* Sync the contents of `/var/log/sudo-io` to a remote, offsite location. If using S3, we recommend enabling bucket-versioning.
* Use [`github-authorized-keys](https://github.com/cloudposse/github-authorized-keys/) to automatically provision users; or use the [Helm chart](https://github.com/cloudposse/charts/tree/master/incubator/bastion).
* Bind-mount `/etc/passwd`, `/etc/shadow` and `/etc/group` into the container as *read-only*
* Bind-mount `/home` into container; the bastion does not manage authorized keys
#### Environment Variables
The following tables lists the most relevant environment variables of the `bastion` image and their default values.
##### Duo Settings
Duo is a enterprise MFA provider that is very affordable. Details here: https://duo.com/pricing
| ENV | Description | Default |
|-------------------|:----------------------------------------------------|:--------:|
| `MFA_PROVIDER` | Enable the Duo MFA provider | duo |
| `DUO_IKEY` | Duo Integration Key | |
| `DUO_SKEY` | Duo Secret Key | |
| `DUO_HOST` | Duo Host Endpoint | |
| `DUO_FAILMODE` | How to fail if Duo cannot be reached | secure |
| `DUO_AUTOPUSH` | Automatically send a push notification | yes |
| `DUO_PROMPTS` | How many times to prompt for MFA | 1 |
##### Google Authenticator Settings
Google Authenticator is a free & open source MFA solution. It's less secure than Duo because tokens are stored on the server under each user account.
| ENV | Description | Default |
|-------------------|:----------------------------------------------------|:---------------------:|
| `MFA_PROVIDER` | Enable the Google Authenticator provider | google-authenticator |
##### Enforcer Settings
The enforcer ensures certain conditions are satisfied. Currently, these options are supported.
| ENV | Description | Default |
|-------------------------------|:-------------------------------------------------------------|:--------:|
| `ENFORCER_ENABLED` | Enable general enforcement | `true` |
| `ENFORCER_CLEAN_HOME_ENABLED` | Erase dot files in home directory before starting session | `true` |
##### Slack Notifications
The enforcer is able to send notifications to a slack channel anytime there is an SSH login.
| ENV | Description | Default |
|----------------------------|:----------------------------------------------------|:---------:|
| `SLACK_ENABLED` | Enabled Slack integration | `false` |
| `SLACK_HOOK` | Slack integration method (e.g. `pam`, `sshrc`) | `sshrc` |
| `SLACK_WEBHOOK_URL` | Webhook URL | |
| `SLACK_USERNAME` | Slack handle of bot (defaults to short-dns name) | |
| `SLACK_TIMEOUT` | Request timeout | `2` |
| `SLACK_FATAL_ERRORS` | Deny logins if slack notification fails | `true` |
##### SSH Auditor
The SSH auditor uses [`sudosh`](https://github.com/cloudposse/sudosh/) to record entire SSH sessions (`stdin`, `stdout`, and `stderr`).
| ENV | Description | Default |
|-----------------------|:----------------------------------------------------|:------------:|
| `SSH_AUDIT_ENABLED` | Enable the SSH Audit facility | `true` |
This will require that users login with the `/usr/bin/sudosh` shell.
Update user's default shell by running the command: `usermod -s /usr/bin/sudosh $username`. By default, `root` will automatically be updated to use `sudosh`.
Use the `sudoreplay` command to audit/replay sessions.
#### User Accounts & SSH Keys
The `bastion` does not attempt to manage user accounts. We suggest using [GitHub Authorized Keys](https://github.com/cloudposse/github-authorized-keys) to provision user accounts and SSH keys. We provide a [chart](https://github.com/cloudposse/charts/tree/master/incubator/bastion) of how we recommend doing it.
### Extending
The `bastion` was written to be easily extensible.
You can extend the enforcement policies by adding shell scripts to `etc/enforce.d`. Any scripts that are `+x` (e.g. `chmod 755`) will be executed at runtime.
## Thanks
- [@neochrome](https://github.com/neochrome/docker-bastion), for providing a great basic bastion built on top of Alpine Linux
- [@aws](https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/), for providing detailed instructions on how to do SSH session logging.
- [@duo](https://duo.com/docs/duounix), for providing excellent documentation
- [@google](https://github.com/google/google-authenticator-libpam) for contributing Google Authenticator to the Open Source community
# Contributors to this project
contributors:
- name: "Erik Osterman"
github: "osterman"
- name: "Marji Cermak"
github: "marji"