A simple ssh bastion using public keys and google authenticator to keep things safe.
SSH host keys will be generated on demand upon launch. You might want to
store them in a separate data container to have them persist when upgrading
or similar. For this purpose the volume /etc/ssh
is defined and may used like:
$ docker volume create bastion-keys
$ docker run -v "bastion-keys:/etc/ssh" -p 2222:22 neochrome/bastion:latest
The user bastion
is used for connection:
$ ssh bastion@hostname
When connecting to the bastion, google-authenticator
will be run in order to
setup two-factor authentication unless existing settings are present.
If you want to share the generated authentication settings between multiple bastions or have them persisted when upgrading or similar, use a volume like this:
$ docker volume create bastion-ga
$ docker run -v "bastion-ga:/bastion" -p 2222:22 neochrome/bastion:latest
If you have existing authentication settings that you want to use, you may
mount those as /.google_authenticator
and they will be copied in place
upon launch.
You may also use a data container to handle both volumes (/etc/ssh
and /bastion
)
together. E.g:
$ docker create --name bastion-data neochrome/bastion:latest
$ docker run --volumes-from bastion-data -p 2222:22 neochrome/bastion:latest
In order to authenticate, public keys need to be made available to the bastion. This may be done in a couple of different ways:
- Bind mount your public key file or existing
authorized_keys
file as/authorized_keys
, the container will then copy theauthorized_keys
file in place and set correct permissions upon launch. - Create a derived image (
FROM neochrome/bastion:latest
) and add the key(s) to/bastion/authorized_keys
, don't forget to set owner tobastion:users
. - Use volume populated with a
/bastion/authorized_keys
file with correct ownership set and mounted as/bastion
. - Like 2, but managed in a data container.
The image comes without a /etc/motd
file. If you want one, you may either:
- Add one to a derived image.
- Mount one at
/motd
and then the container will copy it in place upon launch. - Mount one at
/etc/motd
.
- Fork it (https://github.com/neochrome/docker-bastion/fork)
- Create your feature branch (
git switch -c my-new-feature
) - Commit your changes (
git commit -am 'feat: some new feature'
), make sure to use https://www.conventionalcommits.org/. - Push to the branch (
git push origin my-new-feature
) - Create a new Pull Request
Releases are automated using Release Please.