bastrd builds on the ideas behind keymaker and toolbox to provide a secure shared bastion server for restricted environments.
⚠ bastrd is in an early development stage
How does it work?
bastrd has three components:
bastrd sync, an agent that syncs AWS IAM groups and users to Linux groups and users
bastrd authorized-keys, an SSH AuthorizedKeysCommand that authenticates a user's login against the SSH public keys registered for that user in AWS IAM and against the user's IAM group membership
bastrd toolbox, a session wrapper for a customizable toolbox container; the user must provide an AWS IAM MFA token, which is used both to authenticate and to set up session-scoped credentials
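The two IAM-backed decisions that bastrd sync and bastrd authorized-keys have to make, as an added example that is not bastrd's own code. It is written against FakeIAM, a constructed in-memory stand-in that exposes the method names and response shapes of the boto3 IAM client calls get_group, list_ssh_public_keys and get_ssh_public_key, so a real boto3.client("iam") can be passed in its place (pagination is omitted). The group names, user names, key IDs and keys are constructed sample data; the function names, the "bastrd-users" group and the LINUX_USERNAME rule are this example's assumptions, not bastrd's.

```python
"""Added example, not bastrd's own code: the two IAM-backed decisions that
bastrd sync and bastrd authorized-keys have to make, written against a small
in-memory stand-in for the boto3 IAM client. FakeIAM exposes the method names
and response shapes of boto3's get_group, list_ssh_public_keys and
get_ssh_public_key, so a real boto3.client("iam") can be passed in its place
(pagination is omitted). Group names, user names, key IDs and keys below are
constructed sample data."""
import re
import sys

# Linux usernames are stricter than IAM usernames (IAM also allows '@', '+', '=',
# ',' and '.'); refusing names that don't fit is safer than silently rewriting them.
LINUX_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client (bastrd-relevant calls only)."""

    def __init__(self, groups, keys):
        self._groups = groups  # group name -> list of IAM user names
        self._keys = keys      # user name -> list of (key id, status, key body)

    def get_group(self, GroupName):
        return {"Users": [{"UserName": u} for u in self._groups.get(GroupName, [])]}

    def list_ssh_public_keys(self, UserName):
        return {"SSHPublicKeys": [{"SSHPublicKeyId": k, "Status": s}
                                  for k, s, _ in self._keys.get(UserName, [])]}

    def get_ssh_public_key(self, UserName, SSHPublicKeyId, Encoding):
        for k, s, body in self._keys.get(UserName, []):
            if k == SSHPublicKeyId:
                return {"SSHPublicKey": {"SSHPublicKeyBody": body, "Status": s}}
        raise KeyError(SSHPublicKeyId)


def sync_plan(iam, group_names, managed_users):
    """The reconciliation bastrd sync has to do: which Linux accounts to create
    and which to remove so the accounts it manages match the IAM group members.
    Returns (to_create, to_remove, skipped); skipped are IAM names unusable on Linux."""
    wanted, skipped = set(), set()
    for group in group_names:
        for user in iam.get_group(GroupName=group)["Users"]:
            name = user["UserName"]
            (wanted if LINUX_USERNAME.match(name) else skipped).add(name)
    managed = set(managed_users)  # only accounts created by an earlier sync, never system users
    return sorted(wanted - managed), sorted(managed - wanted), sorted(skipped)


def authorized_keys(iam, username, allowed_groups):
    """What an AuthorizedKeysCommand should return for `username`: nothing unless
    the user is a member of an allowed IAM group, and then only the user's Active
    IAM SSH public keys. An empty result means sshd finds no matching key, so every
    failure path denies access."""
    if not LINUX_USERNAME.match(username):
        return []  # sshd passes %u verbatim; never hand odd names to the API
    members = {u["UserName"] for g in allowed_groups
               for u in iam.get_group(GroupName=g)["Users"]}
    if username not in members:
        return []
    lines = []
    for meta in iam.list_ssh_public_keys(UserName=username)["SSHPublicKeys"]:
        if meta["Status"] != "Active":
            continue  # a key deactivated in IAM must stop working at the next login
        key = iam.get_ssh_public_key(UserName=username, SSHPublicKeyId=meta["SSHPublicKeyId"],
                                     Encoding="SSH")["SSHPublicKey"]["SSHPublicKeyBody"]
        lines.append(key.strip())
    return lines


# Constructed sample account state: carol.jones is a valid IAM name but not a
# valid Linux one; alice has one active and one deactivated key; mallory has a
# key but is in no allowed group.
SAMPLE_IAM = FakeIAM(
    groups={"bastrd-users": ["alice", "bob", "carol.jones"], "bastrd-admins": ["alice"]},
    keys={
        "alice": [("APKAEXAMPLE0001", "Active", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey alice"),
                  ("APKAEXAMPLE0002", "Inactive", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleOldKey alice")],
        "mallory": [("APKAEXAMPLE0009", "Active", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleMalloryKey mallory")],
    },
)

if __name__ == "__main__":
    # Shape of an AuthorizedKeysCommand run: sshd passes the login name as %u and
    # reads keys from stdout. With a real client: authorized_keys(boto3.client("iam"), ...)
    login = sys.argv[1] if len(sys.argv) > 1 else "alice"
    print("\n".join(authorized_keys(SAMPLE_IAM, login, ["bastrd-users"])))
```

The design point is that both functions fail closed: an IAM name that does not fit Linux's rules is reported rather than mangled, and the key lookup prints nothing for a user outside the allowed groups, for a user with only deactivated keys, or for a malformed login name, which sshd treats as "no key matched".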
Toolbox features
The toolbox container has the following features:
Validates the MFA token against the user's AWS IAM MFA device
Creates temporary session AWS credentials for the user
Writes the temporary credentials to /home/<username>/.aws/ for ease of use
Customizable session container image for advanced tools; check Dockerfile.toolbox for the default settings
Session resuming, for easier recovery from connection issues
SSH-agent forwarding (note: doesn't work with session resuming)
Firewall rule to block containers from hijacking the AWS EC2 instance profile used by bastrd itself (the instance profile's credentials are served by the EC2 instance metadata service, so containers must not be able to reach it)
Reduced container capabilities for improved security, e.g., no socket binding
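The first three features above, MFA validation, session credentials and the credentials file, as an added stand-alone example that is not bastrd's own code. FakeIAM and FakeSTS are constructed stand-ins exposing the boto3 method names and response shapes used here (list_mfa_devices on the IAM client, get_session_token on the STS client); real boto3 clients can be passed instead. It assumes the STS client is configured with the user's long-term access key, which GetSessionToken requires (it rejects role and session credentials). The user name, MFA serial, token code, account ID and returned keys are constructed sample values, and the profile name "bastrd" is this example's choice.

```python
"""Added example, not bastrd's own code: the toolbox session setup as a
stand-alone script. It finds the user's IAM MFA device, checks the token
format, exchanges it for session-scoped credentials with STS GetSessionToken
and writes them to an AWS shared credentials file only the owner can read.
FakeIAM and FakeSTS are constructed stand-ins exposing the boto3 method names
and response shapes used here (list_mfa_devices, get_session_token); real
boto3 clients can be passed instead. All names, serials and keys are samples."""
import configparser
import os
import re
import stat
import tempfile
from datetime import datetime, timedelta, timezone

TOKEN_CODE = re.compile(r"^[0-9]{6}$")  # virtual and hardware TOTP devices emit 6 digits


class MFAError(Exception):
    """Raised when a session must not be started."""


class FakeIAM:
    def __init__(self, mfa_serials):
        self._serials = mfa_serials  # user name -> list of MFA device serial ARNs

    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"UserName": UserName, "SerialNumber": s}
                               for s in self._serials.get(UserName, [])]}


class FakeSTS:
    """Accepts the constructed (serial, code) pairs it was given; anything else fails."""

    def __init__(self, valid_pairs):
        self._valid = set(valid_pairs)

    def get_session_token(self, DurationSeconds, SerialNumber, TokenCode):
        if (SerialNumber, TokenCode) not in self._valid:
            raise MFAError("MultiFactorAuthentication failed with invalid MFA one time pass code.")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLESESSIONKEY",
                                "SecretAccessKey": "exampleSecretKeyDoNotUse",
                                "SessionToken": "exampleSessionToken",
                                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds)}}


def mfa_session(iam, sts, username, token_code, duration=3600):
    """Session credentials for username, or MFAError. `sts` must hold the user's
    long-term access key: GetSessionToken rejects role and session credentials,
    so the instance profile cannot be used for this call."""
    devices = iam.list_mfa_devices(UserName=username)["MFADevices"]
    if not devices:
        raise MFAError(f"{username} has no MFA device in IAM; refusing to start a session")
    if not TOKEN_CODE.match(token_code):
        raise MFAError("MFA token must be exactly 6 digits")
    response = sts.get_session_token(DurationSeconds=duration,
                                     SerialNumber=devices[0]["SerialNumber"],
                                     TokenCode=token_code)
    return response["Credentials"]


def try_session(iam, sts, username, token_code):
    """Credentials on success, None on any MFA failure (the wrapper then denies the session)."""
    try:
        return mfa_session(iam, sts, username, token_code)
    except MFAError:
        return None


def write_credentials(creds, path, profile="default"):
    """Write creds in ~/.aws/credentials format with mode 0600, so other users of
    the shared bastion cannot read the session token."""
    config = configparser.ConfigParser()
    config.read(path)  # preserve other profiles if the file already exists
    config[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                       "aws_secret_access_key": creds["SecretAccessKey"],
                       "aws_session_token": creds["SessionToken"]}
    os.makedirs(os.path.dirname(os.path.abspath(path)), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        config.write(f)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    return path


# Constructed sample account: alice has one virtual MFA device, and 123456 is the
# code the fake STS accepts "right now".
SAMPLE_IAM = FakeIAM({"alice": ["arn:aws:iam::123456789012:mfa/alice"]})
SAMPLE_STS = FakeSTS([("arn:aws:iam::123456789012:mfa/alice", "123456")])


def run_demo(path=None):
    """Full toolbox flow for alice; returns the profile read back and the file mode."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), ".aws", "credentials")
    write_credentials(mfa_session(SAMPLE_IAM, SAMPLE_STS, "alice", "123456"), path, "bastrd")
    read_back = configparser.ConfigParser()
    read_back.read(path)
    return dict(read_back["bastrd"]), stat.S_IMODE(os.stat(path).st_mode)
```

The file is created through os.open with an explicit 0600 mode and chmod'ed again afterwards, because on a shared bastion the credentials file in /home/<username>/.aws/ is exactly what another local user would go looking for; a user with no MFA device registered is refused outright rather than falling back to a session without MFA.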
Installing on AWS with Terraform
This repository is set up to be a quick way to create a bastrd instance in your AWS environment; fork it and customize as necessary.
Clone this repo
Configure main.tf with your state backend and terraform.tfvars with your desired settings, then run terraform init
Run terraform apply to bootstrap the CoreOS instance and set up the required AWS IAM groups
Wait a few minutes while the instance starts, then connect to it with ssh -A my-iam-username@$(terraform output). The -A flag forwards your SSH agent into the session; while you are connected, anyone with root on the shared bastion can use the forwarded agent, so only forward it when you need it.
Uninstall
Run terraform destroy to remove the instance and related resources