goBastion is a tool for managing SSH access, user roles, and keys on a bastion host. The project is currently under active development, and contributions are welcome!
π GitHub Repository: https://github.com/phd59fr/goBastion
π³ Docker Hub Image: https://hub.docker.com/r/phd59fr/gobastion
In goBastion, the database is the single source of truth for SSH keys and access management. This means that the system always reflects the state of the database. Any key or access added manually to the system without passing through the bastion will be automatically removed to maintain consistency.
-
Key Addition: When a user adds an SSH key, it is first validated and stored in the database. The bastion then automatically synchronizes the database with the system, adding the key to the appropriate location.
-
Automatic Synchronization (Not Implemented): The bastion periodically checks the system for any discrepancies. If it finds an SSH key not in the database, the key is immediately removed from the system to ensure security and consistency.
- Centralized Control: All modifications go through the bastion, ensuring tight access management.
- Enhanced Security: Unauthorized keys cannot remain on the system.
- State Consistency: The system always mirrors the database state.
- Audit and Traceability: Every change is recorded in the database.
- Fully Automated Management: No need for manual checks; synchronization handles everything.
- Easy Exportability: The system can be deployed on a new container effortlessly. Since the database is the source of truth, replicating it with synchronization scripts provides a functional bastion on a new instance.
| Command | Description |
|---|---|
π selfListIngressKeys |
List your ingress SSH keys (keys for connecting to the bastion). |
β selfAddIngressKey |
Add a new ingress SSH key. |
β selfDelIngressKey |
Delete an ingress SSH key. |
π selfListEgressKeys |
List your egress SSH keys (keys for connecting from the bastion to servers). |
π selfGenerateEgressKey |
Generate a new egress SSH key. |
π selfListAccesses |
List your personal server accesses. |
β selfAddAccess |
Add access to a personal server. |
β selfDelAccess |
Remove access to a personal server. |
π selfListAliases |
List your personal SSH aliases. |
β selfAddAlias |
Add a personal SSH alias. |
β selfDelAlias |
Delete a personal SSH alias. |
β selfRemoveHostFromKnownHosts |
Remove a host from your known_hosts file. |
| Command | Description |
|---|---|
π accountList |
List all user accounts. |
βΉοΈ accountInfo |
Show detailed information about a user account. |
β accountCreate |
Create a new user account. |
β accountDelete |
Delete a user account. |
βοΈ accountModify |
Modify a user account (promote/demote to admin/user). |
π accountListIngressKeys |
List the ingress SSH keys of a user. |
π accountListEgressKeys |
List the egress SSH keys of a user. |
π accountListAccess |
List all server accesses of a user. |
β accountAddAccess |
Grant a user access to a server. |
β accountDelAccess |
Remove a user's access to a server. |
π whoHasAccessTo |
Show all users with access to a specific server. |
| Command | Description |
|---|---|
βΉοΈ groupInfo |
Show detailed information about a group. |
π groupList |
List all groups. |
β groupCreate |
Create a new group. |
β groupDelete |
Delete a group. |
β groupAddMember |
Add a user to a group. |
β groupDelMember |
Remove a user from a group. |
π groupGenerateEgressKey |
Generate a new egress SSH key for the group. |
π groupListEgressKeys |
List all egress SSH keys associated with a group. |
π groupListAccesses |
List all accesses assigned to a group. |
β groupAddAccess |
Grant access to a group. |
β groupDelAccess |
Remove access from a group. |
β groupAddAlias |
Add a group SSH alias. |
β groupDelAlias |
Delete a group SSH alias. |
π groupListAliases |
List all group SSH aliases. |
| Command | Description |
|---|---|
π ttyList |
List available recorded SSH sessions (ttyrec). |
ttyPlay |
Replay a recorded SSH session. |
| Command | Description |
|---|---|
β help |
Display the help menu with available commands. |
βΉοΈ info |
Show application version and details. |
πͺ exit |
Exit the application. |
accountAddAccessaccountCreateaccountDelAccessaccountDeleteaccountInfoaccountListaccountListAccessaccountListIngressKeysaccountListEgressKeysaccountModifywhoHasAccessTogroupCreategroupDeletettyListttyPlay
| Permission | Owner | ACLKeeper | GateKeeper | Member |
|---|---|---|---|---|
groupAddAccess |
β | β | β | |
groupDelAccess |
β | β | β | |
groupAddMember |
β | β | ||
groupDelMember |
β | β | ||
groupGenerateEgressKey |
β | |||
groupInfo |
β | β | β | β |
groupList |
β | β | β | β |
groupListAccesses |
β | β | β | β |
groupListEgressKeys |
β | β | β | β |
selfAddAccessselfAddAliasselfAddIngressKeyselfDelAccessselfDelAliasselfDelIngressKeyselfGenerateEgressKeyselfListAccessesselfListAliasesselfListEgressKeysselfListIngressKeysselfRemoveHostFromKnownHosts
β Alias Priority Warning:
If an alias is defined by the user (selfAddAlias) and the group defines an alias with the same name (groupAddAlias), the user-defined alias always takes precedence
helpinfoexit
-
Clone the repository:
git clone https://github.com/phd59fr/goBastion.git cd goBastion -
Build the Docker container:
docker build -t gobastion . -
Run the Docker container:
docker run --name gobastion --hostname goBastion -d -p 2222:22 gobastion:latest
You can also use the official Docker Hub image:
docker run --name gobastion --hostname goBastion -d -p 2222:22 phd59fr/gobastion:latest
(optional) 3a. Launch the container with a volume to persist the database and ttyrec:
docker run --name gobastion --hostname goBastion -d -p 2222:22 \ -v /path/to/your/dbvolume:/var/lib/goBastion \ -v /path/to/your/ttyvolume:/app/ttyrec gobastion:latest
-
Create the first user:
docker exec -it gobastion /app/goBastion --firstInstall -
Simplified usage with an Alias (Optional):
alias gobastion='ssh -tp 2222 user@localhost --'
-
Connect to the bastion host (interactive mode):
ssh -tp 2222 user@localhost (or alias gobastion)(optional) 5a. Connect to the bastion host with a command (non-interactive mode):
ssh -tp 2222 user@localhost -- -osh selfListIngressKeys (or alias gobastion -osh selfListIngressKeys)(optional) 5b. Connect to the target host through the bastion:
ssh -tp 2222 user@localhost -- user@targethost (ssh options supported) (or alias gobastion user@targethost)
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. Hereβs how you can help:
- Report bugs
- Suggest features
- Submit pull requests
To contribute:
- Fork the project
- Create a new branch (
git checkout -b feature/YourFeature) - Commit your changes (
git commit -m 'Add YourFeature') - Push to the branch (
git push origin feature/YourFeature) - Open a pull request
This project is licensed under the MIT License.
A simple star on this project repo is enough to keep me motivated for days. If youβre excited about this project, let me know with a tweet. If you have any questions, feel free to reach out to me on X.