@mbrownnycnyc
Last active June 8, 2022 02:12
hashicorp boundary testing

hashicorp boundary dev mode

  1. install and start openssh server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType 'Manual'
netstat -ano | findstr :22
ssh [win local account]@localhost
  2. download boundary (the release directory also carries boundary_0.8.1_SHA256SUMS; compare the zip's SHA256 against it before unpacking)
mkdir c:\boundary
# append to the Machine-scope Path only; reading $env:Path here would copy User-scope entries into the Machine key
[Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\boundary", "Machine")
cd c:\boundary
# -OutFile is required: without it Invoke-WebRequest only returns the bytes and writes no zip for Expand-Archive to find
Invoke-WebRequest -UseBasicParsing https://releases.hashicorp.com/boundary/0.8.1/boundary_0.8.1_windows_amd64.zip -OutFile boundary_0.8.1_windows_amd64.zip
Expand-Archive .\boundary*_windows_amd64.zip -DestinationPath .
  3. WSL2 install + docker installation with WSL2 backend (boundary dev launches its Postgres database as a Docker container, so Docker must be running first)
  4. start boundary in dev mode (it will take a minute or so to start the first time as it populates keys in the local KMS, etc)
boundary dev
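
Steps 1-4 as one script, added here as an example and not part of the gist: it installs sshd, downloads the release zip together with HashiCorp's published SHA256SUMS file and refuses to unpack on a mismatch, fixes the PATH edit so only the Machine-scope value is touched, and checks that Docker is reachable before handing over to boundary dev. Assumptions: an elevated PowerShell 5.1+ prompt on Windows 10/11, Docker Desktop with the WSL2 backend already installed, the releases.hashicorp.com file layout, and that $SshUser (if supplied) is an existing local account; the parameter names are this example's own.

```powershell
# Added example (not from the gist): steps 1-4 with the download verified against
# HashiCorp's SHA256SUMS before Expand-Archive runs.
# Assumptions: elevated PowerShell 5.1+, Windows 10/11, Docker Desktop (WSL2 backend)
# installed and running, $SshUser an existing local account. URLs follow the
# releases.hashicorp.com layout; $Version/$InstallDir/$SshUser are this script's own names.
param(
    [string]$Version    = "0.8.1",
    [string]$InstallDir = "C:\boundary",
    [string]$SshUser                 # optional: local account to smoke-test sshd with
)
$ErrorActionPreference = "Stop"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# --- 1. OpenSSH server --------------------------------------------------------
if ((Get-WindowsCapability -Online -Name 'OpenSSH.Server*').State -ne 'Installed') {
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
}
Start-Service sshd
Set-Service -Name sshd -StartupType Manual
if (-not (Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)) {
    throw "sshd started but nothing is listening on :22"
}
if ($SshUser) { ssh "$SshUser@localhost" 'whoami' }   # interactive password prompt

# --- 2. Download Boundary and check the hash ----------------------------------
$base = "https://releases.hashicorp.com/boundary/$Version"
$zip  = "boundary_${Version}_windows_amd64.zip"
$sums = "boundary_${Version}_SHA256SUMS"
New-Item -ItemType Directory -Force -Path $InstallDir | Out-Null
Set-Location $InstallDir
Invoke-WebRequest -UseBasicParsing "$base/$zip"  -OutFile $zip
Invoke-WebRequest -UseBasicParsing "$base/$sums" -OutFile $sums

# SHA256SUMS lines are "<hex>  <filename>"; take the hex for our zip only.
$line = Get-Content $sums | Where-Object { $_ -match ('\s' + [regex]::Escape($zip) + '$') }
if (-not $line) { throw "no entry for $zip in $sums" }
$expected = ($line -split '\s+')[0].ToLower()
$actual   = (Get-FileHash -Algorithm SHA256 -Path $zip).Hash.ToLower()
if ($actual -ne $expected) {
    Remove-Item $zip
    throw "SHA256 mismatch for ${zip}: expected $expected, got $actual"
}
Expand-Archive -Path $zip -DestinationPath $InstallDir -Force

# Put the install dir on the Machine-scope Path without copying User-scope
# entries into it, and only once.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $InstallDir) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$InstallDir", 'Machine')
}
if (($env:Path -split ';') -notcontains $InstallDir) { $env:Path += ";$InstallDir" }

# --- 3./4. Docker must be reachable: boundary dev runs Postgres in a container --
docker info *> $null
if ($LASTEXITCODE -ne 0) { throw "docker is not reachable; start Docker Desktop (WSL2 backend) first" }
boundary version
Write-Host "Ready. Run 'boundary dev' in its own terminal; the first start takes a minute while keys are generated."
```

The SHA256SUMS file is only as trustworthy as the TLS connection it came over; HashiCorp also publishes a detached GPG signature (boundary_0.8.1_SHA256SUMS.sig) next to it, which is worth checking with their release key where gpg is available.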

  5. auth via the admin UI (these are the hard-coded dev-mode defaults, dev only):

http://127.0.0.1:9200
admin:password
  6. auth via CLI (passing -password on the command line leaves it in shell history and process listings; leave the flag off and the CLI prompts for it instead):
boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin -password "password"

Authentication information:
  Account ID:      acctpw_1234567890
  Auth Method ID:  ampw_1234567890
  Expiration Time: Sat, 11 Jun 2022 08:18:08 EDT
  User ID:         u_1234567890

The token was successfully stored in the chosen keyring and is not displayed here
  • What is the default lifespan of the token? (Controller config: auth_token_time_to_live defaults to 7 days, auth_token_time_to_stale to 24 hours of inactivity.) Can auth be dropped by machine state changes, such as sleep?
  • How is the cred stored securely locally? (The default -keyring-type is "auto", which on Windows is the Credential Manager (wincred); -keyring-type none returns the token instead of storing it.)
  • Can we require re-auth on every cred usage?
  7. In the admin UI, review roles, then their principals and grants. A single grant statement can cover many IDs/principals.

  8. go to the Org, then Projects, then select a project. Review Host catalogs and Host sets: these are the hosts that can be reached through the project.

  • In this case, the host set "Generated host set" contains a single host "hst_1234567890", which the target reaches at whatever is specified in the host's "address" field (here localhost). So when you use the boundary client to connect to the target, the session is proxied to that address on the port specified on the target.
  9. within the project, select Target. A target is effectively a protocol/port filter: it associates host sets (and optionally a credential source) with a default port and session settings.
  • the default Target binds tcp port 22 access through to the host set "Generated host set"
  10. auth to boundary:
$AUTH_ID="ampw_1234567890"
$TARGET_ID="ttcp_1234567890"

boundary authenticate password -auth-method-id="$AUTH_ID" -login-name="admin" -password="password"
  11. read metadata about the Target and then connect to the Target
boundary targets read -id $TARGET_ID
#the [win local account] in this case is a local principal on the target machine
boundary connect ssh -target-id $TARGET_ID -username [win local account]
  • authorization to the target comes from the Boundary auth token (and its lifetime), not from anything on the host.
  • authentication to the host itself is still ssh's job (password prompt or key for the local account, since the dev target has no credential source); this is the point where brokered credentials, e.g. from Vault, would be injected.
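
Steps 6 and 10-11 as a script, added here as an example and not part of the gist: the password is prompted for as a SecureString and handed to the CLI through its environment variable rather than the command line, the token is returned to the script (-keyring-type none) so its expiry can be inspected and it is held only in this process, the target's metadata is read, the ssh session is opened, and afterwards the sessions Boundary recorded are listed and any still open are cancelled. Assumptions: boundary dev is running with its generated IDs (ampw_/ttcp_/p_1234567890), boundary.exe is on PATH, $SshUser is a local account sshd accepts, the BOUNDARY_AUTHENTICATE_PASSWORD_PASSWORD variable pairs with the -password flag as the CLI help documents, and the JSON layout (item.attributes.token / expiration_time) is that of the 0.8 CLI output; the parameter names are this example's own.

```powershell
# Added example (not from the gist): steps 6 and 10-11 scripted, with the password
# kept off the command line and the token kept out of the keyring.
# Assumptions: boundary dev running with default generated IDs, boundary.exe on PATH,
# $SshUser a local account sshd accepts. Env var name and JSON field layout are as
# documented for the 0.8 CLI (check with: boundary authenticate password -h).
param(
    [string]$AuthMethodId = "ampw_1234567890",
    [string]$TargetId     = "ttcp_1234567890",
    [string]$ProjectId    = "p_1234567890",
    [Parameter(Mandatory)][string]$SshUser
)
$ErrorActionPreference = "Stop"
$env:BOUNDARY_ADDR = "http://127.0.0.1:9200"

# Prompt for the password and pass it to the CLI via its env var: nothing lands in
# PSReadLine history or in a process command line.
$secure = Read-Host -Prompt "Boundary password for admin" -AsSecureString
$env:BOUNDARY_AUTHENTICATE_PASSWORD_PASSWORD =
    (New-Object PSCredential 'admin', $secure).GetNetworkCredential().Password
try {
    # -keyring-type none returns the token to us instead of writing it to Windows
    # Credential Manager; -format json lets us read expiry and IDs programmatically.
    $auth = boundary authenticate password -auth-method-id $AuthMethodId -login-name admin `
                -keyring-type none -format json | ConvertFrom-Json
} finally {
    Remove-Item Env:BOUNDARY_AUTHENTICATE_PASSWORD_PASSWORD
}
if (-not $auth.item) { throw "authentication failed" }
$tok = $auth.item.attributes
$env:BOUNDARY_TOKEN = $tok.token     # process-scoped; later commands pick it up

$expires   = Get-Date $tok.expiration_time
$remaining = $expires - (Get-Date)
"user {0} account {1}: token valid for {2:N1} h (until {3})" -f `
    $tok.user_id, $tok.account_id, $remaining.TotalHours, $expires
if ($remaining.TotalMinutes -lt 5) { throw "token about to expire; re-authenticate" }

# What the target actually permits: type, session limits, and which host sets it reaches.
$target = (boundary targets read -id $TargetId -format json | ConvertFrom-Json).item
$target | Select-Object id, name, type, session_max_seconds, session_connection_limit | Format-List
$target.host_sources | ForEach-Object { "host source: {0} (catalog {1})" -f $_.id, $_.host_catalog_id }

# The ssh session is proxied through the worker; ssh itself still authenticates
# $SshUser to the host (password or key) because the dev target has no credential source.
boundary connect ssh -target-id $TargetId -username $SshUser

# Audit trail: every connect above is a Boundary session in the project scope.
$sessions = (boundary sessions list -scope-id $ProjectId -format json | ConvertFrom-Json).items
$sessions | ForEach-Object { "{0}  {1}  target {2}" -f $_.id, $_.status, $_.target_id }
# Cancel anything still open so a forgotten session does not outlive this script.
$sessions | Where-Object { $_.status -in 'pending', 'active' } |
    ForEach-Object { boundary sessions cancel -id $_.id | Out-Null }

Remove-Item Env:BOUNDARY_TOKEN       # drop the token when done; nothing was persisted
```

With the default keyring the token would instead be written to Credential Manager and reused silently until auth_token_time_to_live (7 days) or the 24 hour stale timeout runs out, which is the answer to the lifespan question above; holding it in BOUNDARY_TOKEN for the life of one script is the stricter option for a lab box.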

To be continued....... https://learn.hashicorp.com/tutorials/boundary/getting-started-connect?in=boundary/getting-started#manage-sessions
