Bastion Setup
- Create an instance. I have used Ubuntu 20.04 for the following steps.
- Connect to your instance.
- Remove the short Diffie-Hellman moduli. The fifth column of /etc/ssh/moduli is the group size in bits; keep only groups of 3071 bits or more so the diffie-hellman-group-exchange key exchange cannot fall back to weak groups:
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
- Configure /etc/ssh/sshd_config and add the following lines:

# Supported HostKey files by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey

# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE

PermitRootLogin no

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

On Ubuntu the sftp binary is /usr/lib/openssh/sftp-server, and the stock sshd_config already has a Subsystem sftp line; edit that line rather than adding a second one, because sshd treats a duplicate Subsystem as a fatal error.
- Additionally, since we're not allowing shell access, we also want to prohibit all forwarding except TCP forwarding, which ssh -J (ProxyJump) uses to reach hosts behind the bastion. Add these lines at the very end of the file: every directive after a Match line belongs to that Match block until the next one, so anything placed below it would silently apply only to the matched users.

AllowAgentForwarding no
AllowStreamLocalForwarding no
X11Forwarding no

# Everyone except the ubuntu admin account gets no shell, only forwarding.
Match User *,!ubuntu
    ForceCommand /bin/echo 'This bastion does not support interactive commands.'
    # This limits what can be forwarded through the bastion to port 22 on any host.
    PermitOpen *:22
- Verify your SSHD configuration and correct any warnings by running
sshd -t
Note that sshd -t will not warn about a second X11Forwarding line: sshd uses the first value it finds for each keyword, and Ubuntu's stock sshd_config contains X11Forwarding yes, so edit that line instead of adding X11Forwarding no below it.
- Restart the SSHD service with
service sshd restart
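The server-side steps above, collected into one script. This is an added example, not code from the original page: it assumes Ubuntu 20.04 paths (so it uses /usr/lib/openssh/sftp-server rather than the /usr/lib/ssh path shown above), that it runs as root on the bastion, and that the admin account that keeps a shell is called ubuntu. Because sshd uses the first value it sees for a keyword, the script deletes the stock lines it is about to redefine before appending; it also checks that no global directive ended up below the Match block, and only applies anything when RUN_BASTION_SETUP=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the bastion sshd steps above as
# idempotent functions. Assumes Ubuntu 20.04 paths and that it runs as root on
# the bastion; nothing is applied unless RUN_BASTION_SETUP=1.
set -euo pipefail

MODULI="${MODULI:-/etc/ssh/moduli}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
ADMIN_USER="${ADMIN_USER:-ubuntu}"   # the one account that keeps a shell

# Keep only DH group-exchange moduli of 3071 bits or more (column 5 = size).
prune_moduli() {
  local f="$1"
  awk '$5 >= 3071' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Append the hardening directives, with the Match block last in the file:
# every directive after a Match line is scoped to that block.
append_bastion_config() {
  local f="$1" admin="$2" kw
  if grep -q "^Match User \*,!${admin}\$" "$f"; then return 0; fi  # already done
  # sshd uses the first value it sees for each keyword, and a second Subsystem
  # line is a fatal error, so drop the stock lines we are about to redefine
  # (Ubuntu ships "X11Forwarding yes" and a Subsystem sftp line uncommented).
  for kw in HostKey AuthenticationMethods LogLevel PermitRootLogin Subsystem \
            AllowAgentForwarding AllowStreamLocalForwarding X11Forwarding; do
    sed -i "/^[[:space:]]*${kw}[[:space:]]/d" "$f"
  done
  cat >> "$f" <<EOF

# Supported HostKey files by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
# Public key logins only; VERBOSE records the key fingerprint for audit.
AuthenticationMethods publickey
LogLevel VERBOSE
PermitRootLogin no
# Ubuntu's sftp-server path (the page lists /usr/lib/ssh/sftp-server).
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
AllowAgentForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
# Everyone except the admin account: no shell, only TCP forwarding to port 22.
Match User *,!${admin}
    ForceCommand /bin/echo 'This bastion does not support interactive commands.'
    PermitOpen *:22
EOF
}

# Fail if a global directive ended up below the Match line, where sshd would
# silently apply it only to the matched users.
check_match_is_last() {
  awk 'seen && $1 ~ /^(HostKey|AuthenticationMethods|LogLevel|PermitRootLogin|Subsystem|AllowAgentForwarding|AllowStreamLocalForwarding|X11Forwarding)$/ { bad = 1 }
       $1 == "Match" { seen = 1 }
       END { exit bad + 0 }' "$1"
}

apply_bastion_setup() {
  prune_moduli "$MODULI"
  append_bastion_config "$SSHD_CONFIG" "$ADMIN_USER"
  check_match_is_last "$SSHD_CONFIG"
  sshd -t -f "$SSHD_CONFIG"     # validate before restarting
  systemctl restart ssh         # Ubuntu's unit name; sshd is an alias for it
}

if [ "${RUN_BASTION_SETUP:-0}" = 1 ]; then apply_bastion_setup; fi
```

Run it once with RUN_BASTION_SETUP=1; a second run is a no-op because append_bastion_config recognises its own Match line. If check_match_is_last fails, something appended a global directive after the Match block, which is exactly the mistake sshd -t does not report.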
Firewall / Security Group
- Allow only SSH (TCP 22) inbound to the bastion host from outside, ideally restricted to your admin IP ranges rather than the whole internet.
- Allow SSH connections from the bastion to your internal servers, and nothing else inbound to them.
- Note: on AWS, a security group rule can use another security group (or the group itself) as its source, so internal hosts can accept SSH from any instance in the bastion's group without listing addresses.
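The AWS variant of those rules as CLI calls. This is an added example, not part of the original page: the VPC id and admin CIDR are placeholders you must replace, it creates a separate group for the bastion and for the internal hosts (the page's self-referencing single group is noted in a comment), and nothing is executed unless RUN_SG_SETUP=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the security group rules above
# as AWS CLI calls. VPC_ID and ADMIN_CIDR are placeholders (assumptions);
# the aws CLI must already be configured. Applied only when RUN_SG_SETUP=1.
set -euo pipefail

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"   # placeholder, replace
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"  # placeholder: your admin IP range

# Create a group and print only its id.
create_sg() {   # $1 name, $2 description
  aws ec2 create-security-group --vpc-id "$VPC_ID" --group-name "$1" \
      --description "$2" --query GroupId --output text
}

# Bastion: SSH inbound only from the admin range; no other inbound rules.
allow_ssh_from_cidr() {   # $1 group id, $2 cidr
  aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port 22 --cidr "$2"
}

# Internal hosts: SSH inbound only from members of another group. The source
# is a group id, so the rule follows instances rather than addresses.
allow_ssh_from_sg() {     # $1 target group id, $2 source group id
  aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port 22 --source-group "$2"
}

setup_bastion_groups() {
  local bastion_sg internal_sg
  bastion_sg=$(create_sg bastion-sg "SSH bastion")
  internal_sg=$(create_sg internal-sg "Hosts reachable only through the bastion")
  allow_ssh_from_cidr "$bastion_sg" "$ADMIN_CIDR"
  allow_ssh_from_sg "$internal_sg" "$bastion_sg"
  # Self-referencing variant from the page: if bastion and internal hosts share
  # one group, "allow_ssh_from_sg $internal_sg $internal_sg" lets members
  # reach each other on port 22 (the internet-facing rule stays bastion-only).
  echo "bastion=$bastion_sg internal=$internal_sg"
}

if [ "${RUN_SG_SETUP:-0}" = 1 ]; then setup_bastion_groups; fi
```

Security groups are stateful, so no outbound rule is needed for the replies; the bastion's default outbound rule is what lets it reach port 22 on the internal hosts.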
Client Setup
- Edit your SSH configuration in ~/.ssh/config
- Add
UpdateHostKeys yes
This lets the client learn additional host keys from a server whose current key is already in known_hosts, so rotating the bastion's host key does not trigger a warning. It does not skip verification of hosts you have never connected to.
- Add the SSH configuration for the bastion host:
Host my-bastion-server
    HostName 123.123.123.123
    IdentityFile /home/ubuntu/.ssh/my-ssh-key
- Add the SSH configuration for your internal servers. ProxyJump opens a TCP forward through the bastion to port 22 of the target, which is exactly what the PermitOpen *:22 rule above allows:
Host *.internal
    ProxyJump jumper@my-bastion-server
Adding new SSH keys
If you don't want to use a single SSH key for all your users, add each user's key separately:
- Generate a new SSH key (the -f option keeps it separate from the default id_rsa):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my-new-key
- Copy the contents of your new SSH public key:
cat ~/.ssh/my-new-key.pub
- Add the public key to ~/.ssh/authorized_keys of your bastion user and of your user on the internal server. On the bastion, do this as the ubuntu admin account: every other user is covered by the ForceCommand above and cannot run commands or copy files there, so ssh-copy-id against the jumper user will not work.
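A helper for that last step, added here as an example rather than taken from the original page. It installs a key idempotently and, on the bastion, prefixes it with the authorized_keys options restrict,port-forwarding, which mirror the sshd policy above at the key level: restrict turns off pty allocation, agent, X11 and port forwarding, and port-forwarding then re-enables only the TCP forwarding ProxyJump needs. It assumes OpenSSH 7.2 or later (where restrict exists), that paths are passed as arguments, and that DSA keys are not trusted.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: install a user's public key with
# authorized_keys options that mirror the bastion's sshd policy. Assumes
# OpenSSH 7.2+ (the "restrict" option) and paths passed as arguments.
set -euo pipefail

# Accept only key types this bastion should trust (assumption: no DSA keys).
valid_pubkey() {   # $1 = one line of a .pub file
  case "$1" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# install_key AUTHORIZED_KEYS PUBFILE [OPTIONS]
# Appends the key once (matched on its base64 blob, so a changed comment does
# not create a duplicate). OPTIONS defaults to the bastion set; pass "" for
# the internal server, where the user needs an ordinary shell.
install_key() {
  local auth="$1" pub blob opts="${3-restrict,port-forwarding}"
  pub=$(head -n 1 "$2")
  valid_pubkey "$pub" || { echo "unsupported key type: $pub" >&2; return 1; }
  blob=$(printf '%s\n' "$pub" | awk '{ print $2 }')
  [ -n "$blob" ] || { echo "malformed key line: $pub" >&2; return 1; }
  mkdir -p "$(dirname "$auth")"
  touch "$auth" && chmod 600 "$auth"
  if grep -qF -- "$blob" "$auth"; then return 0; fi
  if [ -n "$opts" ]; then
    printf '%s %s\n' "$opts" "$pub" >> "$auth"
  else
    printf '%s\n' "$pub" >> "$auth"
  fi
}

# Usage, as the ubuntu admin account on the bastion (jumper users have no
# shell there) and then on an internal host:
#   install_key /home/jumper/.ssh/authorized_keys my-new-key.pub
#   install_key /home/alice/.ssh/authorized_keys my-new-key.pub ""
```

The key-level options are a second layer behind the sshd Match block: even if someone later loosens ForceCommand on the server, a key installed with restrict,port-forwarding still cannot get a shell or an agent socket on the bastion.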