Archived

SSH bastion that features transparent connection and session recording

This repository has been archived on 2025-03-10. You can view files and clone it, but cannot push or open issues or pull requests.

Find a file

Julien Dessaux 3b43c7aefe Added uthash as a git submodule		2019-03-27 15:21:02 +01:00
bastion	Made all settings customisable through a config file.	2019-03-18 11:33:03 +01:00
common	Added uthash as a git submodule	2019-03-27 15:21:02 +01:00
external	Added uthash as a git submodule	2019-03-27 15:21:02 +01:00
.gitignore	Switched from standard makefile to cmake	2019-02-14 20:48:20 +01:00
.gitmodules	Added uthash as a git submodule	2019-03-27 15:21:02 +01:00
CMakeLists.txt	Made all settings customisable through a config file.	2019-03-18 11:33:03 +01:00
LICENSE	Added README and LICENSE	2019-03-13 17:28:53 +01:00
README.md	Added uthash as a git submodule	2019-03-27 15:21:02 +01:00

README.md

Bastion

SSH bastion that features transparent connection and session recording.

This project is inspired by https://github.com/moul/sshportal. I wrote this implementation to work around the fact that I couldn't get the go ssh lib to work properly with non interactive sessions, the bug has been open for a long time and I tend to belive it cannot be fixed (https://github.com/moul/sshportal/issues/55).

This bastion project does work properly with non interactive sessions, which allows transparent ansible usage through the bastion.

Dependencies
Manual installation
Configuration
Usage
Docker
Monitoring
Backup
Scaling
Special thanks

Dependencies

This project has only two hard dependencies :

the libconfig from http://www.hyperrealm.com/libconfig/libconfig.html
the libssh from https://www.libssh.org/. You should be able to use your distro's packages if they are recent enough.

The following are optional dependencies :

the libtty from https://github.com/kilobyte/termrec which allows session recording.
compression libraries like libbz2, liblzma, libz allow on the fly compression of session records.
libmysql for now because it hosts the runtime config

Manual Installation

This project is built using cmake :

git submodule update --init
mkdir build
cd build
cmake ..
make
make install

You can customise the build with the following cmake flags :

CMAKE_BUILD_TYPE : Debug|Release|RelWithDebInfo|MinSizeRel, defaults to Release if using a tarball, and Debug if using the git tree
CMAKE_INSTALL_PREFIX : path, defaults to /usr/local
SESSION_RECORDING : ON|OFF, defaults to ON

For exemple this disables session recording for a debug build and installs the bastion for your current user :

cmake .. -DCMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX=$HOME/.local -DSESSION_RECORDING=OFF

Configuration

Here is the default configuration :

port = 2222;

keys:
{
    dsa = "/home/julien/.local/etc/bastion/ssh_host_dsa_key";
    rsa = "/home/julien/.local/etc/bastion/ssh_host_rsa_key";
    ecdsa = "/home/julien/.local/etc/bastion/ssh_host_ecdsa_key";
};

session_recording:
{
    path = "/home/julien/.local/var/log/bastion/$d/$h/$u/$i.gz";     # $d : date in iso format, $h : hostname, $u : username : $i session id
};

Usage

Docker

Monitoring

Backup

Scaling

Special thanks

I would like to thank the developers of the following projects, I am merely standing on the shoulders of giants :

libconfig from http://www.hyperrealm.com/libconfig/libconfig.html
libssh from https://www.libssh.org/
libtty from https://github.com/kilobyte/termrec
uthash from http://troydhanson.github.io/uthash/