{"id":49875943,"url":"https://github.com/rishav2404/setup-bastion-ssh","last_synced_at":"2026-05-20T17:01:18.474Z","repository":{"id":357674508,"uuid":"1238056942","full_name":"rishav2404/setup-bastion-ssh","owner":"rishav2404","description":"Reusable GitHub Action for configuring SSH access to private servers through a bastion/jump host.","archived":false,"fork":false,"pushed_at":"2026-05-13T20:40:39.000Z","size":11,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-18T15:37:33.870Z","etag":null,"topics":["automation","bastion","ci-cd","deployment","devops","github-actions","infrastructure","jump-host","linux","proxyjump","remote-deployment","ssh","ssh-tunnel"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rishav2404.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-13T19:14:56.000Z","updated_at":"2026-05-14T10:06:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rishav2404/setup-bastion-ssh","commit_stats":null,"previous_names":["rishav2404/setup-bastion-ssh"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rishav2404/setup-bastion-ssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rishav2404%2Fsetup-bastion-ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/rishav2404%2Fsetup-bastion-ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rishav2404%2Fsetup-bastion-ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rishav2404%2Fsetup-bastion-ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rishav2404","download_url":"https://codeload.github.com/rishav2404/setup-bastion-ssh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rishav2404%2Fsetup-bastion-ssh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33268261,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-20T15:12:43.734Z","status":"ssl_error","status_checked_at":"2026-05-20T15:12:42.300Z","response_time":356,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","bastion","ci-cd","deployment","devops","github-actions","infrastructure","jump-host","linux","proxyjump","remote-deployment","ssh","ssh-tunnel"],"created_at":"2026-05-15T12:15:51.300Z","updated_at":"2026-05-20T17:01:18.438Z","avatar_url":"https://github.com/rishav2404.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Setup Bastion SSH\n\n[![GitHub 
Marketplace](https://img.shields.io/badge/GitHub%20Marketplace-Setup%20Bastion%20SSH-blue?logo=github)](https://github.com/marketplace/actions/setup-bastion-ssh)\n[![License](https://img.shields.io/badge/license-Apache%202.0-green)](LICENSE)\n\nConfigure SSH access to private servers through a bastion/jump host inside GitHub Actions workflows.\n\nThis action creates an SSH configuration with `ProxyJump` support and allows secure access to internal/private infrastructure from GitHub-hosted runners.\n\n---\n\n## Features\n\n  - Supports bastion/jump host SSH access\n  - Supports custom SSH ports\n  - Works with private/internal servers\n  - Supports configurable strict host checking\n  - Supports secure known-host verification mode\n  - Simple reusable composite GitHub Action\n  - Compatible with GitHub-hosted runners\n\n---\n\n# Quick Start\n\n## Simple mode\n\nUse this mode when convenience is preferred and strict SSH host verification is not required.\n\n```yaml\nname: Deploy Application\n\non:\n  push:\n    branches: [main]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Checkout your code\n        uses: actions/checkout@v6\n\n      - name: Setup SSH\n        uses: rishav2404/setup-bastion-ssh@v1\n        with:\n          ssh-private-key: ${{ secrets.SSH_KEY }}\n\n          bastion-host: ${{ secrets.BASTION_HOST }}\n          bastion-user: ${{ secrets.BASTION_USER }}\n          bastion-port: \"9222\"\n\n          server-host: ${{ secrets.SERVER_HOST }}\n          server-user: ${{ secrets.SERVER_USER }}\n\n      - name: Perform SSH action\n        run: |\n          ssh target 'cd /xyz \u0026\u0026 ./deploy.sh'\n```\n\n---\n\n# Inputs\n\n| Name                   | Required | Default | Description                                                |\n| ---------------------- | -------: | ------: | ---------------------------------------------------------- |\n| `ssh-private-key`      |      Yes |       - | SSH private key used for 
authentication                    |\n| `bastion-host`         |      Yes |       - | Bastion/jump host IP or hostname                           |\n| `bastion-user`         |      Yes |       - | SSH username for bastion host                              |\n| `bastion-port`         |       No |    `22` | SSH port for bastion host                                  |\n| `bastion-known-host`   |       No |       - | Known-host line for bastion host, required in secure mode  |\n| `server-host`          |      Yes |       - | Target/internal server IP or hostname                      |\n| `server-user`          |      Yes |       - | SSH username for target server                             |\n| `server-port`          |       No |    `22` | SSH port for target server                                 |\n| `server-known-host`    |       No |       - | Known-host line for target server, required in secure mode |\n| `strict-host-checking` |       No |    `no` | SSH `StrictHostKeyChecking` option                         |\n\n---\n\n# SSH Key Setup\n\nGenerate an SSH key pair:\n\n```bash\nssh-keygen -t ed25519\n```\n\nAdd the public key to:\n\n```text\n~/.ssh/authorized_keys\n```\n\non:\n\n- bastion host\n- target server\n\nStore the private key inside GitHub Secrets:\n\n```text\nSSH_KEY\n```\n\n---\n\n# Secure Mode\n\nIf you set:\n\n```yaml\nstrict-host-checking: \"yes\"\n```\n\nthen you must also provide:\n\n- `bastion-known-host`\n- `server-known-host`\n\nThese values are written into `known_hosts` before the SSH connection is attempted.\n\nThis enables proper SSH host verification and protects against man-in-the-middle attacks.\n\n---\n\n# Generating Known Hosts\n\n## Bastion host\n\nRun this from your local machine:\n\n```bash\nssh-keyscan -p \u003cBASTION_PORT\u003e \u003cBASTION_HOST\u003e\n```\n\nExample:\n\n```bash\nssh-keyscan -p 9222 bastion.example.com\n# or, by IP address:\nssh-keyscan -p 4222 15.xx.xx.xx\n```\n\nOutput:\n\n```text\n[14.139.240.89]:9222 ssh-ed25519 
ABZZC8NlmC4jHJL1NTE5BBBA...\n```\n\nStore this line as GitHub Secret:\n\n```text\nBASTION_KNOWN_HOST\n```\n\n---\n\n## Target server\n\nRun this from the bastion host or from a machine that can access the target server:\n\n```bash\nssh-keyscan -p \u003cSERVER_PORT\u003e \u003cSERVER_HOST\u003e\n```\n\nExample:\n\n```bash\nssh-keyscan -p 22 172.xx.xx.108\n```\n\nOutput:\n\n```text\n172.xx.xx.108 ssh-ed25519 ABZZC8NlmC4jHJL1NTE5BBBA...\n```\n\nStore this line as GitHub Secret:\n\n```text\nSERVER_KNOWN_HOST\n```\n\n---\n\n# Secure Mode Example\n\n```yaml\nname: Deploy Application\n\non:\n  push:\n    branches: [main]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Checkout your code\n        uses: actions/checkout@v6\n\n      - name: Setup SSH\n        uses: rishav2404/setup-bastion-ssh@v1\n        with:\n          ssh-private-key: ${{ secrets.SSH_KEY }}\n\n          bastion-host: ${{ secrets.BASTION_HOST }}\n          bastion-user: ${{ secrets.BASTION_USER }}\n          bastion-port: \"9222\"\n          bastion-known-host: ${{ secrets.BASTION_KNOWN_HOST }}\n\n          server-host: ${{ secrets.SERVER_HOST }}\n          server-user: ${{ secrets.SERVER_USER }}\n          server-known-host: ${{ secrets.SERVER_KNOWN_HOST }}\n\n          strict-host-checking: \"yes\"\n\n      - name: Perform SSH action\n        run: |\n          ssh target 'cd /xyz \u0026\u0026 ./deploy.sh'\n```\n\n---\n\n# Example Infrastructure\n\n```text\nGitHub Actions Runner\n        |\n        v\n  Bastion Host\n        |\n        v\n Private Server\n```\n\n---\n\n# Security Notes\n\nBy default:\n\n```text\nStrictHostKeyChecking=no\n```\n\nis used for convenience and compatibility with ephemeral CI runners.\n\nFor production environments, enable:\n\n```yaml\nstrict-host-checking: \"yes\"\n```\n\nand provide:\n\n- `bastion-known-host`\n- `server-known-host`\n\nThis enables proper SSH host verification.\n\n---\n\n# Troubleshooting\n\n## Permission denied 
(publickey)\n\nEnsure:\n\n- the correct SSH private key is stored in `SSH_KEY`\n- the corresponding public key exists in:\n\n  ```text\n  ~/.ssh/authorized_keys\n  ```\n\n  on:\n  - bastion host\n  - target server\n\n---\n\n## Host key verification failed\n\nIf using:\n\n```yaml\nstrict-host-checking: \"yes\"\n```\n\nensure:\n\n- `bastion-known-host` is provided\n- `server-known-host` is provided\n- fingerprints are correct\n\n---\n\n## Connection timeout\n\nEnsure:\n\n- bastion host is reachable from the internet\n- SSH port is open\n- target server is reachable from bastion\n\n---\n\n# Requirements\n\n- SSH access enabled on bastion and target hosts\n- Bastion host reachable from the internet\n- Target server reachable from the bastion\n- OpenSSH installed on target systems\n\n---\n\n# License\n\nApache 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frishav2404%2Fsetup-bastion-ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frishav2404%2Fsetup-bastion-ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frishav2404%2Fsetup-bastion-ssh/lists"}