https://github.com/bastillion-io/bastillion
Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys.
bastion-host java javascript ssh ssh-client ssh-key ssh-server web-app web-based
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/bastillion-io/bastillion
- Owner: bastillion-io
- License: other
- Created: 2013-02-07T23:11:49.000Z (almost 13 years ago)
- Default Branch: master
- Last Pushed: 2024-05-20T02:59:37.000Z (over 1 year ago)
- Last Synced: 2025-05-14T19:09:09.852Z (8 months ago)
- Topics: bastion-host, java, javascript, ssh, ssh-client, ssh-key, ssh-server, web-app, web-based
- Language: Java
- Homepage: https://www.bastillion.io
- Size: 3.79 MB
- Stars: 3,242
- Watchers: 122
- Forks: 391
- Open Issues: 150
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Security: SECURITY.md
README



# Bastillion
**A modern, web-based SSH console and key management tool.**
Bastillion gives you a clean, browser-based way to manage SSH access across all your systems—like a bastion host with a friendly dashboard.
You can:
- Log in with **2-factor authentication** (Authy or Google Authenticator)
- Manage and distribute **SSH public keys**
- Launch secure web shells and **share commands** across sessions
- Stack **TLS/SSL over SSH** for extra protection
Read more: [Implementing a Trusted Third-Party System for Secure Shell](https://www.bastillion.io/docs/using/whitepaper).

---
## 🚀 What’s New
- Upgraded to **Java 21** and **Jakarta EE 11**
- Full support for **Ed25519** (default) and **Ed448** SSH keys
- New **daemon mode** for Jetty startup (`--daemon`)
- Updated dependencies for improved security and performance
---
## Installation Options
**Free:** https://github.com/bastillion-io/Bastillion/releases
**AWS Marketplace:** https://aws.amazon.com/marketplace/pp/prodview-x2imjupuydrj6
---
## Prerequisites
### Java 21 (OpenJDK or Oracle JDK)
```bash
apt-get install openjdk-21-jdk
```
> Oracle JDK download: http://www.oracle.com/technetwork/java/javase/downloads/index.html
### Authenticator (for 2FA)
| Application | Android | iOS |
|--------------|----------|-----|
| **Authy** | [Google Play](https://play.google.com/store/apps/details?id=com.authy.authy) | [iTunes](https://itunes.apple.com/us/app/authy/id494168017) |
| **Google Authenticator** | [Google Play](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) | [iTunes](https://itunes.apple.com/us/app/google-authenticator/id388497605) |
---
## Run with Jetty (Bundled)
Download: https://github.com/bastillion-io/Bastillion/releases
### Set Environment Variables
**Linux / macOS**
```bash
export JAVA_HOME=/path/to/jdk
export PATH=$JAVA_HOME/bin:$PATH
```
**Windows**
```cmd
set JAVA_HOME=C:\path\to\jdk
set PATH=%JAVA_HOME%\bin;%PATH%
```
### Start Bastillion
Foreground (interactive):
```bash
./startBastillion.sh
```
Daemon (background):
```bash
./startBastillion.sh --daemon
```
Logs are stored in `jetty/logs/YYYY_MM_DD.jetty.log`.
Enable debug output:
```bash
./startBastillion.sh -d
```
Stop:
```bash
./stopBastillion.sh
```
Access in browser:
`https://<host>:8443` (or for AMI instances: `https://<host>:443`)
Default credentials:
```
username: admin
password: changeme
```
---
## Build from Source
Install Maven 3+:
```bash
apt-get install maven
```
Build and run:
```bash
mvn package jetty:run
```
> ⚠️ `mvn clean` will remove the H2 database and user data.
---
## SSH Key Management
Settings live in `BastillionConfig.properties`:
```properties
# Disable key management (append instead of overwrite)
keyManagementEnabled=false
# authorized_keys refresh interval in minutes (no refresh for <=0)
authKeysRefreshInterval=120
# Force user key generation and strong passphrases
forceUserKeyGeneration=false
```
---
## Custom SSH Key Pair
Specify a custom SSH key pair or let Bastillion generate its own on startup:
```properties
# Regenerate and import SSH keys
resetApplicationSSHKey=true
# SSH key type ('rsa', 'ecdsa', 'ed25519', or 'ed448')
# Supported options:
# rsa - Classic, widely compatible (configurable length, default 4096)
# ecdsa - Faster, smaller keys (P-256/384/521 curves)
# ed25519 - Default and recommended (≈ RSA-4096, secure and fast)
# ed448 - Extra-strong (≈ RSA-8192, slower and less supported)
sshKeyType=ed25519
# Private key
privateKey=/Users/you/.ssh/id_rsa
# Public key
publicKey=/Users/you/.ssh/id_rsa.pub
# Passphrase (leave blank if none)
defaultSSHPassphrase=myPa$$w0rd
```
Once registered, you can remove the key files and passphrase from the configuration.
---
## Database Settings
Embedded H2 example:
```properties
dbUser=bastillion
dbPassword=p@$$w0rd!!
dbDriver=org.h2.Driver
dbConnectionURL=jdbc:h2:keydb/bastillion;CIPHER=AES;
```
Remote H2 example:
```properties
dbConnectionURL=jdbc:h2:tcp://<host>:<port>/~/bastillion;CIPHER=AES;
```
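A check for the key pair and database settings above, as an added example that is not part of the Bastillion project: it reads a deployed `BastillionConfig.properties` and reports key paths or a passphrase left in place after registration, README sample secrets, and an H2 URL without `CIPHER=AES`. The function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Bastillion code): audit a deployed
# BastillionConfig.properties for secrets that should not be there.

# Print the value of property $2 in file $1 (empty if unset or blank).
prop() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }                          # skip comment lines
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
      if (key == k) v = substr($0, i + 1) }
    END { sub(/[ \t\r]+$/, "", v); print v }' "$1"
}

audit_bastillion_config() {
  f=$1
  # Key paths and passphrase are only needed until the key pair is registered.
  for k in privateKey publicKey defaultSSHPassphrase; do
    if [ -n "$(prop "$f" "$k")" ]; then echo "LEFTOVER $k is still set"; fi
  done
  # The README sample secrets are public and must not protect a real instance.
  for k in dbPassword defaultSSHPassphrase; do
    case $(prop "$f" "$k") in
      'p@$$w0rd!!'|'myPa$$w0rd') echo "SAMPLE $k uses a README example value" ;;
    esac
  done
  # Both README H2 URLs encrypt the database files with CIPHER=AES.
  case $(prop "$f" dbConnectionURL) in
    jdbc:h2:*CIPHER=AES*) ;;
    jdbc:h2:*) echo "CRYPTO dbConnectionURL lacks CIPHER=AES" ;;
  esac
  return 0
}

# Constructed sample: the README values pasted unchanged into a live config.
sample_config() {
  cat <<'EOF'
privateKey=/Users/you/.ssh/id_rsa
publicKey=/Users/you/.ssh/id_rsa.pub
defaultSSHPassphrase=myPa$$w0rd
dbPassword=p@$$w0rd!!
dbConnectionURL=jdbc:h2:keydb/bastillion;CIPHER=AES;
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_bastillion_config "$tmp"
rm -f "$tmp"
```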
---
## External Authentication (LDAP)
Enable external auth in `BastillionConfig.properties`:
```properties
jaasModule=ldap-ol
```
Configure `jaas.conf`:
```
ldap-ol {
com.sun.security.auth.module.LdapLoginModule SUFFICIENT
userProvider="ldap://hostname:389/ou=example,dc=bastillion,dc=com"
userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
authzIdentity="{cn}"
useSSL=false
debug=false;
};
```
To map LDAP roles to Bastillion profiles:
```
ldap-ol-with-roles {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
debug="false"
useLdaps="false"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname=""
port="389"
bindDn=""
bindPassword=""
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="ou=users,dc=bastillion,dc=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="inetOrgPerson"
roleBaseDn="ou=groups,dc=bastillion,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="groupOfNames";
};
```
Admins are added upon first login and can be assigned system profiles.
Users are synced with profiles when their LDAP role names match Bastillion profiles.
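An added example, not part of the Bastillion project, that lists the `jaas.conf` entries whose connection to the directory is unencrypted. Both sample entries above qualify (`useSSL=false`, `useLdaps="false"`, port 389), so passwords sent in a simple bind cross the network in cleartext. The `ldap-tls` entry, the function names and the sample file are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Bastillion code): list jaas.conf login entries whose
# LDAP settings leave the connection to the directory unencrypted.
check_jaas_ldap() {
  awk '
    # Return the value of a key=value line without quotes or trailing ";".
    function val(s) { sub(/^[^=]*=[ \t]*/, "", s); gsub(/[";]/, "", s)
                      sub(/[ \t]+$/, "", s); return s }
    # "name {" opens a login entry; remember its name for the report.
    /^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ { entry = $1; sub(/\{.*/, "", entry); next }
    /^[ \t]*userProvider[ \t]*=/ && val($0) ~ /^ldap:\/\// {
      print entry ": userProvider uses ldap://" }
    /^[ \t]*useSSL[ \t]*=/   && val($0) == "false" { print entry ": useSSL=false" }
    /^[ \t]*useLdaps[ \t]*=/ && val($0) == "false" { print entry ": useLdaps=false" }
  ' "$1"
}

# Constructed sample: the two README entries (shortened) plus a hypothetical
# "ldap-tls" entry that uses LDAPS on the standard port 636.
sample_jaas() {
  cat <<'EOF'
ldap-ol {
com.sun.security.auth.module.LdapLoginModule SUFFICIENT
userProvider="ldap://hostname:389/ou=example,dc=bastillion,dc=com"
useSSL=false
debug=false;
};
ldap-ol-with-roles {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
useLdaps="false"
port="389"
authenticationMethod="simple";
};
ldap-tls {
com.sun.security.auth.module.LdapLoginModule SUFFICIENT
userProvider="ldaps://hostname:636/ou=example,dc=bastillion,dc=com"
useSSL=true;
};
EOF
}

tmp=$(mktemp) && sample_jaas > "$tmp"
check_jaas_ldap "$tmp"
rm -f "$tmp"
```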
---
## Auditing
Auditing is disabled by default.
Enable it in **log4j2.xml** by uncommenting:
- `io.bastillion.manage.util.SystemAudit`
- `audit-appender`
> https://github.com/bastillion-io/Bastillion/blob/master/src/main/resources/log4j2.xml#L19-L22
Also enable in `BastillionConfig.properties`:
```properties
enableInternalAudit=true
```
---
## Thanks to
- [JSch](http://www.jcraft.com/jsch)
- [term.js](https://github.com/chjj/term.js)
See full dependencies in [_3rdPartyLicenses.md_](3rdPartyLicenses.md).
---
## License
Bastillion is available under the **Prosperity Public License**.
---
## Author
**Loophole, LLC — Sean Kavanagh**
Email: [sean.p.kavanagh6@gmail.com](mailto:sean.p.kavanagh6@gmail.com)
Instagram: [@spkavanagh6](https://www.instagram.com/spkavanagh6/)