https://github.com/justintimperio/secure-shell-bastion

Secure-Shell-Bastion (SSB) is an automated chroot jail gateway system for OpenSSH using Alpine Linux and MUSL

# Secure Shell Bastion (SSB)
![GitHub](https://img.shields.io/github/license/JustinTimperio/secure-shell-bastion)
[![Codacy Badge](https://app.codacy.com/project/badge/Grade/c78415ffa2664e1294dc470d1d5c226d)](https://www.codacy.com/gh/JustinTimperio/secure-shell-bastion/dashboard?utm_source=github.com&utm_medium=referral&utm_content=JustinTimperio/secure-shell-bastion&utm_campaign=Badge_Grade)

Secure-Shell-Bastion (SSB) is a fully automated tool for generating jailed chroot environments for SSH users. This is most commonly referred to as an "SSH bastion": a single, secured endpoint where external users authenticate themselves and then safely reach unexposed infrastructure (typically behind a firewall). SSB leverages the extremely lightweight and powerful features of Alpine Linux and MUSL to generate an entire chroot in less than 10MB. This means a single SSB can safely serve hundreds of users on extremely small VMs (1 core, 512MB RAM, 10GB disk).

# How SSB Works
To create an isolated environment for each user, SSB uses [chroot](https://www.debian.org/doc/manuals/securing-debian-manual/chroot-ssh-env.en.html) together with the `ChrootDirectory` option in OpenSSH to confine each user to their own file system tree. Rather than soft- or hard-linking each binary, binaries are copied into each chroot, which prevents user tampering and potential escape from the isolated file system tree. On a typical Linux system this can result in a fairly messy environment, but thanks to MUSL each chroot can be kept extremely small.

SSB also uses a "double-key" model: a user uses their own private key to connect to the bastion, and then a second, internal private key, generated by the bastion, to access the unexposed infrastructure. This gives extremely granular control over access to each VM while simultaneously removing the need for password authentication anywhere in the network.
![SSH Bastion](https://docs.google.com/drawings/d/e/2PACX-1vTrPM9zFsFK-hfR39zoVAi4ttWG25wgNthdPylpAP9Df-fBNZ7Ru3ss10WFillwqA92BMW6PZe24ACK/pub?w=960&h=720)

Another critical feature of SSB is its ability to prevent unwanted tampering and access to unneeded binaries. Since a bastion by definition needs broad access to your network to serve users, it is critical to limit access to binaries that could be used to attack the infrastructure behind the bastion. For this reason, SSB copies only the following binaries into each chroot:
- ash
- ls
- date
- cp
- rm
- mv
- pwd
- cat
- echo
- mkdir
- touch
- grep
- sed
- vi
- ssh
- ssh-add
- ssh-keygen
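The jail construction and `ChrootDirectory` rules described above, as an added example that is not SSB's own code. It assumes a `JAIL/{bin,dev,etc,home/USER}` layout and a Linux `stat -c`; the `Match` block's forwarding settings and the `make_jail`, `sshd_match_block` and `check_chroot_path` names are assumptions, and musl libraries are not copied.

```shell
# Added example, not SSB's own code: build a jail skeleton the way the README
# describes (binaries copied, never linked) and apply the ownership/mode rules
# sshd enforces on every component of a ChrootDirectory path (Linux stat -c).
# Assumed layout JAIL/{bin,dev,etc,home/USER}; musl libraries are not copied.

# Binaries the README lists as the only ones exposed inside each chroot.
SSB_BINS="ash ls date cp rm mv pwd cat echo mkdir touch grep sed vi ssh ssh-add ssh-keygen"

# make_jail JAIL USER: create the tree and copy each listed binary found on the
# host. Returns the number of listed binaries that were not found (0 = full copy).
make_jail() {
    jail=$1; user=$2; missing=0
    mkdir -p "$jail/bin" "$jail/dev" "$jail/etc" "$jail/home/$user"
    for b in $SSB_BINS; do
        src=""; for d in /bin /usr/bin; do [ -x "$d/$b" ] && src="$d/$b" && break; done
        [ -n "$src" ] || { missing=$((missing + 1)); continue; }
        # cp follows a symlink such as ls -> busybox, so the jail gets a real file
        cp "$src" "$jail/bin/$b" && chmod 0755 "$jail/bin/$b"
    done
    # minimal passwd so the jailed ash can resolve the user name and home
    printf '%s:x:1000:1000::/home/%s:/bin/ash\n' "$user" "$user" > "$jail/etc/passwd"
    return "$missing"
}

# sshd_match_block USER JAIL: Match block confining USER to JAIL. The two
# forwarding settings are an assumption for a shell-only bastion, not from SSB.
sshd_match_block() {
    printf 'Match User %s\n    ChrootDirectory %s\n    AllowTcpForwarding no\n    X11Forwarding no\n' "$1" "$2"
}

# check_chroot_path JAIL [OWNER_UID]: sshd refuses the login ("bad ownership or
# modes for chroot directory") unless every path component is owned by root and
# is not group- or world-writable. OWNER_UID defaults to 0 (root).
check_chroot_path() {
    dir=$1; want=${2:-0}
    case $dir in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    while :; do
        uid=$(stat -c %u "$dir") || return 1
        perms=$(stat -c %A "$dir") || return 1   # e.g. drwxr-xr-x
        [ "$uid" = "$want" ] || { echo "bad owner $uid on $dir" >&2; return 1; }
        case $perms in
            ?????w*|????????w*) echo "group/world writable: $dir" >&2; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}
```

Run `check_chroot_path` against a jail created under `/tmp` and it fails at the `/tmp` component, which is exactly why sshd rejects chroots placed there.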

# Install SSB
1. Set up an Alpine Linux VM with access to your protected internal network.
2. Ensure that all machines within the internal network, INCLUDING THE BASTION, use key-only authentication for SSH!
3. Install SSB with:
```
curl https://raw.githubusercontent.com/JustinTimperio/secure-shell-bastion/master/bin/ssb_install.sh | sudo sh
```
4. Forward your SSH port to an external port on your public IP.
5. Set up your bastion users using the guide below.

# Using SSB
- `-l`, `--list` List all jailed SSB user accounts
```
sudo ssb --list
```
- `-n`, `--new_user` Create a new jailed SSB user account
```
sudo ssb --new_user USERNAME
```
- `-r`, `--remove_user` Remove an existing jailed SSB user account
```
sudo ssb --remove_user USERNAME
```
- `-ak`, `--add_key` Open a user's authorized_keys file to add a new key
```
sudo ssb --add_key USERNAME
```
- `-rk`, `--remove_key` Remove all authorized_keys for a user, locking the account
```
sudo ssb --remove_key USERNAME
```
- `-sp`, `--show_pub` Show the internal public key for an SSB user
```
sudo ssb --show_pub USERNAME
```

# Uninstall SSB
1. First list all your SSB users and remove each account with `sudo ssb --remove_user USERNAME`
2. Run `sudo ./opt/secure-shell-bastion/bin/ssb_remove.sh`