SSH bastion via Docker container

Usage

Create an authorized_keys file and add the public keys you wish to use for this bastion. Make the file publicly readable or the user in the bastion container will not be able to read it.

chmod a+r authorized_keys

Put the options you want in an sshd_config file. Suggested options are in the sshd_config.bastion file in this repo.

Change the port to match the one specified in your sshd_config then run the following command to start the bastion.

docker run --name bastion -d \
   --restart=unless-stopped \
   -v /some/path/you/like/authorized_keys:/home/dev/.ssh/authorized_keys:ro \
   -v /some/path/you/like/sshd_config:/etc/ssh/sshd_config:ro \
   -p 9022:9022 \
 ghcr.io/nfugal/bastion

Or you can deploy the bastion using docker-compose:

---
version: "3.7"

services:
  bastion:
    container_name: bastion
    image: ghcr.io/nfugal/bastion:latest
    restart: unless-stopped
    logging:
      driver: "json-file"
      options:
        max-size: "200k"
        max-file: "10"
    ports:
      - 9022:9022
    volumes:
      - /some/path/you/like/authorized_keys:/home/dev/.ssh/authorized_keys:ro
      - /some/path/you/like/sshd_config:/etc/ssh/sshd_config:ro

I prefer to use the bastion with the ProxyJump directive in a client's ~/.ssh/config file. Much less typing than specifying things every single time you connect to a target host.

For example, placing the following in a client's ~/.ssh/config would allow accessing targetmachine1 through the bastion with a simple ssh targetmachine1, rather than the longer and more tedious to type ssh -J [email protected]:9022 user@targetmachine1. You can specify multiple target hosts, and many other things, in a client's ~/.ssh/config

### bastion host definition
Host bastion
  HostName bastion.local.lan
  Port 9022
  User dev
  AddressFamily inet

### endpoint definitions
Host targetmachine1
  HostName target1
  ProxyJump bastion

Host targetmachine2
  HostName target2
  ProxyJump bastion

Security

The bastion does not utilize a firewall itself. Take care of that another way, on the Docker host, at the edge, etc.

Build the image yourself

You can build the image yourself with the following commands:

git clone https://github.com/nfugal/bastion.git
docker build -t <fork-name-of-your-choice>/bastion bastion

With that done, you can essentially use the docker run command or docker-compose file above by simply replacing the image name with your newly built image.

Credits

Thanks to chentmin for the original work. My version relies heavily on their's.

This bastion is based on Alpine Linux v3.

Security harden script is based on and modified from this