• Stars
    star
    1,477
  • Rank 31,730 (Top 0.7 %)
  • Language
    Perl
  • License
    Other
  • Created about 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Authentication, authorization, traceability and auditability for SSH accesses.

The Bastion Logo

๐Ÿ”’ The Bastion

Bastions are a cluster of machines used as the unique entry point by operational teams (such as sysadmins, developers, database admins, ...) to securely connect to devices (servers, virtual machines, cloud instances, network equipment, ...), usually using ssh.

Bastions provides mechanisms for authentication, authorization, traceability and auditability for the whole infrastructure.

Learn more by reading the blog post series that announced the release:

๐ŸŽฅ Quick connection and replay example

asciicast

๐Ÿ”ง Installing, upgrading, using The Bastion

Please see the online documentation, or the corresponding text-based version found in the doc/ folder.

โšก TL;DR: disposable sandbox using Docker

This is a good way to test The Bastion within seconds, but read the FAQ if you're serious about using containerization in production.

The sandbox image is available for the following architectures: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le, linux/s390x.

Let's run the docker image:

docker run -d -p 22 --name bastiontest ovhcom/the-bastion:sandbox

Get your public SSH key at hand, then configure the first administrator account:

docker exec -it bastiontest /opt/bastion/bin/admin/setup-first-admin-account.sh poweruser auto

We're now up and running with the default configuration! Let's setup a handy bastion alias, and test the info command:

PORT=$(docker port bastiontest | cut -d: -f2)
alias bastion="ssh [email protected] -tp $PORT -- "
bastion --osh info

It should greet you as being a bastion admin, which means you have access to all commands. Let's enter interactive mode:

bastion -i

This is useful to call several --osh plugins in a row. Now we can ask for help to see all plugins:

$> help

If you have a remote machine you want to try to connect to through the bastion, fetch your egress key:

$> selfListEgressKeys

Copy this public key to the remote machine's authorized_keys under the .ssh/ folder of the account you want to connect to, then:

$> selfAddPersonalAccess --host <remote_host> --user <remote_account_name> --port-any
$> ssh <remote_account_name>@<remote_host>

Note that you can connect directly without using interactive mode, with:

bastion <remote_account_name>@<remote_machine_host_or_ip>

That's it! Of course, there is a lot more to it, documentation is available under the doc/ folder and online. Be sure to check the help of the bastion (bastion --help) and the help of each osh plugin (bastion --osh command --help). Also don't forget to customize your bastion.conf file, which can be found in /etc/bastion/bastion.conf (for Linux).

๐Ÿ”€ Compatibility

Supported OS for installation

Linux distros below are tested with each release, but as this is a security product, you are warmly advised to run it on the latest up-to-date stable version of your favorite OS:

  • Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
  • CentOS 7.x
  • RockyLinux 8.x, 9.x
  • Ubuntu LTS 22.04, 20.04, 18.04, 16.04
  • OpenSUSE Leap 15.5*

*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of pamtester, pam-google-authenticator, or both. Of course, you may compile those yourself. Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments.

The following OS are also tested with each release:

  • FreeBSD/HardenedBSD 13.0**

**: Note that these have partial MFA support, due to their reduced set of available pam plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0.

Other BSD variants, such as OpenBSD and NetBSD, are unsupported as they have a severe limitation over the maximum number of supplementary groups, causing problems for group membership and restricted commands checks, as well as no filesystem-level ACL support and missing PAM support (hence no MFA).

Zero assumption on your environment

Nothing fancy is needed either on the ingress or the egress side of The Bastion to make it work.

In other words, only your good old ssh client is needed to connect through it, and on the other side, any standard sshd server will do the trick. This includes, for example, network devices on which you may not have the possibility to install any custom software.

โžฐ Reliability

  • The KISS principle is used where possible for design and code: less complicated code means more auditability and less bugs
  • Only a few well-known libraries are used, less third party code means a tinier attack surface
  • The bastion is engineered to be self-sufficient: no dependencies such as databases, other daemons, other machines, or third-party cloud services, statistically means less downtime
  • High availability can be setup so that multiple bastion instances form a cluster of several instances, with any instance usable at all times (active/active scheme)

๐Ÿ†— Code quality

  • The code is ran under perltidy
  • The code is also ran under perlcritic
  • Functional tests are used before every release

๐Ÿ›‚ Security at the core

Even with the most conservative, precautionous and paranoid coding process, code has bugs, so it shouldn't be trusted blindly. Hence the bastion doesn't trust its own code. It leverages the operating system security primitives to get additional security, as seen below.

  • Uses the well-known and trusted UNIX Discretionary Access Control:

    • Bastion users are mapped to actual system users
    • Bastion groups are mapped to actual system groups
    • All the code is constantly checking rights before allowing any action
    • UNIX DAC is used as a safety belt to prevent an action from succeeding even if the code is tricked into allowing it
  • The bastion main script is declared as the bastion user's system shell:

    • No user has real (bash-like) shell access on the system
    • All code is ran under the unprivileged user's system account rights
    • Even if a user could escape to a real shell, they wouldn't be able to connect to machines they don't have access to, because they don't have filesystem-level read access to the SSH keys
  • The code is modular

    • The main code mainly checks rights, logs actions, and enable ssh access to other machines
    • All side commands, called plugins, are in modules separated from the main code
    • The modules can either be open or restricted
      • Only accounts that have been specifically granted on a need-to-use basis can run a specific restricted plugin
      • This is checked by the code, and also enforced by UNIX DAC (the plugin is only readable and executable by the system group specific to the plugin)
  • All the code needing extended system privileges is separated from the main code, in modules called helpers

    • Helpers are run exclusively under sudo
    • The sudoers configuration is attached to a system group specific to the command, which is granted to accounts on a need-to-use basis
    • The helpers are only readable and executable by the system group specific to the command
    • The helpers path and some of their immutable parameters are hardcoded in the sudoers configuration
    • Perl tainted mode (-T) is used for all code running under sudo, preventing any user-input to interfere with the logic, by halting execution immediately
    • Code running under sudo doesn't trust its caller and re-checks every input
    • Communication between unprivileged and privileged-code are done using JSON
  • A protocol break is operated between the ingress and the egress side, rendering most protocol-based vulnerabilities ineffective

๐Ÿ” Auditability

  • Bastion administrators must use the bastion's logic to connect to itself to administer it (or better, use another bastion to do so), this ensures auditability in all cases
  • Every access and action (whether allowed or denied) is logged with:
    • syslog, which should also be sent to a remote syslog server to ensure even bastion administrators can't tamper their tracks, and/or
    • local sqlite3 databases for easy searching
  • Every session is recorded with ttyrec, helper scripts are provided to encrypt and push these records on a remote escrow filer
  • This code is used in production in several PCI-DSS, ISO 27001, SOC1 and SOC2 certified environments

๐Ÿ”— Related

Dependencies

  • ovh-ttyrec - an enhanced but compatible version of ttyrec, a terminal (tty) recorder

Optional tools

  • yubico-piv-checker - a self-contained go binary to check the validity of PIV keys and certificates. Optional, to enable The Bastion PIV-aware functionalities
  • puppet-thebastion (GitHub) - a Puppet module to automate and maintain the configuration of The Bastion machines
  • the-bastion-ansible-wrapper - a wrapper to make it possible to run Ansible playbooks through The Bastion
  • debian-cis - a script to apply and monitor the hardening of Debian hosts as per the CIS recommendations

๐Ÿ“ License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Repositories

1

cds

Enterprise-Grade Continuous Delivery & DevOps Automation Open Source Platform
Go
4,557
star
2

utask

ยตTask is an automation engine that models and executes business processes declared in yaml. โœ๏ธ๐Ÿ“‹
Go
1,136
star
3

venom

๐Ÿ Manage and run your integration tests with efficiency - Venom run executors (script, HTTP Request, web, imap, etc... ) and assertions
Go
1,031
star
4

debian-cis

PCI-DSS compliant Debian 10/11/12 hardening
Shell
695
star
5

celery-director

Simple and rapid framework to build workflows with Celery
Python
528
star
6

svfs

The Swift Virtual File System
Go
374
star
7

php-ovh

Lightweight PHP wrapper for OVH APIs. That's the easiest way to use OVH.com APIs in your PHP applications.
PHP
287
star
8

python-ovh

Thin wrapper around OVH's APIs. Handles all the hard work including credential creation and requests signing.
Python
270
star
9

docs

Official repository containing all docs & guides of OVH Group
HTML
219
star
10

manager

OVHcloud Control Panel
JavaScript
209
star
11

overthebox

OverTheBox - Aggregate and encrypt your multiple internet connections.
Shell
197
star
12

public-cloud-roadmap

Agile roadmap for OVHcloud Public Cloud services. Discover the features our product teams are working on, comment and influence our backlog.
185
star
13

terraform-provider-ovh

Terraform OVH provider
Go
182
star
14

ai-training-examples

Jupyter Notebook
136
star
15

metronome

Metronome is a distributed and fault-tolerant event scheduler
Go
134
star
16

go-ovh

Simple go wrapper for the OVH API
Go
127
star
17

node-ovh

Node.js wrapper for the OVH APIs
JavaScript
125
star
18

symmecrypt

Golang symmetric encryption library
Go
111
star
19

ovh-ttyrec

Enhanced (but compatible) version of the classic ttyrec
C
107
star
20

overthebox-feeds

OverTheBox - LEDE/OpenWrt feed
JavaScript
106
star
21

sv2chisel

(System)Verilog to Chisel translator
Scala
103
star
22

celery-dyrygent

Celery extension which allows to orchestrate 100/1000/10000 tasks combined into a complex workflow
Python
98
star
23

overthebox-openwrt

OverTheBox - OpenWrt fork
C
98
star
24

tat

Tat Engine - Text And Tags
Go
89
star
25

beamium

Prometheus to Warp10 metrics forwarder
Rust
84
star
26

ip-reputation-monitoring

Monitor the reputation of your IP ranges
Python
83
star
27

depc

QoS Measurement & Dependency Graph Platform
Python
80
star
28

configstore

Golang configuration management library
Go
63
star
29

erlenmeyer

Erlenmeyer is a proxy used to parse common Open Source TimeSeries DataBase query endpoints like OpenTSDB, Prometheus/PromQL, InfluxQL or Graphite. Parsed queries are translated into WarpScript to produce native Warp 10 queries.
Go
60
star
30

tsl

TSL is a HTTP proxy which generate WarpScript or a PromQl script based on a TSL query.
Go
56
star
31

noderig

Export OS stats as Sensision Metrics
Go
55
star
32

ovh-ui-kit

OVHcloud UI Kit - Master UI Framework
JavaScript
54
star
33

terraform-ovh-commons

This repo contains commons resources to interact with OVH Public Cloud using Terraform.
HTML
53
star
34

php-ovh-sms

PHP for ovh sms API
PHP
49
star
35

ovh-cli

OVH Command Line Interface
Python
40
star
36

infrastructure-roadmap

36
star
37

summit2016-RankingPredict

Deprecated, No more maintained - Deprecated, no longer maintained
R
34
star
38

ovh-warp10-datasource

Grafana datasource for Warp10 platform
TypeScript
33
star
39

the-bastion-ansible-wrapper

Using Ansible through The Bastion
Python
33
star
40

csharp-ovh

Thin wrapper around OVH's APIs. Handles all the hard work including credential creation and requests signing
C#
28
star
41

order-cart-examples

Example code snippets demonstrating how to use new order with cart on api.ovh.com
PHP
25
star
42

ldp-tail

OVH Logs Data Platform - Tail CLI tooling
Go
24
star
43

public-cloud-examples

Jupyter Notebook
22
star
44

haproxy-exporter

Export HAProxy stats as Sensision Metrics
Go
21
star
45

fossil

Fossil is a proxy for securing unencrypted Graphite metrics collection
Go
20
star
46

python-apispec-fromfile

APISpec plugin to import OpenAPI specifications from a file
Python
19
star
47

terraform-ovh-publiccloud-network

HCL
19
star
48

design-system

A collection of assets, guidelines and UI components for building consistent user experiences across OVHcloud products.
SCSS
19
star
49

tatwebui

Tat Web UI - Text And Tags
JavaScript
19
star
50

java-ovh

Thin wrapper around OVH's APIs. Handles all the hard work including credential creation and requests signing
Java
19
star
51

cerberus-ux

HTML
16
star
52

lxd-puppet-module

Ruby
14
star
53

osarchiver

OpenStack databases archiver
Python
14
star
54

jerem

Jerem is a golang bot that scrap JIRA project to extract Metrics. Those Metrics can then be send to a Warp 10 Backend.
Go
14
star
55

cerberus-core

Cerberus is a toolkit to receive, parse, process and automate abuse reports handling received by ISP or hosting providers.
Python
14
star
56

website-evidence-collector-batch

A tool to launch website-evidence-collector on several URLs or Sitemaps and generate a full report.
JavaScript
13
star
57

distronaut

Find distribution installers all across the web !
Go
13
star
58

rtm

RTM (OVH Real Time Monitoring)
Perl
13
star
59

ovh-ui-kit-bs

A bootstrap theme for the OVH managers, based on ovh-ui-kit
Less
13
star
60

prescience-client

Desktop python client for using OVH Prescience service
Jupyter Notebook
13
star
61

gulp-drupal-stack

OVH Gulp tasks for Drupal themes and modules
JavaScript
12
star
62

public-cloud-databases-examples

OVHcloud Public Cloud Databases Training examples
HCL
12
star
63

serving-runtime

Exposes a serialized machine learning model through a HTTP API.
Java
12
star
64

metronome-ui

User interface for Metronome
JavaScript
11
star
65

swift-ovh

This Swift package is a lightweight wrapper for OVH APIs. That's the easiest way to use OVH.com APIs in your Swift applications. Apple platforms supported: iOS, OSX, tvOS, watchOS.
Swift
11
star
66

private-cloud-roadmap

11
star
67

pulumi-ovh

Pulumi provider for OVHcloud
Python
11
star
68

telephony-example-cti-dashboard

Shows signaling events provided by OVH France telephony services CTI
CSS
11
star
69

drucker

Drucker is a lightweight Drupal Developer Environment.
Shell
10
star
70

phishing-mitigation

Tilera-based phishing mitigation layer
JavaScript
10
star
71

lhasa

List and map micro-services-based information system and observe how they interact. Track their activities, then gamify their continuous improvement.
Go
10
star
72

overthebox-lede

OverTheBox - LEDE fork
C
8
star
73

owstats-ui

JavaScript
8
star
74

python-logging-gelf

A python logging bundle to send logs using GELF
Python
8
star
75

webpaas-cli

PHP
7
star
76

terraform-provider-mimirtool

Terraform provider for Grafana Mimir
Go
7
star
77

vbridge

X11 cloud desktop software
C
7
star
78

djehouty

Djehouty intends to be a set of logging formatters and handlers to easily send log entries.
Python
7
star
79

crystal-ovh

Lightweight Crystal wrapper around OVH's APIs.
Crystal
7
star
80

ovhdata-cli

Rust
7
star
81

python-warp10client

Python
7
star
82

data-processing-spark-submit

Spark CLI wrapper to run your jobs on OVHcloud Data Processing
Go
7
star
83

docs-rendering

[DEPRECATED] Official rendering engine for static generation of OVH Docs platform
HTML
7
star
84

interpretability-engine

Interpret Machine Learning black-box models deployed on Serving Engine
Python
6
star
85

webhosting-ssh-bashrc

Shell
6
star
86

puppet-thebastion

Puppet module for Thebastion management.
Ruby
6
star
87

public-cloud-databases-operator

This operator allow you to automaticaly authorize your Kubernetes cluster IP on your OVHcloud cloud databases service.
Go
6
star
88

docs-developer-env

Easy to deploy developer environment, for writing/testing guides & documentations for docs.ovh.com
Shell
6
star
89

tat-contrib

Go
6
star
90

bringyourownlinux

Shell
6
star
91

terraform-ovh-publiccloud-docker-swarm

HCL
5
star
92

yubico-piv-checker

Go
5
star
93

terraform-ovh-publiccloud-spark

HCL
5
star
94

summit2016-webhosting-example-rondcoin

PHP
5
star
95

collectd-write-warp10

Python
5
star
96

fiowebviewer

Python
5
star
97

puppet-mimir

Ruby
4
star
98

pingdom-to-graphite

A tool for copying metrics from Pingdom to Graphite.
JavaScript
4
star
99

ovh-winston-ldp

A graylog2 TCP/TLS transport for winston library
JavaScript
4
star
100

.github

Community health files for the @ovh organization
3
star