Create a authorized_keys file with all public keys that can connect to this bastion. Make the file publicly readable or the user in the docker will not have the permission to read it.
chmod a+r authorized_keys
Then run the following command to start the bastion.
docker run --name bastion -d --restart=always -v $(pwd)/authorized_keys:/home/dev/.ssh/authorized_keys:ro -p 9022:9022 chentm/bastion
To connect through the bastion, first add your key to forward agent: ssh-add and use ssh-add -L to
ssh -A -t -p 9022 [email protected] ssh -t [email protected]
The bastion itself do not have firewalls to limit the source connections. You can use the firewall at the host machine or the security group from AWS to limit the connecitons to port 9022.
Users can do pretty much nothing with the bastion. Only ssh/sshd commands are available.
Run the following commands to build the docker image before running docker run
git clone https://github.com/chentmin/bastion.git
docker build -t chentm/bastion bastion
It only needs to download ~2MB from Github, although it could be slow to download from China.
This bastion is based on Alpine Version 3.2.
Security harden script is modified based on this