bastillion-io / Bastillion

Licence: agpl-3.0
Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys.

Bastillion

Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration are based on profiles assigned to defined users.

Administrators can log in using two-factor authentication with Authy or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

Bastillion layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: Implementing a Trusted Third-Party System for Secure Shell. Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.

Bastillion Releases

Bastillion is available for free use under the Prosperity Public License

https://github.com/bastillion-io/Bastillion/releases

or purchase from the AWS marketplace

https://aws.amazon.com/marketplace/pp/Loophole-LLC-Bastillion/B076PNFPCL

Also, Bastillion can be installed on FreeBSD via the FreeBSD ports system. To install via the binary package, simply run:

pkg install security/bastillion

Prerequisites

Open-JDK / Oracle-JDK - 1.9 or greater

apt-get install openjdk-9-jdk

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Install Authy or Google Authenticator to enable two-factor authentication with Android or iOS

Application            Android       iOS
Authy                  Google Play   iTunes
Google Authenticator   Google Play   iTunes

To Run Bundled with Jetty

Download bastillion-jetty-vXX.XX.tar.gz

https://github.com/bastillion-io/Bastillion/releases

Export environment variables

for Linux/Unix/OSX

 export JAVA_HOME=/path/to/jdk
 export PATH=$JAVA_HOME/bin:$PATH

for Windows

 set JAVA_HOME=C:\path\to\jdk
 set PATH=%JAVA_HOME%\bin;%PATH%

Start Bastillion

for Linux/Unix/OSX

    ./startBastillion.sh

for Windows

    startBastillion.bat

More Documentation at: https://www.bastillion.io/docs/index.html

Build from Source

Install Maven 3 or greater

apt-get install maven

http://maven.apache.org

Install Loophole MVC

https://github.com/bastillion-io/lmvc

Export environment variables

export JAVA_HOME=/path/to/jdk
export M2_HOME=/path/to/maven
export PATH=$JAVA_HOME/bin:$M2_HOME/bin:$PATH

In the directory that contains the pom.xml run

mvn package jetty:run

Note: Doing a mvn clean will delete the H2 DB and wipe out all the data.

Using Bastillion

Open browser to https://<whatever ip>:8443

Login with

username:admin
password:changeme

Note: When using the AMI instance, the password is defaulted to the <Instance ID>. Also, the AMI uses port 443 as in https://<Instance IP>:443

Managing SSH Keys

By default Bastillion will overwrite all values in the specified authorized_keys file for a system. You can disable key management by editing the BastillionConfig.properties file and use Bastillion only as a bastion host. This file is located in the jetty/bastillion/WEB-INF/classes directory (or the src/main/resources directory if building from source).

#set to false to disable key management. If false, the Bastillion public key will be appended to the authorized_keys file (instead of it being overwritten completely).
keyManagementEnabled=false

Also, the authorized_keys file is updated/refreshed periodically based on the relationships defined in the application. If key management is enabled the refresh interval can be specified in the BastillionConfig.properties file.

#authorized_keys refresh interval in minutes (no refresh for <=0)
authKeysRefreshInterval=120

By default Bastillion will generate and distribute the SSH keys managed by administrators, and has them download the generated private key. This forces admins to use strong passphrases for keys that are set on systems. The private key is only available for download once and is not stored on the application side. To disable this and allow administrators to set any public key, edit the BastillionConfig.properties file.

#set to true to generate keys when added/managed by users and enforce strong passphrases; set to false to allow users to set their own public key
forceUserKeyGeneration=false

Supplying a Custom SSH Key Pair

Bastillion generates its own public/private SSH key upon initial startup for use when registering systems. You can specify a custom SSH key pair in the BastillionConfig.properties file.

For example:

#set to true to regenerate and import SSH keys  --set to true
resetApplicationSSHKey=true

#SSH Key Type 'dsa' or 'rsa'
sshKeyType=rsa

#private key  --set pvt key
privateKey=/Users/kavanagh/.ssh/id_rsa

#public key  --set pub key
publicKey=/Users/kavanagh/.ssh/id_rsa.pub

#default passphrase  --leave blank if passphrase is empty
defaultSSHPassphrase=myPa$$w0rd

After startup and once the key has been registered it can then be removed from the system. The passphrase and the key paths will be removed from the configuration file.

Adjusting Database Settings

Database settings can be adjusted in the configuration properties.

#Database user
dbUser=bastillion
#Database password
dbPassword=p@$$w0rd!!
#Database JDBC driver
dbDriver=org.h2.Driver
#Connection URL to the DB
dbConnectionURL=jdbc:h2:keydb/bastillion;CIPHER=AES;

By default the datastore is set as embedded, but a remote H2 database can be supported by adjusting the connection URL.

#Connection URL to the DB
dbConnectionURL=jdbc:h2:tcp://<host>:<port>/~/bastillion;CIPHER=AES;
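
The properties described in the sections above can be checked mechanically before a deployment. The following is an added example, not part of Bastillion: the function names and the two sample configurations are constructed for illustration, and the only property names used are ones shown on this page.

```python
# Added example, not Bastillion code. Sample secrets are values printed on this page.
DOC_SAMPLE_SECRETS = {"myPa$$w0rd", "changeme"}

def parse_properties(text):
    """Parse key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return the property names whose values relax a control described above."""
    # Both switches default to true; false leaves unmanaged or user-chosen keys in place.
    risky = [k for k in ("keyManagementEnabled", "forceUserKeyGeneration")
             if props.get(k, "true").lower() == "false"]
    if props.get("sshKeyType", "").lower() == "dsa":    # DSA is deprecated in OpenSSH
        risky.append("sshKeyType")
    # Key paths and passphrase should be gone once the custom key has been imported.
    risky += [k for k in ("privateKey", "publicKey", "defaultSSHPassphrase") if props.get(k)]
    url = props.get("dbConnectionURL", "")
    if url and "CIPHER=AES" not in url.upper():          # H2 store not encrypted at rest
        risky.append("dbConnectionURL")
    # Any value copied verbatim from the documentation is a known secret.
    risky += [k for k, v in props.items() if v in DOC_SAMPLE_SECRETS and k not in risky]
    return risky

# Constructed sample inputs (not taken from a real deployment).
WEAK = """\
keyManagementEnabled=false
forceUserKeyGeneration=false
sshKeyType=dsa
privateKey=/home/admin/.ssh/id_dsa
defaultSSHPassphrase=myPa$$w0rd
dbConnectionURL=jdbc:h2:keydb/bastillion
"""
HARDENED = """\
sshKeyType=rsa
privateKey=
dbConnectionURL=jdbc:h2:keydb/bastillion;CIPHER=AES;
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_properties(text)))
```
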

External Authentication

External Authentication can be enabled through the BastillionConfig.properties.

For example:

#specify an external authentication module (ex: ldap-ol, ldap-ad).  Edit the jaas.conf to set connection details
jaasModule=ldap-ol

Connection details need to be set in the jaas.conf file

ldap-ol {
	com.sun.security.auth.module.LdapLoginModule SUFFICIENT
	userProvider="ldap://hostname:389/ou=example,dc=bastillion,dc=com"
	userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
	authzIdentity="{cn}"
	useSSL=false
	debug=false;
};

Administrators will be added as they are authenticated and profiles of systems may be assigned by full-privileged users.

User LDAP roles can be mapped to profiles defined in Bastillion through the use of the org.eclipse.jetty.jaas.spi.LdapLoginModule.

ldap-ol-with-roles {
    //openldap auth with roles that can map to profiles
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="false"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="<SERVER>"
    port="389"
    bindDn="<BIND-DN>"
    bindPassword="<BIND-DN PASSWORD>"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=users,dc=bastillion,dc=com"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=bastillion,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames";
};

Users will be added/removed from defined profiles as they log in and when the role name matches the profile name.
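
Both jaas.conf entries above bind over plain LDAP on port 389 (useSSL=false and useLdaps="false"), so the user and bind passwords cross the network unencrypted. The following added example, which is not Bastillion code, parses a jaas.conf and reports such entries; the sample text is a constructed, abbreviated copy of the entries above plus a hypothetical "ldap-tls" entry, and it assumes the JDK module's useSSL defaults to true and the Jetty module's useLdaps defaults to false.

```python
import re

# Added example, not Bastillion code. JAAS is a constructed, abbreviated copy of the
# two entries above plus a hypothetical TLS entry ("ldap-tls") for contrast.
JAAS = '''
ldap-ol {
    com.sun.security.auth.module.LdapLoginModule SUFFICIENT
    userProvider="ldap://hostname:389/ou=example,dc=bastillion,dc=com"
    authzIdentity="{cn}"
    useSSL=false;
};
ldap-ol-with-roles {
    //openldap auth with roles that can map to profiles
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    useLdaps="false"
    port="389"
    bindPassword="<BIND-DN PASSWORD>"
    authenticationMethod="simple";
};
ldap-tls {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    useLdaps="true"
    port="636";
};
'''

ENTRY = re.compile(r'([\w-]+)\s*\{(.*?)\};', re.S)
OPTION = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_jaas(text):
    """Return {entry name: (login module class, {option: value})}."""
    entries = {}
    for name, body in ENTRY.findall(text):
        body = re.sub(r'(?m)^\s*//.*$', '', body)      # drop whole-line // comments
        opts = {k: quoted or bare for k, quoted, bare in OPTION.findall(body)}
        entries[name] = (body.split()[0], opts)
    return entries

def cleartext_entries(text):
    """Return {entry name: reason} for entries that bind to LDAP without TLS."""
    found = {}
    for name, (module, o) in parse_jaas(text).items():
        if module.startswith("com.sun."):               # JDK module: useSSL defaults to true
            if o.get("userProvider", "").startswith("ldap://") and o.get("useSSL") == "false":
                found[name] = "ldap:// with useSSL=false"
        elif o.get("useLdaps", "false") != "true":      # Jetty module: useLdaps defaults to false
            found[name] = "useLdaps is not true"
    return found
```
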

Auditing

Auditing is disabled by default. Audit logs can be enabled through the log4j2.xml by uncommenting the io.bastillion.manage.util.SystemAudit and the audit-appender definitions.

https://github.com/bastillion-io/Bastillion/blob/master/src/main/resources/log4j2.xml#L19-L22

Auditing through the application is only a proof of concept. It can be enabled in the BastillionConfig.properties.

#enable audit  --set to true to enable
enableInternalAudit=true

Acknowledgments

Special thanks go to these amazing projects, which make this (and other great projects) possible.

Third-party dependencies are mentioned in the 3rdPartyLicenses.md

The Prosperity Public License

Bastillion is available for use under the Prosperity Public License

Author

Loophole, LLC - Sean Kavanagh
