A simple SSH bastion using public keys and Google Authenticator to keep things safe.
SSH host keys are generated on demand at launch. You will probably want to
store them in a separate data container so they persist across upgrades
and similar. For this purpose the volume /etc/ssh is defined and may be used like:
$ docker volume create bastion-keys
$ docker run -v "bastion-keys:/etc/ssh" -p 2222:22 neochrome/bastion:latest
The user bastion is used for connections:
$ ssh bastion@hostname
When connecting to the bastion, google-authenticator is run to set up
two-factor authentication unless existing settings are present.
If you want to share the generated authentication settings between multiple bastions, or have them persist across upgrades and similar, use a volume like this:
$ docker volume create bastion-ga
$ docker run -v "bastion-ga:/bastion" -p 2222:22 neochrome/bastion:latest
If you have existing authentication settings that you want to use, mount
them at /.google_authenticator and they will be copied into place
at launch.
You may also use a data container to handle both volumes (/etc/ssh and /bastion)
together, e.g.:
$ docker create --name bastion-data neochrome/bastion:latest
$ docker run --volumes-from bastion-data -p 2222:22 neochrome/bastion:latest
In order to authenticate, public keys need to be made available to the bastion. This may be done in a couple of different ways:
- Bind mount your public key file or an existing authorized_keys file as /authorized_keys; the container will then copy the authorized_keys file into place and set correct permissions at launch.
- Create a derived image (FROM neochrome/bastion:latest) and add the key(s) to /bastion/authorized_keys; don't forget to set the owner to bastion:users.
- Use a volume populated with a /bastion/authorized_keys file with correct ownership set, mounted as /bastion.
- Like 2, but managed in a data container.
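A pre-flight check for the key file before it is bind-mounted as /authorized_keys. This is an added example, not part of the image: it verifies that every key line has an accepted key type and a base64 blob that really encodes that type, and refuses a file that contains private-key material (the classic mistake of mounting id_ed25519 instead of id_ed25519.pub). The accepted-type list is an assumption of this script, not the image's configuration.

```shell
#!/bin/sh
# Pre-flight check for a public-key file before mounting it as /authorized_keys.
# Assumption: OpenSSH-style "<type> <base64> [comment]" lines, no leading option
# fields (a line starting with options such as from="..." is rejected as
# unsupported, which is the conservative choice for a bastion).

# Key types this check accepts; ssh-dss is deliberately left out (assumption).
ALLOWED_KEY_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com sk-ecdsa-sha2-nistp256@openssh.com"

# check_authorized_keys FILE
# Returns 0 when the file is acceptable, 1 otherwise, with one diagnostic per
# problem on stderr. Blank lines and '#' comments are ignored.
check_authorized_keys() {
  file=$1
  status=0
  if [ ! -r "$file" ]; then
    echo "$file: not readable" >&2
    return 1
  fi
  if grep -q 'PRIVATE KEY' "$file"; then
    echo "$file: contains private key material; mount the .pub file instead" >&2
    return 1
  fi
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case $line in
      ''|'#'*) continue ;;
    esac
    set -- $line          # split into type, blob, comment
    type=$1; blob=$2
    ok=0
    for t in $ALLOWED_KEY_TYPES; do
      if [ "$t" = "$type" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
      echo "$file:$lineno: unsupported key type '$type'" >&2
      status=1
      continue
    fi
    # The decoded blob starts with a length-prefixed copy of its own type
    # string, so a blob that does not contain the type is not a key of that type.
    if ! printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\000' | grep -q "$type"; then
      echo "$file:$lineno: key blob is not a valid $type key" >&2
      status=1
    fi
  done < "$file"
  return $status
}
```

Run it as `check_authorized_keys ~/.ssh/id_ed25519.pub && docker run -v "$HOME/.ssh/id_ed25519.pub:/authorized_keys" ...` so a bad file never reaches the container.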
The image comes without a /etc/motd file. If you want one, you may either:
- Add one to a derived image.
- Mount one at /motd and the container will copy it into place at launch.
- Mount one at /etc/motd.
- Fork it (https://github.com/neochrome/docker-bastion/fork)
- Create your feature branch (git switch -c my-new-feature)
- Commit your changes (git commit -am 'feat: some new feature'); make sure to follow https://www.conventionalcommits.org/.
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
Releases are automated using Release Please.