codeguard/aws_bastion

aws_bastion

A service that runs on amazon and manages shared ssh keys

The goal of this project is to create a system that permits login to Amazon EC2 instances for teams without sharing the keys generated by Amazon keypairs. It lets users add new users and new keys, rotate their own keys, and provides auditability based on those keys.

Flow goals:

  1. Have the service create its own AWS keypair(s). Questions: Have multiple keypairs? Should it create its own IAM role somehow?

  2. Have a simple set of configs that can be put in an ssh config file to enable this for a lot of hosts (for example, if we are creating a lot of spot instances). Questions: How do we handle host resolution (internal/external IPs, etc.)?

  3. Be able to log into a host started with the bastion keypair.

  4. Be able to add additional authorized keys to the agent.

Each user must have a key

MVP user flow: The program is started on an EC2 instance. The user can use the keypair from that EC2 instance to ssh to port 2222 as one of two user types, either "manage" or "login". If the user connects with a known keypair as "login", the user is forwarded (via a special ssh config they have set up) to the remote host and logged in with the bastion key. The user can manage the daemon by sshing to the bastion with a known keypair as the "manage" user, and can send commands via cat/echo to the management process. Initially the commands will look like the following:

  • user <ssh pubkey> will create a new user.
  • addkey <ssh pubkey> will add a pubkey to the user.
  • audit user will list the authentication sessions for the user.

Antigoals:

  • Don't reimplement/modify anything in ssh. The goal is to leverage OpenSSH for all real SSH-protocol-related work.

Mechanism:

  • The whole thing will compile into a multicall Go binary. The multicall Go binary will have three modes, and will launch Docker containers from a purpose-built Docker image. The only thing that the Docker image will do is launch an OpenSSH daemon with a custom config for a single connection, and that OpenSSH instance will then call the multicall Go binary.
  • This project will depend on Docker and two specific Docker containers, one with an OpenSSH server and one with Redis.
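To make the "manage" command flow above concrete, here is an added example (not code from this repository) of how the management process could validate a submitted public key before storing it and dispatch the `user` and `addkey` commands. It assumes an in-memory map standing in for the Redis backend, that the caller of a manage session is the user the bastion identified from the connecting key, and that `user <key>` names the new user by the key's comment field; `WireKey` is a hypothetical helper used only to construct sample keys.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Store stands in for the Redis backend (assumption); maps user name -> authorized_keys lines.
type Store struct{ Keys map[string][]string }

// WireKey builds the base64 blob of an authorized_keys line (length-prefixed type, then material); test helper only.
func WireKey(keyType string, material []byte) string {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, uint32(len(keyType)))
	return base64.StdEncoding.EncodeToString(append(append(b, keyType...), material...))
}

// ParseKey validates "<type> <base64 blob> [comment]"; the decoded blob must start with the type it declares, so junk is rejected.
func ParseKey(line string) (keyType, comment string, err error) {
	keyType, rest, ok := strings.Cut(strings.TrimSpace(line), " ")
	b64, comment, _ := strings.Cut(rest, " ")
	blob, err := base64.StdEncoding.DecodeString(b64)
	if !ok || err != nil || len(blob) < 4 {
		return "", "", fmt.Errorf("expected '<type> <base64 blob> [comment]'")
	}
	n := int(binary.BigEndian.Uint32(blob))
	if n == 0 || 4+n > len(blob) || string(blob[4:4+n]) != keyType {
		return "", "", fmt.Errorf("blob type does not match declared type %q", keyType)
	}
	return keyType, comment, nil
}

// Manage runs one "manage" command; caller is the user identified from the connecting key (assumption: "user" names the new user by the key comment).
func (s *Store) Manage(caller, line string) (string, error) {
	cmd, rest, _ := strings.Cut(strings.TrimSpace(line), " ")
	_, name, err := ParseKey(rest)
	switch {
	case cmd != "user" && cmd != "addkey":
		return "", fmt.Errorf("unknown command %q", cmd)
	case err != nil:
		return "", err
	case cmd == "addkey":
		name = caller // keys are only ever added to the authenticated caller
	}
	_, exists := s.Keys[name] // "user" needs a fresh name, "addkey" an existing one
	if name == "" || exists != (cmd == "addkey") {
		return "", fmt.Errorf("cannot %s: user %q", cmd, name)
	}
	s.Keys[name] = append(s.Keys[name], rest)
	return fmt.Sprintf("%s now has %d key(s)", name, len(s.Keys[name])), nil
}
```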
