Skip to content

This furnace project provides code to create a configurable Bastion which gets user data from AWS IAM.

Notifications You must be signed in to change notification settings

go-furnace/bastion

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Repository files navigation

bastion

This furnace project provides code to create a configurable Bastion which gets user data from AWS IAM.

Prereq

After everything is installed a new user must be configured to use the AWS services. This should preferrably be a user who has no other access.

Also, the default region must be exported like AWS_REGION=eu-central-1.

This Bastion should not be accessible from the outside.

The CloudFormation stack is creating a Role which will include temporary credentials for this operation alone.

The role is an AssumeRole which includes a Policy that has access to user's configured public keys.

Those credentials can be accessed via this link:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Bastion-AssumeRole-1U8WD180GKEU0 >> creds.json

This should result in something like this:

{
  "Code" : "Success",
  "LastUpdated" : "2018-10-09T20:40:12Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "asdf",
  "SecretAccessKey" : "asdf",
  "Token" : "asdf=",
  "Expiration" : "2018-10-10T03:14:51Z"
}

We can extract this with jq and put it into our aws credentials file.

cat creds.json | jq .SecretAccessKey
cat creds.json | jq .AccessKeyId

Usage

Edit the sshd_config file to look like this:

AuthorizedKeysCommand /etc/ssh/authorized_keys.rb %u %t %k
AuthorizedKeysCommandUser root

The script must have root permissions like 0555.

The script compares the offered keys public key with the public key gathered for the user.

If either the username or the offered key type or the public key that is derived from the private key the user is using does not match with the record in AWS IAM user record, then SSH is refused.

About

This furnace project provides code to create a configurable Bastion which gets user data from AWS IAM.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages