Skip to content

Latest commit

 

History

History
59 lines (39 loc) · 1.66 KB

README.md

File metadata and controls

59 lines (39 loc) · 1.66 KB

bastion

This furnace project provides code to create a configurable Bastion which gets user data from AWS IAM.

Prereq

After everything is installed a new user must be configured to use the AWS services. This should preferrably be a user who has no other access.

Also, the default region must be exported like AWS_REGION=eu-central-1.

This Bastion should not be accessible from the outside.

The CloudFormation stack is creating a Role which will include temporary credentials for this operation alone.

The role is an AssumeRole which includes a Policy that has access to user's configured public keys.

Those credentials can be accessed via this link:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Bastion-AssumeRole-1U8WD180GKEU0 >> creds.json

This should result in something like this:

{
  "Code" : "Success",
  "LastUpdated" : "2018-10-09T20:40:12Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "asdf",
  "SecretAccessKey" : "asdf",
  "Token" : "asdf=",
  "Expiration" : "2018-10-10T03:14:51Z"
}

We can extract this with jq and put it into our aws credentials file.

cat creds.json | jq .SecretAccessKey
cat creds.json | jq .AccessKeyId

Usage

Edit the sshd_config file to look like this:

AuthorizedKeysCommand /etc/ssh/authorized_keys.rb %u %t %k
AuthorizedKeysCommandUser root

The script must have root permissions like 0555.

The script compares the offered keys public key with the public key gathered for the user.

If either the username or the offered key type or the public key that is derived from the private key the user is using does not match with the record in AWS IAM user record, then SSH is refused.