Today I’m releasing a new project I’ve been working on to help bolster secure remote connectivity to cloud resources. Bastion Prime is a containerized jump host meant to run anywhere (e.g. Kubernetes) as a more secure, ephemeral point of access for bouncing through to internal systems.

While many people have successfully used tools like OpenVPN or Pritunl (which just orchestrates OpenVPN), it can be much easier to deploy a simple container with an already populated authorized_keys file. Key changes can be made through PRs straight to the repository housing the Dockerfile and other assets. Hence, it’s recommended that you source Bastion Prime in your own Dockerfile, copy in public (and host) keys, set up CI/CD, and securely deploy in your cloud environment!

In addition to being a really small (yay Alpine) SSH-only container, I’ve taken the liberty of implementing some of the most common hardening practices. It’s also highly recommended that you tighten up runtime parameters, such as seccomp policies, dropping capabilities, and setting a read-only filesystem.
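The two previous paragraphs describe one workflow: collect public keys into authorized_keys, bake them into an image derived from Bastion Prime, and run that image with tightened runtime settings. The script below is an added example of that workflow and is not part of the Bastion Prime project. It assumes a layout of one public key per file under keys/ and pre-generated host keys under hostkeys/ (both copied in by a Dockerfile you write), a placeholder image name, the port 8889 used in the ssh config on this page, and a seccomp profile path you supply. The capability set added back after dropping everything is the minimum sshd needs for privilege separation and switching to the login user (my reading, not a statement from the project).

```shell
#!/bin/sh
# Added example: assemble authorized_keys, build the derived image, run it hardened.
# Layout assumed (not from the project):
#   keys/<user>.pub      one OpenSSH public key per file, managed via PRs
#   hostkeys/ssh_host_*  pre-generated host keys so the fingerprint survives redeploys
#   Dockerfile           FROM the Bastion Prime image, COPY authorized_keys and hostkeys/
set -eu

IMAGE="${IMAGE:-registry.example.io/bastion-prime-custom:latest}"   # placeholder name
SSH_PORT="${SSH_PORT:-8889}"                                         # port from the ssh config above
SECCOMP_PROFILE="${SECCOMP_PROFILE:-./seccomp-sshd.json}"            # assumed path to your profile

# Return 0 if a line looks like an OpenSSH public key of a common type, 1 otherwise.
# Anything that fails this check aborts the build rather than silently landing in the image.
valid_pubkey() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-rsa) [A-Za-z0-9+/]+=*( .*)?$'
}

# Build authorized_keys from keys/*.pub. Each accepted key is prefixed with restrictions
# suited to a pure jump host: ProxyJump only needs a forwarding channel, never a pty.
# Prints the number of keys written; returns 1 on the first malformed key.
assemble_authorized_keys() {
  keydir="$1"; out="$2"
  : > "$out"
  for f in "$keydir"/*.pub; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
      if valid_pubkey "$line"; then
        printf 'no-pty,no-agent-forwarding,no-X11-forwarding %s\n' "$line" >> "$out"
      else
        echo "rejected malformed key in $f" >&2
        return 1
      fi
    done < "$f"
  done
  wc -l < "$out" | tr -d ' '
}

# Runtime hardening flags, one per line. The same settings map onto a Kubernetes
# securityContext: readOnlyRootFilesystem, capabilities.drop/add, seccompProfile,
# and allowPrivilegeEscalation: false for no-new-privileges.
hardened_run_args() {
  printf '%s\n' \
    --read-only \
    --tmpfs /run:rw,nosuid,size=1m \
    --cap-drop ALL \
    --cap-add SETUID \
    --cap-add SETGID \
    --cap-add SYS_CHROOT \
    --security-opt no-new-privileges \
    --security-opt "seccomp=$SECCOMP_PROFILE" \
    --pids-limit 64 \
    -p "$SSH_PORT:$SSH_PORT"
}

build_image() {
  docker build -t "$IMAGE" .
}

run_container() {
  # Arguments are whitespace-free by construction, so unquoted expansion is safe here.
  # shellcheck disable=SC2046
  docker run -d --name bastion-prime $(hardened_run_args) "$IMAGE"
}

main() {
  n=$(assemble_authorized_keys ./keys ./authorized_keys)
  echo "authorized_keys contains $n key(s)"
  build_image
  run_container
}

# Only deploy when explicitly asked, e.g. DEPLOY=1 sh deploy.sh, so the functions
# can also be sourced and exercised on their own.
if [ "${DEPLOY:-0}" = "1" ]; then
  main
fi
```

The tmpfs on /run gives sshd somewhere to write its pid file while the rest of the filesystem stays read-only; if your image's sshd_config uses a different PidFile location, mount that path instead. Sessions hitting the no-pty restriction get no interactive shell on the jump host itself, which is the intended behaviour for a bounce-only box.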

Something like this would work brilliantly in your local ssh config file:

# public-facing jump host
Host jumphost
  User jump
  HostName jumphost.public.example.io
  Port 8889

# internal target, reached through the jump host
Host privatebox
  User mario
  HostName privatebox.hax.kk
  ProxyJump jumphost

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.