Today I’m releasing a new project I’ve been working on to help bolster our adoption of more secure connectivity of cloud resources from remote locations. Bastion Prime is a containerized jump host meant to run anywhere (i.e. Kubernetes) as a more secure and ephemeral point of accessibility for bouncing through to internal systems.
While a lot of people have successfully utilized things like OpenVPN or Pritunl (which just orchestrates OpenVPN), it can be much easier to deploy a simple container with an already populated
authorized_keys file. This can be done through PR’s straight to the repository housing the Dockerfile and other assets. Hence, it’s recommended you source Bastion Prime in your own Dockerfile, copy in public (and host) keys, setup CI/CD, and securely deploy in your cloud environment!
In addition to being a really small (yay alpine) ssh only container, I’ve taken the liberty of implementing some of the most common hardening practices. In addition, its highly recommended you tighten up runtime parameters such as seccomp policies, dropping capabilities, and setting a read-only filesystem.
Something like this would work brilliantly in your local ssh config file:
Host jumphost User jump HostName jumphost.public.example.io Port 8889 Host privatebox User mario HostName privatebox.hax.kk ProxyJump jumphost