
Secure Shell Bastion (SSB)


Secure-Shell-Bastion (SSB) is a fully automated tool for generating jailed chroot environments for SSH users. This is most commonly referred to as an "SSH bastion": a secure, single endpoint where external users authenticate themselves and then safely reach unexposed infrastructure (typically behind a firewall). SSB leverages the extremely lightweight and powerful features of Alpine Linux and musl to generate an entire chroot in less than 10MB. This means a single SSB can service hundreds of users safely on extremely small VMs (1 core, 512MB RAM, 10GB disk).

How SSB Works

To create an isolated environment for each user, SSB uses chroot and the ChrootDirectory option in OpenSSH to confine each user to their own file system tree. Rather than soft- or hard-linking each binary, binaries are copied into each chroot, which prevents user tampering and potential escape from the isolated file system tree. On a typical Linux system this can result in a fairly messy environment, but with the power of musl each chroot can be kept extremely small.

SSB also uses a "double-key" model. This means that a user uses their own private key to connect to the bastion, then a separate internal private key, generated by the bastion, to access the unexposed infrastructure. This results in extremely granular control over access to each VM while simultaneously removing the need for password authentication anywhere in the network.

Another critical feature of SSB is its ability to prevent unwanted tampering and access to unneeded binaries. Since a bastion by definition needs broad access to your network to serve users, it is critical to limit access to binaries that could be used to attack the infrastructure behind the bastion. For this reason, SSB only places the following binaries in each chroot:

  • ash
  • ls
  • date
  • cp
  • rm
  • mv
  • pwd
  • cat
  • echo
  • mkdir
  • touch
  • grep
  • sed
  • vi
  • ssh
  • ssh-add
  • ssh-keygen
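As an added example (not part of the SSB project), the POSIX shell helper below audits a chroot for the properties this section relies on: the chroot root and its bin/ are owned by the expected user (root by default, which OpenSSH requires for every component of a ChrootDirectory path) and are not group- or world-writable, bin/ holds only binaries from the SSB allowlist, and each binary is a real copy rather than a symlink into the host. The function names ssb_audit_chroot and ssb_allowed are assumptions; note that OpenSSH applies the ownership and write checks to every parent directory as well, which this helper does not walk.

```sh
#!/bin/sh
# Hypothetical audit helper (not part of SSB): sanity-check a chroot before
# pointing sshd's ChrootDirectory at it. Findings are printed one per line
# and the return value is the number of findings (0 = clean).
SSB_ALLOWED="ash ls date cp rm mv pwd cat echo mkdir touch grep sed vi ssh ssh-add ssh-keygen"

ssb_allowed() {   # exit 0 if $1 is on the SSB allowlist
    for b in $SSB_ALLOWED; do [ "$b" = "$1" ] && return 0; done
    return 1
}

# Usage: ssb_audit_chroot /path/to/chroot [owner]   (owner defaults to root)
ssb_audit_chroot() {
    root=$1; owner=${2:-root}; findings=0
    for d in "$root" "$root/bin"; do
        [ -d "$d" ] || { echo "MISSING: $d"; findings=$((findings + 1)); continue; }
        # -prune stops find from descending, so only $d itself is tested
        if [ -n "$(find "$d" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: $d is group/world writable"; findings=$((findings + 1))
        fi
        if [ -n "$(find "$d" -prune ! -user "$owner" -print)" ]; then
            echo "OWNER: $d is not owned by $owner"; findings=$((findings + 1))
        fi
    done
    # Inspect every entry in bin/, including dotfiles that may hide a binary
    for f in "$root"/bin/* "$root"/bin/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        name=${f##*/}
        if [ -L "$f" ]; then
            echo "SYMLINK: bin/$name is a link, not a copied binary"; findings=$((findings + 1))
        fi
        if ! ssb_allowed "$name"; then
            echo "EXTRA: bin/$name is not on the SSB allowlist"; findings=$((findings + 1))
        fi
    done
    return $findings
}
```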

Install SSB

  1. Set up an Alpine Linux VM with access to your protected internal network.
  2. Ensure that all machines within the internal network, INCLUDING THE BASTION, are using key-only authentication for SSH!
  3. Install SSB with:
 curl https://raw.githubusercontent.com/JustinTimperio/secure-shell-bastion/master/bin/ssb_install.sh | sudo sh
  4. Port forward your SSH port to an external port on your public IP.
  5. Set up your bastion users using the guide below.

Using SSB

  • -l, --list List all jailed SSB user accounts
sudo ssb --list
  • -n, --new_user Create a new jailed SSB user account
sudo ssb --new_user USERNAME
  • -r, --remove_user Remove an existing jailed SSB user account
sudo ssb --remove_user USERNAME
  • -ak, --add_key Open a user's authorized_keys file to add a new key
sudo ssb --add_key USERNAME
  • -rk, --remove_key Remove all authorized_keys for a user, locking the account
sudo ssb --remove_key USERNAME
  • -sp, --show_pub Show the internal public key for an SSB user
sudo ssb --show_pub USERNAME

Uninstall SSB

  1. First list all your SSB users and remove each account with sudo ssb --remove_user USERNAME
  2. Run sudo ./opt/secure-shell-bastion/bin/ssb_remove.sh

Contributors: justintimperio

