sb

command module
v1.1.0
Published: Feb 1, 2024 License: MIT Imports: 10 Imported by: 0

README


S(sh) B(astion)


Intro

As a junior DevOps engineer, you probably learned that you don't mess with security, and that publicly exposing a host (server, VM, cloud instance, ...) to the internet is messing with security.

But you (and your teams) still need to access these distant hosts, and setting firewall rules for every employee of your company is just not manageable.

This is usually where SSH ProxyJump comes into play: you have a central point from which you connect to your infrastructure. You can firewall every distant host so that it only accepts SSH from the IP address of your jump host, and all you have to do is ensure that this central point is secured!
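The jump-host pattern described above, shown as a client-side OpenSSH configuration. This is an added example and not part of the sb README; the host names, user name and key path are placeholders.

```sshconfig
# Added example (not from the sb project): ~/.ssh/config routing every
# connection to the internal hosts through a single jump host.
# "bastion.example.com", "*.internal.example.com" and "alice" are placeholders.

Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519

# Everything under the internal domain is reached via the bastion, so the
# distant hosts' firewalls only need to allow SSH from the bastion's address.
Host *.internal.example.com
    ProxyJump bastion
    User alice
```

With this in place, `ssh db1.internal.example.com` opens the session through the bastion in one command (the one-off equivalent is `ssh -J bastion db1.internal.example.com`). ProxyJump requires OpenSSH 7.3 or later on the client. Note that this is exactly the setup whose remaining problems the next paragraphs describe: the user's key still has to exist on every distant host, and the bastion becomes a single point of failure.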

This is cool, but now you have three main issues:

  • you need to provision every employee's SSH keys to every distant host
  • you need to revoke these keys on every distant host when the employee leaves
  • you just added a single point of failure in your infrastructure

sb enters the scene

In a nutshell, sb fixes these three issues, and more!

As an SSH bastion, it works by piping two SSH connections together (employee -> sb -> distant host).

Since you now have two separate SSH connections, the user is authenticated on the bastion by the bastion, and this is where (and only where) their public SSH key sits... revoking just became easy!

But that's not it!

Without compromising security, sb brings groups with shared SSH keys that stay on the bastion. You don't have to provision keys anymore; you just have to grant your users access to distant hosts.

But that's not it!

sb supports multi-primary replication between instances: you create users on one instance, they can use another geo-replicated instance in seconds!

Cherry on the cake

On top of security and high-availability, sb brings auditability and traceability for free to your infrastructure!

By granting access to users and groups only through sb, you can easily know who can (and did) access what at all times. This is, for example, required for ISO 27001.

Plus, for stricter standards (SOC 1, SOC 2, PCI DSS, ...), every SSH session is recorded via TTYRec, so you can replay it!

And since you have the session recordings, why not let users replay their own sessions with TTYPlay, or even convert these recordings to GIF?


Documentation

Quick demo with Docker images:

  1. Demo

General and features documentation:

  1. Genesis and core ideology
  2. Permissions
  3. High Availability
  4. Usage examples
  5. Features

Administration documentation:

  1. Installation
  2. Setup first account
  3. Configuration
  4. Backup and restore
  5. Production deployment

License

Released under the MIT License

Documentation

There is no documentation for this package.
