Releases: rochacon/bastrd

v0.3.0: AWS IAM PAM integration and AWS IAM auth HTTP reverse proxy

30 Jan 18:07

This release introduces Linux PAM integration, which extends SSH and sudo authentication, and a basic HTTP reverse proxy that protects internal services behind AWS IAM authentication.

PAM integration

Because of the PAM integration, the recommended SSH configuration includes an additional authentication step (pam). This step requires the user's first personal AWS IAM secret key plus the MFA code as the password. MFA is required in this release.

AWS IAM authentication HTTP reverse proxy

The simple reverse proxy authenticates users against AWS IAM using the same procedure as the PAM integration. Session duration is hardcoded to 2 hours.

λ sha512sum bastrd*
f2c25f4cb7ba6abaab91433af39ec33a65b58102104e0ebbb694fcdf96bc89963b11f6ff0cd4f821088660d7b7488eccd70932e3719cf10b48ddc595a1d72334  bastrd-linux-amd64
d0666347eaef29594bb5657c06bdf928b79b297914a28aee29a470ef73d4a029c8b6fa3da0ebeda4eec6f95c1a1cdbc4a906a2ec7081058d8c11be819097d4a7  bastrd-linux-amd64.gz
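The authentication procedure shared by the PAM step and the reverse proxy, as an added Go example (not bastrd's own code): the password is parsed into secret key and MFA code, the MFA device serial is derived from the user ARN, and STS is asked for a 2-hour session. It assumes the code is appended directly to the key, that the virtual MFA device carries the default name, and that the bastion already knows the user's access key ID; the STS call itself is behind a small interface so the flow runs without AWS.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

// SessionDuration is the 2-hour session from the release notes, in seconds.
const SessionDuration = 2 * 60 * 60

// passwordRe: a 40-char IAM secret access key directly followed by a 6-digit MFA code (the notes name no separator, so plain concatenation is an assumption here).
var passwordRe = regexp.MustCompile(`^([A-Za-z0-9/+]{40})([0-9]{6})$`)

type Session struct{ AccessKeyID, SecretAccessKey, SessionToken string } // temporary credentials returned by STS

// STS is the one call needed: sts:GetSessionToken signed with the user's long-term keys plus MFA serial and code (production wraps aws-sdk-go, tests use a fake).
type STS interface {
	GetSessionToken(accessKeyID, secretKey string, durationSeconds int, serial, code string) (Session, error)
}

// ParsePassword splits the PAM "password" into the secret key and the MFA code.
func ParsePassword(pw string) (secret, code string, err error) {
	if m := passwordRe.FindStringSubmatch(strings.TrimSpace(pw)); m != nil {
		return m[1], m[2], nil
	}
	return "", "", errors.New("expected 40-char secret key followed by 6-digit MFA code")
}

// MFASerialFromUserARN maps arn:...:user/NAME to arn:...:mfa/NAME (assumes the default device name).
func MFASerialFromUserARN(userARN string) (string, error) {
	i := strings.Index(userARN, ":user/")
	if i < 0 {
		return "", errors.New("not an IAM user ARN")
	}
	return userARN[:i] + ":mfa/" + userARN[i+len(":user/"):], nil
}

// Authenticate parses the password, derives the MFA serial and requests a 2-hour session; STS rejects a wrong code or a key that is not the user's, so a Session proves identity.
func Authenticate(sts STS, userARN, accessKeyID, password string) (Session, error) {
	secret, code, err := ParsePassword(password)
	if err != nil {
		return Session{}, err
	}
	serial, err := MFASerialFromUserARN(userARN)
	if err != nil {
		return Session{}, err
	}
	return sts.GetSessionToken(accessKeyID, secret, SessionDuration, serial, code)
}
```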

v0.3.0-alpha.1: AWS IAM PAM integration and simple HTTP Proxy preview

22 Jan 09:14

This release adds AWS IAM PAM integration and a simple HTTP proxy for protecting services with AWS IAM authentication.

λ sha512sum bastrd*
ada8c5f1e2c869379b15a6f2f3310996a9fec292301a5ccd2329cfa4907c7183dcebca9556592f1e2e1bb95938ec099d1458b62601c9b414c7532005c4d7a07e  bastrd-linux-amd64
197288eee1777cec97c9677993d32fd0bba28b52886f16e68ecaa4a5f62af728d9ffda78dbab866b621e28d281588cc7d85a51686e73f7b6b62871ae090d9423  bastrd-linux-amd64.gz

v0.2.1: set gid on container creation

11 Jan 23:31

Set the GID on container creation for restricted filesystem permissions.

Verification checksums:

% sha512sum bastrd*
8805f00f3449012e3376592554931cd5da0e93dfbe5abb0f3fbb7cb32cc78b755df5044a56f887a57fd760cc57771c1c9db2a8b845ebc81e5b69499684d4474f  bastrd-linux-amd64
50e88eafe86f5ac17ef4e6f881c1a9e84e237524ee73bb5e8d63f3041a3f57e5d36cf076c3f2ea03e263b0baf8e35c49527909bf79c224dc516b510bf79543e9  bastrd-linux-amd64.gz

v0.2.0: Persistent storage directory and shared UIDs for system and sandbox container

06 Jan 03:26
72237c0

This release introduces shared UIDs for the system and sandbox container and support for persistent storage.

v0.1.0: bastion server for secure environments

30 Dec 03:10
31009f5

bastrd builds on the ideas behind keymaker and toolbox to provide a secure shared bastion server for restricted environments.

How does it work?

bastrd has 3 components:

  1. bastrd sync, an agent that syncs AWS IAM groups and users to Linux
  2. bastrd authorized-keys, an SSH authorized keys command that authenticates the user's login against the SSH public keys and groups registered in AWS IAM
  3. bastrd toolbox, a session wrapper for a customizable toolbox container; the user must provide an AWS IAM account MFA token for authentication and for setting up the session-scoped credentials

Toolbox features

The toolbox container has the following features:

  • Validates the MFA code against the user's AWS IAM MFA device
  • Creates temporary session AWS credentials for the user
  • Mounts the temporary credentials at /home/<username>/.aws/ using a tmpfs mount
  • Customizable session container image for advanced tools; check Dockerfile.toolbox for the default settings
  • Session resuming, for easier recovery from connection issues
  • SSH-agent forwarding (note: does not work with session resuming)
  • Firewall rule that blocks containers from hijacking the AWS EC2 instance profile used by bastrd itself
  • Reduced container capabilities for improved security, e.g., no socket binding