This repository has been archived by the owner on Apr 17, 2018. It is now read-only.

Terraform code to build an example BLESS enabled bastion


alphagov/bless-terraform-prototype


Example infrastructure for BLESS

Terraform to bootstrap a bastion (sometimes called a jump box) and an application server, both configured to use BLESS, an SSH certificate authority implemented as an AWS Lambda function.

This is extremely experimental and was developed in order to see how BLESS could fit into some of our existing architecture.

BLESS

Configuration and deployment of the bless lambda function and Public Key Infrastructure should be managed separately.

Bastion

The basic setup here uses PAM to exec a script on successful login; that script requests a short-lived SSH certificate from BLESS for the user who just logged in.

App-server

Set up to trust the Lambda certificate authority for SSH access. Creates a `bless_user` account to be the principal named in the SSH certificates issued by BLESS, so a certificate is only good for logging in as that user.
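The two halves above (the PAM-triggered request on the bastion, and the `bless_user` principal the app-server expects) are easiest to see end to end in code. The following is an added example, not the script shipped in this repository: it builds the request payload BLESS expects, invokes the Lambda, validates the response, and writes the certificate next to the user's key with owner-only permissions. The PAM variables `PAM_USER` and `PAM_RHOST` are what `pam_exec` exports; the Lambda function name, region and the bastion IP are assumptions read from the environment, and the `invoke` parameter exists so the logic can be exercised without AWS credentials.

```python
"""Request a BLESS certificate for the user PAM just authenticated (added example)."""
import json
import os
import pwd
from pathlib import Path

# Assumed deployment values; the real names come from wherever BLESS is deployed.
BLESS_FUNCTION = os.environ.get("BLESS_FUNCTION", "bless-lambda-placeholder")
BLESS_REGION = os.environ.get("BLESS_REGION", "eu-west-1")
BASTION_IP = os.environ.get("BLESS_BASTION_IP", "203.0.113.10")  # constructed sample address
# Principal the app-server trusts (see the App-server section of the README).
REMOTE_PRINCIPAL = "bless_user"


def build_payload(bastion_user, bastion_user_ip, public_key,
                  bastion_ip=BASTION_IP, remote_usernames=REMOTE_PRINCIPAL, command="*"):
    """Return the JSON body the BLESS Lambda signs for.

    Field names follow the BLESS request format; the value of
    ``remote_usernames`` becomes the certificate's valid principal list.
    """
    return {
        "bastion_user": bastion_user,
        "bastion_user_ip": bastion_user_ip,
        "bastion_ips": bastion_ip,
        "remote_usernames": remote_usernames,
        "command": command,
        "public_key_to_sign": public_key.strip(),
    }


def extract_certificate(response_body):
    """Pull the certificate out of a Lambda response, refusing anything else.

    BLESS reports validation failures as a JSON object carrying errorType /
    errorMessage; treat that, or any non-certificate blob, as a hard failure so
    nothing unexpected is ever written into ~/.ssh.
    """
    body = json.loads(response_body)
    if not isinstance(body, dict) or "errorType" in body or "certificate" not in body:
        raise RuntimeError("BLESS did not return a certificate: %s" % body)
    cert = body["certificate"].strip()
    key_type = cert.split(" ", 1)[0]
    if not key_type.endswith("-cert-v01@openssh.com"):
        raise RuntimeError("unexpected certificate type %r" % key_type)
    return cert


def write_certificate(cert, cert_path):
    """Atomically write the certificate, mode 0600, owned by the caller."""
    cert_path = Path(cert_path)
    cert_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    tmp = cert_path.with_name(cert_path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(cert + "\n")
    os.replace(tmp, cert_path)
    return cert_path


def request_certificate(user, user_ip, public_key, invoke=None):
    """Build the payload, invoke BLESS (boto3 unless an invoke callable is injected)."""
    payload = build_payload(user, user_ip, public_key)
    if invoke is None:
        import boto3  # only needed on the real bastion
        client = boto3.client("lambda", region_name=BLESS_REGION)
        invoke = lambda p: client.invoke(
            FunctionName=BLESS_FUNCTION, Payload=json.dumps(p).encode())["Payload"].read()
    return extract_certificate(invoke(payload))


def main():
    # pam_exec exports the authenticated user and the client address.
    user = os.environ["PAM_USER"]
    user_ip = os.environ.get("PAM_RHOST", "")
    ssh_dir = Path(pwd.getpwnam(user).pw_dir) / ".ssh"
    public_key = (ssh_dir / "id_rsa.pub").read_text()
    cert = request_certificate(user, user_ip, public_key)
    write_certificate(cert, ssh_dir / "id_rsa-cert.pub")


if __name__ == "__main__":
    main()
```

On the app-server, the matching configuration is the `TrustedUserCAKeys` sshd directive pointing at the BLESS CA public key and an `AuthorizedPrincipalsFile` for `bless_user` that lists `bless_user`; a certificate whose principal list names anything else is rejected before password or key checks are consulted, which is why the request above pins `remote_usernames` to that one account.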

Using this infrastructure

One way to keep the usability of `ssh user@app-server` with BLESS is a `ProxyCommand` in `~/.ssh/config` such as in this example:

```
Host bastion
    Hostname <ip/hostname of bastion>

Host app-server
    Hostname 10.0.1.5
    ProxyCommand bash -c "scp bastion:id_rsa-cert.pub ~/.ssh/id_rsa-cert.pub && ssh bastion -W %h:%p"
```

This works by first copying the SSH certificate that BLESS issued during the bastion login (`id_rsa-cert.pub`, placed in the user's home directory there) down to the local `~/.ssh`, where the ssh client picks it up automatically alongside `id_rsa`, and then using `ssh -W` to tunnel the connection through the bastion to the app-server, which accepts the certificate because it trusts the BLESS CA.
