examples/mysql | ||
vendor | ||
.dockerignore | ||
.gitignore | ||
acl.go | ||
acl_test.go | ||
crypto.go | ||
db.go | ||
Dockerfile | ||
main.go | ||
Makefile | ||
proxy.go | ||
README.md | ||
shell.go | ||
util.go |
sshportal
Jump host/Jump server without the jump, a.k.a Transparent SSH bastion
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
DMZ │
┌────────┐ │ ┌────────┐
│ homer │───▶╔═════════════════╗───▶│ host1 │ │
└────────┘ ║ ║ └────────┘
┌────────┐ ║ ║ ┌────────┐ │
│ bart │───▶║ sshportal ║───▶│ host2 │
└────────┘ ║ ║ └────────┘ │
┌────────┐ ║ ║ ┌────────┐
│ lisa │───▶╚═════════════════╝───▶│ host3 │ │
└────────┘ │ └────────┘
┌────────┐ ┌────────┐ │
│ ... │ │ │ ... │
└────────┘ └────────┘ │
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
Features
- Host management
- User management
- User Group management
- Host Group management
- Host Key management
- User Key management
- ACL management
- Connect to host using key or password
- Admin commands can be run directly or in an interactive shell
Usage
Start the server
$ sshportal
2017/11/13 10:58:35 Admin user created, use the user 'invite:BpLnfgDsc2WD8F2q' to associate a public key with this account
2017/11/13 10:58:35 SSH Server accepting connections on :2222
Link your SSH key with the admin account
$ ssh localhost -p 2222 -l invite:BpLnfgDsc2WD8F2q
Welcome Administrator!
Your key is now associated with the user "admin@sshportal".
Shared connection to localhost closed.
$
Drop an interactive administrator shell
ssh localhost -p 2222 -l admin
__________ _____ __ __
/ __/ __/ // / _ \___ ____/ /____ _/ /
_\ \_\ \/ _ / ___/ _ \/ __/ __/ _ '/ /
/___/___/_//_/_/ \___/_/ \__/\_,_/_/
config>
Create your first host
config> host create bart@foo.example.org
1
config>
List hosts
config> host ls
ID | NAME | URL | KEY | PASS | GROUPS | COMMENT
+----+------+-------------------------+---------+------+--------+---------+
1 | foo | bart@foo.example.org:22 | default | | 1 |
Total: 1 hosts.
config>
Get the default key in authorized_keys format
config> key inspect default
[...]
"PubKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvUP/8FedyIe+a+RWU4KvJ1+iZwtWmY9czJubLwN4RcjKHQMzLqWC7pKZHAABCZjLJjVD/3Zb53jZwbh7mysAkocundMpvUL5+Yb4a8lDiflXkdXT9fZCx+ibJBk4jRnKLGIneSzVtFEerEwQKKnKQoCgPkZwCDaL/jHhDlOmAvxqAJrjiy42HXwppX2UuF8zujs6OKHRYJ/Q1vo0caa6/o1eoyXE9OrOwIk+IcAN3YIQi/B1BOlZOQBzHIZz83AFlD2TcPhyYcbxPyKGih84Zr3rQaaP1WiaiPqxzp3s5OhTLthc5XtCSLzmRSLvgC2eFdNhBDB5KLtO2khBkz5ID",
[...]
config>
Add this key to the server
$ ssh bart@foo.example.org
> umask 077; mkdir -p .ssh; echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvUP/8FedyIe+a+RWU4KvJ1+iZwtWmY9czJubLwN4RcjKHQMzLqWC7pKZHAABCZjLJjVD/3Zb53jZwbh7mysAkocundMpvUL5+Yb4a8lDiflXkdXT9fZCx+ibJBk4jRnKLGIneSzVtFEerEwQKKnKQoCgPkZwCDaL/jHhDlOmAvxqAJrjiy42HXwppX2UuF8zujs6OKHRYJ/Q1vo0caa6/o1eoyXE9OrOwIk+IcAN3YIQi/B1BOlZOQBzHIZz83AFlD2TcPhyYcbxPyKGih84Zr3rQaaP1WiaiPqxzp3s5OhTLthc5XtCSLzmRSLvgC2eFdNhBDB5KLtO2khBkz5ID >> .ssh/authorized_keys
Profit
ssh localhost -p 2222 -l foo
bart@foo>
Invite friends
config> user invite bob@example.com
User 2 created.
To associate this account with a key, use the following SSH user: 'invite-NfHK5a84jjJkwzDk'.
config>
CLI
sshportal embeds a configuration CLI.
By default, the configuration user is admin
, (can be changed using --config-user=<value>
when starting the server.
Each commands can be run directly by using this syntax: ssh admin@portal.example.org <command> [args]
:
ssh admin@portal.example.org host inspect toto
You can enter in interactive mode using this syntax: ssh admin@portal.example.org
Synopsis
# acl management
acl help
acl create [-h] [--hostgroup=<value>...] [--usergroup=<value>...] [--pattern=<value>] [--comment=<value>] [--action=<value>] [--weight=value]
acl inspect [-h] <id> [<id> [<id>...]]
acl ls [-h]
acl rm [-h] <id> [<id> [<id>...]]
# config management
config help
config backup [-h] [--indent]
config restore [-h] [--confirm]
# host management
host help
host create [-h] [--name=<value>] [--password=<value>] [--fingerprint=<value>] [--comment=<value>] [--key=<value>] [--group=<value>] <user>[:<password>]@<host>[:<port>]
host inspect [-h] <id or name> [<id or name> [<id or name>...]]
host ls [-h]
host rm [-h] <id or name> [<id or name> [<id or name>...]]
# hostgroup management
hostgroup help
hostgroup create [-h] [--name=<value>] [--comment=<value>]
hostgroup inspect [-h] <id or name> [<id or name> [<id or name>...]]
hostgroup ls [-h]
hostgroup rm [-h] <id or name> [<id or name> [<id or name>...]]
# key management
key help
key create [-h] [--name=<value>] [--type=<value>] [--length=<value>] [--comment=<value>]
key inspect [-h] <id or name> [<id or name> [<id or name>...]]
key ls [-h]
key rm [-h] <id or name> [<id or name> [<id or name>...]]
# user management
user help
user invite [-h] [--name=<value>] [--comment=<value>] [--group=<value>] <email>
user inspect [-h] <id or email> [<id or email> [<id or email>...]]
user ls [-h]
user rm [-h] <id or email> [<id or email> [<id or email>...]]
# usergroup management
usergroup help
hostgroup create [-h] [--name=<value>] [--comment=<value>]
usergroup inspect [-h] <id or name> [<id or name> [<id or name>...]]
usergroup ls [-h]
usergroup rm [-h] <id or name> [<id or name> [<id or name>...]]
# other
exit [-h]
help, h
info [-h]
version [-h]
Docker
An automated build is setup on the Docker Hub.
# Start a server in background
# mount `pwd` to persist the sqlite database file
docker run -v "$(pwd):$(pwd)" -w "$(pwd)" moul/sshportal:v1.0.0
Manual Install
Get the latest version using GO.
go get -u github.com/moul/sshportal
Backup / Restore
sshportal embeds built-in backup/restore methods which basically import/export JSON objects:
# Backup
ssh admin@sshportal config backup > sshportal.bkp
# Restore
ssh admin@sshportal config restore < sshporta.bkp
This method is particularly useful as it should be resistant against future DB schema changes (expected during development phase).
I suggest you to be careful during this development phase, and use an additional backup method, for example:
# sqlite dump
sqlite3 sshportal.db .dump > sshportal.sql.bkp
# or just the immortal cp
cp sshportal.db sshportal.db.bkp