# BastionXP as SSHd Server
BastionXP is a single binary that can be configured to perform multiple functions. It runs in one of three modes:
- "Proxy" Mode - Functions as PKI/CA + SSH Bastion Host
- "Auth" Mode - Functions as PKI/CA only
- "Host" Mode - Functions as SSHd Server only
You can configure BastionXP to run as an SSHd server on your host machines instead of the OpenSSH SSHd server. Running BastionXP as the SSHd instead of OpenSSH SSHd has the following advantages:
# Advantages
- Simple, lightweight and easy to use. Pre-configured SSHd server that comes out-of-the-box.
- Automates SSH host certificate renewal and rotation.
- SSH session recording and replay are possible only when BastionXP is used as the SSHd on the host machines.
- Connect to hosts/IoT devices in any private network behind a NAT router and firewall (using BastionXP's built-in SSL/mTLS reverse proxy tunnels).
- BastionXP SSHd can run alongside an existing OpenSSH SSHd server; BastionXP SSHd listens on port 4022 by default.
# Prerequisites
- A host VM
- Open TCP port 4022 on the host VM. By default, BastionXP SSHd listens on port 4022; it can be configured to listen on port 22 instead.
Here are the steps to download, install, configure and set up BastionXP as an SSHd server on host machines:
# BastionXP Host Mode Setup and Configuration
# Step 1.1 - Download and Install
On the host server or VM, follow the download and install instructions to install the appropriate BastionXP binary package for your Linux distro (RPM or Debian package).
BastionXP CA will be installed and run as a Linux systemd daemon in the background.
# Step 1.2 - Configuration
You need to set up the following configuration.
# Step 1.2.1 - Configuration File
Create the directory `/etc/bastionxp` before you begin, then create a `config.json` file in that directory with the following contents:

```json
{
  "mode": "host",
  "gateway_domain": "bastionxp.example.com",
  "host": "host1.example.com",
  "authtoken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX..."
}
```
Note: Don't forget to update `gateway_domain` to your own domain name. The host name can be any locally unique domain name within your organization.

Log in to the BastionXP web portal as a primary user using GitHub SSO. Go to the Authtoken page and create a new token with the purpose `HOST_CERTIFICATE`. Once the new `HOST_CERTIFICATE` token is created, expand the row and copy the authtoken. Paste the authtoken into the `config.json` file created above.
Note: For security reasons, a `HOST_CERTIFICATE` authtoken is valid for only 10 minutes. If you fail to configure BastionXP as the SSHd on the host machine before the token expires, you need to get a new authtoken from the BastionXP web portal.

You can find the BastionXP SSHd logs in the log file located at `/var/lib/bastionxp/bastionxp-host.log`.
# Step 1.3 - Restart
Now restart the BastionXP service already running in the background so that it picks up the configuration changes above.

```shell
sudo systemctl restart bastionxp
```

You can follow the bastionxp logs as shown below:

```shell
tail -f /var/lib/bastionxp/bastionxp-host.log
```

The newly downloaded host SSH and TLS certificates and keys can be found here:

```shell
$ ls ~/.bsh
ssh_host-cert.pub ssh_host ssh_user_ca.pub
tls_ca-cert.pem tls_server-cert.pem
```
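The steps above (create the config file, restart, confirm the certificates arrived) can be scripted. The following is an added example, not BastionXP's own tooling: it writes the host-mode `config.json` with owner-only permissions (the file carries the `HOST_CERTIFICATE` authtoken), refuses the documentation's placeholder `gateway_domain`, and after the restart checks that the five files the page lists under `~/.bsh` are present. The directory arguments, the `apply` sub-command, the "eyJ" prefix check (JWTs start with a base64-encoded `{"`), and the five-second wait after the restart are this example's assumptions.

```shell
#!/bin/sh
# Added example (not BastionXP's own code). Assumes values contain no quotes
# or backslashes, and that the daemon writes its certificates to ~/.bsh.
set -u

# write_host_config DIR GATEWAY_DOMAIN HOST_NAME AUTHTOKEN
# Creates DIR/config.json in host mode, readable only by its owner.
write_host_config() {
    dir=$1; gateway=$2; host=$3; token=$4
    # Refuse to ship the placeholder domain from the documentation unchanged.
    case "$gateway" in
        ""|bastionxp.example.com)
            echo "write_host_config: set gateway_domain to your own domain" >&2
            return 1 ;;
    esac
    if [ -z "$host" ] || [ -z "$token" ]; then
        echo "write_host_config: host and authtoken are required" >&2
        return 1
    fi
    # Assumption: the authtoken is a JWT, so it starts with "eyJ" ('{"' in base64).
    case "$token" in
        eyJ*) ;;
        *) echo "write_host_config: authtoken does not look like a JWT" >&2; return 1 ;;
    esac
    # Keep the JSON well-formed: reject values that would need escaping.
    for v in "$gateway" "$host" "$token"; do
        case "$v" in
            *\"*|*\\*) echo "write_host_config: quotes/backslashes not supported" >&2; return 1 ;;
        esac
    done
    mkdir -p "$dir" || return 1
    # Create the file with restrictive permissions before the secret is written.
    old_umask=$(umask); umask 077
    printf '{\n  "mode": "host",\n  "gateway_domain": "%s",\n  "host": "%s",\n  "authtoken": "%s"\n}\n' \
        "$gateway" "$host" "$token" > "$dir/config.json"
    umask "$old_umask"
    chmod 600 "$dir/config.json"
}

# check_host_keys DIR
# After the restart, the host should hold its SSH host key and certificate, the
# user CA public key, and the TLS CA/server certificates. Returns 0 if all present.
check_host_keys() {
    dir=$1; missing=0
    for f in ssh_host ssh_host-cert.pub ssh_user_ca.pub tls_ca-cert.pem tls_server-cert.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Real run on the host (assumed invocation): ./setup-host.sh apply GATEWAY HOST TOKEN
if [ "${1:-}" = "apply" ]; then
    write_host_config /etc/bastionxp "$2" "$3" "$4" || exit 1
    sudo systemctl restart bastionxp
    sleep 5   # assumed: give the daemon a moment to fetch its certificates
    check_host_keys "$HOME/.bsh"
fi
```

Run it within the 10-minute token window, since `write_host_config` only checks the token's shape, not its expiry; if `check_host_keys` reports missing files, consult `/var/lib/bastionxp/bastionxp-host.log` for the reason.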