# BastionXP as SSHd Server

BastionXP is a single binary that can be configured to run in one of three modes:

  • "Proxy" Mode - Functions as PKI/CA + SSH Bastion Host
  • "Auth" Mode - Functions as PKI/CA only
  • "Host" Mode - Functions as SSHd Server only

You can run BastionXP as the SSHd server on your host machines instead of the OpenSSH sshd. Running BastionXP as SSHd instead of OpenSSH SSHd has the following advantages:

# Advantages

  1. Simple, lightweight and easy to use: the SSHd server comes pre-configured out of the box.
  2. Automates SSH host certificate renewal and rotation.
  3. SSH session recording and replay are possible only when BastionXP is used as the SSHd on the host machines.
  4. Connect to hosts/IoT devices in any private network behind a NAT router and firewall (using BastionXP's built-in SSL/mTLS reverse proxy tunnels).
  5. BastionXP SSHd can run alongside an existing OpenSSH SSHd server, since BastionXP SSHd listens on port 4022 by default.

# Prerequisites

  1. A host VM
  2. Open inbound TCP port 4022 on the host VM. By default, BastionXP SSHd listens on port 4022. It can be configured to listen on port 22 instead, in which case the OpenSSH sshd must not also be bound to that port.

Here are the steps to download, install, configure and set up BastionXP as an SSHd server on host machines:

# BastionXP Host Mode Setup and Configuration

# Step 1.1 - Download and Install

On the Host Server or VM, follow the instructions here to download and install the appropriate BastionXP binary package for your Linux distro (RPM or Debian package).

The BastionXP service is installed and runs as a Linux systemd daemon in the background.

# Step 1.2 - Configuration

You need to set up the following configuration.

# Step 1.2.1 - Configuration File

Create the directory /etc/bastionxp, then create a config.json file in it with the following contents:

    {
      "mode": "host",
      "gateway_domain": "bastionxp.example.com",
      "host": "host1.example.com",
      "authtoken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX..."
    }

Note:

Update gateway_domain to your BastionXP gateway's domain name. The host value can be any domain name that is unique within your organization.

Log in to the BastionXP web portal as a primary user using GitHub SSO. Go to the Authtoken page and create a new token with the purpose set to HOST_CERTIFICATE. Once the token is created, expand its row, copy the authtoken, and paste it into the config.json file created above.

Note:

For security reasons, a HOST_CERTIFICATE authtoken is valid for only 10 minutes. If you do not finish configuring BastionXP as SSHd on the host machine before the token expires, create a new authtoken in the BastionXP web portal and update config.json.

You can find the BastionXP SSHd logs in the log file located at: /var/lib/bastionxp/bastionxp-host.log

# Step 1.3 - Restart

Now restart the BastionXP service already running in the background so that it picks up the configuration changes above:

sudo systemctl restart bastionxp

You can check the bastionxp logs as shown below:

tail -f /var/lib/bastionxp/bastionxp-host.log

The newly downloaded host SSH certificate and key, the user CA public key, and the TLS certificates can be found here:

    $ ls ~/.bsh
    ssh_host-cert.pub   ssh_host   ssh_user_ca.pub
    tls_ca-cert.pem     tls_server-cert.pem
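The steps above are manual, and the 10-minute token lifetime means a slow copy-paste ends with a restart that never enrolls. The following script, an added example that is not part of BastionXP or its documentation, ties the steps together: it validates the gateway_domain and host values as DNS names, decodes the authtoken's JWT payload to check it has not expired before the service is restarted, and writes /etc/bastionxp/config.json readable only by root, since the file holds a bearer token. It assumes the HOST_CERTIFICATE token carries a standard JWT exp claim (the page documents the lifetime but not the claims), and it deliberately does not verify the HS256 signature, because only the BastionXP CA holds that key. The demo token it builds for a dry run is constructed locally and is not a real BastionXP token.

```python
"""Sanity-check inputs and write /etc/bastionxp/config.json for BastionXP host mode.

Added example, not BastionXP's own tooling. Assumes the HOST_CERTIFICATE authtoken is a
JWT with a standard "exp" claim; the signature is not verified (the host has no key for it).
"""
import base64
import json
import os
import re
import sys
import time
from pathlib import Path

CONFIG_DIR = Path("/etc/bastionxp")
CONFIG_FILE = CONFIG_DIR / "config.json"
# RFC 1123 style hostname: labels of 1-63 chars, total length <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)


def _b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("authtoken is not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ", "JWT") != "JWT":
        raise ValueError("authtoken header is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_seconds_left(token: str, now=None) -> float:
    """Seconds until the assumed exp claim; raises if the token is expired or has no exp."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("authtoken has no exp claim; cannot confirm it is still valid")
    remaining = float(claims["exp"]) - (time.time() if now is None else now)
    if remaining <= 0:
        raise ValueError("HOST_CERTIFICATE authtoken has expired; create a new one in the portal")
    return remaining


def build_host_config(gateway_domain: str, host: str, authtoken: str, now=None) -> dict:
    """Assemble the host-mode config after checking names and token freshness."""
    for name, value in (("gateway_domain", gateway_domain), ("host", host)):
        if not HOSTNAME_RE.match(value):
            raise ValueError(f"{name} {value!r} is not a valid DNS name")
    token_seconds_left(authtoken, now)
    return {"mode": "host", "gateway_domain": gateway_domain, "host": host, "authtoken": authtoken}


def write_config(config: dict, path: Path = CONFIG_FILE) -> Path:
    """Write config.json with mode 0600: the authtoken is a secret while it is valid."""
    path.parent.mkdir(mode=0o755, parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
        f.write("\n")
    os.chmod(path, 0o600)  # in case the umask widened the mode at creation
    return path


def make_demo_token(exp: int) -> str:
    """Constructed dry-run token (HS256 header, exp claim, dummy signature); not a real token."""
    compact = {"separators": (",", ":")}
    header = base64.urlsafe_b64encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = base64.urlsafe_b64encode(json.dumps({"exp": exp}, **compact).encode())
    return b".".join([header.rstrip(b"="), payload.rstrip(b"="), b"signature"]).decode()


if __name__ == "__main__":
    # usage: script.py GATEWAY_DOMAIN HOST AUTHTOKEN [--write]
    gateway = sys.argv[1] if len(sys.argv) > 1 else "bastionxp.example.com"
    hostname = sys.argv[2] if len(sys.argv) > 2 else "host1.example.com"
    token = sys.argv[3] if len(sys.argv) > 3 else make_demo_token(int(time.time()) + 600)
    cfg = build_host_config(gateway, hostname, token)
    print(f"token valid for {token_seconds_left(token):.0f}s more")
    if "--write" in sys.argv:
        print(f"wrote {write_config(cfg)}")  # needs root; then: sudo systemctl restart bastionxp
    else:
        print(json.dumps(cfg, indent=2))
```

Run it without arguments for a dry run on the constructed token; with a real token pasted from the portal and `--write` (as root) it produces the config file, after which `sudo systemctl restart bastionxp` from Step 1.3 enrolls the host. If the token check fails, fetch a new HOST_CERTIFICATE token before restarting rather than restarting and reading the failure out of bastionxp-host.log.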