Docker image for Bastillion.io
Bastillion is an open-source, web-based SSH console that centrally manages administrative access to systems. It acts as a bastion host for administrators, with features that promote infrastructure security, including key management and auditing.
For more information, visit the Bastillion website or the GitHub page.
Create a directory where you want to store the Bastillion data:
mkdir keydb/
Docker-Bastillion runs as user 1001, not as root, so the keydb directory must be owned by that uid. Change its ownership to 1001:
chown -R 1001:1001 keydb/
Run the Docker image. The example below runs the image detached; update the path to the keydb directory as required:
sudo docker run -d -p 8080:8080 -p 8443:8443 -v /PATH/TO/keydb:/opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb ecosi/bastillion
From a web browser, navigate to https://<Instance IP>:8080 and log in with:
username: admin
password: changeme
The keydb location is currently not configurable through the environment (needs confirmation). This means that any volume must be mounted at the following path inside the container: /opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb
Dockerize is used to generate the application's configuration file from the environment variables below:
- `RESET_APPLICATION_SSH_KEY` (default: "false"): set to true to regenerate and import SSH keys.
- `SSH_KEY_TYPE` (default: "rsa"): SSH key type for generated keys: 'dsa', 'rsa', or 'ecdsa'.
- `SSH_KEY_LENGTH` (default: "2048"): SSH key length for generated keys; 2048 for 'rsa' and 'dsa', 521 for 'ecdsa'.
- `SSH_PRIVATE_KEY` (default: ""): path to the private key file; leave blank to generate a key pair.
- `SSH_PUBLIC_KEY` (default: ""): path to the public key file; leave blank to generate a key pair.
- Default passphrase (`defaultSSHPassphrase=${randomPassphrase}`): leave blank for a key without a passphrase.
- `ENABLE_INTERNAL_AUDIT` (default: "false"): enable auditing.
- `DELETE_AUDIT_LOG_AFTER` (default: "90"): number of days to keep audit logs.
- `SERVER_ALIVE_INTERVAL` (default: "60"): number of seconds the client waits before sending a null packet to the server to keep the connection alive.
- `AGENT_FORWARDING` (default: "false"): enable SSH agent forwarding.
- `ONE_TIME_PASSWORD` (default: "optional"): two-factor authentication with a one-time password: 'required', 'optional', or 'disabled'.
- `KEY_MANAGEMENT_ENABLED` (default: "true"): set to false to disable key management. If false, the Bastillion public key is appended to the authorized_keys file instead of overwriting it completely.
- `FORCE_USER_KEY_GENERATION` (default: "true"): set to true to generate keys when they are added/managed by users and to enforce strong passphrases; set to false to allow users to set their own public key.
- `AUTH_KEYS_REFRESH_INTERVAL` (default: "120"): authorized_keys refresh interval in minutes (no refresh for <= 0).
- `CLIENT_IP_HEADER` (no default): HTTP header used to identify the client IP address (e.g. 'X-FORWARDED-FOR').
- `SESSION_TIMEOUT` (default: "15"): application session timeout in minutes.
- `DB_USER` (default: "bastillion"): database user.
- `DB_PASSWORD` (no default): database password.
- `DB_CONNECTION_URL` (default: "jdbc:h2:keydb/bastillion;CIPHER=AES"): JDBC connection URL to the database.
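As an added example (not part of this image or of the Bastillion project), the following POSIX shell script ties the setup steps and the environment variables above together: it prepares the keydb directory for uid 1001, then starts the container with the more conservative values for the documented settings (auditing on, one-time password required, agent forwarding off, shorter session timeout). The function names, the `RUNNER` switch and the chosen values are this example's own assumptions; the uid, mount path and variable names come from this README, and `DB_PASSWORD` is expected in the caller's environment.

```shell
#!/usr/bin/env sh
# Added example (not the image's own tooling): prepare the keydb volume and
# launch ecosi/bastillion with hardened values for the variables listed above.
# KEYDB_UID and KEYDB_MOUNT come from the README; everything else is this
# script's own choice.

KEYDB_UID=1001
KEYDB_MOUNT=/opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb

# Numeric owner of a path (GNU stat first, BSD stat as a fallback).
owner_uid() {
  stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Succeeds only when DIR ($1) is owned by UID ($2).
keydb_owned_by() {
  [ "$(owner_uid "$1")" = "$2" ]
}

# Create the keydb directory if needed and hand it to the container uid.
# chown needs root; say so instead of letting the container fail later.
prepare_keydb() {
  mkdir -p "$1" || return 1
  keydb_owned_by "$1" "$KEYDB_UID" && return 0
  chown -R "$KEYDB_UID:$KEYDB_UID" "$1" || {
    echo "cannot chown $1 to uid $KEYDB_UID; rerun as root" >&2
    return 1
  }
}

# Start the container, or preview the command when the runner is "echo".
# DB_PASSWORD is passed by name only (-e DB_PASSWORD): docker copies the value
# from this shell's environment, so it never appears on the command line.
bastillion_run() {
  runner=$1   # "docker" to start, "echo" to print the command
  dir=$2      # absolute host path of the keydb directory
  "$runner" run -d --name bastillion \
    -p 8080:8080 -p 8443:8443 \
    -v "$dir:$KEYDB_MOUNT" \
    -e ENABLE_INTERNAL_AUDIT=true \
    -e DELETE_AUDIT_LOG_AFTER=90 \
    -e ONE_TIME_PASSWORD=required \
    -e AGENT_FORWARDING=false \
    -e FORCE_USER_KEY_GENERATION=true \
    -e KEY_MANAGEMENT_ENABLED=true \
    -e SESSION_TIMEOUT=10 \
    -e DB_USER=bastillion \
    -e DB_PASSWORD \
    ecosi/bastillion
}

main() {
  dir=${1:?usage: $0 /absolute/path/to/keydb}
  case $dir in
    /*) ;;
    *) echo "keydb path must be absolute so docker bind-mounts it" >&2; return 1 ;;
  esac
  : "${DB_PASSWORD:?export DB_PASSWORD before running}"
  prepare_keydb "$dir" || return 1
  bastillion_run "${RUNNER:-docker}" "$dir"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root with `DB_PASSWORD=... ./bastillion-up.sh /srv/bastillion/keydb`; set `RUNNER=echo` to print the resulting `docker run` command without starting anything. `CLIENT_IP_HEADER` is deliberately left unset: it should only be configured when the instance sits behind a proxy you trust to set that header, since the audit trail records whatever value the header carries.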