docker-bastillion

Docker image for Bastillion.io

Primary language: Smarty. License: GNU General Public License v3.0 (GPL-3.0).

What is Bastillion?

Bastillion is an open-source web-based SSH console that centrally manages administrative access to systems.

A bastion host for administrators with features that promote infrastructure security, including key management and auditing.

For more information, visit the Bastillion website or the GitHub page.

Quick start

Create a directory where you want to store the Bastillion data:

mkdir keydb/

Docker-Bastillion runs as user 1001, not as root, so the keydb directory must be owned by UID 1001. Change its ownership:

chown -R 1001:1001 keydb/

Run the Docker image. The example below runs it detached; update the path to the keydb directory as required:

sudo docker run -d -p 8080:8080 -p 8443:8443 -v /PATH/TO/keydb:/opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb ecosi/bastillion

From a web browser, navigate to https://<Instance IP>:8080 and log in with:

username: admin
password: changeme

Persistent storage

The data path is currently not configurable through environment variables (needs confirmation).

This means that any volume must be mounted to the following path in the container: /opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb

Environment

Dockerize is used to generate the application's configuration file from the environment variables below.

  • set to true to regenerate and import SSH keys

    RESET_APPLICATION_SSH_KEY

    Default: "false"

  • SSH key type 'dsa', 'rsa', or 'ecdsa' for generated keys

    SSH_KEY_TYPE

    Default: "rsa"

  • SSH key length for generated keys

    2048 => 'rsa','dsa'; 521 => 'ecdsa'

    SSH_KEY_LENGTH

    Default: "2048"

  • Private SSH key: provide the path to the private key file

    Leave blank to generate a key pair.

    SSH_PRIVATE_KEY

    Default: ""

  • Public SSH key: provide the path to the public key file

    Leave blank to generate a key pair.

    SSH_PUBLIC_KEY

    Default: ""

  • default passphrase

    leave blank for key without passphrase

    defaultSSHPassphrase=${randomPassphrase}

  • enable audit

    ENABLE_INTERNAL_AUDIT

    Default: "false"

  • Number of days to keep audit logs

    DELETE_AUDIT_LOG_AFTER

    Default: "90"

  • The number of seconds that the client will wait before sending a null packet to the server to keep the connection alive

    SERVER_ALIVE_INTERVAL

    Default: "60"

  • enable SSH agent forwarding

    AGENT_FORWARDING

    Default: "false"

  • enable two-factor authentication with a one-time password

    'required', 'optional', or 'disabled'

    ONE_TIME_PASSWORD

    Default: "optional"

  • set to false to disable key management

    If false, the Bastillion public key will be appended to the authorized_keys file (instead of it being overwritten completely).

    KEY_MANAGEMENT_ENABLED

    Default: "true"

  • Set to true to generate keys when they are added/managed by users and enforce strong passphrases; set to false to allow users to set their own public key

    FORCE_USER_KEY_GENERATION

    Default: "true"

  • authorized_keys refresh interval in minutes

    (no refresh for <=0)

    AUTH_KEYS_REFRESH_INTERVAL

    Default: "120"

  • HTTP header to identify client IP Address

    ('X-FORWARDED-FOR')

    CLIENT_IP_HEADER

  • Session timeout of the application in minutes

    SESSION_TIMEOUT

    Default: "15"

Database and connection pool settings

  • Database user

    DB_USER

    Default: "bastillion"

  • Database password

    DB_PASSWORD

  • Connection URL to the DB

    DB_CONNECTION_URL

    Default: "jdbc:h2:keydb/bastillion;CIPHER=AES"
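The following is an added example, not code from the README or the Bastillion project: a POSIX shell helper that validates the environment settings listed above against the value lists the README gives (key type/length pairing, 'required'/'optional'/'disabled', true/false), checks that the keydb directory belongs to UID 1001 as the quick start requires, and assembles the quick-start docker run command. It assumes the image name ecosi/bastillion, the 8080/8443 port mappings and the keydb volume path from the quick start; the hardened profile values are the editor's choice, not README defaults.

```shell
#!/bin/sh
# Added example (not the README's own code): validate the Bastillion settings listed
# above and build the quick-start docker run command. Assumed: image ecosi/bastillion,
# the 8080/8443 ports and the keydb volume path from the quick start.
# allowed NAME VALUE WORD... : succeed only if VALUE is one of the WORDs.
allowed() {
  _name=$1; _val=$2; shift 2
  for _ok in "$@"; do [ "$_val" = "$_ok" ] && return 0; done
  echo "invalid $_name: '$_val' (allowed: $*)" >&2
  return 1
}

# validate_env: check the README's value lists and the key type/length pairing
# (2048 for rsa/dsa, 521 for ecdsa). Unset variables take the README defaults.
validate_env() {
  _type=${SSH_KEY_TYPE:-rsa}; _len=${SSH_KEY_LENGTH:-2048}
  allowed SSH_KEY_TYPE "$_type" dsa rsa ecdsa || return 1
  allowed ONE_TIME_PASSWORD "${ONE_TIME_PASSWORD:-optional}" required optional disabled || return 1
  allowed AGENT_FORWARDING "${AGENT_FORWARDING:-false}" true false || return 1
  allowed ENABLE_INTERNAL_AUDIT "${ENABLE_INTERNAL_AUDIT:-false}" true false || return 1
  case "$_type" in ecdsa) _want=521 ;; *) _want=2048 ;; esac
  [ "$_len" = "$_want" ] || { echo "SSH_KEY_LENGTH=$_len does not fit SSH_KEY_TYPE=$_type (want $_want)" >&2; return 1; }
  # The DB password must be set; it travels through the environment, not the command line.
  [ -n "$DB_PASSWORD" ] || { echo "DB_PASSWORD must be set" >&2; return 1; }
}
# keydb_owned_by_1001 DIR: the data directory must belong to the container user (UID 1001).
keydb_owned_by_1001() {
  [ -d "$1" ] && [ -n "$(find "$1" -prune -user 1001 -print 2>/dev/null)" ]
}
# hardened_profile: 2FA required, agent forwarding off, internal audit on, ECDSA keys.
hardened_profile() {
  export SSH_KEY_TYPE=ecdsa SSH_KEY_LENGTH=521 ONE_TIME_PASSWORD=required
  export AGENT_FORWARDING=false ENABLE_INTERNAL_AUDIT=true
}

# build_run_cmd DIR: print the docker run command. "-e DB_PASSWORD" with no value
# forwards the variable from the caller's environment, so the secret stays out of ps output.
build_run_cmd() {
  printf 'docker run -d -p 8080:8080 -p 8443:8443 -v %s:/opt/bastillion/jetty/bastillion/WEB-INF/classes/keydb' "$1"
  for _v in SSH_KEY_TYPE SSH_KEY_LENGTH ONE_TIME_PASSWORD AGENT_FORWARDING ENABLE_INTERNAL_AUDIT; do
    eval "_cur=\${$_v:-}"
    [ -n "$_cur" ] && printf ' -e %s=%s' "$_v" "$_cur"
  done
  printf ' -e DB_PASSWORD ecosi/bastillion\n'
}

# Typical use, after mkdir/chown of keydb as in the quick start:
#   hardened_profile; export DB_PASSWORD='...'
#   validate_env && keydb_owned_by_1001 ./keydb && eval "$(build_run_cmd "$PWD/keydb")"
```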