SSH to a server via Bastion
Revision as of 15:52, 11 August 2025
Bastion in a nutshell
The Bastion is a single point of entry for SSH connections: much like an HTTP reverse proxy, but for SSH, it is used to reach other servers.
Some servers in SD4H may not be reachable from the public internet for security reasons.
The Bastion is used as an SSH proxy to connect users to those servers.
User guide
Prerequisites
To use The Bastion, an administrator must create an account for you.
Include in your request the public SSH key you will use to connect to The Bastion (only the public key; the private key stays on your machine).
Once the account exists, the administrator will get back to you with your Bastion user name and a proposed alias.
Creating the Bastion alias
For convenience, create a shell alias for the Bastion connection:
alias bssh='ssh -t <YOUR BASTION USERNAME>@bastion.sd4h.ca --'
The -t forces a pseudo-terminal, which The Bastion's interactive shell needs, and the trailing -- ends ssh's own option parsing so that everything typed after bssh is handed to The Bastion rather than interpreted by your local ssh client. After adding the alias, you can connect to (or through) The Bastion.
Connection types
There are three types of connections you can make.
- Interactive mode
- Non-interactive mode
- Directly to an external, registered server.
In a direct connection, The Bastion acts as a transparent pass-through. This is the most convenient and by far the most common way you will connect. See the "Connecting to a server" section below.
# Interactive mode (signs out when idle)
bssh # SSH into Bastion
help # runs the Bastion 'help' command
# Non-interactive mode equivalent with '--osh'
bssh --osh help
Permissions
The Bastion follows the principle of least privilege: users must be granted explicit access to each server.
A fresh Bastion user therefore has access to nothing at first; accesses must be granted by an administrator.
Listing your server accesses
The selfListAccesses command lists the servers you have access to in The Bastion.
To view your accesses, run:
bssh --osh selfListAccesses
# Dear <USERNAME>, you have access to the following servers:
# IP PORT USER ACCESS-BY ADDED-BY ADDED-AT
# -------------- ---- -------------- ---------------------- ---------- ----------
# <SERVER 1 IP> 22 <SERVER 1 USER> <GROUP>(group-member) vrocheleau 2024-09-11
# <SERVER 2 IP> 22 <SERVER 2 USER> personal vrocheleau 2024-09-11
Connecting to a server
You can connect directly to any server that is listed by the selfListAccesses command.
Taking the example output from the previous section:
# connect to "SERVER 1"
bssh <SERVER 1 USER>@<SERVER 1 IP>
# connect to "SERVER 2"
bssh <SERVER 2 USER>@<SERVER 2 IP>
OpenStack provides name resolution for VMs on the same network. If the Bastion server is on the same OpenStack network as the destination servers, you may use the VM name instead of its IP address, which makes bssh behave almost exactly like ssh, with the VM name standing in for a destination domain name.
bssh <SERVER 1 USER>@<SERVER 1 NAME>
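As an added example (not part of this page or of The Bastion itself), the following POSIX shell snippet turns the selfListAccesses table into ready-to-run bssh commands and refuses to produce one for an IP the bastion has not granted, so a mistyped target fails locally instead of after a connection attempt. The access table is constructed to match the layout shown above and is not real output; the user names, IPs and group name in it are made up, and the assumption that The Bastion accepts an ssh-style -p port flag after bssh for non-default ports is mine (check bssh --osh help on your bastion).

```shell
#!/bin/sh
# Added example: parse the selfListAccesses table into bssh commands and
# check a target against it before connecting. SAMPLE_ACCESSES is a
# constructed table in the layout this page shows, not real bastion output.

SAMPLE_ACCESSES="Dear alice, you have access to the following servers:
  IP               PORT  USER    ACCESS-BY                  ADDED-BY    ADDED-AT
  ---------------  ----  ------  -------------------------  ----------  ----------
  10.10.0.11       22    ubuntu  sd4h-admins(group-member)  vrocheleau  2024-09-11
  10.10.0.12       2222  deploy  personal                   vrocheleau  2024-09-11"

# Strip ANSI colour sequences (The Bastion colourises its terminal output),
# then keep only rows whose first field is a dotted-quad IP and whose second
# field is a port number. Prints one "IP PORT USER" line per access.
bastion_targets() {
    esc=$(printf '\033')
    printf '%s\n' "$1" \
        | sed "s/${esc}\[[0-9;]*m//g" \
        | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $1, $2, $3 }'
}

# Print the bssh command for IP $2 using access table $1; exit 1 when the
# bastion has not granted access to that IP. Relies on the bssh alias from
# this page. Assumption: a non-default port is passed as "-p PORT" after
# bssh, mirroring ssh; verify against bssh --osh help on your bastion.
bssh_cmd_for() {
    bastion_targets "$1" | awk -v ip="$2" '
        $1 == ip {
            cmd = "bssh"
            if ($2 != 22) cmd = cmd " -p " $2
            print cmd " " $3 "@" ip
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Usage with live output instead of the constructed sample:
#   accesses=$(bssh --osh selfListAccesses)
#   bssh_cmd_for "$accesses" 10.10.0.12 || echo "no access to that host" >&2
```

Feeding the real table in through a variable, as in the usage comment, keeps the parser identical for live and sample input; only the sample is embedded so the snippet runs offline.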
Typical Commands
The Bastion has many commands available. Tab completion is very helpful and removes the need to memorise a whole new set of CLI commands. For a typical user, the most relevant are:
# Show a help message, including available commands.
help
# Basic info about your account.
info
# List accessible servers.
selfListAccesses
# Generate scp passthrough script.
scp
Using scp, sftp, rsync through The Bastion
It is possible to scp files in both directions through The Bastion using a special script that The Bastion generates for you (the scp command listed above). Follow the scp setup directions in The Bastion documentation.
Check the scp-via-bastion script The Bastion generates: it may need some minor tweaking. In particular, the host in BASTION_CMD may be a short name that your client cannot resolve; replace it with an FQDN or IP address your client can reach, keeping the quoting and the trailing space exactly as generated.
# As generated
BASTION_CMD="ssh davidbr@bastion-candig "
# Changed to an FQDN or IP address the client can resolve
BASTION_CMD="ssh davidbr@198.168.188.147 " # Or @<DOMAIN NAME>
The scp-via-bastion script may also be renamed (or aliased) and moved from $HOME to a directory within the user's $PATH (such as ~/.local/bin/).
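The check described above, as an added example that is neither this page's nor The Bastion's own code: a few POSIX shell functions that extract the host from the BASTION_CMD line of a generated scp-via-bastion script, flag it when it is a short name, and write a copy with the host replaced. The script excerpt is constructed for the example (only the BASTION_CMD line matters); the file name ~/scp-via-bastion and the replacement host bastion.sd4h.ca in the usage comment come from this page.

```shell
#!/bin/sh
# Added example: audit and rewrite the BASTION_CMD host of a generated
# scp-via-bastion script. SAMPLE_SCRIPT is a constructed excerpt; run the
# functions on the real file The Bastion generated for you.

SAMPLE_SCRIPT='#!/bin/sh
# constructed excerpt of a generated scp-via-bastion script
BASTION_CMD="ssh davidbr@bastion-candig "
# ... rest of the generated script ...'

# Print the host part of BASTION_CMD: the text between "@" and the
# trailing space or closing quote.
bastion_host_of() {
    printf '%s\n' "$1" | sed -n 's/^BASTION_CMD="ssh [^@]*@\([^ "]*\).*$/\1/p'
}

# Return 0 when the host is a short name (no dot, so neither an FQDN nor a
# dotted-quad IP). Such names only resolve on hosts that share the bastion's
# search domain, which is the usual reason the generated script needs a tweak.
needs_fqdn() {
    case "$1" in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Print the script with the BASTION_CMD host replaced by $2. The bastion
# user name, the quoting and the trailing space are left untouched.
set_bastion_host() {
    printf '%s\n' "$1" | sed "s/^\(BASTION_CMD=\"ssh [^@]*@\)[^ \"]*/\1$2/"
}

# Usage on the real file (writes a fixed copy rather than editing in place):
#   script=$(cat ~/scp-via-bastion)
#   host=$(bastion_host_of "$script")
#   if needs_fqdn "$host"; then
#       set_bastion_host "$script" bastion.sd4h.ca > ~/scp-via-bastion.fixed
#   fi
```

Writing the result to a separate file lets you diff it against the original before replacing the script and moving it into ~/.local/bin/.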
Access types
The Bastion provides both group and personal access. Group access is granted to every member of a bastion group, while personal access is granted to a single user; which one you receive depends on how the administrators have configured The Bastion. Your connections work the same either way, so from a user's perspective the distinction does not matter.