How to grant enough permission for developer on Bastion Host

Use Case 1: The developer needs to access the database.

For this use case we can give the developer access to the bastion host but allow SSH port forwarding only: no shell, no TTY, just a tunnel. Let's do it. Assume you have a virtual machine with IP 192.168.1.115 running an openssh-server that listens on port 2222.

# on your workstation: log in to the bastion host as root
ssh root@192.168.1.115 -p 2222
# on the bastion host: create the user with a home directory
$ useradd -m -d /home/alice -s /usr/bin/bash alice
$ cd /etc/ssh
$ vi sshd_config
# append this Match block at the end of sshd_config (Match blocks must come last),
# then restart sshd so it takes effect; alice gets TCP forwarding but no TTY and no shell
Match User alice
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTTY no
    ForceCommand exit
    PubkeyAuthentication yes
    PasswordAuthentication no
# on your workstation: generate an ed25519 key pair for alice
❯ ssh-keygen -t ed25519 -f alice -C "alice-user"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in alice
Your public key has been saved in alice.pub
The key fingerprint is:
SHA256:xeJwT6biReIIn+2GNXp8pveKbLyfP2R58zT5S99xVGM alice-user
The key's randomart image is:
+--[ED25519 256]--+
| |
| . |
| . o + = E.|
| o = * B . o|
| + * S .. ..|
| B + + o +. |
| o.* oo . + =.|
| +o=... o *|
| .=+++o. .+|
+----[SHA256]-----+

~/Desktop/alice-keys on ☁️ (ap-southeast-1)
❯ ll
total 8.0K
-rw------- 1 dong dong 399 Nov 13 11:44 alice
-rw-r--r-- 1 dong dong 92 Nov 13 11:44 alice.pub

# on the bastion host (as root): install alice's public key
# (paste the contents of alice.pub into authorized_keys)
[root@localhost ~]# mkdir -p /home/alice/.ssh
[root@localhost ~]# vi /home/alice/.ssh/authorized_keys
# back on your workstation: an interactive login is refused, because PermitTTY is off and ForceCommand exits immediately
~/Desktop/alice-keys on ☁️  (ap-southeast-1)
❯ ssh -i alice alice@192.168.1.115 -p 2222
PTY allocation request failed on channel 0
Connection to 192.168.1.115 closed.
# but port forwarding works: local port 8080 is tunnelled through the bastion to google.com:80
$ ssh -i alice -N -L 8080:google.com:80 alice@192.168.1.115 -p 2222
$ curl localhost:8080
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>404.</b> <ins>That’s an error.</ins>
<p>The requested URL <code>/</code> was not found on this server. <ins>That’s all we know.</ins>
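
The manual steps above (create the user, install the key, add the Match block, restart sshd) as one script. This is an added example, not code from the original post. It assumes sshd reads /etc/ssh/sshd_config, that apply_user runs as root on the bastion host, and it goes one step beyond the post: an optional third argument adds a PermitOpen line so the user can only forward to that one host:port (the value db.internal:5432 is a placeholder for your real database), instead of to any destination the way the google.com test above shows. It also prints the settings sshd actually resolves for the user, which is the check to run after editing a Match block.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): provision a port-forwarding-only
# SSH user on a bastion host. Assumptions: sshd config lives at $SSHD_CONFIG,
# apply_user runs as root, and the PermitOpen destination is a placeholder.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Render the Match stanza used in Use Case 1. An optional second argument adds
# PermitOpen, which limits forwarding to that host:port instead of anywhere.
render_match_block() {
  local user="$1" permit_open="${2:-}"
  printf 'Match User %s\n' "$user"
  printf '    X11Forwarding no\n'
  printf '    AllowTcpForwarding yes\n'
  printf '    PermitTTY no\n'
  printf '    ForceCommand exit\n'
  printf '    PubkeyAuthentication yes\n'
  printf '    PasswordAuthentication no\n'
  if [ -n "$permit_open" ]; then
    printf '    PermitOpen %s\n' "$permit_open"
  fi
}

# Append a public key to $home/.ssh/authorized_keys with the permissions that
# sshd's StrictModes expects: 700 on the directory, 600 on the file.
install_authorized_key() {
  local home="$1" user="$2" pubkey="$3"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # Ownership can only be changed by root, and only for an account that exists.
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    chown -R "$user:" "$home/.ssh"
  fi
}

# Full provisioning: create the account, install the key, append the Match
# block (Match blocks must be the last thing in sshd_config), check the syntax
# before restarting, then show the settings sshd resolves for this user.
apply_user() {
  local user="$1" pubkey_file="$2" permit_open="${3:-}"
  local home="/home/$user"
  useradd -m -d "$home" -s /usr/bin/bash "$user"
  install_authorized_key "$home" "$user" "$(cat "$pubkey_file")"
  { printf '\n'; render_match_block "$user" "$permit_open"; } >> "$SSHD_CONFIG"
  sshd -t -f "$SSHD_CONFIG"    # refuse to restart on a broken config
  systemctl restart sshd
  # -T prints the effective config; -C simulates a connection so Match applies.
  sshd -T -f "$SSHD_CONFIG" -C "user=$user,host=localhost,addr=127.0.0.1" \
    | grep -Ei '^(permittty|allowtcpforwarding|forcecommand|permitopen|x11forwarding) '
}

# Usage (as root on the bastion): ./provision.sh alice alice.pub [db.internal:5432]
if [ "$#" -ge 2 ]; then
  apply_user "$@"
fi
```

The `sshd -T -C user=alice,...` line is the part worth keeping in your own runbooks: it shows what sshd will really enforce for that user after all Match blocks are evaluated, so a typo in the stanza shows up before the developer reports that the tunnel does not work.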

[Security bug found, please ignore this] Use Case 2: The developer needs to execute some commands to interact with the infrastructure.

This use case is very common; some specific examples:

  • Use aws-cli to interact with S3 buckets: copy, move, download, etc.
  • Use kubectl to interact with a Kubernetes cluster.

Change alice's Match block so that she now gets a TTY (the other settings stay as in Use Case 1, and ForceCommand is dropped):

Match User alice
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTTY yes
    PubkeyAuthentication yes
    PasswordAuthentication no
$ systemctl restart sshd
# give alice a private bin directory and a PATH that contains nothing else
$ cd /home/alice
$ mkdir bin
$ chown -R alice: /home/alice
$ echo "export PATH=/home/alice/bin" > .bash_profile
$ chown root:root .bash_profile
# this chmod lets alice read but not modify this file,
# which prevents alice from editing the PATH set here
$ chmod 664 .bash_profile
# on your workstation: alice now gets a shell, but her PATH has no commands in it yet
❯ ssh -i alice alice@192.168.1.115 -p 2222
Last login: Sun Nov 13 12:26:43 2022 from 10.0.2.2
[alice@localhost ~]$ uname -a
bash: uname: command not found...
Packages providing this file are:
'coreutils'
'coreutils-single'
[alice@localhost ~]$
# on the bastion host (as root): expose only the aws binary to alice via a symlink in her bin directory
[root@localhost ~]# ln -s /usr/local/bin/aws /home/alice/bin/aws
[root@localhost ~]# stat /home/alice/bin/aws
File: /home/alice/bin/aws -> /usr/local/bin/aws
Size: 18 Blocks: 0 IO Block: 4096 symbolic link
Device: fd00h/64768d Inode: 37228668 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Context: unconfined_u:object_r:home_bin_t:s0
Access: 2022-11-13 12:32:06.894444010 +0700
Modify: 2022-11-13 12:32:06.894444010 +0700
Change: 2022-11-13 12:32:06.894444010 +0700
Birth: 2022-11-13 12:32:06.894444010 +0700
[root@localhost ~]#
~/Desktop/alice-keys on ☁️  (ap-southeast-1) took 6m58s 
❯ ssh -i alice alice@192.168.1.115 -p 2222
Last login: Sun Nov 13 12:26:52 2022 from 10.0.2.2
[alice@localhost ~]$ aws --version
aws-cli/2.8.12 Python/3.9.11 Linux/5.14.0-183.el9.x86_64 exe/x86_64.centos.9 prompt/off
[alice@localhost ~]$
