cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0

Is there a way to enable transparent ssh tunneling? #51

Closed ajhool closed 1 year ago

ajhool commented 4 years ago

Hi, I'm relatively new to bastion servers so I'm not sure whether ssh tunneling is a standard feature or if it is just a common use-case, but I would like to spin up this bastion on ECS in a public subnet and simply forward some database traffic to the private subnet that the database lives in -- rather than executing the database client on the bastion host itself.

So the end system is: postgresql client on a laptop -> bastion host forwards port 1234 to private subnet port 5432 if MFA is satisfied -> postgresql database accepts connections on 5432.

Curious if this is possible as is or needs another container, thanks!

RobRoseKnows commented 4 years ago

I'm also interested in this. Want to use a Terraform provisioner with the Bastion, but that doesn't seem to be possible.

ogrodnek commented 4 years ago

It's currently disallowed in the bastion config: AllowTcpForwarding is set to no, which disallows this (https://github.com/cloudposse/bastion/blob/master/rootfs/etc/ssh/sshd_config#L51).

If you create your own image you can remove that line (which then defaults to yes), i.e. something like:

```dockerfile
RUN sed -i '/^AllowTcpForwarding no/d' /etc/ssh/sshd_config
```

then forwarding should work.

jonmchan commented 1 year ago

This really depends on the level of security you want to grant. As stated above, you can easily turn on TcpForwarding by enabling it in the sshd_config file. It should be noted, however, that if logging the entire session via sudosh is a priority, one should not turn on TcpForwarding. Once you have TcpForwarding on, a user can forward any port, including ssh ports, to hosts on the internal network, bypassing running commands on the bastion host. This will defeat the enforcement of logging all commands and the session on the bastion host. Please keep this in mind when enabling TcpForwarding.
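A middle ground between "forwarding off" and "forward anywhere" is to keep the global `AllowTcpForwarding no` and re-enable it only in a `Match Group` block pinned to the database port with `PermitOpen`. The audit script below is an added example, not part of this thread or of the cloudposse/bastion image: it parses the global section and `Match` blocks of an sshd_config and reports the effective forwarding policy for a user's groups. The sample config, the `dbusers` group and the `10.0.2.15:5432` destination are constructed, and only `Group` match criteria are handled.

```python
"""Audit an sshd_config for TCP-forwarding exposure.

Global AllowTcpForwarding applies to everyone; a Match block can
re-enable it for one group while PermitOpen pins the destinations.
"""

# Constructed sample: global deny (as in the bastion image) plus a Match
# block that lets the "dbusers" group reach only the database port.
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding no
PermitTunnel no

Match Group dbusers
    AllowTcpForwarding local
    PermitOpen 10.0.2.15:5432
"""


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]); keys lowercased."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = current if current is not None else global_opts
        if key == "permitopen":          # may be repeated; keep every destination
            target.setdefault(key, []).extend(value.split())
        else:
            target[key] = value
    return global_opts, matches


def forwarding_policy(text, groups):
    """Effective (AllowTcpForwarding, PermitOpen) for a user in `groups`.

    Only "Match Group ..." criteria are evaluated (simplification). sshd uses
    the first value a matching Match block sets, so later blocks never win.
    """
    global_opts, matches = parse_sshd_config(text)
    overrides = {}
    for criteria, opts in matches:
        crit = criteria.split()
        if len(crit) >= 2 and crit[0].lower() == "group" and set(crit[1].split(",")) & set(groups):
            for key, value in opts.items():
                overrides.setdefault(key, value)
    effective = {**global_opts, **overrides}
    mode = effective.get("allowtcpforwarding", "yes").lower()   # sshd default: yes
    destinations = effective.get("permitopen", ["any"])           # sshd default: any
    return mode, destinations
```

Even a pinned PermitOpen destination is traffic that sudosh never records, so the session-logging caveat above still applies to that one port.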