High availability can be setup so that multiple bastion instances form a cluster of several instances, with any instance usable at all times (active/active scheme).The bastion is engineered to be self-sufficient: no dependencies such as databases, other daemons, other machines, or third-party cloud services, statistically means less downtime.Only a few well-known libraries are used, less third party code means a tinier attack surface.The KISS principle is used where possible for design and code: less complicated code means more auditability and less bugs.This includes, for example, network devices on which you may not have the possibility to install any custom software. In other words, only your good old ssh client is needed to connect through it, and on the other side, any standard sshd server will do the trick. Nothing fancy is needed either on the ingress or the egress side of The Bastion to make it work. Other BSD variants, such as OpenBSD and NetBSD, are unsupported as they have a severe limitation over the maximum number of supplementary groups, causing problems for group membership and restricted commands checks, as well as no filesystem-level ACL support and missing PAM support (hence no MFA). The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0. Support for either an additional password or TOTP factor can be configured, but not both at the same time. **: Note that these have partial MFA support, due to their reduced set of available pam plugins. The following OS are also tested with each release: Of course, you may compile those yourself.Īny other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments. *: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of pamtester, pam-google-authenticator, or both. Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster).Linux distros below are tested with each release, but as this is a security product, you are warmly advised to run it on the latest up-to-date stable version of your favorite OS: □ Compatibility Supported OS for installation The sandbox image is available for the following architectures: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/ppc64le, linux/s390x.īastion it! Of course, there is a lot more to it, documentation is available under the doc/ folder and online.īe sure to check the help of the bastion ( bastion -help) and the help of each osh plugin ( bastion -osh command -help).Īlso don't forget to customize your nf file, which can be found in /etc/bastion/nf (for Linux). This is a good way to test The Bastion within seconds, but read the FAQ if you're serious about using containerization in production. ![]() Please see the online documentation, or the corresponding text-based version found in the doc/ folder. □ Installing, upgrading, using The Bastion Learn more by reading the blog post series that announced the release: ![]() ), usually using ssh.īastions provides mechanisms for authentication, authorization, traceability and auditability for the whole infrastructure. ) to securely connect to devices (servers, virtual machines, cloud instances, network equipment. Bastions are a cluster of machines used as the unique entry point by operational teams (such as sysadmins, developers, database admins.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |