Simple Bastion script/webhook
Issue details
It would be nice to be able to define an executable or webhook to access that will return bastion data for a host.
This could easily hook into the .WithSSHBastionFunc() and provide a func that attempts a webhook or executes a local script to return a config.Bastion in JSON.
Why is this needed?
For environments that have network segmentation it would be convenient to be able to ssh host.example.com and have step fill in all bastion data, so jump hosts etc. do not need to be defined by hand.
Right now, one option that might be useful would be to configure custom ssh templates.
When you initialize a test CA with step ca init --ssh a new templates/ssh directory will be created with custom templates that you can modify:
$ ls -1 templates/ssh
ca.tpl
config.tpl
known_hosts.tpl
sshd_config.tpl
step_config.tpl
step_includes.tpl
They are also configured in the ca.json; by default, with an empty configuration, the defaults are used, and those generated ones are the defaults.
If you look at the step_config.tpl you can edit the ProxyCommand and use a script that grabs the right config and then executes ssh/nc or anything to use the bastion. You can even distribute this script with the templates:
Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h"
{{- if .User.User }}
User {{.User.User}}
{{- end }}
{{- if or .User.GOOS "none" | eq "windows" }}
UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %r %h %p
{{- else }}
UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %r %h %p
{{- end }}
On the other side, adding a webhook for this would also be nice.
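As an added example (not part of this issue thread and not code from the certificates project), here is one shape the bastion lookup proposed above could take: a resolver that asks an HTTP webhook first and falls back to a local script, parses the returned JSON, and validates it before anything downstream puts the hostname into an ssh or ProxyCommand line. The `Bastion` struct, the `Resolver` type, the webhook URL and the script path are all assumptions for this example; only the idea of returning bastion data as JSON from a hook comes from the issue, and the function signature is shaped so it could be handed to something like `.WithSSHBastionFunc()` but does not use the project's packages.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os/exec"
	"path/filepath"
	"regexp"
	"time"
)

// Bastion is the JSON document a hook is expected to return. It is an
// assumption for this example modelled on the issue's idea, not the
// project's own config.Bastion type.
type Bastion struct {
	Hostname string `json:"hostname"`
	User     string `json:"user,omitempty"`
	Port     string `json:"port,omitempty"`
	Command  string `json:"cmd,omitempty"`
	Flags    string `json:"flags,omitempty"`
}

// The returned values end up in an ssh / ProxyCommand line, so they are held
// to a conservative character set before anything downstream sees them.
var (
	hostRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]*$`)
	userRe = regexp.MustCompile(`^[A-Za-z0-9._-]*$`)
	portRe = regexp.MustCompile(`^[0-9]{0,5}$`)
)

// ParseBastion decodes and validates a hook response. A body without a
// hostname ("{}" or "null") means "no bastion for this host": nil, nil.
func ParseBastion(data []byte) (*Bastion, error) {
	var b Bastion
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields() // typos in keys fail loudly instead of silently
	if err := dec.Decode(&b); err != nil {
		return nil, fmt.Errorf("bastion json: %w", err)
	}
	if b.Hostname == "" {
		return nil, nil
	}
	switch {
	case !hostRe.MatchString(b.Hostname):
		return nil, fmt.Errorf("bastion json: invalid hostname %q", b.Hostname)
	case !userRe.MatchString(b.User):
		return nil, fmt.Errorf("bastion json: invalid user %q", b.User)
	case !portRe.MatchString(b.Port):
		return nil, fmt.Errorf("bastion json: invalid port %q", b.Port)
	}
	return &b, nil
}

// Resolver tries the webhook first, then the local script; both are optional.
type Resolver struct {
	WebhookURL string // hypothetical, e.g. https://bastions.internal/lookup
	ScriptPath string // hypothetical absolute path to a local executable
	Client     *http.Client
	Timeout    time.Duration // bounds the whole lookup; defaults to 5s
}

const maxBody = 64 << 10 // cap the response so a misbehaving hook cannot exhaust memory

// Resolve returns the bastion for a user/host pair, or nil, nil when none applies.
func (r *Resolver) Resolve(ctx context.Context, user, host string) (*Bastion, error) {
	timeout := r.Timeout
	if timeout == 0 {
		timeout = 5 * time.Second
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	var errs []error
	if r.WebhookURL != "" {
		if b, err := r.fromWebhook(ctx, user, host); err == nil {
			return b, nil
		} else {
			errs = append(errs, err)
		}
	}
	if r.ScriptPath != "" {
		if b, err := r.fromScript(ctx, user, host); err == nil {
			return b, nil
		} else {
			errs = append(errs, err)
		}
	}
	if len(errs) == 0 {
		return nil, nil // nothing configured: plain ssh, no bastion
	}
	return nil, fmt.Errorf("bastion lookup failed: %v", errs)
}

func (r *Resolver) fromWebhook(ctx context.Context, user, host string) (*Bastion, error) {
	u, err := url.Parse(r.WebhookURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	q.Set("user", user)
	q.Set("host", host)
	u.RawQuery = q.Encode()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	client := r.Client
	if client == nil {
		client = http.DefaultClient
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("webhook: unexpected status %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBody+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxBody {
		return nil, errors.New("webhook: response too large")
	}
	return ParseBastion(body)
}

func (r *Resolver) fromScript(ctx context.Context, user, host string) (*Bastion, error) {
	// Only an absolute path is accepted (no PATH lookup), and user/host are
	// passed as argv entries, never through a shell.
	if !filepath.IsAbs(r.ScriptPath) {
		return nil, fmt.Errorf("script: path %q must be absolute", r.ScriptPath)
	}
	cmd := exec.CommandContext(ctx, r.ScriptPath, user, host)
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // minimal environment for the hook
	var stdout bytes.Buffer
	cmd.Stdout = &stdout
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("script %s: %w", r.ScriptPath, err)
	}
	return ParseBastion(stdout.Bytes())
}

func main() {
	r := &Resolver{ScriptPath: "/usr/local/libexec/bastion-hook"} // assumed path
	b, err := r.Resolve(context.Background(), "alice", "db1.example.com")
	fmt.Println(b, err)
}
```

The validation step matters because whatever the hook returns is later spliced into an ssh invocation by the client; rejecting anything outside a DNS-name character set keeps a compromised or buggy hook from injecting options, and the size cap plus the shared timeout keep a slow or chatty endpoint from hanging the login. Logging which source (webhook or script) answered, and the raw rejected body when validation fails, is the natural place to add detection for a hook that starts returning unexpected data.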