Deploying The Bastion with modern tools #205

jacen05 opened this issue Jun 21, 2021 · 1 comment
Comments


jacen05 commented Jun 21, 2021

Hello,

I'm trying to find out how to integrate The Bastion with our stack based on Ansible/Packer/Terraform.
The installation part seems easy as your installation scripts are working very well.
However I see 2 problems:

  • How can I provision users (bastion admin and regular ssh users) to the bastion with a script (or with another Ansible provider)? Running /opt/bastion/bin/plugin/restricted/accountCreate --account tester (with all other needed parameters) results in Invalid IP address (tester)
  • How can I define the egress keys for the users myself? The goal is to provision the public key to the target servers when deploying them. It would be preferable to be able to define the key instead of only fetching the generated public key, so there is no temporal dependency when building/deploying the bastion and target servers.

Thanks!

speed47 (Collaborator) commented Jun 24, 2021

Hello,

Yes, this is important for the project to ensure that it's easy to deploy with these standard tools! About your remarks:

  • To create admin accounts, you have the setup-first-admin-account.sh script. When #203 (fix: setup-first-admin-account.sh: support to add several admins) is tagged in a release (it's already merged, so it should be in a few days), the script will also be able to create more than one admin account.

  • For regular accounts, the nominal use case is to create them using the restricted accountCreate command. This command can be given to any preexisting account on the server. That's how we do it: we have a "robot" account that can only use the accountCreate and accountDelete commands. This account doesn't have access to any server behind the bastion (it has the "osh-only" flag set, so it can't use SSH), and this robot account is linked to our HRIS, so it creates/deletes accounts accordingly. This way, installation of a new bastion and provisioning are decoupled. However, if you still want to manually create those regular accounts during your installation, because you have a hard-coded list somewhere, you should be able to manually call the plugin as you tried, but you need to insert 4 empty parameters between the command and the actual parameters (these parameters contain plumbing information that you don't need in that case): HOME=/root USER=root /opt/bastion/bin/plugin/restricted/accountCreate '' '' '' '' --account tester. This is not really a supported way of doing it, but it should work. The proper way would be to create an account that can use accountCreate, and use this account to create all the accounts.

  • About the egress keys, what you need is probably group accesses. When you create a group on the bastion, you get a public key, and then you can set this public key in your automation when deploying the remote infrastructure of the target servers. You don't need to have accounts on the bastion to do that. Then, when accounts are created, you may grant them access to this group (or these groups).
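The workflow described in the comment above (a restricted, osh-only "robot" account that creates regular accounts; a group whose egress public key is pushed to target servers by your own automation; the unsupported local fallback with four empty plumbing arguments), written out as a small bash provisioning library. This is an added example and not code from ovh/the-bastion or from either commenter. The host and account names are placeholders; the plugin names and flags (accountCreate --uid-auto/--public-key/--osh-only, accountGrantCommand --command, groupCreate --owner/--algo/--size, groupInfo --group, groupAddMember) are taken from the project's documentation as I remember it, and the assumption that groupInfo prints the egress key as a plain "ssh-<type> <base64> <comment>" line is mine; check both against `--osh help` on the version you deploy.

```shell
#!/usr/bin/env bash
# Added example (not from ovh/the-bastion): drive The Bastion from automation
# through a restricted robot account, and fetch a group's egress key for the
# target-server side. Assumed: host/account names, plugin flags, and that
# groupInfo prints the egress key as an "ssh-<type> <base64> <comment>" line.
set -euo pipefail

BASTION_HOST="${BASTION_HOST:-bastion.example.com}"   # assumed hostname
ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-admin}"                # assumed first admin
ROBOT_ACCOUNT="${ROBOT_ACCOUNT:-provisioner}"          # assumed robot account
# The transport is a variable so the functions can be exercised against a stub
# (e.g. in CI) instead of a live bastion.
BASTION_SSH="${BASTION_SSH:-ssh}"

# Run one --osh command as the given bastion account and return its stdout;
# the forced tty (-t) produces CRLF, so strip the CRs for parsing.
osh() {
  local account="$1"; shift
  "$BASTION_SSH" -t "${account}@${BASTION_HOST}" -- --osh "$@" | tr -d '\r'
}

# One-time bootstrap, run as an admin: create the robot with the osh-only flag
# (it can never SSH through the bastion to a target), then grant it exactly the
# two account-management commands it needs.
bootstrap_robot() {  # usage: bootstrap_robot "<robot ingress public key>"
  local robot_pubkey="$1"
  osh "$ADMIN_ACCOUNT" accountCreate --account "$ROBOT_ACCOUNT" --uid-auto \
      --osh-only --public-key "$robot_pubkey"
  osh "$ADMIN_ACCOUNT" accountGrantCommand --account "$ROBOT_ACCOUNT" --command accountCreate
  osh "$ADMIN_ACCOUNT" accountGrantCommand --account "$ROBOT_ACCOUNT" --command accountDelete
}

# Day-to-day provisioning, run as the robot: this is what an Ansible task or an
# HRIS hook calls, independently of when the bastion itself was installed.
provision_user() {  # usage: provision_user NAME "<user ingress public key>"
  osh "$ROBOT_ACCOUNT" accountCreate --account "$1" --uid-auto --public-key "$2"
}

# Egress side: the group's key pair is generated once on the bastion; fetch the
# public half here and let your server automation install it on the targets.
# Accounts are added to the group later, so the two deployments are decoupled.
create_group() {  # usage: create_group NAME
  osh "$ADMIN_ACCOUNT" groupCreate --group "$1" --owner "$ADMIN_ACCOUNT" --algo ed25519 --size 256
}
group_egress_key() {  # usage: group_egress_key NAME -> "ssh-ed25519 AAAA... comment"
  # Fails (non-zero, via pipefail) if no key line is found, so callers notice.
  osh "$ADMIN_ACCOUNT" groupInfo --group "$1" |
    grep -m1 -oE 'ssh-(ed25519|rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( [^[:space:]]+)?'
}
add_group_member() {  # usage: add_group_member GROUP ACCOUNT
  osh "$ADMIN_ACCOUNT" groupAddMember --group "$1" --account "$2"
}

# The unsupported fallback from the comment, to be run locally on the bastion
# host as root: four empty plumbing arguments precede the real parameters.
local_create_account() {  # usage: local_create_account NAME [more accountCreate args]
  local name="$1"; shift
  HOME=/root USER=root /opt/bastion/bin/plugin/restricted/accountCreate '' '' '' '' \
      --account "$name" "$@"
}
```

Typical use from a Terraform/Ansible pipeline: source the file, run `bootstrap_robot` once with the CI runner's public key, then have the runner (whose ssh key is the robot's ingress key) call `provision_user` per employee, and feed `group_egress_key webservers` into an `authorized_key` task for the target hosts. Note that `group_egress_key` deliberately fails instead of returning an empty string when the key line is missing, so a mis-parsed groupInfo output does not silently deploy nothing.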
