The Bastion: Open-source access control for complex infrastructure
Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work, and each new system adds more identities to manage. A bastion host tries to bring order to this problem by acting as the single entry point for sysadmins and developers who reach infrastructure over ssh. The model itself is not new, but The Bastion open-source project shows how far a purpose-built access layer can go.

A single place to authenticate
At its core, The Bastion places a cluster of machines between users and the servers they work on. Each team member has an account on the bastion and can belong to one or more groups. The servers on the far side only need to know and trust those groups: each group holds its own egress key, so a target host carries one authorized key per group that may reach it rather than one account per person, which cuts both the identity work and the number of credentials stored on individual servers. A user connects to the bastion, which authenticates them, checks whether their personal or group access rights cover the requested host, remote user and port, and only then opens the egress connection with the group's key. The target host sees the group identity and nothing more.
Ingress authentication is by ssh public key; on top of that the project adds multi-factor options such as TOTP and can require that an account's ingress key be backed by a Yubico PIV device. That gives organizations tighter control over the login flow at one point, without pushing changes to every system in the fleet.
The maintainers built the system so that ordinary ssh clients work on the ingress side and standard sshd servers work on the egress side, which suits teams running a mix of old and new equipment. Legacy devices that only speak weak ciphers or key exchanges can stay behind the firewall with those settings unreachable from outside: the bastion terminates the hardened connection at the front and keeps the weaker hop inside the network.
Delegation without expanding risk
The Bastion includes fine-grained RBAC that lets teams delegate tasks to specific accounts or groups, and account lifecycle can be driven from HR tools or directory services. A group admin can keep a group's ACLs in sync with a CMDB, and automated processes do the same through a JSON API over ssh, so authorization rules stay in one place and team workflows stay predictable. Whoever holds a delegated role, and any automation key that exercises it, is by construction a high-value account, so those identities deserve the strictest MFA and the closest log review.
Developers and admins keep their usual tools, since the project handles scp, sftp, rsync and other common workflows. Both interactive and non-interactive sessions can be recorded; the recordings are ttyrec files, a format many teams already know how to replay and search. Logging goes through syslog, which makes it straightforward to feed a SIEM.
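The CMDB-to-ACL sync mentioned above is driven through the JSON API over ssh. Below is an added example of a small client for it, written for this page and not taken from The Bastion's own code. It assumes a bastion account `alice@bastion.example.org` (both names are placeholders), that osh commands are passed after a literal `--` so ssh does not parse them itself, that `groupAddServer` takes `--group`, `--host`, `--user` and `--port` as in the project's documentation, and that `--json` wraps the reply in `JSON_START` / `JSON_END` markers around a document with `command`, `error_code` (`OK` on success), `error_message` and `value` keys. Check those conventions against the version you run; the sample replies are constructed, not captured.

```python
"""Driving The Bastion's JSON API over ssh from Python.

Added example, not code from The Bastion project. Assumed (verify against
your version): BASTION_USER/BASTION_HOST placeholders, osh arguments after
'--', JSON_START/JSON_END markers around the --json reply, and the
command/error_code/error_message/value keys inside it.
"""
import json
import subprocess
from typing import Callable, Optional

BASTION_HOST = "bastion.example.org"   # assumed hostname
BASTION_USER = "alice"                 # assumed bastion account name


class BastionError(RuntimeError):
    """Raised when the bastion reply is missing, malformed or not 'OK'."""


def osh_argv(command: str, *args: str) -> list:
    """Build the ssh argv for one osh command with machine-readable output."""
    # -T: no pty, we only want the text reply; '--': hand the rest to the
    # bastion shell rather than to ssh's own option parser.
    return ["ssh", "-T", f"{BASTION_USER}@{BASTION_HOST}", "--",
            "--osh", command, *args, "--json"]


def parse_osh_json(output: str) -> dict:
    """Extract and validate the JSON document wrapped in the reply."""
    start = output.find("JSON_START")
    if start == -1:
        # Typical when ssh itself failed (key rejected, MFA prompt, host
        # down): there is banner or error text but never a JSON block.
        raise BastionError("no JSON_START marker in reply")
    body_start = start + len("JSON_START")
    end = output.find("JSON_END", body_start)
    if end == -1:
        raise BastionError("JSON_START without JSON_END (truncated reply?)")
    try:
        doc = json.loads(output[body_start:end])
    except json.JSONDecodeError as exc:
        raise BastionError(f"undecodable JSON in reply: {exc}") from exc
    if doc.get("error_code") != "OK":
        raise BastionError(
            f"{doc.get('command')}: {doc.get('error_code')} "
            f"{doc.get('error_message', '')}".strip())
    return doc


def run_osh(command: str, *args: str,
            runner: Optional[Callable[[list], str]] = None) -> dict:
    """Run an osh command and return its decoded reply.

    `runner` turns an argv into the command's stdout. The default really
    executes ssh; tests inject a fake that replays a captured reply offline.
    """
    if runner is None:
        def runner(argv):
            return subprocess.run(argv, capture_output=True, text=True,
                                  check=False).stdout
    return parse_osh_json(runner(osh_argv(command, *args)))


def grant_group_access(group: str, host: str, user: str, port: int = 22,
                       runner=None) -> dict:
    """Add one (host, user, port) entry to a group's ACL via groupAddServer.

    This is the call a CMDB-driven sync job loops over; the caller decides
    how to treat a non-OK error_code (raised as BastionError) per entry.
    """
    return run_osh("groupAddServer", "--group", group, "--host", host,
                   "--user", user, "--port", str(port), runner=runner)


# Constructed sample replies (not captured from a real bastion). Banner text
# around the markers must be ignored; the error code below is illustrative.
SAMPLE_OK_REPLY = """\
*---------------------------------------------------------------*
|THE BASTION|  Welcome, alice!
*---------------------------------------------------------------*
JSON_START
{"command":"groupAddServer","error_code":"OK",
 "error_message":"Access granted","value":{"group":"webops",
 "ip":"10.0.0.12","user":"deploy","port":22}}
JSON_END
"""

SAMPLE_DENIED_REPLY = """\
JSON_START
{"command":"groupAddServer","error_code":"KO_ACCESS_DENIED",
 "error_message":"You are not a gatekeeper of this group"}
JSON_END
"""

if __name__ == "__main__":
    reply = grant_group_access("webops", "10.0.0.12", "deploy",
                               runner=lambda argv: SAMPLE_OK_REPLY)
    print(reply["value"])
```

Keeping the transport behind `runner` is what makes the sync job testable without a bastion, and keeping `--json` on every call means a human-readable banner in the reply never confuses the parser: only the block between the markers is decoded, and anything other than `error_code: OK` is surfaced as an exception rather than silently treated as success.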
The Bastion does not rely on databases or other external services during authentication or authorization. Fewer outside components mean fewer moving parts that can cause downtime, and clusters can run in an active/active scheme so that every instance stays ready for use.
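Returning to the session recordings mentioned above: ttyrec is a simple container, and being able to read it directly matters when a recording has to be reviewed after an incident without a replay tool at hand. The following is an added example written for this page, not code from The Bastion project. It relies only on the ttyrec format itself (each chunk is a 12-byte header of three little-endian uint32 fields, tv_sec, tv_usec and len, followed by len bytes of terminal output); the sample recording is constructed in-process so the example runs offline, and a real file would simply be read from disk, decompressed first if the bastion stored it compressed.

```python
"""Parsing ttyrec session recordings for review.

Added example, not code from The Bastion project. Uses only the plain ttyrec
container format: per chunk, a 12-byte header of three little-endian uint32
fields (tv_sec, tv_usec, len) followed by len bytes of terminal output.
The recording below is constructed here, not captured from a bastion.
"""
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

HEADER = struct.Struct("<III")  # tv_sec, tv_usec, len: little-endian uint32s

# CSI sequences, charset designators and single-byte ESC sequences; stripping
# them turns raw terminal output into text a reviewer can grep.
ANSI_ESCAPE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[()][A-Za-z0-9]|\x1b[@-Z\\-_]")


@dataclass
class Chunk:
    ts: float    # seconds since epoch when this output was written
    data: bytes


def write_chunk(ts: float, data: bytes) -> bytes:
    """Serialize one chunk (used here to build the sample recording)."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1e6))
    return HEADER.pack(sec, usec, len(data)) + data


def iter_chunks(blob: bytes) -> Iterator[Chunk]:
    """Walk a ttyrec blob, refusing to guess past a truncated chunk."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        sec, usec, n = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if len(blob) - off < n:
            raise ValueError(
                f"chunk at offset {off - HEADER.size} announces {n} bytes "
                f"but only {len(blob) - off} remain")
        yield Chunk(sec + usec / 1e6, blob[off:off + n])
        off += n


def session_text(blob: bytes) -> str:
    """Concatenate all output with terminal escapes removed."""
    raw = b"".join(c.data for c in iter_chunks(blob))
    return ANSI_ESCAPE.sub(b"", raw).decode("utf-8", "replace")


def duration(blob: bytes) -> float:
    """Wall-clock span from first to last chunk, in seconds."""
    chunks = list(iter_chunks(blob))
    return chunks[-1].ts - chunks[0].ts if chunks else 0.0


def idle_gaps(blob: bytes, threshold: float = 30.0) -> List[Tuple[float, float]]:
    """(start_ts, seconds) for every pause between chunks >= threshold.

    Long silences in a recorded session are worth a look: a session left
    open and unattended, or a long-running command, both show up here.
    """
    gaps, prev = [], None
    for c in iter_chunks(blob):
        if prev is not None and c.ts - prev >= threshold:
            gaps.append((prev, c.ts - prev))
        prev = c.ts
    return gaps


# Constructed sample recording (not a real bastion capture).
SAMPLE_TTYREC = b"".join([
    write_chunk(1700000000.0, b"$ "),
    write_chunk(1700000001.25, b"sudo -l\r\n"),
    write_chunk(1700000001.5,
                b"\x1b[1mUser deploy may run the following commands\x1b[0m\r\n"),
    write_chunk(1700000095.0, b"$ exit\r\n"),
])

if __name__ == "__main__":
    print(session_text(SAMPLE_TTYREC))
    print(f"duration: {duration(SAMPLE_TTYREC):.1f}s, "
          f"idle gaps >= 60s: {idle_gaps(SAMPLE_TTYREC, 60)}")
```

The parser deliberately stops with an error on a truncated chunk instead of returning whatever it has decoded so far: a recording that ends mid-chunk is itself a finding (a crashed recorder, a filled disk, or tampering) and should not be mistaken for a clean session.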
Helping teams connect across organizations
Some teams work across companies. The Bastion supports realms, which establish trust between two bastions: authentication can happen on one side and authorization on the other, while each organization keeps its own policies in place. The project also supports HTTPS proxying with man-in-the-middle inspection for devices that are managed through network APIs. Ingress and egress passwords are decoupled, which matters with old network gear that only accepts password logins: what a user presents to the bastion is independent of what the bastion presents to the device.
The idea behind The Bastion is not new, but the project shows how much control and oversight can be added without changing how people work day to day. For developers and sysadmins who deal with scattered systems and identity drift, it offers a way to bring access paths back into one predictable flow.
The Bastion is available for free on GitHub.

