1.5 KiB
1.5 KiB
A Bastion host is a gateway to accessing other hosts. It is a safeguard against admin error.
Etymology
Bastion hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.
Capacity and Components
A Bastion host needs minimal CPU or memory.
Hosted Services and Entities
Nothing is hosted by a Bastion.
Connections
See :Category:Entity -- any host should be able to connect to a Bastion with SSH and X11, and it should be able to dial to any service provider.
Additional Reference
Bastion hosts should be deployed alongside any Hypervisor and set to start on boot. The encrypted credentials volume should be encrypted per ShadowArch's recommendations, and it should not be added to /etc/fstab or /etc/crypttab.
To create a Bastion:
- Create a new VM in the Hypervisor and mark it to start on boot. For an example Hypervisor, see Forge2.
- Install ShadowArch with the Spartacus layout and without encryption or GUI -- encryption complicates boot and GUI is unnecessary. Applications with GUI will be X11-forwarded.
- Log in as root and convert the exfat partition from the Spartacus layout to an encrypted ext4 or xfs one.
- "make -C /usr/local/src/ConfigPackages/Bastion install"
- Log in as the bastion user on the new VM and run new-ssh-key for each SSH-capable host.
- Set a NAT rule in the router to allow access to the Bastion host on a non-22 port. }}