25 lines
1.5 KiB
Markdown
25 lines
1.5 KiB
Markdown
A Bastion host is a gateway to accessing other hosts. It is a safeguard against admin error.
|
|
|
|
# Etymology
|
|
Bastion hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.
|
|
|
|
# Capacity and Components
|
|
A Bastion host needs minimal CPU or memory.
|
|
|
|
# Hosted Services and Entities
|
|
Nothing is hosted by a Bastion.
|
|
|
|
# Connections
|
|
See [[:Category:Entity|the entity list]] -- any host should be able to connect to a Bastion with [[SSH]] and X11, and it should be able to dial to any service provider.
|
|
|
|
# Additional Reference
|
|
Bastion hosts should be deployed alongside any Hypervisor and set to start on boot. The encrypted credentials volume should be encrypted per [[ShadowArch]]'s recommendations, and it should not be added to /etc/fstab or /etc/crypttab.
|
|
|
|
To create a Bastion:
|
|
1. Create a new VM in the Hypervisor and mark it to start on boot. For an example Hypervisor, see [[Forge2]].
|
|
1. Install ShadowArch with the Spartacus layout and without encryption or GUI -- encryption complicates boot and GUI is unnecessary. Applications with GUI will be X11-forwarded.
|
|
1. Log in as root and convert the exfat partition from the Spartacus layout to an encrypted ext4 or xfs one.
|
|
1. "make -C /usr/local/src/ConfigPackages/Bastion install"
|
|
1. Log in as the bastion user on the new VM and run new-ssh-key for each [[SSH]]-capable host.
|
|
1. Set a NAT rule in the router to allow access to the Bastion host on a non-22 port.
|
|
}} |