Bastion Integration
SSH-KLM integrates with bastion hosts and jump servers for secure access patterns.
Overview
Bastion hosts (jump servers) provide a secure entry point to your infrastructure. SSH-KLM can discover and manage keys on both bastion hosts and the servers behind them.
Architecture
```
┌──────────┐      ┌──────────┐      ┌──────────┐
│   User   │─────▶│ Bastion  │─────▶│  Target  │
│          │ SSH  │   Host   │ SSH  │  Server  │
└──────────┘      └──────────┘      └──────────┘
                        │
                        │ Agent
                        ▼
                 ┌──────────────┐
                 │   SSH-KLM    │
                 │   Platform   │
                 └──────────────┘
```

Key Management Patterns
Pattern 1: Agent on Bastion

Install the agent on the bastion to manage all keys:

```yaml
# Bastion agent config
agent:
  mode: bastion
  discoverTargets: true
  proxyCommand: "ssh -W %h:%p bastion.example.com"
```

Pattern 2: Agent on All Hosts

Full visibility with agents everywhere:

```yaml
# Each host has an agent
agent:
  mode: standard
  reportTo: https://ssh-klm.example.com
```

Ephemeral Access via Bastion

```javascript
// Request access through the bastion
const access = await client.ssh.requestEphemeral({
  bastion: 'bastion.example.com',
  target: 'internal-server.local',
  username: 'admin',
  ttl: 300
});

// Returns a ProxyCommand configuration
console.log(access.proxyCommand);
// ssh -o ProxyCommand="ssh -W %h:%p bastion" internal-server
```

Certificate-Based Access

SSH-KLM can issue short-lived SSH certificates:

```javascript
const cert = await client.ssh.issueCertificate({
  publicKey: userPublicKey,
  principals: ['admin', 'deploy'],
  validFor: '1h',
  extensions: {
    'permit-pty': '',
    'permit-port-forwarding': ''
  }
});
```
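The certificate issued above is a standard OpenSSH user certificate, so a bastion-side validator can inspect exactly what was granted. The following Python is an added example (not SSH-KLM code): it builds a constructed, unsigned certificate blob carrying the principals, 1 h validity window and extensions from the call above, parses those fields back out of the OpenSSH wire format, and applies the policy checks a validator would want. All function names and sample values are assumptions.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _str(b):  # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert(pubkey, key_id, principals, valid_after, valid_before, extensions):
    """Constructed, UNSIGNED user certificate in OpenSSH wire format (demo input only)."""
    body = (_str(CERT_TYPE) + _str(b"\x00" * 32) + _str(pubkey) + struct.pack(">QI", 1, 1)  # type, nonce, key, serial, user cert
            + _str(key_id.encode()) + _str(b"".join(_str(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _str(b"")  # validity window, no critical options
            + _str(b"".join(_str(n.encode()) + _str(v.encode()) for n, v in sorted(extensions.items())))
            + _str(b"") + _str(b"") + _str(b""))  # reserved, CA public key, signature left empty here
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line):
    """Extract principals, validity window and extensions from a 'type base64' certificate line."""
    data, pos = base64.b64decode(line.split()[1]), 0
    def string():
        nonlocal pos; n = struct.unpack_from(">I", data, pos)[0]; pos += 4 + n
        return data[pos - n:pos]
    def u64():
        nonlocal pos; pos += 8
        return struct.unpack_from(">Q", data, pos - 8)[0]
    def strings(blob):  # a string that itself holds a sequence of strings (principals, extensions)
        out, sub = [], 0
        while sub < len(blob):
            n = struct.unpack_from(">I", blob, sub)[0]; out.append(blob[sub + 4:sub + 4 + n].decode()); sub += 4 + n
        return out
    string(); string(); string()  # certificate type name, nonce, public key
    u64(); pos += 4               # serial, then uint32 type (1 = user, 2 = host)
    key_id = string().decode()
    principals = strings(string())
    valid_after, valid_before = u64(), u64()
    string()                      # critical options (none in this policy)
    ext = strings(string())       # name/data pairs; flag extensions such as permit-pty carry empty data
    return {"key_id": key_id, "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "extensions": dict(zip(ext[::2], ext[1::2]))}

def check_access(cert, username, now, max_ttl=3600, allowed_exts=("permit-pty", "permit-port-forwarding")):
    # Policy mirroring the issuance above: login name must be a principal, lifetime at most 1h, only known extensions
    if username not in cert["principals"]:
        return False, "principal not permitted"
    if not (cert["valid_after"] <= now < cert["valid_before"]) or cert["valid_before"] - cert["valid_after"] > max_ttl:
        return False, "outside validity window or lifetime exceeds policy"
    unknown = set(cert["extensions"]) - set(allowed_exts)
    return (False, "unexpected extensions: " + ", ".join(sorted(unknown))) if unknown else (True, "ok")
```

Signature verification against the CA key is deliberately omitted; sshd performs that check, and this example only covers the granted fields.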