# Bastion Host Integration

Configure SSH-KLM to work with traditional bastion hosts and jump servers.
## Prerequisites

- Bastion host with SSH access
- SSH-KLM agent installed on the bastion
- Network connectivity from the bastion to the target hosts
## Configuration

### Step 1: Install Agent on Bastion

```bash
curl -fsSL https://get.qcecuring.com/ssh-agent | sudo bash -s -- \
  --server https://ssh-klm.example.com \
  --token YOUR_TOKEN \
  --mode bastion
```
### Step 2: Configure Bastion Mode

```yaml
agent:
  mode: bastion

bastion:
  enabled: true
  discoverTargets: true
  targetNetworks:
    - 10.0.0.0/8
    - 172.16.0.0/12

  # SSH config for reaching targets
  ssh:
    user: sshklm-scanner
    keyFile: /etc/ssh-klm-agent/scanner_key
    timeout: 30s
```
### Step 3: Add Target Hosts

```javascript
// Register hosts behind the bastion
await client.ssh.addHost({
  hostname: 'internal-server-01',
  port: 22,
  bastion: 'bastion.example.com',
  labels: { environment: 'production' }
});
```
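As an added example (not SSH-KLM documentation or SDK code), a small JavaScript check that the hosts you plan to register in Step 3 actually fall inside the `bastion.targetNetworks` configured in Step 2, since a host outside every listed CIDR is out of scope for discovery through the bastion. The config values are the ones shown above; the host addresses are constructed sample data and the CIDR math is plain IPv4 arithmetic, not an SDK function.

```javascript
// Added example (not SSH-KLM code): flag candidate hosts that fall outside the
// bastion.targetNetworks CIDRs before they are passed to client.ssh.addHost().

// Parse a dotted IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True if `ip` lies within `cidr` (e.g. '172.16.0.0/12'); a /0 matches everything.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// The bastion section of the agent config shown in Step 2.
const bastionConfig = {
  enabled: true,
  targetNetworks: ['10.0.0.0/8', '172.16.0.0/12'],
};

// Split hosts into those discovery can reach via the bastion and those it cannot.
function partitionByTargetNetworks(config, hosts) {
  const reachable = [];
  const unreachable = [];
  for (const host of hosts) {
    const ok = config.enabled && config.targetNetworks.some((cidr) => inCidr(host.address, cidr));
    (ok ? reachable : unreachable).push(host);
  }
  return { reachable, unreachable };
}

// Constructed sample hosts: the last two sit outside both configured networks.
const sampleHosts = [
  { hostname: 'internal-server-01', address: '10.20.30.40' },
  { hostname: 'internal-server-02', address: '172.31.255.254' },
  { hostname: 'lab-box', address: '192.168.1.10' },
  { hostname: 'edge-box', address: '172.32.0.1' },
];

partitionByTargetNetworks(bastionConfig, sampleHosts).unreachable.forEach((h) =>
  console.warn(`${h.hostname} (${h.address}) is outside bastion.targetNetworks; extend the list before addHost()`));
```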
## Discovery Through Bastion

```javascript
// Discovery uses the bastion as a proxy
const scan = await client.ssh.startDiscovery({
  hosts: ['internal-*'],
  viaBastion: 'bastion.example.com'
});
```
## Rotation Through Bastion

Key rotation automatically uses the bastion:

```javascript
await client.ssh.rotateKey({
  keyId: 'KEY-internal-123',
  // Automatically routes through the configured bastion
});
```
## Troubleshooting

### Cannot Reach Target Hosts

```bash
# Test from the bastion
ssh -v internal-server-01

# Check agent logs
sudo journalctl -u ssh-klm-agent | grep bastion
```
### Discovery Timeout

Increase the timeout for large networks:

```yaml
bastion:
  ssh:
    timeout: 60s
  discovery:
    parallelHosts: 5
```