How to grant just enough permission to a developer on a Bastion Host

In a production environment, access is private by default: developers usually have no permission to reach the database, the search engine, or the running application. When they need to debug the application or run a specific query on the database, DevOps has to give the developer access to that resource.

So for each use case, DevOps needs to grant just enough permission. Let's go through some use cases.

Use Case 1: Developers need to access the database.

For this use case we can give the developer access to the bastion host and allow that user to do SSH port-forwarding only. Let's do it. Assume you have a virtual machine with IP 192.168.1.115 and an openssh-server listening on port 2222.

First, log in to this instance with sudo privileges.

$ ssh root@192.168.1.115 -p 2222

Create a user account for the developer.

$ useradd -m -d /home/alice -s /usr/bin/bash alice

Configure the OpenSSH server to allow only port-forwarding.

$ cd /etc/ssh
$ vi sshd_config

Add this block to the file:

Match User alice
        X11Forwarding no
        AllowTcpForwarding yes
        PermitTTY no
        ForceCommand exit
        PubkeyAuthentication yes
        PasswordAuthentication no

With this configuration the developer only has permission to use port-forwarding; each time the user tries to log in to this server, the session is forced to exit. We only support public-key authentication instead of passwords to prevent brute-force attacks.
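Because a single forgotten line in that Match block (say, PermitTTY left out) silently turns a forwarding-only account back into a shell account, it is worth checking the block mechanically before handing out the key. The script below is an added example, not part of the original post: it parses an sshd_config text, extracts the directives inside "Match User <name>" for any user you name, and reports which of the restrictions above are missing or set to the wrong value. The SAMPLE_CONFIG is constructed for the demo (alice has the full block, bob only has AllowTcpForwarding); on a real host you would feed it /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not part of the original post): a small lint for the
# "forwarding-only" Match block. SAMPLE_CONFIG is constructed for the demo:
# alice has the complete block, bob only has AllowTcpForwarding and would
# still be able to get a shell.

SAMPLE_CONFIG='Port 2222
PermitRootLogin prohibit-password
Match User alice
        X11Forwarding no
        AllowTcpForwarding yes
        PermitTTY no
        ForceCommand exit
        PubkeyAuthentication yes
        PasswordAuthentication no
Match User bob
        AllowTcpForwarding yes
'

# match_block USER CONFIG_TEXT
# Prints "keyword value" (keyword lowercased, the way sshd treats keywords)
# for every directive inside "Match User USER". Any new Match line ends
# the block, so directives for other users are never mixed in.
match_block() {
    printf '%s\n' "$2" | awk -v user="$1" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock && NF { print tolower($1), $2 }
    '
}

# check_forwarding_only USER CONFIG_TEXT
# Prints one MISSING line per violated requirement and returns 1 if there
# is any; returns 0 when the user really is locked down to port-forwarding.
check_forwarding_only() {
    block=$(match_block "$1" "$2")
    rc=0
    for want in "permittty no" "forcecommand exit" "allowtcpforwarding yes" \
                "x11forwarding no" "passwordauthentication no" "pubkeyauthentication yes"; do
        key=${want%% *}
        val=${want#* }
        got=$(printf '%s\n' "$block" | awk -v k="$key" '$1 == k { print $2 }')
        if [ "$got" != "$val" ]; then
            printf 'MISSING: %s %s (found: %s)\n' "$key" "$val" "${got:-<unset>}"
            rc=1
        fi
    done
    # Not an error, but worth knowing: without PermitOpen the user may forward
    # to any host and port the bastion itself can reach.
    if ! printf '%s\n' "$block" | grep -q '^permitopen '; then
        printf 'WARN: no PermitOpen for %s, forwarding destinations are unrestricted\n' "$1"
    fi
    return $rc
}

# Stand-alone run: check both users in the sample config.
for u in alice bob; do
    echo "== $u =="
    check_forwarding_only "$u" "$SAMPLE_CONFIG" && echo "OK: $u is forwarding-only"
done
```

Two things to keep in mind when running it against a real file. Everything after a Match line belongs to that block until the next Match, so the block must sit after the global directives (usually at the end of the file); the lint follows the same rule. And a text lint only sees what is written: to see the values sshd will actually apply to alice, including defaults and any other Match blocks that also match her, run `sshd -T -C user=alice` on the host. The WARN line is there because AllowTcpForwarding yes on its own lets the developer reach any host the bastion can reach; a PermitOpen line inside the Match block pins the forwarding to the database endpoint you intend.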

Let's generate an SSH key pair for the alice user (on the developer's machine).

❯ ssh-keygen -t ed25519 -f alice -C "alice-user"                     
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in alice
Your public key has been saved in alice.pub
The key fingerprint is:
SHA256:xeJwT6biReIIn+2GNXp8pveKbLyfP2R58zT5S99xVGM alice-user
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|         .       |
|  .   o + =    E.|
|   o = * B    . o|
|    + * S ..   ..|
|     B +  + o +. |
|    o.* oo . + =.|
|     +o=...   o *|
|     .=+++o.   .+|
+----[SHA256]-----+

~/Desktop/alice-keys on ☁️  (ap-southeast-1) 
❯ ll
total 8.0K
-rw------- 1 dong dong 399 Nov 13 11:44 alice
-rw-r--r-- 1 dong dong  92 Nov 13 11:44 alice.pub


Now add alice's public key to /home/alice/.ssh/authorized_keys on the bastion:

[root@localhost ~]# mkdir -p /home/alice/.ssh
[root@localhost ~]# vi /home/alice/.ssh/authorized_keys

Now alice is able to use SSH port-forwarding but cannot log in to this VM: if alice tries to log in and get a PTY session, the session is terminated immediately.

~/Desktop/alice-keys on ☁️  (ap-southeast-1) 
❯ ssh -i alice alice@192.168.1.115 -p 2222
PTY allocation request failed on channel 0
Connection to 192.168.1.115 closed.

Now, let's test it. On alice's machine run this command:

$ ssh -i alice -N -L 8080:google.com:80 alice@192.168.1.115 -p 2222

Send a request to port 8080:

$ curl localhost:8080          
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{b
  <p>The requested URL <code>/</code> was not found on this server.  <ins>That’s all we know.</ins>

It works: port 8080 on the local machine is forwarded through the bastion to port 80 on google.com. You can try the same with an Amazon RDS endpoint.