The Bastion is a secure SSH gateway providing authentication, authorization, traceability, and auditability for managing access to infrastructure.
Authentication, authorization, traceability and auditability for SSH accesses.
The Bastion is used by operational teams such as sysadmins, developers, and database admins to securely access servers, cloud instances, and network devices via SSH through a centralized entry point. It enables fine-grained role-based access control (RBAC) and audit logging, simplifying infrastructure access management and enhancing security by abstracting user identities from the infrastructure.
The Bastion requires no special software on target devices beyond a standard SSH server, making it suitable for legacy and network devices. Its minimal dependencies reduce attack surface and downtime risk. Best practices include integrating with existing identity management systems and configuring high availability for critical environments.
Clone the repository from GitHub (https://github.com/ovh/the-bastion)
Refer to the online documentation for detailed setup instructions (https://ovh.github.io/the-bastion/)
Configure The Bastion with your infrastructure and user groups
Set up SSH clients to connect through The Bastion as the unique entry point
Optionally configure high availability for production environments
ssh bastion-user@the-bastion-host -t -- remote-user@target-host
Connect through The Bastion as an individual user to reach a target host you are authorized for (remote-user and target-host are placeholders for the account and server granted to you; The Bastion itself has no access to them beyond what your group rights allow)
ssh bastion-user@the-bastion-host -t -- --osh selfListAccesses --json
Interact with The Bastion's JSON API for automation and management: the API is the --json output of its osh commands (here selfListAccesses, which lists your own accesses), and it is reached over the SSH session rather than over HTTP, so curl is not applicable