First release of Bastion image

.gitlab-ci.yml

@@ -0,0 +1,41 @@
+image: docker:latest
+
+services:
+  - docker:dind
+
+stages:
+  - build
+
+build-dev:
+  stage: build
+  script:
+    - docker info
+    - docker build --pull -t "$CI_REGISTRY/$CI_PROJECT_NAME:dev" .
+    - docker push "$CI_REGISTRY/$CI_PROJECT_NAME:dev"
+  only:
+    - dev
+  tags:
+    - builder
+
+build-master:
+  stage: build
+  script:
+    - docker info
+    - docker build --pull -t "$CI_REGISTRY/$CI_PROJECT_NAME:latest" .
+    - docker push "$CI_REGISTRY/$CI_PROJECT_NAME:latest"
+  only:
+    - master
+  tags:
+    - builder
+
+build-tag:
+  stage: build
+  script:
+    - IMAGE_TAG=${CI_COMMIT_TAG#v}
+    - docker info
+    - docker build --pull -t "$CI_REGISTRY/$CI_PROJECT_NAME:$IMAGE_TAG" .
+    - docker push "$CI_REGISTRY/$CI_PROJECT_NAME:$IMAGE_TAG"
+  only:
+    - /^v(\d+\.)?(\d+\.)?(\*|\d+)$/
+  tags:
+    - builder

Dockerfile

@@ -0,0 +1,30 @@
+FROM alpine:3.8
+
+LABEL maintainer="Mark <mark.binlab@gmail.com>"
+
+ARG HOME=/var/lib/bastion
+
+ARG USER=bastion
+ARG GROUP=bastion
+ARG UID=4096
+ARG GID=4096
+
+RUN addgroup -S -g ${GID} ${GROUP} \
+    && adduser -D -h ${HOME} -s /bin/ash -g "${USER} service" \
+           -u ${UID} -G ${GROUP} ${USER} \
+    && sed -i "s/${USER}:!/${USER}:*/g" /etc/shadow \
+    && set -x \
+    && apk add --no-cache openssh-server
+
+EXPOSE 22/tcp
+
+VOLUME /etc/ssh
+
+CMD /usr/bin/ssh-keygen -A \
+    && /usr/sbin/sshd -D -e -4 \
+        -o AuthorizedKeysFile=authorized_keys \
+        -o PubkeyAuthentication=yes \
+        -o PasswordAuthentication=no \
+        -o PermitEmptyPasswords=no \
+        -o PermitRootLogin=no \
+        -o GatewayPorts=yes

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Mark
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,3 +1,170 @@
-# Bastion
+# Bastion — jump host (gate) based on OpenSSH Server (sshd)
 
-Bastion — jump host (gate) based on OpenSSH Server
+> A [bastion host](https://en.wikipedia.org/wiki/Bastion_host) is a
+special purpose computer on a network specifically designed and
+configured to withstand attacks. The computer generallyhosts a single
+application, for example a proxy server, and all otherservices are
+removed or limited to reduce the threat to the computer. It is hardened
+in this manner primarily due to its location and purpose,which is
+either on the outside of a firewall or in a demilitarized zone (`DMZ`)
+and usually involves access from untrusted networks orcomputers. 
+
+---
+
+![AWS Bastion](https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/NM_diagram_061316_a.png)
+
+## Useful cases
+
+[Bastion](https://hub.docker.com/r/binlab/bastion) is an isolated
+`Docker` image that can work as a link between `Public` and `Private`
+network. It can be also useful for reverse `SSH` tunneling for a host
+behind a `NAT`. This image based on `Alpine Linux` last version.
+
+## Usage
+
+###  Run Bastion and `expose` port `22222` to outside a host machine
+
+The container assumes your `authorized_keys` file with `644` permissions and mounted under `/var/lib/bastion/authorized_keys`.
+
+Docker example:
+
+```shell
+$ docker volume create bastion
+$ docker run -d \
+    --name bastion \
+    --hostname bastion \
+    --restart unless-stopped \
+    -v ./bastion_keys:/var/lib/bastion/authorized_keys:ro \
+    -v bastion:/etc/ssh:rw
+    --add-host dockerhost:172.17.0.1
+    -p 22222:22/tcp \
+    binlab/bastion
+```
+
+Docker-compose example:
+
+```yaml
+version: '3.3'
+services:
+  bastion:
+    image: binlab/bastion
+    container_name: bastion
+    hostname: bastion
+    restart: unless-stopped
+    expose:
+      - 22/tcp
+    ports:
+      - 22222:22/tcp
+    volumes:
+      - ./bastion_keys:/var/lib/bastion/authorized_keys:ro
+      - bastion:/etc/ssh:rw
+    extra_hosts:
+      - docker-host:172.17.0.1
+    networks:
+      - bastion
+
+networks:
+  bastion:
+    driver: bridge
+
+volumes:
+  bastion:
+```
+
+_* When you are run `Bastion` container first time it generates `dsa`, `ecdsa`, `ed25519` and `rsa` key pair and saves them in permanent volume `bastion`, When you need to regenerate key pair, you should remove volume `bastion`._
+
+### 1. Connect to  `Bastion`
+
+---
+
+* Add your user to group `docker` to have possibility run `docker-compose` and `docker` from your user without `sudo`. After you should re-login or open a new terminal window.
+
+```shell
+$ sudo usermod -aG docker <your_user>
+```
+
+* Create custom work dir e.g. `docker`, enter to it and clone repository
+
+```shell
+$ mkdir $HOME/docker 
+$ cd $HOME/docker
+$ git clone https://github.com/binlab/docker-bastion.git
+$ cd docker-bastion
+```
+
+* Generate `rsa` pair (if you have one, skip this)
+
+```shell
+$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f $HOME/.ssh/id_rsa
+```
+
+* Add `rsa` public key to `bastion_keys` file
+
+```shell
+$ cat $HOME/.ssh/id_rsa.pub > ./bastion_keys
+```
+
+* Run [`docker-compose.yml`](docker-compose.yml) configuration - `bastion` & `docker-ssh`
+
+```shell
+$ docker-compose up
+```
+
+* And then you are can connect to it (in another terminal window)
+
+```shell
+$ ssh -i $HOME/.ssh/id_rsa -p 22222 bastion@127.0.0.1
+```
+
+* You should see like this:
+
+```shell
+user@localhost:~$ ssh -p 22222 bastion@127.0.0.1
+The authenticity of host '[127.0.0.1]:22222 ([127.0.0.1]:22222)' can't be established.
+ECDSA key fingerprint is 
+SHA256:********************************************
+ECDSA key fingerprint is MD5:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '[127.0.0.1]:22222' (ECDSA) to the list of known hosts.
+Welcome to Alpine!
+
+The Alpine Wiki contains a large amount of how-to guides and general
+information about administrating Alpine systems.
+See <http://wiki.alpinelinux.org>.
+
+You can setup the system with the command: setup-alpine
+
+You may change this message by editing /etc/motd.
+
+bastion:~$ 
+```
+
+### 2. Connect to `Host` through `Bastion`. 
+
+---
+
+To achieve this you should add your private key to `SSH` agent and turn on `ForwardAgent` in `~/.ssh/config` or from a command line via flag `-A`
+
+> -A option enables forwarding of the authentication agent connection.
+>
+> It means that, it forwards your SSH auth schema to the remote host. > So you can use SSH over there as if you were on your local machine.
+
+* Add private key to `SSH` agent
+
+```shell
+$ ssh-add $HOME/.ssh/id_rsa
+```
+
+* Test `Bastion` bridge in action
+
+```shell
+$ ssh -A -J bastion@127.0.0.1:22222 <your_user>@docker-host
+```
+
+### 3. Connect to another container with `SSH` through `Bastion`. 
+
+---
+
+```shell
+$ ssh -A -J bastion@127.0.0.1:22222 bastion@docker-ssh
+```

docker-compose.yml

@@ -0,0 +1,39 @@
+version: '3.3'
+services:
+  bastion:
+    image: binlab/bastion
+    container_name: bastion
+    hostname: bastion
+    restart: unless-stopped
+    expose:
+      - 22/tcp
+    ports:
+      - 22222:22/tcp
+    volumes:
+      - ./bastion_keys:/var/lib/bastion/authorized_keys:ro
+      - bastion:/etc/ssh:rw
+    extra_hosts:
+      - docker-host:172.17.0.1
+    networks:
+      - bastion
+
+  docker-ssh:
+    image: binlab/bastion
+    container_name: docker-ssh
+    hostname: docker-ssh
+    restart: unless-stopped
+    expose:
+      - 22/tcp
+    volumes:
+      - ./bastion_keys:/var/lib/bastion/authorized_keys:ro
+      - docker-ssh:/etc/ssh:rw
+    networks:
+      - bastion
+
+networks:
+  bastion:
+    driver: bridge
+
+volumes:
+  bastion:
+  docker-ssh: