SSH Tunneling
With BastionZero SSH tunneling, there is no need to set up SSH keys; instead, BastionZero automatically sets up a one-time-use SSH key for each tunnel. You can then use your native SSH clients and scripts to connect to targets that are autodiscovered to BastionZero.
[Figure: Diagram of SSH tunneling in BastionZero]
The figure shows the architecture for the SSH tunnel. The connection from your SSH client is routed through BastionZero's CLI. The CLI then creates an SSH tunnel directly to the target. The SSH tunnel is passed over a websocket from the CLI to BastionZero. From there, it is passed over a different websocket from BastionZero to the target.
If a user wants to access a target via an SSH tunnel, there must be a policy in BastionZero that allows her to do so.
At this time, BastionZero cannot read the contents of the SSH tunnel, so command logging is not possible with SSH tunneling. However, BastionZero logs do capture the establishment of the SSH tunnel and its duration.

Setting It Up

Run zli ssh-proxy-config and configure your .ssh/config file with a bzero-* host entry carrying two lines:
host bzero-*
    IdentityFile /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
    ProxyCommand /home/user/zli ssh-proxy -s %h %r %p /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
For simple access, just prefix the hostname with bzero- (matching the host pattern in the config entry above):
You can tunnel to a remote server application using the below.
$ ssh -L 6100: [email protected]
You can also tunnel using a client browser to reach an HTTP application on your local network.
$ ssh -L 8080: [email protected]
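The following is an added example (not part of BastionZero's documentation or tooling) that parses an ssh config and checks the bzero-* entry has the shape described above: an IdentityFile, and a ProxyCommand that invokes ssh-proxy, passes %h %r %p, and points at the same key file. The paths, hostnames and sample config are constructed for illustration.

```python
import re

# Constructed sample: the stanza from the page plus an unrelated host block.
SAMPLE_CONFIG = """\
Host github.com
    User git

host bzero-*
    IdentityFile /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
    ProxyCommand /home/user/zli ssh-proxy -s %h %r %p /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
"""


def parse_ssh_config(text):
    """Return {host_pattern: {option_lowercase: value}} for each Host block.

    Mirrors ssh_config semantics closely enough for this check: keywords are
    case-insensitive, '=' or whitespace separates keyword and value, '#'
    starts a comment, and the first value seen for an option wins.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(\w+)\s*[=\s]\s*(.*)", line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "host":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)
    return blocks


def check_bzero_stanza(blocks, pattern="bzero-*"):
    """Return a list of problems; an empty list means the entry looks right."""
    opts = blocks.get(pattern)
    if opts is None:
        return [f"no 'Host {pattern}' block"]
    problems = []
    ident, proxy = opts.get("identityfile"), opts.get("proxycommand")
    if not ident:
        problems.append("IdentityFile missing")
    if not proxy:
        problems.append("ProxyCommand missing")
        return problems
    if "ssh-proxy" not in proxy:
        problems.append("ProxyCommand does not invoke 'zli ssh-proxy'")
    for token in ("%h", "%r", "%p"):          # host, user, port handed to zli
        if token not in proxy.split():
            problems.append(f"ProxyCommand lacks {token}")
    if ident and ident not in proxy:
        problems.append("ProxyCommand key path differs from IdentityFile")
    return problems
```

Run it against the real file with `check_bzero_stanza(parse_ssh_config(open("~/.ssh/config").read()))` after expanding the path; a non-empty list points at the line to fix.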
For more information on SSH tunnels, check out the SSH tunneling man page.