With BastionZero SSH tunnelling, there is no need to set up SSH keys; instead, BastionZero automatically sets up a one-time-use SSH key for each tunnel. You can then use your native SSH clients and scripts to connect to targets that have been autodiscovered by BastionZero.


The figure shows the architecture for the SSH tunnel. The connection from your SSH client is routed through BastionZero's CLI (zli). The CLI then creates an SSH tunnel directly to the target. The SSH tunnel is carried over a websocket from the CLI to BastionZero, and from there over a second websocket from BastionZero to the target.


If a user wants to access a target via an SSH tunnel, there must be a policy in BastionZero that allows her to do so.


At this time, BastionZero does not have the ability to read the contents of the SSH tunnel, so command logging is not possible with SSH tunnelling. However, BastionZero logs do capture the establishment of the SSH tunnel and its duration.


Setting it up


Run 'zli ssh-proxy-config' and configure your .ssh/config file with the following stanza (a host pattern with two settings: the one-time key and the proxy command that routes the connection through zli):


host bzero-*
    IdentityFile /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
    ProxyCommand /home/user/zli ssh-proxy -s %h %r %p /home/user/.config/bastionzero-zli-nodejs/bzero-temp-key
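The following POSIX shell script is an added example, not BastionZero's own code or the output of zli. It renders the same stanza as above from two variables, shows what ssh actually executes once it has expanded the %h, %r and %p tokens in the ProxyCommand, and installs the stanza into ~/.ssh/config only once. The paths in ZLI_BIN and BZ_KEY are the ones shown on this page and are assumptions; override them for your own install.

```shell
#!/bin/sh
# Added example (not BastionZero's code): render, inspect and install the
# bzero-* stanza for ~/.ssh/config. Paths are assumptions copied from the docs.
ZLI_BIN="${ZLI_BIN:-/home/user/zli}"
BZ_KEY="${BZ_KEY:-/home/user/.config/bastionzero-zli-nodejs/bzero-temp-key}"

# Print the Host stanza: any host name starting with "bzero-" uses the
# one-time key and is proxied through the zli CLI.
render_bzero_stanza() {
    printf 'Host bzero-*\n'
    printf '    IdentityFile %s\n' "$BZ_KEY"
    printf '    ProxyCommand %s ssh-proxy -s %%h %%r %%p %s\n' "$ZLI_BIN" "$BZ_KEY"
}

# Does a host name fall under the bzero-* stanza?
matches_bzero() {
    case "$1" in
        bzero-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Expand %h (host), %r (remote user) and %p (port) the way ssh does, so you
# can see the exact proxy command that runs for `ssh -p PORT USER@HOST`.
expand_proxy_command() {
    bz_host=$1; bz_user=$2; bz_port=${3:-22}
    printf '%s ssh-proxy -s %s %s %s %s\n' \
        "$ZLI_BIN" "$bz_host" "$bz_user" "$bz_port" "$BZ_KEY"
}

# Append the stanza to the config file only if it is not already there.
# ssh rejects a config file that is group- or world-writable, so keep it 0600.
install_bzero_stanza() {
    cfg=${1:-"$HOME/.ssh/config"}
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"
    if grep -qi '^Host bzero-\*' "$cfg"; then
        echo "bzero-* stanza already present in $cfg"
    else
        { echo; render_bzero_stanza; } >> "$cfg"
        echo "added bzero-* stanza to $cfg"
    fi
}

# Usage:
#   install_bzero_stanza                      # writes ~/.ssh/config
#   expand_proxy_command bzero-centos-machine1 ssm-user
```

Running expand_proxy_command for the example host on this page prints the command that ssh hands to zli for that connection, which is the quickest way to confirm that the key path and zli path in the stanza are the ones you expect before the first login.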


For simple access, just prefix the target's host name with bzero- (the pattern matched by the config stanza above):


$ ssh ssm-user@bzero-centos-machine1


You can tunnel to a server application on the target; here local port 6100 is forwarded to port 5432 on the target bzero-postgresDB:


$ ssh -L 6100:127.0.0.1:5432 ssm-user@bzero-postgresDB


You can also reach an HTTP application on the network behind the target from a local browser; here local port 8080 is forwarded through the target to 10.0.0.1:80 (the address is resolved from the target's side):


$ ssh -L 8080:10.0.0.1:80 ssm-user@bzero-httpRedirectServer
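The helper below is an added example, not part of BastionZero's tooling. It wraps the two -L forwards shown above: it validates the ports, checks that the target carries the bzero- prefix so the stanza from 'zli ssh-proxy-config' applies, starts ssh in the background with ExitOnForwardFailure so a local port that is already in use produces an error instead of a silent tunnel without the forward, and then polls the local port until it accepts connections. It assumes the stanza is installed and that nc is available for the port check.

```shell
#!/bin/sh
# Added example (not BastionZero's code): open a local port forward through a
# bzero-* target and wait until the local side is listening. Assumes the
# ~/.ssh/config stanza from `zli ssh-proxy-config` is in place and nc exists.

# Validate a TCP port number (1-65535); returns non-zero otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Build the -L argument LOCALPORT:REMOTEHOST:REMOTEPORT.
# Prints nothing and fails if either port is out of range.
build_forward_spec() {
    if ! valid_port "$1" || ! valid_port "$3"; then return 1; fi
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# open_bzero_tunnel LOCALPORT REMOTEHOST REMOTEPORT USER@TARGET
open_bzero_tunnel() {
    local_port=$1; remote_host=$2; remote_port=$3; login=$4
    # Only bzero-* hosts pick up the one-time key and zli ProxyCommand.
    case "${login#*@}" in
        bzero-*) ;;
        *) echo "target must use the bzero- prefix: $login" >&2; return 2 ;;
    esac
    spec=$(build_forward_spec "$local_port" "$remote_host" "$remote_port") || {
        echo "bad port in $local_port / $remote_port" >&2; return 2; }
    # -N: no remote command; -f: background after auth;
    # ExitOnForwardFailure: exit non-zero if the local port cannot be bound.
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$login" || return 1
    # Poll up to ~10 s for something to accept connections on the local port.
    i=0
    while [ "$i" -lt 10 ]; do
        if nc -z 127.0.0.1 "$local_port" 2>/dev/null; then
            echo "tunnel up: 127.0.0.1:$local_port -> $remote_host:$remote_port via $login"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "tunnel did not come up on port $local_port" >&2
    return 1
}

# Usage (needs a reachable target, so not run here):
#   open_bzero_tunnel 6100 127.0.0.1 5432 ssm-user@bzero-postgresDB
#   open_bzero_tunnel 8080 10.0.0.1 80 ssm-user@bzero-httpRedirectServer
```

Because the tunnel runs with -f, ssh returns once authentication and the forward have succeeded; the ssh process stays in the background and can be found and stopped with your usual process tools when the session is over, which is also the point at which BastionZero's own log records the tunnel's end.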


Resources


ssh(1) man page, including the -L local forwarding option: https://linux.die.net/man/1/ssh