Overview

BastionZero's no single point of compromise keysplitting technology enables advanced use cases that were often challenging to deploy securely or lacked visibility and control.


One of our favorites is what we call BYoC, bring our own client, to enable your developers, cloud operators, and SRE teams to tunnel into any environments using the tools they are familiar with. 


This is done using our ZLI proxy capability and we'll review how to accomplish that using DBeaver, a free universal database tool which can be found here: DBeaver.


Use Case

Consider the following simplified use case diagram:



In this particular example we have a user, running DBeaver on their endpoint.  We will assume it is a MAC but this is also applicable to Linux and Windows on Linux.  The user will make a connection to a postgres Database running inside their cloud.  The BastionZero SSM agent has been configured on the server along with the database instance in this example.  However, the BastionZero agent could have also been configured on any host that can terminate the tunnel and reach the database.


In this example we have already set up the following:

  • PostgresSQL has been installed on an ubuntu instance.  This is the target.
  • The target has been registered to BastionZero using the b() Agent.
  • A policy for allowing a user to tunnel into the target which is also running the database in this example. 
  • The ZLI has been installed on our MAC using our brew tap,  brew install bastionzero/tap/zli


Additional knowledge base articles introducing the core concepts of BastionZero can be found here: Getting started


Step 1 : Configure SSH Proxy 


The user will need to configure Dbeaver to tunnel to the target through BastionZero.  To get started doing so the user must first execute the zli proxy configuration command to retrieve the information necessary for setting this up.  After you have installed the ZLI, at a terminal window type:

zli ssh-proxy-config

You should see an output similar to what is below:


DBeaver $ zli ssh-proxy-config
Logged in as: testuser@bastionzero.com, bzero-id:2abb9f7b-9b5d-40aa-a770-64713ec56ffe, session-id:08cd61d6-e0f8-4d2e-bda8-06c3d7de8e47


Add the following lines to your ssh config (~/.ssh/config) file:
host bzero-*
IdentityFile /Users/testuser/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key
ProxyCommand /usr/local/Cellar/zli/4.12.0/bin/zli ssh-proxy  -s %h %r %p /Users/testuser/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key

Then you can use native ssh to connect to any of your ssm targets using the following syntax:

ssh <user>@bzero-<ssm-target-id-or-name>

DBeaver $


Go ahead and edit your ~/.ssh/config file to add the lines highlighted above.   This configuration means that any time SSH is invoked with the host prefix 'bzero-' SSH will run the proxy command and use the identity file as specified.  In our case above the ssh config file looks like:

host bzero-*
IdentityFile /home/testuser/.config/bastionzero-zli-nodejs/bzero-temp-key
ProxyCommand /home/testuser/zli ssh-proxy --debug --configName=stage -s %h %r %p /home/testuser/.config/bastionzero-zli-nodejs/bzero-temp-key


Step 2: Test your SSH Tunnel configuration


Now that your SSH config file has been updated we can test your configuration.  Using the target name that is part of the tunnel policy you can connect via SSH by typing:

ssh targetUser@bzero-targetName

In the specific example for this document we will use the ssm-user to connect to a target called db-postgress by entering: 

ssh ssm-user@bzero-db-postgres


If this is the first ssh connection to the host you will be prompted to accept the connection.  There is a policy check and access event generated for this action in the bastionZero logs.  The output should look similar to: 


DBeaver $ ssh ssm-user@stage-bzero-db-postgres
ECDSA key fingerprint is SHA256:3w4joIEt9wbCOTuMqknYt8cnXYYJAZIj/LhizT6BN98.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'stage-bzero-db-postgres' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-51-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Mar 31 10:34:08 UTC 2021


  System load:  0.08               Users logged in:       0
  Usage of /:   14.5% of 24.06GB   IPv4 address for eth0: 143.198.9.90
  Memory usage: 40%                IPv4 address for eth0: 10.17.0.7
  Swap usage:   0%                 IPv4 address for eth1: 10.108.0.4
  Processes:    122
Last login: Tue Mar 30 20:53:50 2021 from 127.0.0.1
$ 


Now that we've demonstrated we can set up a tunnel to a linux host let's go ahead and do the same but this time redirect through local port 6100.  You'll notice below that the tunnel is preparing us for using DBeaver.  Replace the targetName and targetUser with your specifics.   Again, for our example we enter: 

ssh -L 6100:127.0.0.1:5432 ssm-user@bzero-db-postgres

You will be greeted by the system prompt of the targetName host:


DBeaver $ ssh -L 6100:127.0.0.1:5432 ssm-user@bzero-db-postgres
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-51-generic x86_64)


 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


  System information as of Wed Mar 31 10:38:38 UTC 2021


  System load:  0.01               Users logged in:       0
  Usage of /:   14.5% of 24.06GB   IPv4 address for eth0: 143.198.9.90
  Memory usage: 41%                IPv4 address for eth0: 10.17.0.7
  Swap usage:   0%                 IPv4 address for eth1: 10.108.0.4
  Processes:    123


Last login: Wed Mar 31 10:34:11 2021 from 127.0.0.1
$ 

Summary

By completing steps 1 and 2 the SSH Tunneling configuration is now complete.  Your local device has been configured to support SSH Tunnels using SSH with the prefix 'bzero-'.   You must have a BastionZero policy in place for the tunnel to connect.  A policy check and a connection event will be generated and viewable in the BastionZero logs.

Step 3: Configure DBeaver & Test


With the SSH tunnel configuration now complete we can set up DBeaver to connect to the postgres DB.  If you have not already download and install DBeaver for your applicable endpoint.  DBeaver can be found here: DBeaver.


Open DBeaver.  In our example we will create a connection to a PostgreSQL database.  On the connection settings we will enter localhost for the host, 6100 for the port, and the postgres username and password as illustrated here:


Go back to your terminal window and enter the ssh command we used from step 2 to test our tunnel.  Once connected leave the terminal session active:

ssh -L 6100:127.0.0.1:5432 ssm-user@bzero-db-postgres


Now that you are connected via the SSH tunnel, click 'Test Connection' on your DBeaver connection settings window.  You should see the following result:



Congratulations!  Let's review what we just accomplished:

  • We set up our user to utilize SSH tunneling to a target behind our permiter
  • We set up a SSH Tunnel to redirect local port 6100 to a remote host port 5432.
  • Using DBeaver, we made a connection to that remote host's postgres instance