Skip to main content
  1. Posts/

Setup an OpenBSD Bastion Host

·559 words·3 mins·
Servers Technology Openbsd Productivity
Joshua Blais
Author
Joshua Blais
Table of Contents

Introduction
#

We are going to be setting up a Bastion Host (or colloquially a ‘Jumpbox’) for our cloud infrastructure.

This should be the entry point for all future server, database, and load balancing systems.

The purpose of Bastion Hosts is simple and for one reason: to only allow the ability to SSH into your cloud infrastructure from ONE secure location. No other computers in the world will be allowed to access the rest of your machines, only this one.

Classically, you would SSH into each part of your infrastructure (DB, web server, load balancers etc.) and work on them. Most guides are set up so that you directly connect to your production server from your desktop. However, this adds a secure step in the process, stopping the greater internet from even really seeing these important parts of your setup.

How are we going to do this?

Via the most secure OS in the world - OpenBSD

Let’s begin!

OpenBSD Setup:
#

Go into Vultr - use my promo code to save some money (and give me a little kickback, thank you!) and create an OpenBSD instance. From here, you will ssh into it from your main computer and begin the process of a basic setup

1. Setup SSH keys
#

Setup your ssh keys on your local computer by:

ssh-keygen -t rsa 4096 -f ~/ssh/whateverKeyNameYouWant.key -C "Jumpbox key"

This will give you two files in your .ssh directory: whateverKeyNameYouWant.key AND whateverKeyNameYouWant.key.pub

You will add that .pub key to your OpenBSD installation

2. Change root password
#

Get into your bastion host via:

ssh root@yourserverIP

using the password on your Vultr server details page

You’re in!

Now, first thing first is we will change that root password:

passwd

And enter whatever root password you want.

3. Add packages
#

We can add packages to our new OpenBSD installation via the following:

pkg_add packageName
pkg_add neovim

I generally add neovim to all my servers, and this is no exception.

4. Create a new user
#

Enter as the root user:

useradd

and you will get an interactive script allowing you to name and create a new user

4.1 Add that user to wheel group
#

Edit /etc/group file as the root user:

and add the following:

wheel:*:0:root,john_doe

or in the terminal:

sudo useradd -G wheel john_doe

4.2 Enable doas:
#

nvim /etc/doas.conf as the root user And put the following in the file:

permit :wheel

4.3 Make sure your private key is in that USER’s .ssh/authorizedkeys
#

As the user you created:

cat .ssh/authorized_keys

or as root:

cat /home/user/.ssh/authorized_keys

The file should look like the following:

ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQC2SPcjFIXET7ij8LqkmuxF87HbMmnHRBlajbLPBjjIeHp7A/i8B8KY2F8ze5iZUM
kpdrObuZ+zeKymuKixeb//K1zBHGercYJYhl9UJ9r03haFuYGj033BTut9m6qFO/ytyW5njTQDIfVWyXjm5988RMAdTZR+QZugFYx/
8v4VE83DX53wNdiQlpsp+hWwPj6FgA8QT9xdsEYABywqO08+MfLVP3xOaCxtpN3PnCin6N1ZEC
t+S35h61TOiujRYRvIIJOh896AtjWTJrKd+W4WcQFj0SbWcMD3+V7Wn0pMNLJBHZT9mJLLl1r7WU5Kbnlk3l7VRqkY5F8UBtTQ2dNxAY8nICtXXkcGY
FpcvcSYoOpphGiAYvBapLiLmlW7cLyKgxS5wyDnN3NT1baYOlDcNJkvkf3X4CQTVbDx2Pxk1B
9+I7PFhZHIoqyRi+qF58ZhmRSvjaAgrvhMJmgo60Iw5inqcSGY3rqQpFip6dXxiCgqX72ON++7Gyi7TWPp0LkVeGMiRz3i+iuu3bb5OvBlS5zK2dvBgLv4Ot
meGrZm74GsOIWr+Tjojw7ksMGzpdcussYdOwjIzRKHctLeBU18nH9zroqcC0hQnHeTBoDyjyPY0Z
n/iXFKYpnm1v8K6Kme9LcKE7H9bbPHBlNFnq3G+RNVxLY1dldKXkS2IA86FQ== throwaway

5. Security and remove ability to ssh into root user:
#

inside /etc/ssh/sshdconfig from root:

Change the following lines and UNCOMMENT them:

PermitRootLogin -> no
AuthorizedKeysFile -> .ssh/authorized_keys
PasswordAuthentication -> no

Then run:

/etc/rc.d/sshd restart

Now to get into remote server you must run:

ssh -i .ssh/private_key.key user@33.33.333.33

Congratulations! You now have a tremendously secure Jump-in point for your cloud infrastructure that only you can access via your ssh private key.

Next, we will configure a load balancing machine.

I hope you liked this first technical post I’ve made, and I plan on doing many more in the future for the sake of documenting the journey of developing applications that are portable and scalable.