Add Bastion User
Before a user can access private network resources, an admin must configure the bastion to allow that user. Before getting started, the admin needs:
- SSH Key with access to the Bastion
- Bastion IP address (Visit the Bastion Overview page and look for "Public URLs")
Follow these steps to enable user access:
Allow IP Address
Visit the Bastion in Nullstone and go to the Configuration tab. Add the user's IP address to the list of IP addresses and apply changes. Have the user visit https://www.whatismyip.com/ to view their public IP address.
WARNING
The Bastion configuration uses a CIDR which requires a network mask at the end of the IP address. To specify a single IPv4 address as a CIDR, add a /32 suffix (e.g. 1.2.3.4/32). To specify a single IPv6 address as a CIDR, add a /128 suffix (e.g. 2601:00cb:4280:18a5:f1ed:129b:b2f9:53d2/128).
Generate SSH Key
If the user doesn't have an SSH Key, they will need to generate one. GitHub has a great guide for generating a new SSH Key here.
Remember the filenames of the SSH Key you generated. If you followed the GitHub guide, you should have generated two files:
- Private Key: ~/.ssh/id_ed25519
- Public Key: ~/.ssh/id_ed25519.pub
Allow SSH Key
In the previous guide, we launched the Bastion with ssh_public_key. This is the public key associated with the administrator and will be used to configure the user's SSH Key.
To enable user access, we need to add the user's SSH public key to a set of authorized keys on the Bastion. As the administrator, connect to the Bastion and add the user's public key.
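# From the administrator's machine: open a shell on the Bastion
ssh ubuntu@<bastion-ip>
# On the Bastion: append the key; the quoted 'EOF' keeps the shell from expanding anything in the pasted text
cat <<'EOF' >> ~/.ssh/authorized_keys
<paste user's ssh key (filename ends with .pub)>
EOF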
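A more defensive version of the append above, as an added example that is not part of Nullstone's own tooling: it refuses a private key pasted by mistake, checks the line's structure, skips a key that is already authorized, and keeps the file owner-only. The helper name add_authorized_key and the idea of first copying the user's .pub file to the Bastion are assumptions, and the check is structural only.

```sh
# Added example. add_authorized_key is a hypothetical helper name.
# Usage on the Bastion: add_authorized_key <user.pub> [authorized_keys path]
add_authorized_key() {
  _pub="$1"
  _auth="${2:-$HOME/.ssh/authorized_keys}"

  # A private key must never end up on the Bastion.
  if grep -q 'PRIVATE KEY' "$_pub"; then
    echo "refusing: $_pub contains a private key" >&2; return 2
  fi

  # Strip Windows line endings; expect exactly one "<type> <base64> [comment]" line.
  _count=$(tr -d '\r' < "$_pub" | grep -c . || true)
  if [ "$_count" -ne 1 ]; then
    echo "refusing: expected exactly one key line" >&2; return 3
  fi
  _line=$(tr -d '\r' < "$_pub" | grep .)
  _type=$(printf '%s\n' "$_line" | awk '{print $1}')
  _blob=$(printf '%s\n' "$_line" | awk '{print $2}')

  case "$_type" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing: unsupported key type '$_type'" >&2; return 4 ;;
  esac
  case "$_blob" in
    ''|*[!A-Za-z0-9+/=]*) echo "refusing: malformed key data" >&2; return 5 ;;
  esac

  # sshd ignores authorized_keys files that other users can write to.
  touch "$_auth" && chmod 600 "$_auth" || return 6

  # Match on key type plus key data, so a changed comment is still a duplicate.
  if awk -v t="$_type" -v b="$_blob" \
      '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) hit = 1 }
       END { exit !hit }' "$_auth"; then
    echo "already authorized: $_type key" >&2; return 0
  fi

  # Make sure the previous entry ends with a newline before appending.
  [ -n "$(tail -c 1 "$_auth")" ] && echo >> "$_auth"
  printf '%s\n' "$_line" >> "$_auth"
}
```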
TIP
The Bastion IP address can be found in the Nullstone UI on the Bastion's "Overview" page listed as "Public URLs".
That's it! You can exit from the SSH session.
Test User Access
Using the SSH key generated in Step 2, the user can attempt to access the Bastion now. The -i flag refers to the filename of the generated private key.
ssh -i ~/.ssh/id_ed25519 ubuntu@<bastion-ip>