A modern, web-based SSH console and key management tool. Bastillion gives you a clean, browser-based way to manage SSH access across all your systems. Think of it like a bastion host with a friendly dashboard.
You can:
- Log in with 2-factor authentication (Authy or Google Authenticator)
- Manage and distribute SSH public keys
- Launch secure web shells and share commands across sessions
- Stack TLS/SSL over SSH for extra protection
Read more: Implementing a Trusted Third-Party System for Secure Shell.
Get the latest release:
https://github.com/bastillion-io/Bastillion/releases
Or from AWS Marketplace:
https://aws.amazon.com/marketplace/pp/Loophole-LLC-Bastillion/B076PNFPCL
FreeBSD:
pkg install security/bastillion
Java (OpenJDK or Oracle JDK 21+) — Now built for Java 21 and Jakarta EE 11
apt-get install openjdk-21-jdk
(Oracle JDK downloads: http://www.oracle.com/technetwork/java/javase/downloads/index.html)
Install an authenticator for 2-factor authentication:
| Application | Android | iOS |
|---|---|---|
| Authy | Google Play | iTunes |
| Google Authenticator | Google Play | iTunes |
Download the latest bundle:
https://github.com/bastillion-io/Bastillion/releases
Set environment variables:
Linux / macOS
```
export JAVA_HOME=/path/to/jdk
export PATH=$JAVA_HOME/bin:$PATH
```
Windows
```
set JAVA_HOME=C:\path\to\jdk
set PATH=%JAVA_HOME%\bin;%PATH%
```
Start in foreground (interactive) mode:
./startBastillion.sh
- Runs Bastillion directly in your terminal.
- Keeps stdin active (so database password prompts work).
- Logs are shown only in the terminal — not written to file.
- Stop with Ctrl + C.
Start in daemon (background) mode:
./startBastillion.sh --daemon
- Runs Bastillion as a background service.
- Enables Jetty’s built-in console-capture module — logs are written automatically to jetty/logs/YYYY_MM_DD.jetty.log.
- The app continues running after you close the terminal.
Enable debug output:
./startBastillion.sh -d
Combine options:
./startBastillion.sh --daemon -d
Stop Bastillion:
./stopBastillion.sh
Open: https://<server-ip>:8443
Default credentials:
```
username: admin
password: changeme
```
Install Maven 3+:
apt-get install maven
Build and run:
mvn package jetty:run
⚠️ mvn clean will remove the H2 database and user data.
Settings live in BastillionConfig.properties:
```
# Disable key management (append instead of overwrite)
keyManagementEnabled=false
# authorized_keys refresh interval in minutes (no refresh for <=0)
authKeysRefreshInterval=120
# Force user key generation and strong passphrases
forceUserKeyGeneration=false
```
Specify a custom SSH key pair or let Bastillion generate its own on startup:
```
# Regenerate and import SSH keys
resetApplicationSSHKey=true
# SSH key type ('rsa', 'ecdsa', 'ed25519', or 'ed448')
# Supported options:
# rsa - Classic, widely compatible (configurable length, default 4096)
# ecdsa - Faster, smaller keys (P-256/384/521 curves)
# ed25519 - Default and recommended (≈ RSA-4096, secure and fast)
# ed448 - Extra-strong (≈ RSA-8192, slower and less supported)
sshKeyType=ed25519
# Private key
privateKey=/Users/you/.ssh/id_rsa
# Public key
publicKey=/Users/you/.ssh/id_rsa.pub
# Passphrase (leave blank if none)
defaultSSHPassphrase=myPa$$w0rd
```
Once registered, you can remove the key files and passphrase from the configuration.
Embedded H2 example:
```
dbUser=bastillion
dbPassword=p@$$w0rd!!
dbDriver=org.h2.Driver
dbConnectionURL=jdbc:h2:keydb/bastillion;CIPHER=AES;
```
Remote H2 example:
dbConnectionURL=jdbc:h2:tcp://<host>:<port>/~/bastillion;CIPHER=AES;
Enable external auth in BastillionConfig.properties:
```
jaasModule=ldap-ol
```
Configure jaas.conf:
```
ldap-ol {
    com.sun.security.auth.module.LdapLoginModule SUFFICIENT
    userProvider="ldap://hostname:389/ou=example,dc=bastillion,dc=com"
    userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
    authzIdentity="{cn}"
    useSSL=false
    debug=false;
};
```
To map LDAP roles to Bastillion profiles:
```
ldap-ol-with-roles {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="false"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="<SERVER>"
    port="389"
    bindDn="<BIND-DN>"
    bindPassword="<BIND-DN PASSWORD>"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=users,dc=bastillion,dc=com"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=bastillion,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames";
};
```
Admins are added upon first login and can be assigned system profiles.
Users are synced with profiles when their LDAP role names match Bastillion profiles.
Auditing is disabled by default.
Enable it in log4j2.xml by uncommenting:
io.bastillion.manage.util.SystemAudit audit-appender
https://github.com/bastillion-io/Bastillion/blob/master/src/main/resources/log4j2.xml#L19-L22
Also enable in BastillionConfig.properties:
```
enableInternalAudit=true
```
See full dependencies in 3rdPartyLicenses.md.
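The configuration settings described above can be reviewed mechanically before a deployment goes live. This is an added example, not part of the Bastillion project: a Python check over the property names and JAAS options shown in this README. The function names are hypothetical and the sample input is constructed.

```python
import re

# Secrets printed in the README examples; seeing them in a live file means
# the sample was copied unchanged.
README_SAMPLES = {"defaultSSHPassphrase": "myPa$$w0rd", "dbPassword": "p@$$w0rd!!"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_properties(text):
    """Return findings for the body of a BastillionConfig.properties file."""
    props, findings = parse_properties(text), []
    for key in ("privateKey", "publicKey", "defaultSSHPassphrase"):
        if props.get(key):
            findings.append(f"{key}: still set; remove once the key is registered")
    for key, sample in README_SAMPLES.items():
        if props.get(key) == sample:
            findings.append(f"{key}: README sample value in use")
    if props.get("enableInternalAudit", "false").lower() != "true":
        findings.append("enableInternalAudit: auditing is not enabled")
    return findings

def audit_jaas(text):
    """Flag JAAS login modules that talk to the directory without LDAPS."""
    return [f"{opt}: set to false, directory connection is not using LDAPS"
            for opt in ("useSSL", "useLdaps")
            if re.search(rf'\b{opt}\s*=\s*"?false"?', text, re.IGNORECASE)]

# Constructed sample input, modelled on the README's example values.
SAMPLE_PROPS = """
defaultSSHPassphrase=myPa$$w0rd
privateKey=/Users/you/.ssh/id_rsa
dbPassword=changed-locally
enableInternalAudit=false
"""
SAMPLE_JAAS = 'ldap-ol { useSSL=false debug=false; };'

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPS) + audit_jaas(SAMPLE_JAAS):
        print("FINDING:", finding)
```
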
Bastillion is available under the Prosperity Public License.
Loophole, LLC — Sean Kavanagh
Email: sean.p.kavanagh6@gmail.com
Instagram: @spkavanagh6