SSH for The Bastion with fancy autocompletion and OTP callback support.
# to build the project:
go build .
# to install with go directly:
go install .
# Arch (btw):
yay -S bssh-bin
# Other Linux distros might find a more suitable solution in the release tab of this repository

bssh [flags] -- <command>

bssh looks for a config.yml file in the following locations (in order):
- Current directory (.)
- $XDG_CONFIG_HOME/bssh/
- /etc/bssh/
All config values can be overridden with environment variables using the BSSH_ prefix (e.g. BSSH_USERNAME).
OTP and OpenBao certificate signing are independent, opt-in features. Enable either, both, or neither.
username: myuser
hostname: bastion.example.com
otp_enabled: true
otp_callback_command: ykman oath accounts code "Bastion" | cut -d" " -f3

When openbao.enabled is set, bssh asks the OpenBao SSH secrets engine to sign
the configured public key and logs in to the bastion with the resulting
short-lived certificate (passed to ssh via CertificateFile/IdentityFile).
The OpenBao token is taken from BAO_TOKEN/VAULT_TOKEN or, failing that, the
standard token file (~/.bao-token or ~/.vault-token, e.g. created by
bao login). The server address can also be provided via the BAO_ADDR
environment variable instead of openbao.address.
username: myuser
hostname: bastion.example.com
openbao:
  enabled: true
  address: https://bao.example.com:8200
  mount_path: ssh
  role: bastion
  public_key: ~/.ssh/id_ed25519.pub
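
The token lookup and signing request described above, sketched in Go as an added example (not bssh's own code). The function names are hypothetical, the precedence inside each token pair is assumed, and the request uses the SSH secrets engine's Vault-compatible HTTP API (`POST /v1/<mount_path>/sign/<role>` with an `X-Vault-Token` header).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// Order tried: BAO_TOKEN, VAULT_TOKEN, ~/.bao-token, ~/.vault-token (order within each pair assumed).
func resolveToken(getenv func(string) string, home string) (string, error) {
	bao, _ := os.ReadFile(filepath.Join(home, ".bao-token"))
	vault, _ := os.ReadFile(filepath.Join(home, ".vault-token"))
	for _, v := range []string{getenv("BAO_TOKEN"), getenv("VAULT_TOKEN"), string(bao), string(vault)} {
		if v = strings.TrimSpace(v); v != "" {
			return v, nil
		}
	}
	return "", fmt.Errorf("no OpenBao token in environment or token file")
}

// signPublicKey POSTs the key to <addr>/v1/<mount>/sign/<role> and returns data.signed_key.
func signPublicKey(addr, mount, role, token, pubKey string) (string, error) {
	body, _ := json.Marshal(map[string]string{"public_key": pubKey})
	req, err := http.NewRequest("POST", addr+"/v1/"+mount+"/sign/"+role, strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token) // header, so the token stays out of URLs and logs
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Data map[string]interface{} }
	_ = json.NewDecoder(resp.Body).Decode(&out) // an error body leaves cert empty
	cert, _ := out.Data["signed_key"].(string)
	if resp.StatusCode != http.StatusOK || cert == "" {
		return "", fmt.Errorf("sign request failed: %s", resp.Status)
	}
	return strings.TrimSpace(cert), nil
}

func main() {
	_, err := resolveToken(os.Getenv, os.Getenv("HOME"))
	fmt.Println("token found:", err == nil) // never print the token itself
}
```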