Stop Managing SSH Keys Manually! OVH's The Bastion Exposed
What if I told you that every SSH key your team has scattered across hundreds of servers is a ticking time bomb? That the "simple" practice of copying authorized_keys files is actually one of the biggest security blind spots in modern infrastructure? Here's the uncomfortable truth: most companies have no idea who can access what, when they accessed it, or what they did once inside.
Sound familiar? You're not alone. Thousands of DevOps teams, SREs, and security engineers wake up to this nightmare daily. The sprawl of SSH keys. The orphaned accounts of departed employees still lurking in production. The compliance auditor asking for session recordings you don't have. The frantic 3 AM page because someone deleted the wrong database—with no trace of who did it.
What if there was a battle-tested solution that didn't require ripping out your existing infrastructure? No agents to install on every server. No proprietary protocols. No expensive commercial bastion appliances. Enter The Bastion by OVH—a deceptively simple yet insanely powerful open-source SSH bastion that transforms how teams manage infrastructure access. Born from OVHcloud's massive-scale operations and hardened in PCI-DSS, ISO 27001, SOC1, and SOC2 certified environments, this isn't another toy project. This is the real deal, and it's about to change everything you thought you knew about SSH security.
What is The Bastion?
The Bastion is OVHcloud's open-source SSH bastion host designed as the single, auditable entry point for all infrastructure access. Created by the engineering teams managing one of Europe's largest cloud providers, it addresses a fundamental problem: how do you grant secure access to thousands of servers across hundreds of team members without creating an unmanageable security nightmare?
At its core, The Bastion operates as a protocol-breaking gateway between your users and your infrastructure. Your operational teams—sysadmins, developers, database admins, network engineers—never connect directly to target servers. Instead, they authenticate to The Bastion, which then enforces granular authorization policies before proxying connections onward. The infrastructure itself only needs to trust The Bastion's group keys, not individual user keys.
What makes this approach revolutionary is its zero-assumption philosophy. Unlike commercial solutions demanding agents, custom protocols, or cloud dependencies, The Bastion works with standard SSH everywhere. Your users connect with any ssh client. Your servers run any standard sshd. Even ancient network devices speaking telnet or weak cryptography can be protected behind The Bastion's modern, hardened ingress.
The project has gained serious traction because it solves real problems without creating new ones. No database dependencies that could fail. No external services for authentication. No vendor lock-in. Just pure, auditable, granular access control that scales from a single server to multinational infrastructure spanning multiple organizations through its innovative realms feature.
Key Features That Make The Bastion Insane
The Bastion's feature set reads like a security engineer's wish list, but every capability serves a practical purpose in production environments.
Protocol Break Architecture sits at the heart of its security model. By terminating the ingress SSH connection and establishing a separate egress connection, The Bastion renders most protocol-level attacks ineffective. An attacker exploiting a vulnerability in the client-to-bastion stream gains nothing—they're isolated from the actual infrastructure connection.
Comprehensive Session Recording captures everything. Interactive sessions are recorded as standard ttyrec files—playable, searchable, and archivable. But The Bastion goes further: even non-interactive sessions (scripts, automation, scp transfers) have their stdout and stderr captured. Nothing slips through unnoticed.
Multi-Factor Authentication isn't bolted on—it's foundational. Beyond standard public key authentication, The Bastion enforces additional factors including TOTP and passwords. For high-security environments, Yubico PIV key attestation verifies that connections originate from approved hardware tokens, not stolen key files.
Granular RBAC with Delegation transforms how teams operate. Access can be scoped to individual accounts (personal accesses) or managed through groups with delegated administration. A team lead can manage their group's membership and access rights without bastion-wide admin privileges. This isn't just convenient—it's essential for scaling security without creating bottlenecks.
Protocol Flexibility surprises many users. Beyond standard SSH, The Bastion supports mosh for mobile connections, scp, sftp, and rsync for file transfers, netconf for network device management, and even HTTPS proxying with authentication decoupling for API access. Legacy telnet and password-authenticated SSH devices are supported on the egress side while maintaining strong authentication on ingress.
JSON API over SSH enables full automation. Every administrative function is scriptable through a structured API, making integration with HR systems, CMDBs, and infrastructure-as-code workflows straightforward. Provision accounts automatically. Sync group memberships. Audit access patterns programmatically.
Real-World Use Cases Where The Bastion Dominates
Compliance-Driven Organizations
Financial services, healthcare, and any PCI-DSS or SOC2-regulated environment faces a brutal reality: auditors demand proof of who accessed what, when, and what they did. The Bastion delivers this natively. Every session recorded. Every action logged to syslog for SIEM ingestion. SQLite databases for fast querying. The Bastion runs in production in multiple certified environments—not as a hopeful experiment, but as proven infrastructure.
Multi-Team Platform Engineering
Platform teams serving dozens of engineering groups struggle with the "keys everywhere" problem. With The Bastion's group-based access and delegated administration, each team manages their own access policies. The platform team maintains the bastion infrastructure; individual teams control their own destiny. No more ticket-driven access requests bottlenecking through a single overworked admin.
Hybrid and Legacy Infrastructure
That ancient Cisco switch only speaking telnet? The Solaris box from 2010 with weak SSH ciphers? The industrial controller you can't touch? The Bastion wraps modern security around these liabilities. Firewall them off completely, expose only to The Bastion, and maintain strong authentication and audit trails without touching the legacy devices themselves.
Cross-Organizational Collaboration
Two companies need shared infrastructure access for a joint project, but neither wants to manage the other's users. The Bastion's realms create cryptographic trust between independent bastion instances, splitting authentication and authorization while enforcing local policies. Company A authenticates its users; Company B authorizes access to its infrastructure. Clean separation, seamless collaboration.
Automated Infrastructure Management
CI/CD pipelines, configuration management, and automated remediation need secure access too. The Bastion's JSON API enables service accounts with precisely scoped permissions—automated processes that can rotate credentials, sync group memberships from LDAP, or provision ephemeral access for incident response, all through version-controlled automation rather than manual intervention.
Step-by-Step Installation & Setup Guide
Ready to escape SSH key hell? Let's deploy The Bastion and get your first secure connection flowing.
Quick Docker Sandbox (Testing Only)
The fastest way to experience The Bastion is the disposable sandbox. Note: Read the production Docker FAQ before considering containers for real deployments.
# Pull and run the sandbox image (supports linux/amd64, linux/arm64, and more)
docker run -d -p 22 --name bastiontest ovhcom/the-bastion:sandbox
# Configure the first administrator account
# 'auto' generates a key pair automatically
docker exec -it bastiontest /opt/bastion/bin/admin/setup-first-admin-account.sh poweruser auto
Extract the dynamically assigned SSH port and create a convenient alias:
# Capture the exposed port
PORT=$(docker port bastiontest | cut -d: -f2)
# Create alias for easy bastion access
alias bastion="ssh poweruser@127.0.0.1 -tp $PORT -- "
Verify your admin status:
# Check bastion info and confirm admin privileges
bastion --osh info
You should see confirmation that you're a bastion administrator with full plugin access.
Interactive Mode and First Connection
For multiple operations, enter interactive mode:
# Enter interactive shell for consecutive plugin calls
bastion -i
Inside interactive mode, explore available commands:
# List all available osh plugins
$> help
To connect through The Bastion to a remote server, first establish your egress identity:
# Display your bastion's public key for remote server authorization
$> selfListEgressKeys
Copy this public key to your target server's ~/.ssh/authorized_keys. Then grant yourself access through The Bastion:
# Add personal access to remote host (any port)
$> selfAddPersonalAccess --host <remote_host> --user <remote_account_name> --port-any
# Connect through the bastion
$> ssh <remote_account_name>@<remote_host>
For direct non-interactive connections:
# Single-shot connection without entering interactive mode
bastion <remote_account_name>@<remote_machine_host_or_ip>
Production Installation
For production deployments, consult the online documentation or the doc/ folder in the repository. Supported platforms include:
- Debian: 13 (Trixie), 12 (Bookworm), 11 (Bullseye)
- Rocky Linux: 9.x, 8.x
- Ubuntu LTS: 24.04, 22.04, 20.04
- OpenSUSE Leap: 15.5* (limited MFA support)
- FreeBSD/HardenedBSD: 14.3** (partial MFA support)
After installation, customize /etc/bastion/bastion.conf for your environment's specific requirements.
REAL Code Examples from The Bastion
Let's dissect actual patterns from The Bastion's implementation and usage, revealing why this architecture is so robust.
Example 1: Docker Sandbox Deployment
The README provides this exact quick-start sequence:
# Run the official sandbox container in detached mode, exposing SSH on dynamic port
docker run -d -p 22 --name bastiontest ovhcom/the-bastion:sandbox
# Bootstrap first admin: 'poweruser' with auto-generated SSH keypair
docker exec -it bastiontest /opt/bastion/bin/admin/setup-first-admin-account.sh poweruser auto
What's happening here? The sandbox image contains a fully configured bastion with default security policies. The setup-first-admin-account.sh helper performs privileged operations: creating the system user, generating cryptographic credentials, and establishing initial authorization. The auto parameter delegates key generation to the script rather than requiring you to provide one—convenient for testing, but in production you'd supply your own carefully controlled key.
Example 2: Dynamic Port Extraction and Alias Creation
# Extract the host-side port Docker assigned to container port 22
PORT=$(docker port bastiontest | cut -d: -f2)
# Build alias: forces SSH to use specific port, passes remaining args to bastion
alias bastion="ssh poweruser@127.0.0.1 -tp $PORT -- "
The critical detail: The -- (double dash) separates SSH client options from commands passed to The Bastion itself. This alias pattern lets you use bastion --osh info rather than remembering the full SSH incantation. The -t forces pseudo-terminal allocation, essential for interactive bastion plugins.
Example 3: Interactive Mode Session
# Enter interactive mode: maintains persistent session for multiple commands
bastion -i
# Inside interactive shell, list all available plugins
$> help
# Display public keys this bastion will use when connecting outward
$> selfListEgressKeys
Why interactive mode matters: Each --osh plugin invocation normally requires a fresh SSH connection. For bulk operations—auditing access, adding multiple group members, reviewing logs—the connection overhead becomes painful. Interactive mode maintains your authenticated session, dramatically speeding up administrative workflows.
Example 4: Granting and Using Personal Access
# Register personal access rights to specific remote server
$> selfAddPersonalAccess --host <remote_host> --user <remote_account_name> --port-any
# Connect using the granted access
$> ssh <remote_account_name>@<remote_host>
The security architecture revealed: Notice you don't specify which key to use—The Bastion selects from your egress keys based on its authorization database. The --port-any flag grants access across all ports rather than restricting to SSH's default 22. This fine-grained control extends to per-port, per-user, per-host combinations, enabling policies like "database team can access port 5432 on db-* hosts as postgres user."
Example 5: Direct Connection Syntax
# Bypass interactive mode for single connections
bastion <remote_account_name>@<remote_machine_host_or_ip>
Production automation pattern: This syntax enables seamless integration with existing tools. Your ~/.ssh/config can proxy through The Bastion transparently. Ansible, rsync, scp, and mosh all work with appropriate wrapper configurations. The the-bastion-ansible-wrapper project automates this integration.
Advanced Usage & Best Practices
Segregate Administrative Realms: For highest security, administer The Bastion itself through... another bastion. This recursive auditability ensures even superuser actions are captured. The Bastion's own design enforces this—administrators must use bastion logic to connect to itself.
Implement Remote Log Escrow: Session recordings in ttyrec format should be encrypted and pushed to remote storage immediately. The Bastion provides helper scripts for this. Local logs can be tampered; remote escrow cannot (assuming separate administrative control).
Leverage Group Delegation Aggressively: Resist centralizing all access decisions. Create bastion groups aligned with your organizational structure. Delegate group-gatekeeper and group-owner roles to team leads. This scales security governance without creating admin bottlenecks.
Automate Lifecycle Management: Integrate the JSON API with your HR systems. When someone joins, their bastion account provisions automatically. When they depart, access revocation is immediate and complete—no hunting for orphaned authorized_keys entries across hundreds of servers.
Enforce PIV for High-Risk Access: For production database or critical infrastructure access, require Yubico PIV key attestation. This cryptographically proves the connection originates from approved hardware, not a stolen key file on an attacker's machine.
Comparison with Alternatives
| Feature | The Bastion | Teleport | AWS Session Manager | Traditional Jump Hosts |
|---|---|---|---|---|
| Open Source | ✅ Apache 2.0 | ✅ Core open, enterprise paid | ❌ Proprietary | Varies |
| Zero Server Changes | ✅ Standard SSH only | ❌ Agent required | ❌ SSM agent required | ✅ |
| No External Dependencies | ✅ Self-contained | ❌ Requires backend storage | ❌ AWS dependency | Usually ✅ |
| Session Recording | ✅ ttyrec (standard format) | ✅ Proprietary | ✅ Limited | ❌ Manual setup |
| Protocol Break | ✅ Core architecture | ❌ Proxy mode | ❌ Passthrough | ❌ |
| Legacy Protocol Support | ✅ telnet, weak SSH, HTTPS | ❌ Modern only | ❌ AWS only | Manual tunneling |
| Cross-Organization Realms | ✅ Native trust | ❌ Complex federation | ❌ AWS orgs only | ❌ |
| MFA/PIV Support | ✅ Native TOTP, password, PIV | ✅ Enterprise | ✅ IAM-based | Manual PAM |
| Operational Cost | Low (UNIX primitives) | Medium (infrastructure) | Low (if AWS-native) | High (maintenance) |
The verdict: Commercial solutions like Teleport offer slick UIs and enterprise features but introduce complexity and vendor dependency. AWS Session Manager locks you into their ecosystem. Traditional jump hosts lack auditability and granular control. The Bastion hits a sweet spot: enterprise-grade security with minimal complexity, zero vendor lock-in, and battle-tested scale.
FAQ
Is The Bastion suitable for small teams or only enterprise scale? Absolutely suitable for teams of any size. A single Docker container gets you started in minutes. The complexity scales with your needs—you don't pay an "enterprise tax" for basic functionality.
Can I run The Bastion in Kubernetes or other container orchestration? The sandbox Docker image is explicitly for testing. Production containerization requires careful consideration of security primitives that The Bastion relies on—UNIX DAC, PAM, specific kernel capabilities. Review the FAQ before attempting.
How does The Bastion handle key rotation?
Egress keys are managed through The Bastion's plugin system. Rotate group keys centrally, and all members automatically use new credentials. No more chasing authorized_keys files across your infrastructure.
What happens if The Bastion itself is compromised?
The defense-in-depth design assumes code cannot be trusted. UNIX DAC provides a safety belt—even tricked code cannot exceed filesystem permissions. Privileged operations are isolated in sudo-protected helpers with tainted mode checking. And comprehensive logging to remote systems means attacks leave evidence.
Can I integrate with my existing LDAP/Active Directory? Yes, through automation. The JSON API enables scripts that sync bastion accounts and group memberships with your identity provider. While not a direct LDAP integration, this approach is more flexible and auditable.
Does session recording impact performance?
ttyrec recording adds minimal overhead—it's been used for decades in production environments. For extremely latency-sensitive operations, non-interactive recording (stdout/stderr only) provides auditability with even lower impact.
Is there commercial support available? The Bastion is developed and operated by OVHcloud for their massive infrastructure. Community support through GitHub issues is active. For enterprise support needs, engage with OVHcloud directly or leverage the extensive documentation.
Conclusion
Here's what it boils down to: every day you spend managing SSH keys manually is a day you're one disgruntled departure, one stolen laptop, one compliance audit away from serious pain. The Bastion by OVH offers an escape hatch that doesn't require ripping out your infrastructure or signing up for expensive proprietary platforms.
It's not perfect—container production deployments need care, the learning curve for advanced delegation exists, and you'll need to invest in understanding its security model. But the alternative? Continuing to pretend that authorized_keys sprawl across hundreds of servers is "good enough"? That's not a strategy. That's a liability.
The Bastion delivers what matters: authentication that scales, authorization that's granular, traceability that's complete, and auditability that satisfies the strictest regulators. Born from operating one of Europe's largest cloud platforms, hardened in certified environments, and completely open source.
Your move. Start with the Docker sandbox today. Read the comprehensive documentation. Join the community of teams who've already escaped SSH key hell. The repository awaits at github.com/ovh/the-bastion—star it, fork it, deploy it, and never look back at manual key management again.
The infrastructure you save may be your own.