May 05 2021
Leave a comment
By spartan2194 DevOps, Network Security, System Administration, Tools

Connecting to my homelab remotely with Hashicorp Boundary v0.2.0 and Auth0

The purpose of this blog post is to provide multiple methods on how to install/setup Hashicorp Boundary. This blog post generated an Ansible playbook, Docker-compose for Swarm, and manual instructions for installing Boundary on Ubuntu 20.04. In addition, this blog post will demonstrate how to setup Auth0 OIDC authentication for single-sing on. Lastly, I will end this blog post with connecting to a remote machine in my homelab via SSH using the Boundary Desktop and CLI client.

Goals

  • Setup Auth0 OIDC authentication
  • Install/Setup Boundary single-node controller and worker with Ansible
  • Install/Setup Boundary single-node controller and worker with Docker
  • Install/Setup Boundary single-node controller and worker with manual instructions
  • Access homelab servers remotely using Boundary
  • Setup Boundary Desktop on macOS
  • Generate certificates with Vault for trusted communication between Boundary clients and server

DISCLAIMER

This blog post is a proof of concept (POC) for a homelab and does NOT implement best practices for an enterprise environment. Please review the Hashicorp Boundary documentation for best practices. In addition, this POC will be setting up a single Boundary controller and worker instance which does not provide high-availability.

DISCLAIMER

Background

What is Boundary?

What is Auth OIDC?

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. OIDC uses JSON web tokens (JWTs), which you can obtain using flows conforming to the OAuth 2.0 specifications. While OAuth 2.0 is about resource access and sharing, OIDC is about user authentication. Its purpose is to give you one login for multiple sites.

Each time you need to log in to a website using OIDC, you are redirected to your OpenID site where you log in, and then taken back to the website. For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google sends information back to Auth0 about the user and the authentication performed. This information is returned in a JWT.

Boundary keys

  • Root key – Only the Boundary controller uses this key. This key is used to encrypt the data stored in the Postgres database
  • Recovery key – This is a last resort key incase the admin password is forgotten/lost. This key can be used as an authentication key to login and manage the cluster.
  • Worker key – The key used for authentication between the Boundary workers and the controllers

Boundary/Vault config resources

Assumptions

  • The means to generate DNS A records for each service.
  • Pre-existing Vault infrastructure
  • Vault root CA has been distributed to all devices as a trusted certificate
  • Auth0 account and your an administrator

Network diagram

 

Setup Auth0 OIDC

  1. Log into a Auth0 account as an administrator
  2. Applications > Applications
  3. Select “+ Create Application” in the top right
    1. Enter a name for application
    2. Select “Regular web applications” for application type
    3. Select “Create”
    4. Select “Go” for technology
  4. Select “Settings” tab
  5. Keep this browser tab open because we will need

Setup Vault and generate certificates for Boundary

Create Boundary intermediate

  1. git clone https://github.com/CptOfEvilMinions/BlogProjects
  2. cd BlogProjects/HashicorpBoundary
  3. Login into Vault
  4. BASE_DOMAIN=<domain>
  5. vault secrets enable -path=boundary_pki_int pki
    1. Enable the pki secrets engine at the boundary_pki_int path
  6. vault secrets tune -max-lease-ttl=43800h boundary_pki_int
    1. Tune the boundary_pki_int secrets engine to issue certificates with a maximum time-to-live (TTL) of 43800 hours
    2. 43800 hours = 5 years
  7. vault write -format=json boundary_pki_int/intermediate/generate/internal common_name="boundary.${BASE_DOMAIN} Intermediate Authority" | jq -r '.data.csr' > conf/tls/boundary_$(tr . _ <<< ${BASE_DOMAIN})_pki_int.csr
    1.  Generate an intermediate certificate and save the certificate signing request (CSR) to disk
  8. vault write -format=json pki/root/sign-intermediate csr=@conf/tls/boundary_$(tr . _ <<< ${BASE_DOMAIN})_pki_int.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > conf/tls/boundary_$(tr . _ <<< ${BASE_DOMAIN})_pki_int.crt
    1. Sign the intermediate certificate with the root certificate and write the generated certificate to disk
  9. vault write boundary_pki_int/intermediate/set-signed certificate=@conf/tls/boundary_$(tr . _ <<< ${BASE_DOMAIN})_pki_int.crt
    1. Upload the signed certificate
  10. vault write boundary_pki_int/roles/$(tr . _ <<< ${BASE_DOMAIN}) allowed_domains="boundary.${BASE_DOMAIN}" allow_subdomains=true allow_bare_domains=true max_ttl="8760h"
    1. Create a role that allows certificates for subdomains to be generated
  11. rm conf/tls/boundary_$(tr . _ <<< ${BASE_DOMAIN})_pki_int.csr

Create Boundary controller leaf certificate

  1. vault write -format=json boundary_pki_int/issue/$(tr . _ <<< ${BASE_DOMAIN}) common_name="controller01.boundary.${BASE_DOMAIN}" alt_names="boundary.${BASE_DOMAIN}" ttl="8760h" > conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json
    1. Request a new certificate for Boundary
    2. Common name: controller01.boundary.hackinglab.local
    3. Additional SAN: boundary.hackinglab.local
    4. 8760 hours 122 = 1 year
  2. cat conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.private_key' > conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).key
    1. Extract private key from JSON blob
  3. cat conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.certificate' > conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).crt
  4. cat conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.ca_chain[]' >> conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).crt
    1. Extract public certificate chain from JSON blob
  5. rm conf/tls/controller01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json

Create Boundary worker leaf certificate

  1. vault write -format=json boundary_pki_int/issue/$(tr . _ <<< ${BASE_DOMAIN}) common_name="worker01.boundary.${BASE_DOMAIN}" ttl="8760h" > conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json
    1. Request a new certificate for Boundary with common name: worker01.boundary.hackinglab.local
    2. 8760 hours 122 = 1 year
  2. cat conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.private_key' > conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).key
    1. Extract private key from JSON blob
  3. cat conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.certificate' > conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).crt
  4. cat conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json | jq -r '.data.ca_chain[]' >> conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).crt
    1. Extract public certificate chain from JSON blob
  5. rm conf/tls/worker01_boundary_$(tr . _ <<< ${BASE_DOMAIN}).json

Setup Vault Transit

  1. Log into Vault as an administrator
  2. vault secrets enable transit
    1. Enable Transit secrets engine
  3. for i in {root,recovery,worker}; do vault write -f transit/keys/boundary-$i-key; done
    1. Create Boundary named encryption keys
  4. for i in {root,recovery,worker}; do cat conf/vault/boundary-$i-key-policy.hcl | vault policy write boundary-$i-key -; done
    1. Write the Boundary policies to Vault for each key
  5. for i in {root,recovery,worker}; do echo -n "boundary-$i-token - "; vault token create -policy=boundary-$i-key --format=json | jq .auth.client_token; done
    1. Generate Vault tokens for each Boundary key type

Install/Setup Boundary with Docker-compose v3.x (Swarm)

WARNING

The Docker-compose v3.x setup is for development use ONLY. The setup contains hard-coded credentials in configs and environment variables. For a more secure deployment please skip to the next section to use Ansible.

WARNING

Create secrets

  1. for i in {root,recovery,worker}; do echo -n "boundary-$i-token - "; token=$(vault token create -policy=boundary-$i-key --format=json | jq .auth.client_token); echo $token; echo $token | tr -d '"' | docker secret create vault-kms-$i-token -; done
    1. Generate Vault tokens and store them into Docker secrets
  2. openssl rand -base64 32 | tr -cd '[:alnum:]' | docker secret create boundary-postgres-password -
    1. Generate a random secure password for Postgres database

Configure docker-compose

  1. vim docker-compose-swarm.yml and set:
    1. controller
      1. VAULT_ADDR – Set this value to the URL location of Vault
      2. VAULT_MOUNT_PATH – Set this value to the mount path of the Vault transit keys – default transit/
      3. BASE_DOMAIN – Set the domain of the network
      4. POSTGRES_DB – Set the Postgres database name – default boundary
      5. POSTGRES_USER – Set the Postgres username – default boundary
    2. postres
      1. POSTGRES_DB – Set the Postgres database name – default boundary
      2. POSTGRES_USER – Set the Postgres username – default boundary
    3. worker
      1. VAULT_ADDR – Set this value to the URL location of Vault
      2. VAULT_MOUNT_PATH – Set this value to the mount path of the Vault transit keys – default transit/
      3. BASE_DOMAIN – Set the domain of the network
  2. Save and exit

Docker start stack

  1. cat conf/tls/boundary_<domain>_pki_int.crt | docker secret create boundary-pki-int -
  2. cat conf/tls/controller01_boundary_<domain>.crt | docker secret create boundary-controller-crt -
  3. cat conf/tls/controller01_boundary_<domain>.key | docker secret create boundary-controller-key -
    1. Create Docker secrets containing the public certs and private keys generated above
  4. docker stack deploy -c docker-compose-swarm.yml boundary
  5. docker service logs -f boundary_postgres
    1. Wait until Postgres prints “database system is ready to accept connections”
  6. docker service logs -f boundary_controller
  7. docker service logs -f boundary_worker

Install/Setup Boundary v0.2.0 with Ansible

Setup playbook

  1. vim all.yml and set:
    1. base_domain – Set the domain of the network
    2. timezone – Set the machine hosting Boundary to a timezone – default UTC +0
  2. cp group_vars/boundary.yml.example group_vars/boundary.yml
  3. vim group_vars/boundary.yml and set:
    1. hostname – Set the hostname of the server hosting the Boundary controller and worker – default boundary
    2. boundary_version – Set the version of Boundary to use – this playbook has been tested to work with Boundary v0.2.0
    3. postgres_password – The password for the Postgres database for Boundary
    4. VAULT_ADDR – Set this value to the URL location of Vault
    5. VAULT_MOUNT_PATH – Set this value to the mount path of the Vault transit keys – default transit/
    6. vault_kms_root_token – Set to the Vault token generated above for root
    7. vault_kms_worker_token – Set to the Vault token generated above for the worker
    8. vault_kms_recovery_token – Set to the Vault token generated above for recovery
  4. vim hosts.ini and add the IP address of the Boundary server under [boundry_single_node]

Run playbook

  1. ansible-playbook -i hosts.ini deploy_boundary_single_node.yml -u <user> -K
    1. Enter password

Manual install/setup of Boundary v0.2.0 on Ubuntu 20.04

Install/Setup Postgres v13.2

  1. apt update -y && apt upgrade -y
  2. curl -s https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
    1. Add Postgres GPG key
  3. echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
    1. Add Postgres repo
  4. apt-get update -y && apt-get install postgresql-13 postgresql-contrib -y
    1. Install Postgres
  5. sudo -u postgres psql
    1. Switch to Postgres user
  6. create database boundary;
    1. Create Boundary database
  7. create user boundary with encrypted password '<password>';
    1. Create Boundary user with a password
  8. grant all privileges on database boundary to boundary;
    1. Create Boundary user all privileges on Boundary database
  9. \q
    1. Quit Postgres shell
  10. systemctl restart postgresql
  11. systemctl enable postgresql

Install/Setup Boundary v0.2.0 on Ubuntu 20.04

Install Boundary

  1. Create a DNS A record for your Boundary server on your local DNS server
    1. My DNS A record: boundary.hackinglab.local
  2. curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
    1. Add Hashicorp GPG key
  3. sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
    1. Add Hashicorp repo
  4. sudo apt-get update && sudo apt-get install boundary -y
    1. Install Boundary
  5. setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))
    1. On Linux, to give the Boundary executable the ability to use the mlock syscall without running the process as root
  6. adduser --system --group boundary
    1. Create Boundary user
  7. mkdir -p /etc/boundary/ssl
    1. Create Boundary config directory
  8. chown -R boundary:boundary /etc/boundary
    1. Change permissions of the Boundary config directory
  9. curl https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/HashicorpBoundary/conf/ansible/boundary_controller/boundary-controller.service --output /etc/systemd/system/boundary-controller.service
    1. Pull down service config for Boundary controller
  10. sed -i 's/{{ boundary_user }}/boundary/g' /etc/systemd/system/boundary-controller.service
  11. sed -i 's/{{ boundary_group }}/boundary/g' /etc/systemd/system/boundary-controller.service
    1. Set the user and group to run the Boundary controller as
  12. curl https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/HashicorpBoundary/conf/ansible/boundary_worker/boundary-worker.service --output /etc/systemd/system/boundary-worker.service
    1. Pull down service config for Boundary worker
  13. sed -i 's/{{ boundary_user }}/boundary/g' /etc/systemd/system/boundary-worker.service
  14. sed -i 's/{{ boundary_group }}/boundary/g' /etc/systemd/system/boundary-worker.service
    1. Set the user and group to run the Boundary worker as
  15. systemctl daemon-reload
    1. Load the services into SystemD

Copy Vault certificate and private keys to Boundary server

  1. curl -s -k https://<Vault FQDN>:<Vault port>/v1/pki/ca/pem > /etc/ssl/certs/<domain>-root-ca.crt
    1. Write the Vault root CA to disk
  2. chown root:root /etc/ssl/certs/<domain>-root-ca.crt
  3. chmod 644 /etc/ssl/certs/<domain>-root-ca.crt
    1. Set the proper permissions of the root CA
  4. Copy Boundary intermediate certificate to /etc/boundary/ssl/boundary_<domain>_pki_int.crt
  5. Copy Boundary controller public certificate to /etc/boundary/ssl/controller01_boundary_<domain>.crt
  6. Copy Boundary controller private key to /etc/boundary/ssl/controller01_boundary_<domain>.key
  7. Copy Boundary worker public certificate to /etc/boundary/ssl/worker01_boundary_<domain>.crt
  8. Copy Boundary worker private key to /etc/boundary/ssl/worker01_boundary_<domain>.key
  9. chown root:boundary /etc/boundary/ssl/*
  10. chmod 640 /etc/boundary/ssl/*
    1. Set permissions of the private keys and public certificates

Set common values in configs

The Boundary controller and worker config have alot of similar values. This section is going to set those similar values for the controller and worker config

  1. curl -s https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/HashicorpBoundary/conf/ansible/boundary_controller/boundary-controller.hcl --output /etc/boundary/boundary-controller.hcl
    1. Pull down Boundary controller config
  2. curl https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/HashicorpBoundary/conf/ansible/boundary_worker/boundary-worker.hcl --output /etc/boundary/boundary-worker.hcl
    1. Pull down Boundary worker config
  3. sed -i "s#{{ base_domain | replace('.','_') }}#$(tr . - <<< '<domain>')#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
  4. sed -i "s#{{ base_domain }}#<domain>#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
    1. Set base_domain
  5. sed -i "s#{{ vault_addr }}#https://<vault FQDN>:<vault port>#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
    1. Set Vault URL address
  6. sed -i "s#{{ vault_kms_mount_path }}#<Vault mount path - default transit/>#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
    1. Set Vault mount path for transit keys – default transit/
  7. sed -i "s#\"{{ vault_addr.rpartition.*#\"vault.hackinglab.local\"#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
    1. Set the common name in Vault TLS cert
  8. sed -i "s#{{ vault_kms_worker_token }}#<Vault transit worker token>#g" /etc/boundary/boundary-worker.hcl /etc/boundary/boundary-controller.hcl
    1. Set Vault worker token

Configure Boundary controller

  1. sed -i "s#{{ disable_mlock }}#false#g" /etc/boundary/boundary-controller.hcl
    1. Set memory lock flag
  2. sed -i "s#{{ tls_disable }}#false#g" /etc/boundary/boundary-controller.hcl
    1. Set controller TLS mode
  3. sed -i "s#{{ vault_kms_root_token }}#<Vault transit root token>#g" /etc/boundary/boundary-controller.hcl
    1. Set Vault root token
  4. sed -i "s#{{ vault_kms_recovery_token }}#s.LvlNGJqgHje0IEx289SmsLg2#g" /etc/boundary/boundary-controller.hcl
    1. Set Vault recovery token
  5. sed -i "s#postgresql://{{ postgres_username }}:{{ postgres_password }}@127.0.0.1:5432/{{ postgres_dbname }}#postgres://boundary:<password>@127.0.0.1:5432/boundary#g" /etc/boundary/boundary-controller.hcl
    1. Set Postgres URL and password
  6. chown root:boundary /etc/boundary/boundary-controller.hcl
  7. chmod 640 /etc/boundary/boundary-controller.hcl
    1. Change the permissions of the Boundary controller config

Configure Boundary worker

  1. sed -i "s#{{ ipify_public_ip }}#$( curl -s ifconfig.co )#g" /etc/boundary/boundary-worker.hcl
    1. Set public IP
  2. chown root:boundary /etc/boundary/boundary-worker.hcl
  3. chmod 640 /etc/boundary/boundary-worker.hcl
    1. Change the permissions of the Boundary worker config

Init Boundary

  1. /usr/bin/boundary database init -config /etc/boundary/boundary-controller.hcl > /tmp/boundary-init.txt
    1. Initialize the Boundary database
    2. Copy the password for the admin user
  2. systemctl restart boundary-controller
  3. systemctl enable boundary-controller
  4. systemctl restart boundary-worker

Setup UFW

  1. ufw allow OpenSSH
  2. ufw allow 9200/tcp
  3. ufw allow 9202/tcp
  4. ufw enable

Create/configure Boundary organization via CLI

Login into Boundary via command line on macOS

  1. brew install boundary
  2. export BOUNDARY_ADDR=https://<IP addr or FQDN of Boundary>:9200
  3. boundary authenticate password -auth-method-id=<Password auth method ID> -login-name=admin -password=<admin password>
    1. To get auth method: cat /tmp/boundary-init.txt | grep -B 4 'Generated global scope initial password auth method' | grep 'Auth Method ID'
    2. ONLY use the -tls-insecure flag if the TLS certificate is self-signed
    3. If you receive the following warning: x509: certificate relies on legacy Common Name field enter the following command: export GODEBUG=x509ignoreCN=0

Create org/scope

  1. boundary scopes create -name "<org name>" -description "<description>"
  2. Copy the org ID which is commonly referred to as the scope ID

Create project

  1. boundary scopes create -scope-id=<org/scope ID> -name="<project name>" -description="<project description>"
  2. Copy the project ID

Create host catalog and hosts

  1. boundary host-catalogs create static -name <host catalog name> -description "<description about host catalog>" -scope-id <project ID>
  2. Copy the host catalog ID
  3. boundary host-sets create static -name <hosts set name> -description "<description about hosts set>" --host-catalog-id=<host catalog ID>
  4. boundary hosts create static -name <machine name> -description "<description about machine>" -address "<IP address of machine>" -host-catalog-id=<host catalog ID>
  5. Copy host ID
  6. boundary host-sets add-hosts -d <Hosts set ID> -host <host ID>

Create Targets

  1. boundary targets create tcp -name <machine name>-ssh-access -default-port=<Port you want to connect too - I will use port 22> -description "<description>" -scope-id <project ID>
  2. Copy target ID
  3. boundary targets add-host-sets -id <Target ID> -host-set <Hosts set ID>

Setup Auth0 as auth method

  1. boundary auth-methods create oidc -issuer "https://<Auth0 app domain>" -client-id <Auth0 client ID> -client-secret <Auth0 client secret> -signing-algorithm RS256 -api-url-prefix "https://<FQDN of Boundary>:<Boundary port>" -scope-id <Project ID> -name auth0
    1. The issuer URL MUST end with a /
    2. The api-url-prefeix MUST NOT end with a /
    3. If get a 500 error run the following command:boundary auth-methods update oidc -id <OIDC auth method OD> -issuer "https://<ISSUER_URL>/" -max-age 0
  2. Copy auth method ID
  3. boundary auth-methods change-state oidc -id <Auth method ID> -state active-public
    1. Activate OIDC auth method
  4. boundary scopes update -primary-auth-method-id <auth method ID> -id <Org ID>
    1. Enable Auth0 OIDC auth method as the primary auth method for the Hackinglab org
  5. boundary auth-methods read -id <Auth method ID> | grep callback_url
    1. Copy callback_url
  6. Go back to the Auth0 tab I told you to keep open
  7. Scroll down to “Allowed Callback URLs” section
  8. Paste the callback_url
  9. Select “Save”

Test Auth0 auth method and create user entity

  1. Open a browser session in incognito mode
  2. Browse to https://<FQDN of Boundary>:9200
  3. Select <newly created org name> from the drop down menu
  4. Select “Authenticate” which will redirect you to a Auth0 login page
  5. Log into your Auth0 account
  6. Back to the terminal
  7. boundary users list -scope-id=<Org ID>
  8. Copy user ID

Create role to grant access

  1. boundary roles create -name <name>-role -description "<description>" -scope-id=<Org ID>
    1. Create role
  2. Copy the role ID
  3. boundary roles set-principals -id <role ID> -principal <user ID>
    1. Add principal/user to role
  4. boundary roles add-grants -id <role ID> -grant "id=<targets ID>;actions=authorize-session" -grant "id=*;type=session;actions=read:self" -grant "type=target;actions=list"
    1. Add grants to role
    2. -grant "id=ttcp_VEatLXaUdD;actions=authorize-session" – Allows users assigned to this role to create sessions
    3. -grant "id=*;type=session;actions=read:self" – Allows users assigned to this role to read their own sessions
    4. -grant "type=target;actions=list" – Allows users assigned to this role to list the created targets
    5. For more information on Boundary grants go here

 

https://www.boundaryproject.io/docs/installing/no-gen-resources#create-roles-to-manage-scopes

https://www.boundaryproject.io/docs/installing/no-gen-resources#create-roles-to-manage-scopes

Create/configure Boundary organization via WebGUI

Login Boundary via WebGUI

  1. Open a web browser to https://<IP addr of Boundary>:9200
    1. Enter admin for username
    2. Enter <Password from the Boundary init command above> for password
    3. To get password: cat /tmp/boundary-init.txt | grep -A 4 'Generated global scope initial password auth method' | grep Password
    4. Select “Authenticate”

Create org

  1. Open a web browser to https://<IP addr of Boundary>:9200 and login as admin
  2. Select “Orgs” in the top left
  3. Select “New” in the top right
    1. Enter <org name> into Name
    2. Enter a description – optional
    3. Select “Save”

Create project

  1. Select “Orgs” in the top left
  2. Select the org you just created
  3. Select “Projects” on the left under “orgs”
  4. Select “+ New”
    1. Enter a project name
    2. Enter a description – optional
    3. Select “Save”

Create host catalog

  1. Select “Host catalogs” on the left
  2. Select “+ New”
    1. Enter a project name
    2. Enter a description – optional
    3. Select “Save”
  3. Select “Hosts sets” tab
  4. Select “+ New”
    1. Enter a name for the host
    2. Enter a description – optional
    3. Select “Save”
  5. Select Manage > Create and add Host tab
    1. Enter a name for the host
    2. Enter a description – optional
    3. Enter IP address of the host
    4. Select “Save”

Create Targets

  1. Select “Targets” on the left
  2. Select “+ New”
    1. Enter a name for the target
    2. Enter a description – optional
    3. Enter the port to connect to server on – SSH is port 22
    4. Select “Save”
  3. Select “Hosts sets” tab
  4. Select “Add Host Sets”
    1. Select the host set you just created
    2. Select “Add Host Sets”

Create role to grant access

  1. Select “Users” on the left
  2. Find the user that has a name that matches the User ID from above when you logged in on the command line
    1. This ensures that Boundary successfully acknowledges your OIDC account
  3. Select “Roles” on the left
  4. Select “New” in the top right
    1. Enter a name for the role
    2. Enter a description – optional
    3. Select “Save”
  5. Select “Principals” tab
    1. Select “+ Add Principals”
    2. Check the User ID for your OIDC account
    3. Select “Add Principals” at the top
  6. Select “Grants” tab
    1. Enter id= <Hosts set ID>;actions=read,update into New Grant
    2. Select “Add”
    3. Select “Save”

Connect to remote server using Boundary CLI on macOS

  1. Open a terminal
  2. brew install hashicorp-boundary-desktop
  3. boundary authenticate oidc -auth-method-id <OIDC auth method ID>
    1. Authenticate using Auth0 account
  4. boundary targets list -scope-id <project ID>
    1. List targets
    2. Copy target ID
  5. boundary connect ssh -target-id <target ID> -username <SSH username>

Install/Setup Boundary Desktop on macOS

Install/Setup Boundary

  1. Open a terminal
  2. brew install hashicorp-boundary-desktop
  3. Open the Boundary app
  4. Enter https://<Boundary FQDN>:9200/ into Origin URL
  5. Select “Submit”
  6. Select “<Org name” from drop down meu
  7. Select “Authenticate”

 

Connect to a Target

  1. Select “Targets” on the left
  2. Select “Connect” on “Docker-dev-access”
  3. Copy the localhost and port combo
  4. Open a terminal tab
  5. ssh <username>@127.0.0.1 -p <Port from prompt above>
    1. Accept new fingerprint

DISCLAIMER

This blog post is a proof of concept (POC) for a homelab and does NOT implement best practices for an enterprise environment. Please review the Hashicorp Boundary documentation for best practices. In addition, this POC will be setting up a single Boundary controller and worker instance which does not provide high-availability.

DISCLAIMER

Lessons learned

New skills and technology

  • Learned how to setup Boundary v0.2.0
  • Learned how to setup OIDC

References

Leave a Reply

Your email address will not be published. Required fields are marked *