
Configuration

Bifröst is configured in YAML.

By default, the configuration is taken from the following location:

  • Linux: /etc/engity/bifroest/configuration.yaml
  • Windows: C:\ProgramData\Engity\Bifroest\configuration.yaml

This location can be overridden with the --configuration=<path> flag when running Bifröst:

bifroest run --configuration=/my/config.yaml

Properties

ssh

SSH

Defines how the SSH connections themselves behave.

session

Defines where and how the sessions inside Bifröst are handled.

flows

Defines which flows are evaluated for user sessions.

housekeeping

Defines how Bifröst will clean up its sessions and connections.

alternatives

Defines how the imp (if needed) behaves in order to bridge context boundaries, for example to enable port forwarding into an OCI container.

startMessage

string Core = ""

If defined, this message is written to Bifröst's log files on startup.

Examples

  1. Simple:

    ssh:
      addresses: [ ":22" ]
      # ...
    session:
      type: fs
      # ...
    flows:
      - name: local
        # ...
    housekeeping:
      # ...
    alternatives:
      # ...
    startMessage: ""
    

  2. Drop-in replacement for OpenSSH sshd

    ## The configuration can be used if you simply want to use Engity's Bifröst as a drop-in-replacement
    ## for the regular sshd.
    
    flows:
      - name: local
        authorization:
          type: local
          ## If PAM does not exist or is not supported, please comment the following line.
          pamService: "sshd"
    
        environment:
          type: local
          name: "{{.authorization.user.name}}"
          ## If you only want to allow user with group "ssh" to log in, uncomment the following lines:
          #loginAllowed: |
          #  {{ or
          #    (.authorization.user.group.name | eq "ssh" )
          #    (.authorization.user.groups     | firstMatching `{{.name | eq "ssh" }}` )
          #  }}
    
  3. Docker environment with OpenID Connect authorization

    This example uses the Docker environment with OpenID Connect (device authorization) authorization. Note that the clientSecret is stored in plain text in this file, so restrict read access to the configuration file accordingly.

    flows:
      - name: docker
        authorization:
          type: oidcDeviceAuth
          issuer: https://login.microsoftonline.com/my-great-tenant-uuid/v2.0
          clientId: my-great-client-uuid
          clientSecret: very-secret-secret
          scopes:
            - openid
            - email
            - profile
        environment:
          type: docker
          image: alpine