StrongDM Sidecar Connector

Last modified on March 24, 2023

The portal script connects to a StrongDM listener running in sidecar mode and tunnels localhost ports through the sidecar over SSH. It periodically scans the sidecar for changes and automatically reopens connections after a network partition.

Basic (Unauthenticated) Use

On the sidecar server, start the listener with:

sidecar$ sdm sidecar --addr=$IP:$PORT

Set $IP to the listening IP address of the sidecar, and $PORT to the port you wish to run the sidecar listener on.

On the main server, start the portal script:

main$ SDM_SIDECAR_HOST=$IP SDM_SIDECAR_PORT=$PORT python portal.py

Ensure $IP and $PORT are the same as above.

Once connected, the sidecar and the script automatically map any datasource and server ports that are connected in the StrongDM client. You can connect and disconnect datasources and servers manually on the sidecar server.

Adding Authentication

The portal script uses the locally configured ssh to talk to the sidecar server, so you can extend that configuration through ssh_config. To ensure the sidecar only accepts connections from the intended main server, pass it a public key that authorizes access:

On the sidecar server:

sidecar$ export AUTHORIZED_KEY="ssh-rsa AAAA...qI/ user@example.com"
sidecar$ sdm sidecar --addr=$IP:$PORT --pubkey="$AUTHORIZED_KEY"

On the main server:

main$ cat >> /etc/ssh/ssh_config <<EOF
Host $SDM_SIDECAR_HOST
    Port $SDM_SIDECAR_PORT
    IdentityFile specific-identity.pem
EOF

Lifecycle

                SSH connection: available
┌───────────────┐    listening ports     ┌────────────────┐
│               ├───────────────────────▶│                │
│               │                        │                │
│    Solaris    │  SSH forwarded ports   │     Linux      │
│  Main Server  │◀──────────────────────▶│  SDM Listener  │
│               │◀──────────────────────▶│                │
│               │◀──────────────────────▶│                │
└───────────────┘                        └────────────────┘

The main server runs a main loop consisting of three steps:

  1. Load state: The SDM listener reads its state tree and returns a comma-separated list of the ports currently available for forwarding. This list directly reflects the regular SDM commands (sdm connect, sdm disconnect, sdm status, etc.) run on the sidecar.
  2. Update port forwarding: For each new port, the main server invokes SSH to set up local port forwarding (ssh -L -N) to the sidecar. For each port that is no longer available, the main server terminates the corresponding SSH process.
  3. Wait one second: The main server can therefore take up to roughly one second to react to a state change, so any automation that relies on the portal should wait for an update cycle to complete before proceeding.
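As an added example (not the StrongDM portal.py itself), here is the reconcile step of that loop in Python: it parses the listener's port list, diffs it against the SSH forwards already running, starts `ssh -L -N` for new ports, stops forwards for ports that disappeared, and reopens any forward whose ssh process has died, e.g. after a network partition. The `Portal` class, its injectable `spawn`, and the `load_state` callback are assumptions; how the port listing is fetched from the listener is left to the caller.

```python
import subprocess
import time


def parse_ports(listing: str) -> set[int]:
    """Parse the listener's comma-separated port list; blank entries are ignored."""
    return {int(p) for p in listing.split(",") if p.strip()}


def diff_ports(desired: set[int], active: set[int]) -> tuple[set[int], set[int]]:
    """Return (ports to open, ports to close) for this cycle."""
    return desired - active, active - desired


def ssh_forward_cmd(host: str, port: int, local_port: int) -> list[str]:
    """Build the `ssh -L -N` command that maps local_port to the same port on the
    sidecar's loopback. ExitOnForwardFailure makes ssh exit if the bind fails,
    so the next cycle sees a dead forward and retries instead of a silent gap."""
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-p", str(port),
            "-L", f"{local_port}:127.0.0.1:{local_port}", host]


class Portal:
    """Hypothetical class: one reconcile() call per cycle of the portal's main loop."""

    def __init__(self, host: str, port: int, spawn=subprocess.Popen):
        self.host, self.port, self.spawn = host, port, spawn  # spawn is injectable for tests
        self.forwards: dict[int, subprocess.Popen] = {}

    def reconcile(self, listing: str) -> tuple[set[int], set[int]]:
        desired = parse_ports(listing)
        # A forward whose ssh process exited (e.g. after a network partition)
        # is dropped here so it counts as missing and gets reopened below.
        for p in [p for p, proc in self.forwards.items() if proc.poll() is not None]:
            del self.forwards[p]
        to_open, to_close = diff_ports(desired, set(self.forwards))
        for p in to_close:  # port no longer connected on the sidecar: kill its tunnel
            self.forwards.pop(p).terminate()
        for p in to_open:   # newly connected port: start a tunnel for it
            self.forwards[p] = self.spawn(ssh_forward_cmd(self.host, self.port, p))
        return to_open, to_close

    def run(self, load_state, interval: float = 1.0) -> None:
        """Main loop: load state, update forwarding, wait one second."""
        while True:
            self.reconcile(load_state())
            time.sleep(interval)
```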