Zero-Trust SSH Access

SSH Access via Zero Trust

SSH by its very nature is end-to-end encryption with strong protection against Man-In-The-Middle attacks. All servers need to be accessible via SSH to be manageable, often by external users (e.g. vendors, outsourced NOC, etc). However, despite SSH being strong on encryption it is challenging on accessiblity. The servers are typically on private networks (e.g. Virtual-Private-Cloud VPC, internal network VLAN’s, etc). Making them directly accessible to the Internet can be dangerous (we would have to somehow police that all users have passphrases on their keys, that we don’t have passwords allowed, etc.). SSH jump-boxes add a step to the workflow, are difficult to ssh-port-forward and scp through. VPN access is difficult to secure on a per-server basis, often being all-or-none.

In this guide we will setup the Agilicus Zero-Trust Network Access to directly access arbitrary SSH servers. The users will see them as being directly Internet connected. The users will have zero configuration (after the initial setup). Users can be individually authorised on a per SSH server basis. Additionally, users can be federated for identity by any upstream identity provider, allowing an external vendor to be identified by their own corporate Azure Active Directory, an independent contractor via their Google login.

The data flow is such that the SSH TCP session is intact from the client to the server: the hostkeys are unaltered, SSH anti-tamper mechanisms are unperturbed. SFTP just works.

The end user can use any SSH client (ssh command line, mobaxterm, putty, etc), with no complicated config to remember. The system administrator can gate access on/off per user, and, see an audit trail of who has accessed what, when, from where.

SSH Access Setup

Note: you can use a site-to-site VPN via IPSEC, or use the onsite Agilicus Secure Exposed Agent for each pool of servers. These instructions assume the latter.

SSH Resource Setup

4 steps:

1. Select the connector (the site on which the underlying SSH resource exists)
2. Create a name for the SSH resource. This will appear as a valid hostname and must be unique within your sub-domain. Feel free to use a pattern, e.g. ‘site-host-ssh’.
3. Select the hostname/IP and port that the SSH server is on in that remote network.
4. Assign permissions (who can use this SSH resource)

The underlying SSH resources will also show up under Network Resources

Using the SSH Resource

If you have not done so, install the Agilicus Launcher on your desktop (Windows, Linux Mac) from profile (https://profile.YOURDOMAIN). The Launcher support runs on demand, it is not a service. It will automatically configure OpenSSH (Windows, MAC, Linux), or Putty (Windows).

Note: The Launcher will configure OpenSSH if the file ~/.ssh/config exists. If you have not used SSH before, you might need to create this file.

The SSH access operates using the SSH ProxyCommand feature. It will create an entry such as:

Host <RESOURCENAME>
  ProxyCommand ~/bin/agilicus-agent wscat --oidc-issuer https://auth.MYCNAME --resource-name %h --port %p

Thus when a user runs ‘ssh <RESOURCENAME>’, they will transparently connect to it. Periodically, a browser will popup to confirm the user identity (optionally with multi-factor authentication).

Similarly the user can run ‘ssh’, ‘scp’ ,’sftp’ as if ‘myco-foo’ where directly internet connected.

Specific SSH Client Configuration

The Launcher, above, will automatically configure your client. If you wish, you may make manual configuration inspired as below. You may also wish to use a wildcard, so that e.g. the following works, and thus ssh <ANYTHING>.MYDOMAIN follows your pattern.

Host *.MYDOMAIN
  ProxyCommand /home/don/.agilicus/agilicus-agent wscat --oidc-issuer https://auth.dbt.agilicus.cloud --resource-name $(echo %h |
sed -e 's?\..*??'g) --port 22