
Zero-Trust SSH Access

SSH Access via Zero Trust

SSH by its very nature is end-to-end encryption with strong protection against man-in-the-middle attacks. All servers need to be accessible via SSH to be manageable, often by external users (e.g. vendors, an outsourced NOC, etc). However, despite SSH being strong on encryption, it is challenging on accessibility. The servers are typically on private networks (e.g. a Virtual Private Cloud (VPC), internal network VLANs, etc). Making them directly accessible to the Internet can be dangerous (we would have to somehow police that all users have passphrases on their keys, that password authentication is not allowed, etc). SSH jump-boxes add a step to the workflow and are difficult to ssh-port-forward and scp through. VPN access is difficult to secure on a per-server basis, often being all-or-none.

In this guide we will set up the Agilicus Zero-Trust Network Access to directly access arbitrary SSH servers. The users will see them as being directly Internet connected. The users will have zero configuration (after the initial setup). Users can be individually authorised on a per-SSH-server basis. Additionally, users can be federated for identity by any upstream identity provider, allowing an external vendor to be identified by their own corporate Azure Active Directory, and an independent contractor via their Google login.

The data flow is such that the SSH TCP session is intact from the client to the server: the hostkeys are unaltered, SSH anti-tamper mechanisms are unperturbed. SFTP just works.

The end user can use any SSH client (ssh command line, MobaXterm, Putty, etc), with no complicated config to remember. The system administrator can gate access on/off per user, and see an audit trail of who has accessed what, when, and from where.

SSH Access Setup

Note: you can use a site-to-site VPN via IPSEC, or use the onsite Agilicus Secure Exposed Agent for each pool of servers. These instructions assume the latter.

STEP 1: CREATE ORG

CREATE ORGANISATION

Your Organisation lets you set up your identity providers, your DNS name (CNAME), and control your users.
See SIGNUP

STEP 2: SETUP IDENTITY

SETUP IDENTITY PROVIDERS

You can enable Google, Apple and LinkedIn as check box items. You may also wish to enable Azure Active Directory.
Also set up the initial users and group membership.

STEP 3: CREATE CONNECTOR

CREATE CONNECTOR PER SITE

Each pool of servers needs a method to reach it. This can be a site-to-site VPN, or an on-site agent connector. Install a connector now; this may be on each SSH server, on one of the servers that can reach the others, or on a machine in the same network. It's up to you.

STEP 4: CREATE NETWORK RESOURCE

CREATE SSH RESOURCE

The SSH resource has a unique name, an upstream host-name, and an upstream port. Configuration will be automatically created for desktop clients such as OpenSSH or Putty.

STEP 5: ASSIGN PERMISSIONS

ASSIGN PERMISSIONS

We must now assign ‘Owner’ permission to each user or group that should be able to connect. See “Resource Permissions” for more information.


SSH Resource Setup

4 steps:

  1. Select the connector (the site on which the underlying SSH resource exists)
  2. Create a name for the SSH resource. This will appear as a valid hostname and must be unique within your sub-domain. Feel free to use a pattern, e.g. ‘site-host-ssh’.
  3. Select the hostname/IP and port that the SSH server is on in that remote network.
  4. Assign permissions (who can use this SSH resource)

The underlying SSH resources will also show up under Network Resources.

Using the SSH Resource

If you have not done so, install the Agilicus Launcher on your desktop (Windows, Linux, Mac) from profile (https://profile.YOURDOMAIN). The Launcher runs on demand; it is not a service. It will automatically configure OpenSSH (Windows, Mac, Linux), or Putty (Windows).

Note: The Launcher will configure OpenSSH if the file ~/.ssh/config exists. If you have not used SSH before, you might need to create this file.

The SSH access operates using the SSH ProxyCommand feature. It will create an entry such as:

Host <RESOURCENAME>
  ProxyCommand ~/bin/agilicus-agent wscat --oidc-issuer https://auth.MYCNAME --resource-name %h --port %p

Thus when a user runs ‘ssh <RESOURCENAME>’, they will transparently connect to it. Periodically, a browser will pop up to confirm the user identity (optionally with multi-factor authentication).

Similarly, the user can run ‘ssh’, ‘scp’ or ‘sftp’ as if ‘myco-foo’ were directly Internet connected.

Specific SSH Client Configuration

The Launcher, above, will automatically configure your client. If you wish, you may make a manual configuration inspired by the example below. You may also wish to use a wildcard, so that ‘ssh <ANYTHING>.MYDOMAIN’ follows your pattern, as in the following:

Host *.MYDOMAIN
  ProxyCommand /home/don/.agilicus/agilicus-agent wscat --oidc-issuer https://auth.dbt.agilicus.cloud --resource-name $(echo %h | sed -e 's?\..*??g') --port 22

  1. Download agilicus-agent to a location the user has read/write access to, and make it executable.
  2. Add a line to ~/.ssh/config (either one per service, or using patterns) as below:

Host RESOURCENAME
  ProxyCommand ~/.agilicus/agilicus-agent wscat --oidc-issuer https://auth.MYCNAME --resource-name %h --port %p
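The manual steps above, together with the earlier note that ~/.ssh/config must exist, can be scripted. The following is an added example (not Agilicus code): it creates the config file and directory with the permissions OpenSSH expects if they are missing, and appends one ProxyCommand block per resource without duplicating an existing one. The config path, resource name, issuer host and agent path are passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the Agilicus tooling.
# Usage: add_ssh_resource <config-file> <resource-name> <issuer-host> <agent-path>
add_ssh_resource() {
  cfg="$1"; resource="$2"; issuer="$3"; agent="$4"
  dir=$(dirname "$cfg")

  # OpenSSH expects ~/.ssh to be 700 and config to be 600; create them
  # that way so a fresh machine (no prior SSH use) does not trip over it.
  [ -d "$dir" ] || mkdir -m 700 "$dir"
  if [ ! -f "$cfg" ]; then
    : > "$cfg"
    chmod 600 "$cfg"
  fi

  # Refuse to add a second block for the same resource: OpenSSH uses the
  # first matching Host block, so a duplicate would silently shadow edits.
  if grep -qx "Host $resource" "$cfg"; then
    echo "Host $resource already present in $cfg" >&2
    return 1
  fi

  # %%h / %%p are escaped so printf emits the literal %h and %p tokens
  # that ssh expands to the host name and port at connection time.
  printf 'Host %s\n  ProxyCommand %s wscat --oidc-issuer https://%s --resource-name %%h --port %%p\n\n' \
    "$resource" "$agent" "$issuer" >> "$cfg"
}

# Example invocation (constructed values):
# add_ssh_resource "$HOME/.ssh/config" site-host-ssh auth.MYCNAME "$HOME/.agilicus/agilicus-agent"
```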

Now we have the Agilicus agent downloaded and on the path. We can set up .ssh/config in the same way as previously:

Host <RESOURCENAME>
  ProxyCommand ~/.agilicus/agilicus-agent wscat --oidc-issuer https://auth.MYCNAME --resource-name %h --port %p

Note: at this time, from the ‘shell’, we can ‘ssh RESOURCENAME’ directly. However, the ‘tabbed sessions’ view does not appear to support ProxyCommand. As a workaround, create a new tabbed session, use type=shell, and make the command-line be ‘ssh RESOURCENAME’. This will allow direct launching of individual ssh hosts from the tab interface.

Download the Agilicus Agent:

In the Connection/Proxy section, add a line, changing the path and issuer according to your environment. Unfortunately, Putty cannot expand environment variables. In the example, where we have %LOCALAPPDATA%, find the proper value for your system (typically by running the following in a command prompt):

echo %LOCALAPPDATA%
C:\Users\don\AppData\Local

Your command will look as below; please fill in %LOCALAPPDATA%:

%LOCALAPPDATA%\Agilicus\agent\agilicus-agent.exe wscat --oidc-issuer https://auth.MYCNAME --hostname %host --port %port

  1. Create a session. The hostname will be as in the ‘host’ column (column 2) in the networks tab in the Admin portal.
  2. Set a Local proxy as below.
  3. Save the session.