Zero-Trust SSH Access
SSH Access via Zero Trust
SSH by its very nature is end-to-end encryption with strong protection against Man-In-The-Middle attacks. All servers need to be accessible via SSH to be manageable, often by external users (e.g. vendors, outsourced NOC, etc). However, despite SSH being strong on encryption it is challenging on accessiblity. The servers are typically on private networks (e.g. Virtual-Private-Cloud VPC, internal network VLAN’s, etc). Making them directly accessible to the Internet can be dangerous (we would have to somehow police that all users have passphrases on their keys, that we don’t have passwords allowed, etc.). SSH jump-boxes add a step to the workflow, are difficult to ssh-port-forward and scp through. VPN access is difficult to secure on a per-server basis, often being all-or-none.
In this guide we will setup the Agilicus Zero-Trust Network Access to directly access arbitrary SSH servers. The users will see them as being directly Internet connected. The users will have zero configuration (after the initial setup). Users can be individually authorised on a per SSH server basis. Additionally, users can be federated for identity by any upstream identity provider, allowing an external vendor to be identified by their own corporate Azure Active Directory, an independent contractor via their Google login.
The data flow is such that the SSH TCP session is intact from the client to the server: the hostkeys are unaltered, SSH anti-tamper mechanisms are unperturbed. SFTP just works.
The end user can use any SSH client (ssh command line, mobaxterm, putty, etc), with no complicated config to remember. The system administrator can gate access on/off per user, and, see an audit trail of who has accessed what, when, from where.
SSH Access Setup
Note: you can use a site-to-site VPN via IPSEC, or use the onsite Agilicus Connector for each pool of servers. These instructions assume the latter.
CREATE ORGANISATION
Your Organisation lets you setup your identity providers, your DNS name (CNAME), and control your users.
See SIGNUP
SETUP IDENTITY PROVIDERS
You can enable Google, Apple, LinkedIn as check box items. You may also wish to enable Azure Active Directory
Also setup initial users and group membership.
CREATE CONNECTOR PER SITE
Each pool of servers needs a method to reach it. This can be a site-to-site VPN, or an on-site connector. Install a connector now, this may be on each SSH server, on 1 of the servers that can reach the others, on a machine in the same network, its up to you.
CREATE SSH RESOURCE
The SSH resource has a unique name, a upstream host-name, and upstream port. Configuration will be automatically created for desktop clients such as OpenSSH or Putty.
ASSIGN PERMISSIONS
We must now assign ‘Owner’ permission to each user or group that should be able to connect. See “Resource Permissions” for more information.
SSH Resource Setup
4 steps:
- Select the connector (the site on which the underlying SSH resource exists)
- Create a name for the SSH resource. This will appear as a valid hostname and must be unique within your sub-domain. Feel free to use a pattern, e.g. ‘site-host-ssh’.
- Select the hostname/IP and port that the SSH server is on in that remote network.
- Assign permissions (who can use this SSH resource)
The underlying SSH resources will also show up under Network Resources.
Using the SSH Resource
If you have not done so, install the Agilicus Launcher on your desktop (Windows, Linux Mac) from profile (https://profile.YOURDOMAIN). The Launcher support runs on demand, it is not a service. It will automatically configure OpenSSH (Windows, MAC, Linux), or Putty (Windows).
Note: The Launcher will configure OpenSSH if the file ~/.ssh/config exists. If you have not used SSH before, you might need to create this file.
At this stage, you can ssh directly to the server, using the name you gave above. For example, if in step 4 you called the SSH resource “foobar”, you can type ‘ssh foobar’. This might bring up a browser to identify you and/or perform multi-factor authentication. The data flow is as shown below.
Related Configuration
Return to Product Configuration
- Agilicus AnyX Frequently Asked Questions
- VNC Desktop
- Agilicus Connector – Container/Docker
- Agilicus Connector – NanoPI R5S
- Agilicus AnyX Product Updates
- Agilicus Connector – Microsoft Windows
- Sign-In Errors
- Time Synchronisation
- Locked-Down Networks Certificate Revocation
- Signup: Firewall Configuration
- Geo-Location-Based Access Control
- Resources – Overview, Concepts
- Connect to VTScada – Adding a Web Application
- Web Application Security
- Administrative Users
- Define Application: Proxy
- Authorisation rules
- Real VNC & Raspberry Pi
- Connector Install: Raspberry Pi
- Kubernetes Connector Install
- Linux, FreeBSD, Embedded Connector Install
- Connector Install: Ubiquiti EdgeRouter X
- Audit Destinations
- Agilicus Connector Install: MikroTik RouterOS
- Connector Install: Netgate SG-1100 pfSense
- Identity Group Mapping
- Billing
- Auto-Create Users From Specific Domain With Google Workplace
- Organisation
- Authentication Audit
- Authentication Issuer – Custom Identity
- Sign Up
- Microsoft ClickOnce
- Groups
- Agilicus Connector Windows Cluster
- Launchers
- Forwarding
- Usage Metrics
- Service Accounts
- Identity & Authentication Methods
- Content Security Policy
- Users
- Sign-In Theming
- Sign in With Apple
- Azure Active Directory
- Sign in With Microsoft
- Agilicus Launcher (Desktop)
- Agilicus-Connector
- Zero-Trust SSH Access
- Theory of Operation: CNAME + DOMAIN
- Zero-Trust Desktop Access
- Command Line API Access
- Applications
- Permissions
- Profile
- Multi-Factor Authentication
- Authentication Rules
- Application Request Access
- OpenWRT Connector Install
- Synology Connector Install
- Authentication Clients
- Shares
- Services
- Resource Permissions
- Resource Groups
- Legacy Active Directory