Access Resources Remotely

Depending on the resource type, you can securely access resources in the following ways:

Prerequisites

Connect from the Secure Remote Access Portal

The default authentication method for logging in to the Secure Remote Access Portal is Security Assertion Markup Language (SAML). For details about integrating your SAML authentication with the Akeyless Platform, see here. Alternatively, you can choose OIDC to set the default authentication method.

  1. Go to https://zerotrust.akeyless.io.
  2. In the SAML Access ID field, enter your SAML Access ID. or click the OIDC button to work with OpenID Connect.
  3. In the Akeyless Gateway URL field, enter your Akeyless Gateway URL on port 8080.
  4. If you are connecting to a database, SSH server, Windows Server, or RabbitMQ resources, in the Web Client URL field, enter the URL of your Secure Remote Access Bastion with your web-sra cluster service port.
  5. (Optional) If you are connecting to applications using Web Access in Isolated mode, in the Web Application Dispatcher field, enter the URL of your Web Access Bastion with your web-access-dispatcher cluster service port, the default set to 9000. If you are working with Secure Proxy, also set the Web Proxy URL with the web-access-dispatcher cluster service port, the default set to19414.
  6. Click Sign in.
    The portal shows all the supported resource types. The number of resources of a particular type that you are authorized to access appears in the top-right corner of the resource tile.

👍

Note

To simplify login, after you enter all the required information but before you sign in, select Generate SAML Bookmark URL to create a link to the completed form. The link is copied to your clipboard for you to save in a convenient place, such as your browser bookmarks, and use in the future to automatically complete the login details.

Connect from a UNIX Terminal

Akeyless Connect command provides you with secure CLI access to resources or a secure tunnel from any UNIX terminal.

Prerequisites

To use Akeyless Connect you need:

📘

Info

Akeyless connect command supports legacy ~/.akeyless-sphere.rc configuration file.

  1. Download the latest version of Akeyless Command Line Interface (CLI).

  2. Create a resource file called ~/.akeyless-connect.rc as follows:

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------

#
# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc
#

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
IDENTITY_FILE=""

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
CERT_ISSUER_NAME=""

# AKEYLESS_PROFILE - Akeyless CLI profile to be used
AKEYLESS_PROFILE="default"

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_GW_REST_API=""

# Following are used for control service, to configure the temporary session:
# ${BASTION_API_PROTO}://"${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}":"${BASTION_API_PORT}
#
BASTION_API_PREFIX=""
BASTION_API_PATH=""
BASTION_API_PROTO=http
BASTION_API_PORT=9900
BASTION_SSH_PORT=22

# Allow caching of temp session creds
SESSION_CACHING=no

# Display connection stages
DISPLAY_STAGES=yes

# Use SSH Agent to store user's identity keys.
USE_SSH_AGENT=no

The latest version of this file can be found in Akeyless official artifacts.

Set the following settings as follow:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the default profile that will be used from your Akeyless Command Line Interface (CLI). By default, it's using the default profile of your Akeyless CLI.

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.

Optional when working with Application Load Balancers, you can set the exact path of your ssh-sra service, which listens to the bastion api control port:

BASTION_API_PREFIX - Set your path prefix

BASTION_API_PATH - Set your path suffix

Where the URL will be set as follow:

${BASTION_API_PROTO}://"${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}":"${BASTION_API_PORT}

👍

Note

From Windows 10, the Windows subsystem for Linux feature enables you to use your Windows OS environment as a UNIX-like system. To work with Akeyless connect command from a Windows machine, place the .akeyless-connect.rc script in your home directory.

  1. Use the akeyless connect command to connect to a resource through the Secure Remote Access Bastion:
akeyless connect -t  <[user@]target/hostname/ip[:port]> via <sra-bastion-ssh-sra-service/ip[:port]>

Legacy Mode

To support legacy applications, Akeyless enables a hybrid mode based on SSH certificates and SSH keys. When a user accesses a legacy resource, the platform uses an SSH certificate to connect to the Secure Remote Access Bastion. The SRA Bastion, in turn, uses your SSH key or password to connect to the legacy resource.

❗️

Critical

There are risks to SSH password authentication. Ensure you are connecting to the correct resource.

  1. Create a static secret in Akeyless, the value of which is your SSH private key or SSH password.

  2. Run the update-item command to enable either the ssh-password or ssh-private-key mode to the secret.

akeyless update-item --name <Path/to/static/secret> /
--secure-access-enable true /
--secure-access-ssh-creds  <[password/private-key> /
--secure-access-bastion-issuer </Path/of/SSH Cert Issuer> /
--secure-access-host <Target SSH server >