Access Resources Remotely
Depending on the resource type, you can securely access resources in the following ways:
- From the Secure Remote Access Portal, access a resource over the web or using a native CLI.
- With the Akeyless Connect command, access a resource using a native CLI from any UNIX terminal.
Prerequisites
- Secure Remote Access Bastion installed.
- SAML, OIDC, Certificate, or LDAP authentication method available.
- Optional: Web Access Bastion installed.
Connect from the Secure Remote Access Portal
The default authentication method for logging in to the Secure Remote Access Portal is Security Assertion Markup Language (SAML). For details about integrating your SAML authentication with the Akeyless Platform, see here. Alternatively, you can choose OIDC as the authentication method.
- Go to https://zerotrust.akeyless.io.
- In the SAML Access ID field, enter your SAML Access ID, or click the OIDC button to work with OpenID Connect.
- In the Akeyless Gateway URL field, enter your Akeyless Gateway URL on port 8080.
- If you are connecting to a database, SSH server, Windows Server, or RabbitMQ resource, in the Web Client URL field, enter the URL of your Secure Remote Access Bastion with your web-sra cluster service port.
- (Optional) If you are connecting to applications using Web Access in Isolated mode, in the Web Application Dispatcher field, enter the URL of your Web Access Bastion with your web-access-dispatcher cluster service port (the default is 9000). If you are working with Secure Proxy, also set the Web Proxy URL with the web-access-dispatcher cluster service port (the default is 19414).
- Click Sign in.
The portal shows all the supported resource types. The number of resources of a particular type that you are authorized to access appears in the top-right corner of the resource tile.
Note
To simplify login, after you enter all the required information but before you sign in, select Generate SAML Bookmark URL to create a link to the completed form. The link is copied to your clipboard for you to save in a convenient place, such as your browser bookmarks, and use in the future to automatically complete the login details.
Connect from a UNIX Terminal
The Akeyless Connect command provides secure CLI access to resources, or a secure tunnel, from any UNIX terminal.
Prerequisites
To use Akeyless Connect you need:
- Akeyless CLI version 1.42.0 or higher.
- An SSH certificate issuer for certificate authentication.
- OpenSSH V7.2 or higher on the target servers.
Info
The akeyless connect command also supports the legacy ~/.akeyless-sphere.rc configuration file.
Set Up Akeyless Connect
- Download the latest version of the Akeyless Command Line Interface (CLI).
- Create a resource file called ~/.akeyless-connect.rc as follows:
# ---------------------------------------------------------------------
# Copyright © 2021 Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------
#
# This file is a user-specific configuration file for the akeyless connect command (Zero Trust Access).
# It should be located in the user's home directory and named .akeyless-connect.rc
# (the legacy name .akeyless-sphere.rc is also supported).
#
# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
IDENTITY_FILE=""
# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
CERT_ISSUER_NAME=""
# AKEYLESS_PROFILE - Akeyless CLI profile to be used
AKEYLESS_PROFILE="default"
# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_GW_REST_API=""
# Following are used for control service, to configure the temporary session:
# ${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}:${BASTION_API_PORT}
#
BASTION_API_PREFIX=""
BASTION_API_PATH=""
BASTION_API_PROTO=http
BASTION_API_PORT=9900
BASTION_SSH_PORT=22
# Allow caching of temp session creds
SESSION_CACHING=no
# Display connection stages
DISPLAY_STAGES=yes
# Use SSH Agent to store user's identity keys.
USE_SSH_AGENT=no
The latest version of this file can be found in the Akeyless official artifacts.
Set the following settings as follows:
- CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificate Issuer item.
- AKEYLESS_PROFILE - The Akeyless Command Line Interface (CLI) profile to use. By default, the default profile of your Akeyless CLI is used.
- AKEYLESS_GW_REST_API - Your Akeyless Gateway URL on port 8080, used for Zero-Knowledge items and for internal network access.
- BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.
- BASTION_API_PORT - Default is 9900. Set to your matching ssh-sra cluster service port.
- BASTION_SSH_PORT - Default is 22. Set to your matching ssh-sra cluster service port.
Optionally, when working with Application Load Balancers, you can set the exact path of your ssh-sra service, which listens on the bastion API control port:
- BASTION_API_PREFIX - Set your path prefix.
- BASTION_API_PATH - Set your path suffix.
The URL is then assembled as follows:
${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}:${BASTION_API_PORT}
Note
From Windows 10, the Windows Subsystem for Linux feature enables you to use your Windows OS environment as a UNIX-like system. To work with the akeyless connect command from a Windows machine, place the .akeyless-connect.rc file in your home directory.
- Use the akeyless connect command to connect to a resource through the Secure Remote Access Bastion:
akeyless connect -t <[user@]target/hostname/ip[:port]> via <sra-bastion-ssh-sra-service/ip[:port]>
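The rc file above is read by the CLI, but it is worth checking it yourself before the first connection. The following script is an added example (not Akeyless code): it reads an ~/.akeyless-connect.rc-style file without sourcing it, assembles the bastion control URL exactly as the file's own template describes, and flags settings a reviewer would question (empty cert issuer, plain http to the bastion, session caching, loose file permissions). Hostnames, the issuer path and the /sra path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Akeyless code: read an ~/.akeyless-connect.rc-style file
# without sourcing it (so a tampered rc cannot run commands), assemble the
# bastion control URL the way the file's own template describes, and flag
# settings worth reviewing before first use. All values below are constructed.
# rc_get FILE KEY: value of the last KEY=... line, with surrounding quotes stripped.
rc_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}
# build_bastion_url FILE BASTION_HOST, following the rc file's template:
# ${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}:${BASTION_API_PORT}
build_bastion_url() {
  proto=$(rc_get "$1" BASTION_API_PROTO); [ -n "$proto" ] || proto=http
  port=$(rc_get "$1" BASTION_API_PORT);   [ -n "$port" ] || port=9900
  printf '%s://%s%s%s:%s\n' "$proto" "$(rc_get "$1" BASTION_API_PREFIX)" "$2" \
    "$(rc_get "$1" BASTION_API_PATH)" "$port"
}
# check_rc FILE: print one finding per line; exit status 0 only when clean.
check_rc() {
  findings=0
  [ -n "$(rc_get "$1" CERT_ISSUER_NAME)" ] ||
    { echo "CERT_ISSUER_NAME is empty: no SSH cert issuer for the session"; findings=$((findings+1)); }
  [ "$(rc_get "$1" BASTION_API_PROTO)" = https ] ||
    { echo "BASTION_API_PROTO is not https: bastion control traffic is sent in clear"; findings=$((findings+1)); }
  [ "$(rc_get "$1" SESSION_CACHING)" != yes ] ||
    { echo "SESSION_CACHING=yes: temporary session credentials will be cached"; findings=$((findings+1)); }
  # Group/other bits are columns 5-10 of ls -l; the file names your identity key.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    { echo "$1 is readable by group/other: chmod 600 it"; findings=$((findings+1)); }
  [ "$findings" -eq 0 ]
}
# write_sample_rc FILE: constructed sample with placeholder hostnames and paths.
write_sample_rc() {
  cat > "$1" <<'EOF'
IDENTITY_FILE=""
CERT_ISSUER_NAME="/Infra/ssh-cert-issuer"
AKEYLESS_PROFILE="default"
AKEYLESS_GW_REST_API="https://gw.example.internal:8080"
BASTION_API_PREFIX=""
BASTION_API_PATH="/sra"
BASTION_API_PROTO=https
BASTION_API_PORT=9900
BASTION_SSH_PORT=22
SESSION_CACHING=no
EOF
  chmod 600 "$1"
}
```

Run `check_rc ~/.akeyless-connect.rc` against your real file; a non-zero exit lists what to fix, and `build_bastion_url ~/.akeyless-connect.rc <bastion-host>` shows the control URL the CLI will contact.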
Legacy Mode
To support legacy applications, Akeyless enables a hybrid mode based on SSH certificates and SSH keys. When a user accesses a legacy resource, the platform uses an SSH certificate to connect to the Secure Remote Access Bastion. The SRA Bastion, in turn, uses your SSH key or password to connect to the legacy resource.
Critical
There are risks to SSH password authentication. Ensure you are connecting to the correct resource.
- Create a static secret in Akeyless whose value is your SSH private key or SSH password.
- Run the update-item command to enable either the ssh-password or ssh-private-key mode on the secret:
akeyless update-item --name <Path/to/static/secret> \
  --secure-access-enable true \
  --secure-access-ssh-creds <password|private-key> \
  --secure-access-bastion-issuer </Path/of/SSH-Cert-Issuer> \
  --secure-access-host <Target-SSH-server>