SSH Access

Certificate-based authentication removes the need to approve and distribute individual public keys. Instead of scattering public keys across static authorized_keys files on every server, you bind a public key to a username with a certificate signed by a CA the servers already trust; the certificate carries that username (its principal) and a validity window, so access expires on its own without a key having to be removed from each host.
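To make the binding concrete, here is an added Python example (written for this page; it is not Akeyless or OpenSSH code). It builds a constructed OpenSSH user certificate with placeholder key bytes and a placeholder signature, then evaluates it the way sshd does when deciding whether that key may log in as a given username right now. The field layout follows OpenSSH's PROTOCOL.certkeys; CA signature verification is deliberately left out so the block runs with the standard library alone, so the accept/refuse result covers only the principal and validity half of what a real server enforces. The user name "alice", the key ID, the timestamps and the key bytes are all assumptions.

```python
"""Added example, not Akeyless or OpenSSH code: what an OpenSSH user cert binds.
Builds a constructed ssh-ed25519-cert-v01@openssh.com blob (placeholder key and
signature), then checks it the way sshd does, minus CA signature verification."""
import base64
import struct

CERT_TYPE_USER = 1                      # 2 would be a host certificate
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):
    """SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_user_cert(pubkey, key_id, principals, valid_after, valid_before,
                    serial=1, extensions=("permit-pty",), ca_pubkey=b"\x00" * 32):
    """Encode a user certificate in PROTOCOL.certkeys field order (unsigned)."""
    principals_blob = b"".join(_s(p.encode()) for p in principals)
    ext_blob = b"".join(_s(e.encode()) + _s(b"") for e in extensions)  # name, empty data
    ca_blob = _s(b"ssh-ed25519") + _s(ca_pubkey)
    body = (_s(CERT_ALGO) + _s(b"\x11" * 32) + _s(pubkey)      # algo, nonce, user key
            + struct.pack(">QI", serial, CERT_TYPE_USER)
            + _s(key_id.encode()) + _s(principals_blob)
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(ext_blob) + _s(b"")                # critical opts, exts, reserved
            + _s(ca_blob))
    placeholder_sig = _s(b"ssh-ed25519") + _s(b"\x00" * 64)   # constructed, NOT a real signature
    return body + _s(placeholder_sig)

class _Reader:
    """Cursor over SSH wire-format data."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def uint(self, fmt):                          # ">I" or ">Q"
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self):
        n = self.uint(">I")
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v

    def done(self):
        return self.pos >= len(self.data)

def _strings(blob, pairs=False):
    """Decode a nested list of SSH strings; pairs=True skips each entry's data field."""
    r, out = _Reader(blob), []
    while not r.done():
        out.append(r.string().decode())
        if pairs:
            r.string()
    return out

def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_ALGO:
        raise ValueError("unsupported certificate type")
    r.string()                                   # nonce
    cert = {"pubkey": r.string(), "serial": r.uint(">Q"), "type": r.uint(">I"),
            "key_id": r.string().decode(), "principals": _strings(r.string()),
            "valid_after": r.uint(">Q"), "valid_before": r.uint(">Q"),
            "critical_options": _strings(r.string(), pairs=True),
            "extensions": _strings(r.string(), pairs=True)}
    r.string()                                   # reserved
    cert["ca_key"], cert["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert

def check_access(blob, username, now):
    """sshd's principal and validity checks; returns (allowed, reason)."""
    c = parse_cert(blob)
    if c["type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    # OpenSSH treats an empty principal list as "valid for any user"; refusing it
    # here is the least-privilege choice a deployment should make explicitly.
    if not c["principals"]:
        return False, "certificate names no principals"
    if username not in c["principals"]:
        return False, "%s not in principals %s" % (username, c["principals"])
    if now < c["valid_after"]:                   # sshd accepts valid_after <= now < valid_before
        return False, "certificate not yet valid"
    if now >= c["valid_before"]:
        return False, "certificate expired"
    return True, "ok"

def to_pub_line(blob, comment="alice@laptop"):
    """One-line form as ssh-keygen writes to id_ed25519-cert.pub."""
    return "%s %s %s" % (CERT_ALGO.decode(), base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    cert = build_user_cert(b"\x22" * 32, "alice-2024-01", ["alice"], 1_700_000_000, 1_700_003_600)
    for user, t in (("alice", 1_700_001_000), ("root", 1_700_001_000), ("alice", 1_700_003_600)):
        print(user, t, check_access(cert, user, t))
```

The principals list is the "bind a public key to a username" part of the sentence above; the two timestamps are why no key needs to be revoked. When you inspect a real certificate with `ssh-keygen -L -f id_ed25519-cert.pub`, the Principals, Valid and Extensions lines are these same fields.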

Akeyless SSH Secure Remote Access lets clients reach servers that are not directly reachable over SSH by routing the connection through a bastion host, which proxies between the SSH client and the remote servers. In addition, you can record all SSH session traffic and expose the recordings on the filesystem for log forwarding.

👍

Legacy mode

For legacy applications that do not support SSH certificates, Akeyless offers a hybrid solution that combines certificates and keys. For details, see the Legacy Mode section at the bottom of this page.

Prerequisite

To enable Secure Remote Access for SSH servers you need:

Set Up Remote Access to an SSH server from the Akeyless CLI

Let's set up remote access to an SSH server using the Akeyless CLI.

  1. Run the update-item command to set the following fields on the SSH Certificate Issuer item:
akeyless update-item --name <SSH Cert Issuer Name> \
--secure-access-enable true \
--secure-access-bastion-api <SRA Bastion ssh-sra service control API endpoint URL> \
--secure-access-bastion-ssh <SRA Bastion ssh-sra service IP and port> \
--secure-access-ssh-creds-user <SSH username>

where:

  • secure-access-bastion-api: SRA Bastion ssh-sra service control API endpoint URL (default port 9900).
  • secure-access-bastion-ssh: SRA Bastion ssh-sra service IP and port (default port 22).
  • secure-access-ssh-creds-user: SSH username to connect to the target server; it must appear in the issuer's 'Allowed Users' list.

Set Up Remote Access to an SSH server from the Akeyless Console

Let's set up remote access to an SSH server from the Akeyless Console.

  1. Log in to the Akeyless Console and go to Secrets & Keys.

  2. Select the SSH Cert Issuer item that specifies the SSH server details and access credentials.

  3. Expand the Secure Remote Access menu, select the pencil icon, enable Secure Remote Access, and fill in the following fields:

  • Host(s): The hostname (or IP address) of your SSH target servers.
  • Bastion API URL: SSH Bastion control API endpoint URL (default port 9900).
  • Bastion SSH: SSH Bastion server IP and port (default port 22).
  • Username: SSH username to connect to the target server; it must appear in the issuer's 'Allowed Users' list.

  4. To the right of the Enable Secure Remote Access field, select the tick mark icon to save your changes.

Akeyless Secure Access from CLI

Akeyless enables CLI access from any UNIX terminal.

👍

Note:

Starting from Windows 10, Microsoft supports the native feature "Windows Subsystem for Linux",
which lets you use your Windows machine as a UNIX-like environment.

To use the akeyless connect command from a Windows machine, place the .akeyless-connect.rc script in your home directory.

  1. Download and install the latest version of the Akeyless CLI.

  2. Create your ~/.akeyless-connect.rc (BASTION_API_PROTO and BASTION_API_PORT must match how your bastion's control API is actually exposed):

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------

#
# This file is a user-specific configuration file for akeyless-connect Secure Remote Access.
# It should be located in the user's home directory and named .akeyless-connect.rc
#

# IDENTITY_FILE - the path to the ssh-key to be signed and used for the Zero Trust session (if empty, the default ssh-key is used)
IDENTITY_FILE=""

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for the Zero Trust session
CERT_ISSUER_NAME=""

# AKEYLESS_PROFILE - Akeyless CLI profile to be used
AKEYLESS_PROFILE="default"

# AKEYLESS_GW_REST_API - URL for the Akeyless API Gateway (RestAPI)
AKEYLESS_GW_REST_API=""

# The following are used for the control service, to configure the temporary session:
# ${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}:${BASTION_API_PORT}
#
BASTION_API_PREFIX=""
BASTION_API_PATH=""
BASTION_API_PROTO=http
BASTION_API_PORT=9900

# Allow caching of temp session creds
SESSION_CACHING=no

# Display connection stages
DISPLAY_STAGES=yes
  3. Use the akeyless connect command to authenticate to the target server over SSH via the Akeyless Secure Remote Access Bastion:
akeyless connect -t <[user@]target/hostname/ip[:port]> -n [/path/to/dynamic-secret] -v <bastion-hostname/ip[:port]>

Legacy Mode

โ—๏ธ

Warning

SSH password authentication brings with it risks. Please make sure you are connecting to the correct target server.

To support legacy applications, Akeyless enables a hybrid mode based on SSH certificates and SSH keys. Where your client will connect to the Akeyless SRA bastion via SSH certificate, and the Akeyless SRA bastion will utilize your SSH keys\password to connect to your legacy server.

To work with SSH keys, you will have to create a static secret in an Akeyless vault to store your SSH private key or SSH password. i.e., the secret value should be either your SSH password or your SSH private key.

To enable Secure SSH Access for your target, run the update-item command to set the following fields on the static secret that stores the SSH password or private key:

akeyless update-item --name <Path/to/static/secret> \
--secure-access-enable true \
--secure-access-ssh-creds <password|private-key> \
--secure-access-bastion-issuer </Path/of/SSH Cert Issuer> \
--secure-access-host <Target SSH server>

where:

  • secure-access-ssh-creds: What the static secret's value contains, either password or private-key.
  • secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion (the certificate your client presents to the bastion).
  • secure-access-host: Target server(s) for connections. For multiple values, repeat this flag.

Now you can connect to your target SSH server with the akeyless connect command:

akeyless connect -t <[user@]target/hostname/ip[:port]> -n [/path/to/secret] -v <professional-bastion-hostname/ip[:port]>