When SSH was created, the average configuration was a few machines in a trusted network, with only a few engineers needing access to it. As the move to the cloud exploded, this is no longer the case. Companies have hundreds of engineers accessing thousands or millions of endpoints, across multiple clouds and hybrid environments. This move introduced the zero-trust design. Many Identity providers have adapted to this model by adding multi-factor authentication, conditional access, just in time access, security detections, and more. Unfortunately, one of the most important asset’s identity perimeter was left behind: SSH.
While large companies such as Facebook, Netflix, Uber, and Lyft have modernized their SSH stack to use the new SSH Certificates authentication standard, most companies still rely on hundreds of SSH keys across their endpoints with no expiration or very labor-intensive lifecycle procedures.
The main difference between SSH Key authentication and SSH Certificate authentication, comes down to what a server trust. With SSH keys, each key has to be added to all servers and since they do not expire, they also have to be removed when the engineer no longer needs access to the endpoint. When using SSH Certificate authentication, the Certificate authority’s key is the one trusted by the server, meaning that any SSH key signed by the CA’s key will be trusted. Sounds confusing, but once you understand it, makes life way simpler by solving all the problems SSH keys have. Learn more about SSH Certificates in our How SSH Certificates Work Blog
This is why we created EZSSH. EZSSH is an easy-to-use tool that removes the need to manually add each key to the endpoint and manually remove it when the user or machine no longer need access to the endpoint. EZSSH uses SSH Certificates, to create an SSH Certificate Authority that your endpoints trust and then issues short term signed certificates to your users and machines to access the endpoint for the approved amount of time.
Using SSH Certificates might sound hard to implement and use, but EZSSH makes it easier than regular SSH Keys. By creating scripts you can run to trust the CA in your endpoints (no agent required SSH Certificates are supported by OpenSSH meaning that from a small IoT endpoint to a huge cloud server, SSH Certificates are supported), to having a client that users can use to request and access endpoints by just calling ezssh ssh -e youruser@yourendpoint and authenticating with their secure production identity EZSSH will get the certificate in the background and connect the user, no more emailing the security team to add your key to the endpoint, as long as you have access in the access policy you get access to the endpoints in the policy.
EZSSH does not only make it easier to onboard and lifecycle keys, it also makes it more secure. By using your secure production identity, all the security features your identity provider has are translated to your SSH authentication.
At Keytos we know that for the most critical workloads sometimes the identity provider security is not enough, and additional dual key approvals are necessary. This is why we also offer manual approval identity management option for requiring a dual key approval for access to your most critical endpoints.
As you can see SSH Certificates will not only save you time and money, it will also make your organization more secure. So what are you waiting for? Request a demo and join Lyft, Facebook and many more using SSH Certificates to protect their SSH endpoints.
