EZGIT uses SSH certificates to create short-term access keys signed by our HSM-backed Certificate Authority (CA). These keys grant just-in-time access to your GitHub repository while creating an audit log that can be traced back to the user and their actions.
Each GitHub instance gets its own HSM-backed Certificate Authority, creating an identity perimeter limited to your own GitHub organization. If you prefer to have control over your private keys, we also offer a bring-your-own-CA option: you bring your own Azure Key Vault and give EZGIT create and sign permissions, so you are in control of your private keys and how they are used.
Using a short-term certificate sounds like a lot of work for a user each time they want to access your GitHub repositories, but the user is not aware of any of this going on in the background. The user simply types the command and we do all the magic in the backend; the only thing the user knows is that they got a secure way to connect to their infrastructure.
You spend thousands of dollars adding identity protections to your corporate identity: MFA, credential rotation, conditional access, anomaly detection, and more. However, when it comes to accessing and pushing code (one of the most important parts of your business), the user only needs a password or an SSH key that never expires. By using EZGIT, you protect your GitHub repositories with all the same protections you use to protect the rest of your corporate environment.
Most Git client tools use the computer’s default ssh-agent to manage the SSH credentials used to access Git. EZGIT creates the just-in-time (JIT) SSH certificate and adds it to the computer’s default ssh-agent, making EZGIT a seamless experience with your favorite Git tool!
The user types "ezssh git" in their terminal.
If the user is not logged in, EZSSH redirects them to their identity provider to authenticate.
Once the user is authenticated, a short-term asymmetric key pair is created and a certificate request is sent to the EZGIT service. The private key never leaves the user’s computer.
The EZGIT service checks the user mapping to create the correct certificate for GitHub.
EZGIT creates the certificate with the appropriate access level for the user and sends it to the HSM to be signed.
The certificate is signed.
The signed certificate is returned to the user.
EZGIT adds the certificate to the user's ssh-agent, allowing any Git product to use the certificate to authenticate with GitHub.
The user uses their favorite git tool to manage their repositories.
Once the certificate expires, the certificate is removed from the user’s computer.
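The steps above can be reproduced locally with stock OpenSSH tooling to see what a short-lived, auditable certificate contains. This is an added example, not EZGIT's own code: a file-based CA key stands in for the HSM-backed CA, and the identity `alice@example.com`, the GitHub login `alice-gh` and all paths are constructed.

```shell
#!/bin/sh
# Added example. A local CA key file stands in for the HSM-backed CA.
# Identities, logins and paths below are constructed for illustration.

# issue_jit_cert WORKDIR IDENTITY GITHUB_LOGIN VALIDITY
# Creates a fresh user key pair, signs its public half, prints the cert path.
issue_jit_cert() {
    dir=$1; identity=$2; login=$3; validity=$4
    # Stand-in CA. In the flow above the CA private key never leaves the HSM.
    [ -f "$dir/ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$dir/ca"
    # New key pair per request; only user.pub would be sent to the service.
    rm -f "$dir/user" "$dir/user.pub" "$dir/user-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "$identity" -f "$dir/user"
    # -I  key ID that ties the certificate to a user for auditing
    # -V  validity window, after which the certificate is useless
    # -O clear  drops default permissions (pty, forwarding) Git does not need
    # login@github.com is the extension GitHub documents for mapping an
    # SSH certificate to a GitHub account.
    ssh-keygen -q -s "$dir/ca" -I "$identity" -V "$validity" \
        -O clear -O "extension:login@github.com=$login" "$dir/user.pub"
    printf '%s\n' "$dir/user-cert.pub"
}

# cert_field CERT LABEL
# Prints one field ("Key ID", "Valid", "Type", ...) from ssh-keygen -L output.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^ *$2: //p"
}

# load_into_agent KEYFILE SECONDS
# ssh-add also loads KEYFILE-cert.pub; -t makes the agent drop the identity
# after SECONDS, so it disappears along with the certificate's validity.
load_into_agent() {
    ssh-add -q -t "$2" "$1"
}

demo_dir=$(mktemp -d)
cert=$(issue_jit_cert "$demo_dir" 'alice@example.com' 'alice-gh' '+1h')
ssh-keygen -L -f "$cert"          # full certificate contents for review
echo "Key ID: $(cert_field "$cert" 'Key ID')"
echo "Valid:  $(cert_field "$cert" 'Valid')"
# With an agent running: load_into_agent "$demo_dir/user" 3600
rm -rf "$demo_dir"
```

The `Key ID` and `Valid` fields are the ones to check when reviewing issued certificates: the first is what an audit trail can key on, the second bounds how long a stolen certificate and key would remain usable.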