How Passwordless SSH Works in EZSSH and Entra ID
How Passwordless SSH Works
EZSSH uses SSH Certificates to create short-term access keys signed by our HSM backed Certificate Authority (CA) that will grant just in time access to your resource while creating an audit log that can be traceable back to the user and their actions.
Isolated SSH Certificate Authorities
Each policy inside each customer's account will get their own HSM backed Certificate Authority, creating an identity perimeter limited to your own access policy. We also offer a bring your own CA option where we you can bring your own Azure Key Vault give EZSSH create, and sign permissions and you are in control of your private key and how they are used.
Transparent to the User
While using a short-term certificate sounds like a lot of work for a user each time they want to login. The user is not aware of all of this going on in the background. The user simply types the command, and we do all the magic in the backend, the only thing the user knows is they got a secure way to connect to their infrastructure.
No Agent Required
Since EZSSH uses native SSH Certificates, most Linux distros have the ability to trust a specified certificate authority and accept certificates from it without having to do constant changes. Once it is trusted, any certificate that meets the requirements set by the admin will be grated access. This avoids having to run a highly privileged agent or any third-party code in your servers.
User Workflow
The user Types EZSSH ssh -e [username@host]
If the user is not logged in, EZSSH redirects you to your Identity provider to authenticate.
Once the user is authenticated, the request is sent to the EZSSH service.
The EZSSH Service checks that user's access to the endpoint the user requested and applies the appropriate approval workflow (the user can be auto approved, need a dual key approval from another user, or automatically denied).
Once the approval is processed, the EZSSH client creates a new SSH key for the user (the private key never leaves the user's computer) and sends the public key to be signed by EZSSH.
EZSSH creates the certificate with the appropriate access level for the user, and sends it to the HSM to be Signed.
The certificate is signed.
Signed certificate is returned to the user.
EZSSH calls your computer native SSH client to start the SSH connection to your host using the newly created certificate.
Once the certificate expires, the certificate is removed from the user's computer.
Host Setup
The resource owner creates an EZSSH policy.
EZSSH creates a HSM protected unique key for this policy.
This policy's key is added as a trusted CA to the servers. (This can be done automatically by EZSSH if the resources are hosted in Azure, or manually running the scripts that EZSSH created for the policy)
The resources now will accept SSH certificates signed by your policy's private key and the users will experience passwordless SSH experience.