Secure Shell (SSH)

Setup Methods

There are two ways to protect SSH servers.

  1. Native 2FA agents
  2. Via TRASA access proxy

Either way, you need to create a service first.

1. Native 2FA agents

You need to install and configure 2FA agents on every SSH server you want to protect. This guide will help you configure native agents.

2. SSH Access Proxy

To use TRASA as an SSH proxy, configure firewall rules so that SSH access to the upstream servers is allowed only from the IP address of the TRASA server.

Now users need to SSH into TRASA proxy instead of the upstream server.

ssh user@TRASA_HOST -p 8022

Here, port 8022 is the default port of the TRASA proxy.

Tip: You can change the default port in the config if you want.

Learn more about accessing the SSH proxy here.

Store Password/Keys in vault

If you save passwords or SSH keys in the TRASA vault, users don't need to enter the upstream server password when accessing it through the TRASA proxy.
Follow this guide to configure and store credentials in the vault.

SSH Certificates

You can use TRASA as an SSH CA.

CA private keys are stored in the vault, so the vault must be in a decrypted state to use the TRASA CA.
If it is not initialized, initialize it first.
If it is not decrypted, decrypt it.

Initialize CA

  • Go to the Providers page.
    (screenshot: download-user-ca)
  • Click the "Certificate Authority" tab.
    (screenshot: ca-tab)
  • Click the "Generate certs" button.
  • Generate both "SSH User CA" and "SSH Host CA".
    (screenshot: generate-ca-dialog)

User Certificates

User certificates are used to authenticate SSH users. They can be used instead of a password or a private key.

If you configure user certificates, you don't need to store passwords or private keys in the vault. During SSH access through the TRASA access proxy, a temporary certificate is used to make the upstream connection. This makes remote access very easy and secure, since the user doesn't need to know the password or store keys.

Now we are going to tell each upstream server to trust any certificate signed by the TRASA CA.
To do that,

  • Download the TRASA CA
    • Go to the Providers page and click the "Certificate Authority" tab.
    • Download the client CA public key (the SSH User CA).
      (screenshot: download-user-ca)
  • Copy the downloaded CA key to the upstream servers.
  • Edit /etc/ssh/sshd_config on the upstream server and add the following:
    TrustedUserCAKeys <path to ca public key>
  • Restart the SSH daemon of the upstream server:
    sudo systemctl restart sshd

Host Certificates

Host certificates are used to verify the authenticity of SSH servers (hosts). We need to generate a host certificate signed by the TRASA SSH CA for each upstream server and configure each server to use its certificate.

After that, when an SSH client connects to that upstream server, it can check whether the host certificate is indeed signed by the TRASA SSH CA.

The TRASA access proxy validates host keys and certificates automatically when you access a server through the proxy. But if you access the SSH server directly, the SSH client (your device) must be configured to trust the TRASA SSH CA.

Configure Upstream Server

  • Go to the service page in the TRASA dashboard.
  • Click the Edit icon in the "Certificates" section.
    (screenshot: services-page)
  • A drawer slides in from the right; click the "Generate and Download" button.
    (screenshot: service-certificate-slider)
  • Copy the downloaded zip file to the upstream server.
  • Extract the files into /etc/ssh.
  • Edit /etc/ssh/sshd_config and add the following:
    HostKey /etc/ssh/id_rsa
    HostCertificate /etc/ssh/id_rsa-cert.pub
  • Restart the sshd daemon:
    sudo systemctl restart sshd

Configure Client Device

Configuring the client device applies when you access SSH servers directly instead of through the TRASA proxy.

  • Go to the Providers page and click the "Certificate Authority" tab.
  • Download the host CA public key.
    (screenshot: download-host-ca)
  • Copy its contents into /etc/ssh/ssh_known_hosts in the following format:
    @cert-authority * <public key content>
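As an added example (not TRASA's own code), the following Python reads the public fields of a certificate line such as the id_rsa-cert.pub from the downloaded zip and checks it against the downloaded Host CA public key: that it is a host certificate rather than a user certificate, that its signing key is the Host CA, and that it is inside its validity window. The certificate and CA key embedded in the block are constructed sample data; the signature itself is not verified here (sshd and ssh do that), only the public fields are decoded.

```python
import base64, struct

# Public-key fields that sit between the nonce and the serial, per certificate type.
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}
TYPE_NAME = {1: "user", 2: "host"}

def _s(b):  # encode an SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):  # decode an SSH "string", returning (value, next offset)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(cert_line):
    """Decode the public fields of an OpenSSH certificate line (e.g. id_rsa-cert.pub)."""
    key_type, blob = cert_line.split()[:2]
    buf = base64.b64decode(blob)
    _, off = _rd(buf, 0)                 # certificate type, repeated inside the blob
    _, off = _rd(buf, off)               # nonce
    for _ in range(KEY_FIELDS[key_type]):
        _, off = _rd(buf, off)           # the certified public key (e and n for RSA)
    _serial, ctype = struct.unpack(">QI", buf[off:off + 12]); off += 12
    key_id, off = _rd(buf, off)
    plist, off = _rd(buf, off)           # principals: a packed list of strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _rd(plist, p); principals.append(name.decode())
    after, before = struct.unpack(">QQ", buf[off:off + 16]); off += 16
    for _ in range(3): _, off = _rd(buf, off)   # critical options, extensions, reserved
    sig_key, _ = _rd(buf, off)           # public key of the CA that signed this cert
    return {"type": TYPE_NAME.get(ctype, "unknown"), "key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before, "ca_key": base64.b64encode(sig_key).decode()}

def check_host_cert(cert_line, host_ca_line, now):
    """Return the problems found; an empty list means the cert is usable as a host cert."""
    c = parse_cert(cert_line)
    checks = [(c["type"] == "host", "not a host certificate (signed by the User CA instead?)"),
              (c["ca_key"] == host_ca_line.split()[1], "signed by a different CA than the downloaded Host CA key"),
              (c["valid_after"] <= now < c["valid_before"], "outside validity window")]
    return [msg for ok, msg in checks if not ok]

# Constructed sample (not real TRASA output): a Host CA key line and an ed25519 cert with an empty signature.
CA_PUB = _s(b"ssh-ed25519") + _s(b"\x11" * 32)
CA_LINE = "ssh-ed25519 " + base64.b64encode(CA_PUB).decode() + " trasa-host-ca"

def make_cert(ctype, ca_pub=CA_PUB):
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x22" * 32)
            + struct.pack(">QI", 1, ctype) + _s(b"web-01") + _s(_s(b"web-01.example.internal"))
            + struct.pack(">QQ", 1_600_000_000, 1_700_000_000) + _s(b"") * 3 + _s(ca_pub) + _s(b""))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

On a real upstream server, pass the contents of /etc/ssh/id_rsa-cert.pub and the downloaded host CA line to check_host_cert with the current Unix time.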

Configuring Google Cloud (GCP) to be accessible from TRASA

By default, Google Cloud uses OS Login, which uses Google identity to manage SSH keys. To use TRASA to manage your SSH keys, you need to disable OS Login and then add SSH keys to the instance or project.

  • Go to the Google Cloud Compute Engine instances page and click the instance you want to configure.
  • Click the "Edit" button.
    (screenshot: edit-instance-btn)
  • Generate a new SSH key:
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
  • Scroll down to the "Custom metadata" section and add a new key: enable-oslogin:FALSE
  • Click the "Add item" button under the SSH Keys section.
  • Copy the contents of [KEY_FILENAME].pub into the field.
    (screenshot: instance-level-metadata)
  • Click Save.
  • Save the contents of [KEY_FILENAME] (the private key) in the TRASA vault.

Tip: If you want to configure this for all instances of a project, go to the Metadata menu on the Compute Engine page.

(screenshot: project-level-metadata)