Aporeto allows you to manage, control, and monitor secure shell (SSH) access to remote hosts.
Aporeto certificate authority: Aporeto provides a certificate authority that signs and issues OpenSSH certificates using the ECDSA algorithm with a 256-bit key.
Single sign-on: Aporeto integrates with your existing identity provider, giving users single sign-on access to SSH certificates.
Short-lived certificates: Convenient access to certificates allows you to set short lengths of validity, giving users just enough time to accomplish a discrete task.
Local private keys: Users generate a local public-private key pair. The private key never goes over the wire. It's stored only on the user's local host, protected by file permissions and a password.
Namespaced access: Users can use the same certificate to access more than one remote host. For example, you can allow a user to access any server in the development environment but no servers in the production environment.
One-time server setup: Once you perform some initial configuration on the remote host, Aporeto manages the user certificates for you. You won't need to manually copy keys to the
Monitoring, auditing, and alerts: Aporeto SSH certificates include custom extensions containing identity and namespace attributes, giving you context and visibility into user activity across hosts. You can access your logs through the Aporeto web interface or export them to the tool of your choice.
Restrict sudo access: Trusted users can issue sudo commands, each one logged for forensics and analysis. You can configure alerts for problematic commands, such as tampering with the Aporeto SSH controls.
Control connections: You can control SSH session communications with network policy.
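The features above rest on OpenSSH's own certificate mechanism: a CA signs a user's public key, the certificate carries principals (the namespace boundary), a validity window (short-lived access), and extensions (identity context for auditing), and the host trusts the CA once. The script below is an added example, not Aporeto's or apoctl's code, that walks that flow with stock ssh-keygen. The CA, the user "alice", the principal "dev-hosts", the namespace "/acme/dev" and the extension names "aporeto-identity" and "aporeto-namespace" are constructed for the demo; the page does not name Aporeto's real extension names. Everything is written to a temporary directory, so the system sshd is untouched.

```shell
#!/bin/sh
# Added example (not Aporeto's tooling): short-lived OpenSSH user certificates
# with a P-256 CA, a principal, custom extensions and the host-side trust setup.
# All names below (alice, dev-hosts, /acme/dev, aporeto-*) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT   # private keys never outlive the demo

# Step 1: the CA key pair, ECDSA P-256 (a 256-bit key, as the page describes).
make_ca() {
    [ -f "$WORK/ca" ] || ssh-keygen -q -t ecdsa -b 256 -N "" -C "demo-ca" -f "$WORK/ca"
}

# Step 2: the user's local key pair. Only id_user.pub is handed to the CA;
# the private key stays where it was generated.
make_user_key() {
    [ -f "$WORK/id_user" ] || ssh-keygen -q -t ecdsa -b 256 -N "" -C "alice" -f "$WORK/id_user"
}

# Step 3: sign the public key into a user certificate.
#   -V +10m         valid for ten minutes from now (short-lived access)
#   -n <principal>  the host only accepts it for accounts that list this
#                   principal, which is how one cert can cover a whole
#                   environment and nothing else
#   -O extension:   custom extensions; sshd ignores unknown extensions, so they
#                   are safe to carry identity/namespace attributes for audit
# Prints the path of the certificate ssh-keygen writes (id_user-cert.pub).
issue_cert() {
    principal="$1"; identity="$2"; namespace="$3"
    ssh-keygen -q -s "$WORK/ca" -I "$identity" -n "$principal" -V "+10m" \
        -O "extension:aporeto-identity=$identity" \
        -O "extension:aporeto-namespace=$namespace" \
        "$WORK/id_user.pub"
    echo "$WORK/id_user-cert.pub"
}

# Step 4, the one-time host setup: trust the CA's public key and map principals
# to local accounts. Written under $WORK/etc/ssh here, not /etc/ssh.
write_host_config() {
    mkdir -p "$WORK/etc/ssh/auth_principals"
    cp "$WORK/ca.pub" "$WORK/etc/ssh/user_ca.pub"
    printf 'TrustedUserCAKeys %s\nAuthorizedPrincipalsFile %s/%%u\n' \
        "$WORK/etc/ssh/user_ca.pub" "$WORK/etc/ssh/auth_principals" \
        > "$WORK/etc/ssh/sshd_certs.conf"
    # the "alice" account accepts certificates carrying the dev-hosts principal
    echo "dev-hosts" > "$WORK/etc/ssh/auth_principals/alice"
}

# What the host (and an auditor) can read off the certificate without any
# extra infrastructure: type, principals, validity window, extensions.
inspect_cert() {
    ssh-keygen -L -f "$1"
}

run_demo() {
    make_ca
    make_user_key
    cert="$(issue_cert dev-hosts alice /acme/dev)"
    write_host_config
    inspect_cert "$cert"
    echo "--- host config ($WORK/etc/ssh/sshd_certs.conf):"
    cat "$WORK/etc/ssh/sshd_certs.conf"
}

# Run the whole flow when executed directly; skip quietly if ssh-keygen is absent.
if command -v ssh-keygen >/dev/null 2>&1; then
    run_demo
else
    echo "ssh-keygen not found; install openssh-client to run this demo" >&2
fi
```

In the ssh-keygen -L output the two custom extensions appear by name under "Extensions:" (flagged as unknown options, which is expected for vendor extensions), and the "Valid:" line shows the ten-minute window. The host-side fragment is what "one-time server setup" amounts to with plain OpenSSH: after TrustedUserCAKeys is in place, no per-user keys need to be copied to the host, and revoking or narrowing access is a matter of what the CA signs and which principals each account lists.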
This section takes you through each phase of the initial setup. Once you have completed the setup, the user's authorization sequence looks as follows.
Users can execute a single apoctl command to accomplish all the steps in the diagram or perform each step manually.
Observe that the user has an Aporeto token at the beginning of the sequence shown above. The sequence for obtaining an Aporeto token varies by identity provider. Refer to Configuring OIDC for SSH and Aporeto control plane users to learn more about the OIDC sequence.