Documentation

Controlling SSH sessions

Aporeto allows you to manage, control, and monitor secure shell (SSH) access to remote hosts.

  • Aporeto certificate authority: Aporeto provides a certificate authority that signs and issues OpenSSH certificates using the ECDSA algorithm with a 256-bit key.

  • Single sign-on: Aporeto integrates with your existing identity provider, giving users single sign-on access to SSH certificates.

  • Short-lived certificates: Convenient access to certificates allows you to set short lengths of validity, giving users just enough time to accomplish a discrete task.

  • Local private keys: Users generate a local public-private key pair. The private key never goes over the wire. It’s stored only on the user’s local host, protected by file permissions and a password.

  • Namespaced access: Users can use the same certificate to access more than one remote host. For example, you can allow a user to access any server in the development environment but no servers in the production environment.

  • One-time server setup: Once you perform some initial configuration on the remote host, Aporeto manages the user certificates for you. You won’t need to manually copy keys to the authorized_keys file anymore.

  • Monitoring, auditing, and alerts: Aporeto SSH certificates include custom extensions containing identity and namespace attributes, giving you context and visibility into user activity across hosts. You can access your logs through the Aporeto web interface or export them to the tool of your choice.

  • Restrict sudo access: Trusted users can issue sudo commands, each one logged for forensics and analysis. You can configure alerts for problematic commands, such as tampering with the Aporeto SSH controls.

  • Control connections: You can control SSH session communications with network policy.