Lack of access accountability and unmonitored access create a considerable security risk for organizations, and the best way to mitigate this challenge is by implementing identity-based access. The Computer Security Resource Center run by NIST defines an “identity-based access control” as an “Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.” Identity-based access entails integrating identity providers with access providers with single sign-on (SSO) features to deliver an efficient and secure access method. The security risks and costs associated with per-account password management, stolen credentials, and security breaches are also addressed with identity-based access.
In this article, we’ll talk about the features and advantages of identity-based access and how it can be used with SSH. We’ll also discuss one open-source solution for managing identity-based access for SSH: Remoteler.
In the case of SSH, the conventional access method involves sharing
root credentials amongst various users. With identity-based access for SSH, the user’s identity is not masked behind a shared credential which allows for the enforcement of access control methods such as RBAC (role-based access controls) to be used appropriately. With this setup, the audit of the user’s session also becomes a lot easier since the SSH access events can be easily traced back to the user’s organization-wide identity.
Identity-based access using SSO also minimizes theft of login credentials, such as passwords, by allowing users to authenticate once to access several SSH servers. Identity-based access also supports denying users access to SSH servers based on entitlements and location.
To set up identity-based SSH, you’ll need a few things: an identity provider and something to map users to access roles. Remoteler Server Access is an open-source option that provides identity-based access for SSH servers. It does this by authenticating the user against an SSO provider and then checking what authorization that user has. A short-lived SSH certificate tied to their identity will be issued to the user. These certificates are fully compatible with OpenSSH, and teams can quickly get access to resources using standard CLI tooling.
Remoteler’s certificate-centric design enables identity-based access with features like fine-grained RBAC, per-session MFA (multi-factor authentication), and other modern security best practices for SSH access with minimal configuration.
Remoteler offers several significant features that complement identity-based access. Let’s explore a few:
We’ve explored the concept of identity-based access for SSH and how it can be achieved for SSH access. We also covered how one open-source solution, Remoteler, provides identity-based access for SSH and acts as an identity-aware, multi-access protocol proxy. If your team is growing, adopting a system for identity-based access for SSH will both improve security and help with onboarding new teammates.
For further reading, learn how Remoteler’s certificate-based auth enhances identity-based access control for infrastructure access.