SSH Servers

How to integrate with your SSH Servers with Apono for JIT access to SSH servers

SSH Servers

Overview

If users need to debug, develop or troubleshoot SSH servers, they can request Just-in-Time access to them in Apono!

Admins can create Access Flows with specific SSH servers and build approval and access duration flows for different users, groups, and shifts.

Upon an approved request, Apono creates a certificate that grants access to the server and makes the requester a member of the group(s) representing the access they need. Apono may also use the user's default Linux group.

How it works

Prerequisites

  • Installed Apono connector with network access to the SSH Servers

    • Minimal Apono connector version: 1.4.0 (visit the Connectors Page and update the connector if needed)

  • A user with a key pair authentication for Apono to your SSH servers with sudo permissions. Add this line to the sudoers file:

    • apono ALL=(ALL) NOPASSWD:ALL

  • JSON list of servers. For each server:

    1. Name, host, SSH user for the Apono connection, port, and tags, where:

      1. Name and Host are mandatory

      2. User and Port are optional. The default values are '22' and 'apono'.

      3. Tags are optional. Tag servers for dynamic access management.

  • Optional: User groups representing access to the servers. The default value is "Default", representing access to the server with the user's default Linux group.

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended Azure Installation Architecture.

Step-by-step guide

  1. In the Apono app, navigate to the Catalog

  2. Pick the SSH integration.

  1. Pick an existing connector or create a new one (see connector prerequisites)

  2. In the secret store of your choice, create a secret for Apono with the following params:

    1. Key: base64_private_key

    2. Value: the SSH Server private key in base64 format (see SSH key prerequisites) To find the private key in base64 format, run this command : cat /PATH-TO-KEY/key.pem | base64

  3. Fill the config:

    1. Integration name: Give the integration a name of your choice

    2. Servers: Insert JSON servers list (see example below)

    3. User groups (Optional): The names of groups in the server representing the sudoer role (from a local server, puppet/chef, LDAP server, etc., depending on your network setup)

    4. Secret: according to the Secret Store of your choice, insert the secret you created in step 4.

Apono supports default access to SSH servers, even if no user groups were provided.

This means users can always log in with their default Linux group.

JSON servers list example

[ { "name": "My Server 1", "host": "10.0.100.1", "user": "ec2-user", "tags": {"key1":"value1", "key2":"value2"} }, { "name": "My Server 2", "host": "10.0.100.2", "user": "ec2-user", "tags": {"key1":"value1", "key2":"value2"} }, { "name": "My Server 3", "host": "10.0.100.3", "user": "ec2-user" }, { "name": "My Server 4", "host": "10.0.100.4", "user": "root", "tags": {"key1":"value1", "key2":"value2"} }, { "name": "My Server 5", "host": "10.0.100.5", "user": "root", "tags": {"key1":"value1", "key2":"value2"} } ]

Integrate with Terraform

Use the following template to integrate SSH servers to Apono with the Apono Terraform provider:

resource "apono_integration" "ssh" {
  name = "naor-test-tf-2"
  type = "ssh"
  connector_id = "ron-aws-integration"
  metadata = {
    servers = jsonencode([
     {
      name = "ssh-ron"
      host = "ec2-35-173-237-211.compute-1.amazonaws.com"
      user = "ubuntu"
      tags = {
        tag1 = "value1"
      }
     }
    ])
    groups = "root" # optional
    shell = "/bin/bash" # optional
    user_key_name = "34.27.151.210" # optional
  }
  aws_secret = {
    region    = "us-east-1"
    secret_id = "arn:aws:secretsmanager:us-east-1:465742784255:secret:naor-test-tf-LwnCG9"
  }
}

\

Results

  • You will be redirected to the Connected Integrations tab.

  • Make sure you see the SSH integration as Active. The # of discovered SSH servers will appear in the table under Resources.

  • You can now create Access Flows for SSH Servers!

Troubleshooting

  • Don't see SSH in the catalog? Contact us

  • Secret store does not match connector? The secret store you use must match the cloud provider where the connector was installed. So a connector installed in AWS expects a secret from AWS Secret Store.

  • If in the UI you see the status of the SSH integration as Error - "Missing permissions", validate that the .ssh folder is owned by the Apono user. Run this command in the server to change the owner:

chown -R apono:apono /home/apono/.ssh
chmod 700 "/home/apono/.ssh"
chmod 600 "/home/apono/.ssh/authorized_keys"

Last updated