Azure VM SSH Servers

How to integrate your Azure VM SSH servers with Apono for JIT access

Overview

If users need to debug, develop on, or troubleshoot Azure VM SSH servers, they can request Just-in-Time access to them in Apono!

Admins can create Access Flows with specific VM SSH servers and build approval and access duration flows for different users, groups, and shifts.

Upon an approved request, Apono issues a certificate that grants access to the server and makes the requester a member of the group(s) representing the access they requested. If no user groups are configured, Apono grants access with the user's default Linux group.

How it works

Prerequisites

  • An installed Apono connector with network access to the Azure VM SSH servers
    • Minimal Apono connector version: 1.4.0 (visit the Connectors page and update the connector if needed)
  • A user on each SSH server for Apono, authenticated with a key pair and granted sudo permissions.
    Add this line to the sudoers file (edit it with visudo, so that a syntax error cannot lock you out of sudo):
    • apono ALL=(ALL) NOPASSWD:ALL
  • Optional: user groups representing access to the servers.
    The default value is "Default", representing access to the server with the user's default Linux group.

📘

What's a connector? What makes it so secure?

The Apono Connector is an on-premises component that connects your resources to Apono while keeping the Apono web app separated from your environment, for maximal security.

Read more about the recommended Azure Installation Architecture.

Step-by-step guide

  1. In the Apono app, navigate to the Catalog

  2. Pick the Azure VM SSH integration:

  3. Pick an existing connector or create a new one (see connector prerequisites)

  4. In the secret store of your choice, create a secret for Apono with the following parameters:

    1. Key: base64_private_key
    2. Value: the SSH server private key in base64 format (see the SSH key prerequisites)
      To produce the private key in base64 format, run this command: cat /PATH-TO-KEY/key.pem | base64
      Note that plain base64 wraps its output at 76 columns on GNU systems; if your secret store expects a single-line value, use base64 -w 0 /PATH-TO-KEY/key.pem instead.
  5. Fill the config:

    1. Integration name: give the integration a name of your choice
    2. User: the name of the user you created in the prerequisites for the Apono connector.
    3. User groups (Optional): the names of groups on the server that represent the sudoer role (defined locally, via Puppet/Chef, an LDAP server, etc., depending on your setup)
    4. Secret: according to the secret store of your choice, reference the secret you created in step 4.
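The following script is an added example, not Apono's own tooling, that carries out the server-side prerequisites above (service user, authorized key, sudoers entry) and produces the base64 value for the secret in step 4. It assumes the service account is named apono, that the key pair is written to ./apono_key as a PEM-format RSA key (the page's example file is key.pem), and that the system has /etc/sudoers.d and the usual useradd/visudo/base64 tools; those choices are this example's, not the page's. The provisioning part must run as root on the VM.

```shell
#!/bin/sh
# Added example (not Apono's code): prepare a Linux VM for the Apono connector
# and emit the base64_private_key secret value.
# Assumptions (not from the page): user "apono", key file ./apono_key (RSA, PEM),
# sudoers drop-ins under /etc/sudoers.d.

APONO_USER="${APONO_USER:-apono}"

# The sudoers entry from the prerequisites, for the given user.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Install the sudoers entry as a drop-in, validating it with visudo first:
# a syntax error in sudoers locks everyone out of sudo.
install_sudoers() {
    user="$1"
    tmp="$(mktemp)"
    sudoers_line "$user" > "$tmp"
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install an invalid sudoers entry" >&2
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
    rm -f "$tmp"
}

# Create the service account and install the connector's public key.
provision_user() {
    user="$1"
    pubkey="$2"
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    home="$(getent passwd "$user" | cut -d: -f6)"
    install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    install -m 0600 -o "$user" -g "$user" "$pubkey" "$home/.ssh/authorized_keys"
}

# Encode the private key as one base64 line. GNU base64 wraps at 76 columns,
# and the embedded newlines would corrupt a single-line secret, so strip them.
encode_key_secret() {
    base64 < "$1" | tr -d '\n'
}

# Sanity check: the secret value must decode back to the exact key bytes.
secret_roundtrips() {
    [ "$(encode_key_secret "$1" | base64 -d | cksum)" = "$(cksum < "$1")" ]
}

# Usage: sh provision.sh provision   (as root, on the VM)
case "${1:-}" in
    provision)
        # Passphrase-less on purpose: the connector reads the key from the secret store.
        [ -f apono_key ] || ssh-keygen -t rsa -b 4096 -m PEM -N '' -f apono_key -C "apono-connector"
        provision_user "$APONO_USER" apono_key.pub
        install_sudoers "$APONO_USER"
        secret_roundtrips apono_key || { echo "secret does not round-trip" >&2; exit 1; }
        echo "base64_private_key value:"
        encode_key_secret apono_key
        echo
        ;;
esac
```

Store the printed value as the base64_private_key secret, then delete the local copy of apono_key once the secret store holds it; the private key should exist only in the secret store the connector reads from.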

👍

Note: Apono supports default access to SSH servers even if no user groups were provided.

This means users can always log in with their default Linux group.

Results

  • You will be redirected to the Connected Integrations tab.
  • Make sure the Azure VM SSH integration is shown as Active. The number of discovered SSH servers appears in the table under Resources.
  • You can now create Access Flows for Azure VM SSH servers!