
AAD Login for Linux Machines is Here!

08 Oct 2021


Azure Active Directory is one of the most widely used identity providers in the world, and not without reason: it is one of the most secure ways to authenticate users and detect intruders, and it connects with your existing Active Directory. AAD allows you to protect your organization with device attestation, impossible-travel detection, MFA and many more features. However, when it comes to protecting your Azure Linux VMs, you are stuck with legacy SSH key-based authentication and SSH passwords.

While SSH keys are a great option for protecting your home server, or any endpoint that only has a few engineers authenticating to it, they do not scale. At cloud scale, adding and lifecycling the keys of every authorized party (typically engineers, DevOps and security engineers) that might need access to a server, across the thousands or millions of servers a company might have, becomes a full-time job that is usually left unfilled. This is why SSH certificates were created: to make key management across large enterprises easier.

SSH certificates make it easy to create short-term, password-less, cryptographic logins with little to no management on the endpoint. However, the current SSH certificate implementation requires a PKI admin to manually issue each certificate and authenticate the request through an alternate channel (learn how to run your own SSH CA). This is where EZSSH comes in; as the name implies, it is an easy way to SSH. EZSSH leverages your already secure AAD identity to authenticate the user, and our Azure policy lets you use your already highly governed Azure RBAC to grant users access to your Azure resources.

The User Experience

At Keytos we believe that the easiest way to secure infrastructure is to make the secure way easier than the insecure way. This is why we made security transparent to the user. All the user has to do is log in with their corporate identity, and we take care of creating all the short-term credentials in the background.

Improving the User Experience

While removing the need to manage and rotate keys is a great security and user-experience upgrade, at Keytos we don't settle for good enough. This is why we improved on the regular SSH workflow by creating different ways to manage SSH access, from a regular SSH command to a UI-based application that makes connecting to all your endpoints a click away.

Adding Endpoints to Your Policy

Once your Azure policy has been created in the EZSSH portal, you can let EZSSH automatically scan your new endpoints and add the CA as a trusted CA on each of them (we do this through VM extensions; we never have access to your VM or data). Alternatively, you can use one of our guides to add it with your choice of deployment technology.

Authorization to The Endpoint

Since users log in to EZSSH with their AAD identity, EZSSH scans the subscription RBAC and grants access to the requested endpoint based on your Azure RBAC. As simple as that: no more managing SSH keys. As long as you have access to the endpoint in Azure RBAC, you have access to the VM.
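To make concrete what the short-term, principal-scoped certificate described above actually carries, and what the endpoint checks before granting the login (signature verification aside), here is an added Python example that is not part of this post or of EZSSH. It builds a constructed certificate blob in the OpenSSH certificate wire format, decodes the fields back, and applies the validity-window and principal checks; the key material and signature are zero placeholders (an assumption for the demo), so a real sshd would reject this blob.

```python
import base64
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:  # SSH "string" field: uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_cert(principals, valid_after, valid_before, key_id="constructed-cert"):
    """Constructed cert in the OpenSSH cert wire format; nonce, public key, CA key and signature are zero placeholders."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)            # type, nonce, public key
            + struct.pack(">QI", 1, 1) + _s(key_id.encode())                # serial, type 1 = user cert, key id
            + _s(b"".join(_s(p.encode()) for p in principals))              # valid principals (nested strings)
            + struct.pack(">QQ", valid_after, valid_before)                # validity window (unix time)
            + _s(b"") + _s(b"") + _s(b"")                                    # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 32)) + _s(b"\x00" * 64))  # CA public key, signature
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(cert_line):
    """Decode the policy fields sshd consults; signature verification is left to sshd."""
    data = base64.b64decode(cert_line.split()[1])
    pos = 0
    def take_string():
        nonlocal pos
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4 + n
        return data[pos - n:pos]
    assert take_string() == CERT_TYPE, "unsupported certificate type"
    take_string(); take_string()                                            # skip nonce and public key
    _serial, cert_type = struct.unpack_from(">QI", data, pos)
    pos += 12
    key_id = take_string().decode()
    raw, principals, p = take_string(), [], 0
    while p < len(raw):                                                     # walk the nested principal list
        (n,) = struct.unpack_from(">I", raw, p)
        principals.append(raw[p + 4:p + 4 + n].decode())
        p += 4 + n
    valid_after, valid_before = struct.unpack_from(">QQ", data, pos)
    return {"type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert_line, login_user, now):
    """Mirror sshd's policy checks: user cert, inside its window, login user is a listed principal."""
    c = parse_cert(cert_line)
    if c["type"] != 1:
        return "not a user certificate"
    if not c["valid_after"] <= now < c["valid_before"]:
        return "certificate expired or not yet valid"
    if login_user not in c["principals"]:
        return f"'{login_user}' is not one of the certificate principals {c['principals']}"
    return "ok"
```

The principal list is what ties a CA-issued certificate to the identity the RBAC lookup resolved; if the login name is not among the principals, or the window has passed, sshd refuses the credential regardless of who signed it.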

Integrate with Azure Security

The advantage of EZSSH being integrated with Azure and AAD is that you can use all the security tools you already rely on to protect the rest of your Azure infrastructure. From Conditional Access, to PIM-based access to your Azure resources, to even automatically requesting Azure Networking JIT access to your endpoints, EZSSH has you covered.

Multi-Cloud and Hybrid Support

In this blog post we have talked about the benefits of using EZSSH for Azure. However, one of the features our customers enjoy the most is having EZSSH be the one-stop shop for all SSH authentication. With our Hybrid policies, you get the same EZSSH experience with any SSH endpoint: whether it is on-premises, in AWS, in GCP or anywhere else, as long as it uses OpenSSH to authenticate users, you can use EZSSH to manage access to it. So what are you waiting for? Make your engineers work less, and your organization more secure, by requesting a demo.