SSH Key Management

 


SSH key based authentication is the default method that any Linux admin would choose for granting SSH access to Linux servers or Linux cloud instances. It is the preferred method since it is far more secure and more popular than password based authentication. The two commonly used key types for authentication are RSA and DSA, and RSA keys are preferred since DSA is known to be vulnerable.

It is good to have SSH key based authentication, but imagine the amount of management that has to be done if you have 100 employees and 1000 Linux instances. How do you grant the employees access to the thousand Linux servers or Linux cloud instances? How do you add the SSH keys to grant access? How do you remove the SSH keys when an employee leaves the company? How do you rotate the keys?

You would have to manually add the keys to all the Linux servers and cloud instances to grant access, and when an employee leaves, you would have to ensure that the employee's public keys are removed from all your servers, failing which it becomes a serious security issue.
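The removal step described above, as an added example that is not part of the original page or of Ezeelogin: it drops a departed employee's public key from one authorized_keys file by matching the SHA256 fingerprint rather than the free-text comment. The key material, user names and the helper names (fingerprint, prune, constructed_key) are constructed for illustration.

```python
import base64, hashlib, re, struct

# Key type followed by its base64 blob; options such as from="..." may precede it.
KEY_RE = re.compile(
    r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/]+=*)')

def fingerprint(blob_b64):
    """SHA256 fingerprint as printed by `ssh-keygen -l` (unpadded base64)."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None  # malformed blob: cannot match any revoked fingerprint
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def prune(authorized_keys, revoked):
    """Return (kept_text, removed_fingerprints) for one authorized_keys file."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        # Commented-out keys are inactive, so they are left untouched.
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        fp = fingerprint(m.group(2)) if m else None
        if fp is not None and fp in revoked:
            removed.append(fp)
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

def constructed_key(seed):
    # Constructed sample: SSH wire format (type string + 32 bytes), not a real key.
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    body = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(body).decode()

ALICE, BOB = constructed_key(1), constructed_key(2)
SAMPLE = (
    "# constructed sample authorized_keys\n"
    f"{ALICE} alice@laptop\n"
    f'from="10.0.0.0/8",no-agent-forwarding {BOB} bob@laptop\n'
    "\n"
)
REVOKED = {fingerprint(BOB.split()[1])}  # bob has left the company

if __name__ == "__main__":
    text, gone = prune(SAMPLE, REVOKED)
    print(text, "removed:", gone)
```

The same function has to run against every account on every server, which is the overhead the paragraph above describes.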

Ezeelogin helps you address the following issues:

  1. SSH key rotation
  2. Centralised SSH key management
  3. Reducing the overhead that comes with managing SSH keys to almost zero

 

Parallel Shell

Parallel shell – Run commands on multiple Linux servers or cloud instances simultaneously

If you are in charge of large server farms, clusters of Linux nodes for high performance computing, or cryptocurrency mining farms, then parallel shell lets you manage multiple Linux servers or cloud instances easily and quickly.

Parallel shell is built into the backend shell of the Ezeelogin SSH jump host. You can work with it as you would work in a normal bash shell, and the command is executed simultaneously on multiple Linux servers.

Imagine that you are the security engineer in charge of a fleet of Linux servers or AWS instances. One fine morning, as you are going through your daily routine, you are notified of a critical kernel vulnerability. As a responsible security officer, you do not want to postpone patching the kernels to the next day, since the longer the delay in patching the kernel, the greater the possibility of a security breach.

In such critical scenarios, the parallel shell feature can be extremely useful, as you can compile the kernel on one thousand machines in the time it takes to compile a kernel for one server.

This feature is a godsend for many; however, with great power comes great responsibility. The image shows a command being executed using parallel shell.

[Image: parallel shell - multiple Linux server management]

Some of the benefits of this feature are:

  1. Improves the productivity of your system administrators and DevOps engineers.
  2. Improves the efficiency with which Linux nodes, cloud instances or AWS instances are managed.
  3. Easily execute commands simultaneously on a group of servers. There are no hard configurations to be done.
  4. Better and faster management of Linux servers and cloud instances.
  5. Easily copy files across a group of servers.
  6. Server orchestration becomes very easy if you have many Linux instances.
  7. There is no need to install agents on remote machines.
  8. Faster setup.
  9. Deliver services faster.
  10. Runs on OpenSSH.

SSH Two Factor Authentication


 

The Ezeelogin SSH jump host and SSH gateway supports DUO Security two factor authentication (2FA), which means that anyone having a smartphone these days can easily use it for the second layer of authentication. With DUO, you don't have to type in complex strings or numbers; just tap on the smartphone screen and you are securely authenticated. No extra devices like RSA keys or security token generating devices have to be carried, since you already have a smartphone with you to authenticate into your SSH gateway.

Automated root password management on Linux servers


 

Your boss wants you to enable password based authentication on a hundred Linux servers. He wants you to set a strong password of 30 plus characters on each server, share the root passwords with developers, and change the root passwords again once the developers log out of the servers at the end of the day. Your boss also wants you to reset the root password on all the Linux servers on a daily basis, as he is paranoid when it comes to security.

Well, instead of eating your boss alive, and to get a promotion, here is the magic wand: use the Ezeelogin root password management feature and you will be able to meet all his requirements, if not do even better. Being a Linux system administrator, you know for a fact that key based authentication is exponentially stronger even if your passwords are 100 characters long, but for some unearthly reason you need to have password based authentication enabled on your hundred Linux servers.

 


Here are the key issues that the Ezeelogin root password management feature addresses:

  • Automatically set and reset strong root passwords up to 32 characters long, in a click, on hundreds or thousands of Linux servers.
  • Schedule periodic resets of the root password across all your Linux servers in a click.
  • Reset root passwords on all your Linux servers in a click.

 

 

 

 

Bastion host – How to secure and harden the ssh server on it?

  1. Enable a firewall that blocks all IP access to the SSH port by default, and allow only your staff IPs or dynamic IP ranges that you trust.
  2. Disable direct root login. It is always better to log in as a non-privileged user first and then switch to the root user. This is the norm if you are looking for PCI DSS compliance. Edit /etc/ssh/sshd_config:

    PermitRootLogin no

    Ezeelogin SSH Gateway has a feature called ‘AUTO SU or SUDO’ which does the switching automatically, so you do not waste time retrieving the password of the ‘admin’ user and then entering the root password.
  3. Disable password based authentication and enable only key based authentication in the sshd configuration file. I would rate this as the most important of all.

    PasswordAuthentication no

  4. Enable key based authentication. RSA is known to be more secure than DSA keys.

    # RSAAuthentication applies to SSH protocol 1 only; OpenSSH 7.4 and later treat it as deprecated
    RSAAuthentication yes

    PubkeyAuthentication yes

  5. Change the sshd default listening port from 22 to something like 22656, since it is hard to guess and attackers would have to scan for it. Use a custom SSH port and listening IPs.

    Port 22656
    # Example address; use the IP of the interface sshd should bind to
    ListenAddress 192.168.5.6

  6. Configure a VPN. Having your server behind a VPN is a good idea; it would really improve the security and harden the server.
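A check for the sshd_config settings in steps 2 to 5 above, as an added example that is not from the original page or from Ezeelogin. It assumes a single config file with no Include directives, audits only the global section before the first Match block, and accepts only bare IP addresses for ListenAddress; the two sample configs are constructed.

```python
import ipaddress

# Values the hardening steps above set, and sshd's defaults when a keyword is absent.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "pubkeyauthentication": "yes"}
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse(config_text):
    """Global settings; sshd keeps the first value it reads for a keyword."""
    first, ports, listen = {}, [], []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional overrides are out of scope for this check
        if key == "port":
            ports.append(value)
        elif key == "listenaddress":
            listen.append(value)
        else:
            first.setdefault(key, value.lower())
    return first, ports or ["22"], listen

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    first, ports, listen = parse(config_text)
    findings = []
    for key, want in EXPECTED.items():
        got = first.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    if "22" in ports:
        findings.append("sshd listens on the default port 22")
    for addr in listen:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"ListenAddress {addr} is not a bare IP address")
    return findings

# Constructed samples: one following the steps above, one with three problems.
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "PubkeyAuthentication yes\nPort 22656\nListenAddress 192.168.5.6\n")
WEAK = ("# constructed sample\nPermitRootLogin yes\n"
        "PasswordAuthentication no\nListenAddress 192.168.5.6.123\n")

if __name__ == "__main__":
    print(audit(HARDENED), audit(WEAK), sep="\n")
```

A ListenAddress written as host:port or as a hostname is reported as well, so those entries need a manual look.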