Monday, June 5, 2017

Centrally Manage SSH Administrative Access: KeyBox

1:27 PM
Centrally Manage SSH Administrative Access

KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration are based on profiles assigned to defined users.

Administrators log in using two-factor authentication with FreeOTP or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web shell. Commands can be shared across open shells, so a patch or fix is typed once and run on every selected system instead of being repeated host by host.



KeyBox fronts SSH with TLS/SSL and acts as a bastion host for administration: the browser talks to KeyBox over HTTPS (a WebSocket carries the terminal), and KeyBox opens the SSH session to the target on the user's behalf. Because users get a web shell rather than a raw SSH client, they cannot set up tunnels or port forwarding through the bastion, so the infrastructure behind it is not exposed. More details can be found in the following whitepaper: The Security Implications of SSH. SSH key management is also enabled by default, to prevent unmanaged public keys from accumulating on systems and to enforce best practices.



KeyBox Benefits

Centralized user control – Grant access to systems through administrative profiles and user accounts.
Prevent SSH key sprawl and access mismanagement – Administrators set keys and distribute them to systems through profiles. Strong passphrases are enforced by default for SSH keys on registered systems. Any administrative key can also be disabled, forcing key rotation.
Productivity – Instead of making the same change on each system individually, share commands across systems. This eliminates redundant work when patching or debugging issues.
Portability – Run SSH through the browser without requiring client software or browser plugins.
Layered protocols – Protocols are stacked (TLS/SSL + SSH) and users only ever get a web shell, so infrastructure cannot be exposed through tunneling / port forwarding.
Infrastructure protection – A hardened KeyBox instance can act as a bastion host, allowing centralized administration through SSH and proxying traffic into a DMZ or perimeter network. (see diagram)
Auditable (experimental) – Audit administrative activity on the systems from KeyBox itself, so a malicious user cannot cover their tracks by deleting shell history or logs on the target.
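The two key-management claims above (no unmanaged keys on a host, and no tunneling through the bastion) can be checked on any host against its authorized_keys file. The script below is an added example, not KeyBox code: it parses a constructed authorized_keys sample, reports keys that are not in a constructed "managed" inventory, flags managed keys that lack the forwarding restrictions a bastion would enforce, and renders the file a central manager would push back. The key blobs, comments and inventory are invented for the example; the option names (no-port-forwarding, no-X11-forwarding, no-agent-forwarding) are real OpenSSH authorized_keys options.

```python
"""Audit a host's authorized_keys against a centrally managed key inventory.

Added example, not KeyBox code. The sample file, key blobs and inventory
below are constructed for illustration and are not real keys.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# A field that starts like this is the key itself, i.e. no options precede it.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|sk-)")

# Restrictions a bastion would stamp on every key it distributes, so that a
# stolen key cannot be used to tunnel or forward into the network behind the host.
REQUIRED_OPTIONS = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding"}


class Entry(NamedTuple):
    lineno: int
    options: Set[str]      # raw option tokens, e.g. {"no-pty", "from=10.0.0.1"}
    key_type: str
    blob: str
    comment: str


def parse_authorized_keys(text: str) -> List[Entry]:
    """Parse authorized_keys lines into Entry records; blank/comment lines are skipped.

    Assumption for this example: option values containing spaces
    (e.g. command="echo hi") are not handled, which is enough for the audit here.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options: Set[str] = set()
        first = line.split(None, 1)[0]
        if not KEY_TYPE_RE.match(first):
            # Leading field is the comma-separated option list.
            opt_field, line = line.split(None, 1)
            options = set(opt_field.split(","))
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # malformed line; a real tool would report it
        comment = parts[2] if len(parts) == 3 else ""
        entries.append(Entry(lineno, options, parts[0], parts[1], comment))
    return entries


def audit(text: str, managed: Set[Tuple[str, str]]) -> Dict[str, List[Entry]]:
    """Report keys missing from the managed inventory, and managed keys that
    lack the forwarding restrictions the bastion is supposed to enforce."""
    report: Dict[str, List[Entry]] = {"unmanaged": [], "unrestricted": []}
    for e in parse_authorized_keys(text):
        option_names = {o.split("=", 1)[0] for o in e.options}
        if (e.key_type, e.blob) not in managed:
            report["unmanaged"].append(e)
        elif not REQUIRED_OPTIONS <= option_names:
            report["unrestricted"].append(e)
    return report


def render_managed(text: str, managed: Set[Tuple[str, str]]) -> str:
    """Produce the authorized_keys content a central manager would push:
    unmanaged keys dropped, required restrictions added to every managed key."""
    lines = ["# managed centrally; do not edit by hand"]
    for e in parse_authorized_keys(text):
        if (e.key_type, e.blob) not in managed:
            continue
        opts = ",".join(sorted(e.options | REQUIRED_OPTIONS))
        lines.append(f"{opts} {e.key_type} {e.blob} {e.comment}".rstrip())
    return "\n".join(lines) + "\n"


# Constructed sample of a host's ~/.ssh/authorized_keys (not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
# keys distributed by the bastion
no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3EXAMPLEalice alice@bastion
ssh-ed25519 AAAAC3EXAMPLEbob bob@bastion

# added by hand during an incident and never removed
ssh-rsa AAAAB3EXAMPLErogue contractor@laptop
"""

# Constructed inventory: the keys the central manager allows on this host.
MANAGED_KEYS = {
    ("ssh-ed25519", "AAAAC3EXAMPLEalice"),
    ("ssh-ed25519", "AAAAC3EXAMPLEbob"),
}

if __name__ == "__main__":
    findings = audit(SAMPLE_AUTHORIZED_KEYS, MANAGED_KEYS)
    for kind, entries in findings.items():
        for e in entries:
            print(f"{kind}: line {e.lineno} {e.key_type} {e.comment}")
    print(render_managed(SAMPLE_AUTHORIZED_KEYS, MANAGED_KEYS))
```

Run against the constructed sample it reports the hand-added contractor key as unmanaged and bob's key as unrestricted; the rendered output drops the former and adds the restrictions to the latter, and auditing that output again yields no findings.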




Prerequisites

Java JDK 1.8 or greater http://www.oracle.com/technetwork/java/javase/downloads/index.html
Browser with WebSocket support http://caniuse.com/websockets Note: in Safari, if using a self-signed certificate you must import the certificate into your Keychain; select 'Show Certificate' -> 'Always Trust' when prompted by Safari.
Maven 3 or greater (only needed if building from source) http://maven.apache.org
Install FreeOTP or Google Authenticator on Android or iOS to enable two-factor authentication.


Application            Android        iOS
FreeOTP                Google Play    iTunes
Google Authenticator   Google Play    iTunes
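Both FreeOTP and Google Authenticator generate time-based one-time passwords per RFC 6238 (HMAC-SHA1 over a 30-second counter, truncated to 6 digits), and a server such as KeyBox verifies the submitted code against the same shared secret. The following is an added example of that verification, not KeyBox's own code: it implements HOTP/TOTP with the standard library and checks codes with a one-step clock window, which is the usual tolerance for phone clocks that drift. The secret is the RFC 6238 test-vector key (the ASCII string "12345678901234567890", base32-encoded), so the expected codes are the published ones; the function names are this example's own.

```python
"""TOTP generation and verification as used by FreeOTP / Google Authenticator.

Added example, not KeyBox code. Implements RFC 4226 (HOTP) and RFC 6238 (TOTP)
with HMAC-SHA1, 30-second steps and 6 digits, which is what both apps default to.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret ("12345678901234567890"), base32-encoded.
# Used only so the expected codes below match the published vectors.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as shown in an authenticator QR code/URI.
    Apps often strip padding and use lower case, so both are tolerated."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(key, counter) with dynamic truncation."""
    key = decode_secret(secret_b32)
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, code: str, at: int = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps either side.

    The comparison is constant-time; a real server must additionally record the
    accepted counter and reject any reuse of the same code (RFC 6238 section 5.2).
    """
    t = int(time.time()) if at is None else int(at)
    counter = t // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # At T=59 the RFC 6238 8-digit vector is 94287082; the 6-digit code is 287082.
    print(totp(RFC6238_TEST_SECRET, at=59))
    print(verify_totp(RFC6238_TEST_SECRET, "287082", at=59))
```

In production the secret is stored per user server-side, the 6-digit code only adds a second factor if the first (the password or SSH key) is still required, and the server must refuse to accept a code twice within its validity window, otherwise an observed code can be replayed during the remaining seconds of the step.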
