Zero Trust Access to a Collection of SSH Servers

  • Updated on Sep 27, 2022

This article describes features that require Banyan Netagent v1.27.1+ .


Following zero-trust principles, Banyan enables security policies to be applied at the granularity of a single SSH Server. However, organizations often maintain and manage multiple SSH servers, sometimes thousands, at a time. While some SSH servers require a unique set of access restrictions, many of them require identical access restrictions. Rather than configure each SSH server individually, you can group them and configure via a single service definition.

How it Works

Banyan uses standards-compliant HTTP Connect Tunneling to enable connectivity to multiple services via a single SSH service definition.

In the Banyan desktop app, the end user selects Connect, which adds an entry to the SSH config file with an SSH ProxyCommand to direct traffic to banyanproxy.

  1. When the user runs ssh user@host, traffic is automatically sent by the SSH client to banyanproxy running in HTTP Connect mode.

  2. banyanproxy initiates an MTLS connection with the Banyan service on the Netagent side at Netagent checks the device posture and identity and, if successful, establishes the MTLS session. banyanproxy then uses HTTP Connect to specify the actual destination of the SSH request.

  3. Netagent checks the Service Backend configurations for the httpconnect and allow_pattern settings. If the connection request matches, Netagent makes the connection to the backend.

Once the connection is established, communication from the SSH client is as if it were directly connected to SSH server.


To configure zero-trust access to a collection of SSH servers:

1. Navigate from Manage Services > Infrastructure, and then select + Register Service. Select the option SSH Service.

2. On the service registration page, configure all applicable fields and set the method for how incoming connection should be proxied to the backend to Client specified using HTTP Connect.

Additionally, you can configure a simple list of Allowed Hostnames and CIDR Ranges.

On that page, also specify the SSH Host alias that represents this collection of SSH servers. Banyan supports SSH Patterns, where an asterisk (*) matches zero or more characters in a row, and a question mark (?) matches exactly one character.

If you will be creating multiple collections of SSH servers, you need to ensure your SSH Host alias settings are non-overlapping.

3. In the Banyan app, end-users will see a single entry per collection of SSH servers.

Once the SSH service is activated, the desktop app will add an entry to SSH config file (typically located in ~/.ssh/config).

Now, they can access any SSH Server in the collection based on the SSH Host alias you’ve set up above:

ssh user@

The SSH client will use banyanproxy to automatically tunnel the SSH session over a Mutual-Auth TLS channel using HTTP Connect Tunneling.


Role-based Authorization

To enable role-based authorization for your SSH servers, review our SSH Certificate Authentication capability, which leverages SSH’s native AuthorizedPrincipals capability.

Include & Exclude Backends in your Collection

Simple Allow List

For simple use cases, you can restrict backend connectivity to the specified hostnames or CIDR ranges when configuring a collection of TCP services. In the example below, connections are allowed only if the service destination has the hostname

Advanced Use Cases with Complex Patterns

For advanced use cases that require complex patterns, you can create a custom Hosted Service JSON to specify CIDRs and IP Ranges in an “allow list” in the service spec. This lets you manage allow lists that include and exclude specific backends in your collection.

For example, you can define the pattern for the allowed backends using hostnames (via allow_patterns). In the example below, connections are allowed only the service destination is in the CIDR range

"backend": {
  "target": {},
  "allow_patterns": [
      "cidrs": [