Register an Individual SSH Server
- Updated on Feb 01, 2023
Overview
In most environments, SSH servers are not exposed to the public internet. In such cases, you can use Banyan’s default Mutually Authenticated TLS (MTLS) flows for TCP services to provide your end users VPN-free Zero Trust access regardless of their network location. SSH traffic flows through the Banyan Access Tier and is wrapped in an MTLS tunnel (shown in the diagram below).

Banyan, by default, is agnostic to the underlying SSH authentication method - be it password, public-key, host-based, GSSAPI, etc. If you wish to change how SSH authentication is set up for your organization, review our SSH Certificate Authentication capability.
Steps
Setting up VPN-free access to an SSH Server follows the same setup process used to secure a TCP service, as described in Notes on Securing TCP Services.
You can securely expose your SSH server in 4 steps. In this article, we will create a Banyan Role (for contractors) and a Banyan Policy so that only users on devices that meet the policy can gain secure access to the SSH Server, using the following steps:
- 1. In the Banyan Command Center, create a Role
- 2. In the Banyan Command Center, create a Policy
- 3. In the Banyan Command Center, define a Service
- 4. On the end user device, click “Connect” in the Banyan Desktop App
1. Create a Role for your End Users
In the Banyan Command Center, navigate to Secure Access > Roles and then click + Add Role. Create a User Role and then click + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

2. Create a Policy for your SSH Server
Navigate to Secure Access > Policies and then click Create Policy. Select the option TCP Policy.

3. Define a Service for your SSH Server
Then, configure an SSH service for Zero Trust access to your SSH Server.
Navigate to Manage Services > Infrastructure and then click + Register Service. Select the option SSH Service.
Configure the service as an SSH service as shown below:

Assign a domain name for this service (mysshserver.corp.example.com) and leave the port as 8443; the banyanproxy will tunnel SSH traffic over port 8443.
In the Desktop App Settings section, indicate that user connections to this Service should “Only use the TrustCert”.
Attach the policy we had previously created and set enforcement mode to Enforcing.
4. Connect via the Banyan Desktop App
Ensure your end users install the latest Banyan Desktop App and register their device.
Once the Service is defined, your end users will see it in their Banyan Desktop App.
When the user clicks “Activate”, the Desktop App will add an entry to the SSH config file (typically located in ~/.ssh/config).
Now, they can access the SSH Server as:
ssh user@mysshserver.corp.example.com
The SSH client will use banyanproxy to automatically tunnel the SSH session over the Mutual-Auth TLS channel set up by Banyan.
Test your Connection
Leverage the Test Connection functionality to diagnose any connection issues.
In the Command Center, navigate to Manage Services > Infrastructure Services, then select a Service Name. In your service, select Test Connection (the check icon in the upper right corner of the page). This will show you the status of your connection, detailing whether your domain name or hostname is resolvable and whether the Access Tier and backend port are reachable.

Notes
SSH Config file
When your end user clicks “Connect” in the Desktop App to connect to the SSH service, the Desktop App will automatically update the device’s SSH Config file with the banyanproxy settings needed.
The Desktop App looks for an SSH Config file location depending on the Operating System of the device:
Operating System | SSH Config File Location |
---|---|
macOS | $HOME/.ssh/config |
Windows | %USERPROFILE%\.ssh\config |
Linux | $HOME/.ssh/config |
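To confirm on a macOS or Linux device that the entry is in place, the following added example (not Banyan's own code) reads an SSH config file and reports whether a given host is routed through banyanproxy. It assumes the entry is a Host block with a ProxyCommand directive that invokes banyanproxy; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the Desktop App's entry is a Host block whose
# ProxyCommand invokes banyanproxy (the exact arguments are not shown here).

# proxy_for CONFIG HOST: print the ProxyCommand of the first Host block that
# names HOST literally. Wildcards, Match and Include are not evaluated.
proxy_for() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^#/ { next }
        /^[A-Za-z]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, " ") }   # "Key=value" form
        { key = tolower($1) }
        key == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        key == "match" { inblock = 0; next }
        inblock && key == "proxycommand" && NF > 1 {
            sub(/^[^ \t]+[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# check_tunnel CONFIG HOST: classify how ssh would reach HOST per CONFIG.
check_tunnel() {
    [ -r "$1" ] || { echo "NO_CONFIG"; return 3; }
    cmd=$(proxy_for "$1" "$2")
    case "$cmd" in
        ""|none)       echo "DIRECT"; return 1 ;;       # no tunnel entry found
        *banyanproxy*) echo "TUNNELED"; return 0 ;;
        *)             echo "OTHER_PROXY"; return 2 ;;  # proxied, not by Banyan
    esac
}

# Constructed sample config; the banyanproxy path and arguments are placeholders.
sample_config() {
    cat <<'EOF'
Host mysshserver.corp.example.com
    ProxyCommand /path/to/banyanproxy <arguments-written-by-desktop-app>
Host other.corp.example.com
    User admin
EOF
}

demo=$(mktemp) && sample_config > "$demo"
check_tunnel "$demo" mysshserver.corp.example.com    # TUNNELED
check_tunnel "$demo" other.corp.example.com || true  # DIRECT
rm -f "$demo"
```

A DIRECT result for the service's domain means ssh would not go through the tunnel, which usually indicates the service has not been connected from the Desktop App on that device.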
Other SSH Clients
If your end users use an SSH client that doesn’t use the SSH Config file, such as PuTTY, you must provide them slightly modified instructions. Please contact our Support team for details.