Behind the Scenes at Jungle Disk - Using Ephemeral Keys with ScaleFT
About two years ago, Google began discussing what has been referred to as the death of the firewall. This allows users to authenticate to their devices on unsecure networks and without a VPN. It affirmed trust based on information it knows about its users and their devices. Their ideology was to assume any network was untrusted and solve for that. It’s incredibly interesting to read about and it led us to think about our current method of authenticating users. We have made great use of SSH Keys, however, is that really the best way? Are we rotating keys often enough? How can I easily audit users to know what they’re accessing without needing to sift through logs on each system?
As a small business, we don’t necessarily have the time or resources to achieve something quite on the scale of Google, however, we did look at our options. Our goal was simply to find a platform that would allow us to stay focused on the important details without getting caught up in the minutiae. We began using ScaleFT as a means of solving the problems. ScaleFT uses role-based access controls for delegating access to your systems. A server or group of servers is referred to as a “Project” and you delegate access by assigning groups to a project. You further assign users to groups and that is how users get access to your machines. Very straightforward.
What we liked about it is that ScaleFT isn’t a tool to rotate SSH keys for us. We could have used Ansible for that. Rather, it validates that a user has permission to access a system and generates short-lived certificates to validate that particular user’s session. The user must also be validated by an identity provider to confirm the requests are coming from an authenticated user, otherwise, no certificate will be generated. These facts alone made it possible for us to strip SSH keys from our environment and relieved the need to stress over whether an SSH key had been compromised. Pre-authorizations further allow you to restrict access on a per user basis based on time of day.
Deploying ScaleFT to our environment and stripping all of our SSH keys was a simple process with Ansible. We broke our servers down into various projects and assigned the appropriate groups to those projects. We also wrote an Ansible playbook to install the ScaleFT Server Agent onto the boxes with the necessary config files, validate we could connect and strip the SSH keys. To reiterate, and as a word of warning, the lifespan of the certificates generated when authenticating is low – be sure your servers have time to appropriately sync. We ran into an issue where one server was behind by less than a minute which was causing generated certificates to seem expired.
Once ScaleFT was deployed onto our systems, our users needed to install the ScaleFT Client Tools and they were instantly able to login to the machines. The audit logs and ssh keys were replaced by the much cleaner UI of the ScaleFT portal. We’ve been using it in our production environments for several months now and have had no issues, no downtime and setup/deployment took 2-3 hours one afternoon. Let me know if you have any questions!