SSH Ephemeral Accounts integration

Overview

With the SSH Ephemeral Accounts integration, Entitle creates an ephemeral (temporary) Linux user on the target machine for each approved request and gives the requester SSH access as that user. When the access expires, the user is deleted.

Prerequisites

The account Entitle uses to connect to the machine must be one of the following:

  1. The root account, which can create user accounts and modify their files.
  2. A dedicated service account that can run the following executables through sudo without being asked for a password:

    1. cat - read file contents.
    2. chmod - change who can read and write a file or directory.
    3. chown - change the owner of a file or directory.
    4. mkdir - create a directory.
    5. mv - move a file.
    6. rm - delete a file.
    7. tee - write to a file.
    8. useradd - add a user.
    9. userdel - delete a user.

    • Grant these privileges by editing the sudoers configuration. Entitle highly recommends doing this with the visudo executable (which requires a text editor to be installed), because visudo checks the syntax before saving; a malformed sudoers file can lock every account out of sudo and leave the machine effectively inoperable.
    • Below is an example sudoers line that allows passwordless execution of a single executable as root:
      <username> ALL=(root) NOPASSWD: <executable path>
    • Find the executable's absolute path by running 'which <executable name>'. sudoers rules match on the full path, so the bare command name will not work.
    • Note that passwordless root access to tee, chown, chmod and mv is equivalent to full root in practice. A dedicated account still helps with auditing and revocation, so keep the list exactly as above and do not widen it.
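The following is an added example, not Entitle's own tooling: a POSIX shell script that generates one NOPASSWD rule per executable from the list above, resolves each name to its absolute path as sudoers requires, validates the result with visudo, and only then installs it as a drop-in under /etc/sudoers.d. The service account name "entitle" and the drop-in file name /etc/sudoers.d/entitle are assumptions.

```sh
#!/bin/sh
# Added example (not from the Entitle docs). Builds and installs a sudoers.d
# drop-in granting the integration's service account passwordless sudo for
# exactly the executables Entitle needs. Account name "entitle" and the file
# /etc/sudoers.d/entitle are hypothetical; adjust to your environment.

# entitle_sudoers <user> <cmd>... : print one rule per command, each resolved
# to its absolute path (sudoers matches on the full path, so "cat" alone would
# never match). Prints nothing and returns 1 if any command is not on PATH,
# so a half-built rule set is never written. Run as root so /usr/sbin (where
# useradd and userdel live on most distributions) is on PATH.
entitle_sudoers() {
    user="$1"; shift
    rules=""
    for cmd in "$@"; do
        path=$(command -v "$cmd") || { echo "not found on PATH: $cmd" >&2; return 1; }
        case "$path" in
            /*) ;;   # absolute path, as expected for an external executable
            *) echo "$cmd resolves to '$path', not an absolute path" >&2; return 1 ;;
        esac
        rules="$rules$user ALL=(root) NOPASSWD: $path
"
    done
    printf '%s' "$rules"
}

# install_entitle_sudoers <user> <cmd>... : write the rules to a temporary
# file, let visudo check the syntax, and only then install the file with the
# mode sudo expects (0440). A syntax error leaves /etc/sudoers.d untouched.
install_entitle_sudoers() {
    user="$1"; shift
    tmp=$(mktemp) || return 1
    entitle_sudoers "$user" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "sudoers syntax check failed; nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0440 "$tmp" "/etc/sudoers.d/$user" && rm -f "$tmp"
}

# Usage (as root), granting exactly the executables listed in the prerequisites:
#   install_entitle_sudoers entitle cat chmod chown mkdir mv rm tee useradd userdel
```

visudo -cf only validates syntax; it does not tell you whether the rule set is narrower than root, and with tee, chown, chmod and mv in the list it is not. Re-run entitle_sudoers after any OS upgrade that relocates binaries (for example a /bin to /usr/bin merge), since a stale path silently stops matching.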

General information

  1. Entitle can manage two types of roles: regular user access to the machine and sudo user access to the machine.
  2. In both cases the integration creates a temporary user and returns its details to the requester.
  3. In the sudo access case only, the integration also adds a file for the created user to the /etc/sudoers.d directory.
  4. When the access expires, the created user is deleted along with the files created for it (if any exist).

End-user experience

This section outlines an employee's experience when requesting SSH access through Entitle.

When JIT access is granted through Entitle, the employee receives a ready-made SSH command via Teams/Slack.

  • The employee clicks the View account details button.

  • The opened view shows the key for the SSH integration machine.

  • The employee copies the command and pastes it into their own terminal.

  • Note: Microsoft Windows is not yet supported by Entitle for SSH.

The employee now has access to the designated machine.

Set up SSH to work with Entitle

Note: all Entitle needs to integrate with SSH is the username and private key of the account described under Prerequisites (root, or the service account with the sudo rules). The following steps show one way of generating that key; there are many other ways to achieve the same result.

Stage 1: Generate SSH keys

  1. Open the computer terminal.
  2. Generate a dedicated key pair for the integration with the ssh-keygen command (do not reuse a personal key, since this private key will be pasted into Entitle's configuration):
$ ssh-keygen -t rsa -b 4096
  • ssh-keygen writes two files: the private key id_rsa and the public key id_rsa.pub (or the names you gave at the prompt). Newer OpenSSH releases default to Ed25519 keys named id_ed25519, which is why -t rsa is passed explicitly; the rest of this guide uses the RSA file names.
  • Note: in this guide, when prompted for the private key, provide the id_rsa file; when prompted for the public key, provide the id_rsa.pub file.
    • Entitle's Connection JSON takes the private key as a single JSON string, so every line break in the file has to be replaced with the two characters \n. On Linux or macOS you can do this with sed and tr:
sed 's/$/\\n/' <key_path> | tr -d '\n'
  1. Replace <key_path> with the path to your private key file (for example ~/.ssh/id_rsa).
  2. The output is the whole key on one line, starting with the -----BEGIN ... PRIVATE KEY----- header and with a literal \n after every original line, including the last one.

Stage 2: Set up SSH key authentication on the target machine

  1. Open a terminal on the target machine.
  2. Go to the .ssh directory of the integration user (e.g., /home/username/.ssh), creating it if it does not exist. Keep in mind that this must be the same user you will set in the user field of the Connection JSON below.
  3. Inside .ssh, add the public key generated in Stage 1 to a file named authorized_keys. You can do this by appending the public key to the file (>> rather than > so that any keys already present are kept):
~ echo "public_key_content" >> /home/username/.ssh/authorized_keys

Note: if the public key is missing from authorized_keys, SSH authentication fails because the private key has no matching public key. The same happens if sshd ignores the file: with its default StrictModes setting, .ssh must be mode 700, authorized_keys mode 600, and both owned by the user.
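Below is an added example, not Entitle's own code, of an idempotent way to do Stage 2: it installs the public key for the integration user without overwriting keys already present, validates that the input looks like an OpenSSH public key line, and sets the ownership and modes sshd's StrictModes check expects. It assumes the user's home directory already exists; the user name "entitle" in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the Entitle docs). Installs a public key into
# ~/.ssh/authorized_keys for the integration user the way sshd wants it:
# .ssh mode 700, authorized_keys mode 600, both owned by that user.
# The user name "entitle" in the usage line is hypothetical.

# install_authorized_key <user> <home_dir> <public_key_line>
# Appends the key only if that exact line is not already present, so running
# it twice leaves a single copy. Returns 1 on bad input or failure.
install_authorized_key() {
    user="$1"; home="$2"; pubkey="$3"
    sshdir="$home/.ssh"; keys="$sshdir/authorized_keys"

    # Reject anything that is not "<key type> <base64> [comment]". Lines that
    # start with key options (command="...", from="...") are deliberately not
    # accepted here; add them by hand if you need them.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*|"sk-"*" "*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # umask 077 makes newly created entries private; existing ones are fixed
    # up by the explicit chmod below.
    (umask 077 && mkdir -p "$sshdir" && touch "$keys") || return 1
    if ! grep -qxF -- "$pubkey" "$keys"; then
        printf '%s\n' "$pubkey" >> "$keys"
    fi
    chmod 700 "$sshdir" && chmod 600 "$keys" || return 1

    # Ownership can only be changed by root; when the user runs this for
    # themselves the files are already theirs.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user" "$sshdir" || return 1
    fi
}

# count_authorized_keys <home_dir> : number of lines in authorized_keys,
# handy for confirming that re-running the install did not duplicate the key.
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage (as root, for the integration user "entitle"):
#   install_authorized_key entitle /home/entitle "$(cat id_rsa.pub)"
```

If key authentication still fails after this, run the sshd daemon on the target in debug mode (sshd -d on a spare port) or check the auth log: a "bad ownership or modes" message means StrictModes rejected the directory, not the key.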

Creating the integration in Entitle

All that is left to do is create an integration on the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.

  2. After clicking the Add Integration button, type SSH Ephemeral Accounts in the Application field.

  3. Choose the Default Approval Workflow for your integration.

  4. Set the Save on field to where this configuration is stored, i.e. your own hosted agent or Entitle's cloud.

  5. In the Connection JSON:

    • Set the host field to the machine's IP address or domain name.
    • Set the key field to the private key generated in Stage 1. JSON cannot hold a multi-line string, so every line break in the key must be replaced with the two characters \n (the sed command from Stage 1 does exactly this).
    • Set the user field to the username from Stage 2 whose authorized_keys file holds the matching public key.
    • Example Connection JSON:
{
    "host": "<IP or domain name>",
    "key": "<Private-key>",
    "user": "<username>"
}
  6. Click Save, you are done!🎉