What is an SSH Server?
As the backbone of many critical systems and applications, an SSH server is a crucial gatekeeper, protecting your valuable infrastructure and ensuring the integrity of your online operations. At its core, an SSH server provides a secure, encrypted communication channel that allows administrators and developers to access remote systems, execute commands and transfer files confidentially. With the ability to control user permissions, monitor activity, implement robust access controls and manage IT systems in general, it is one of the most powerful tools in an admin’s toolbox. By leveraging advanced cryptographic protocols, an SSH server ensures that your infrastructure, including your sensitive information, remains protected from prying eyes, safeguarding your organization's most valuable assets.
What are the Risks of Using an SSH Server?
In today's digital landscape, where cybersecurity threats loom large, the importance of a robust and secure SSH server cannot be overstated. However, its use is not without risks.
One of the primary concerns is the potential for unauthorized access. If SSH keys are compromised, malicious actors can gain entry to sensitive systems, leading to data breaches and significant financial losses. This can happen, for example, through brute-force attacks in which attackers systematically try candidate private SSH keys against the publicly accessible public keys. The same applies to password-protected servers, which are still used sometimes (note: do not protect your access with passwords but with SSH keys; using a password is not secure). This vulnerability can be mitigated by using well-protected private SSH keys (or strong password policies). Well-protected private SSH keys use asymmetric cryptography (e.g. the elliptic-curve signature scheme Ed25519), which is assumed to remain secure in a post-quantum-computing era. Older methods such as RSA with fewer than 4096 bits, or DSA altogether, should no longer be used, as they have already been broken in the past and are therefore no longer secure.
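As an added illustration of the key-type policy described above (example code written for this page, not part of Bifröst or OpenSSH), the following Python audits an authorized_keys file: it parses each entry's SSH wire-format key blob, flags DSA keys and RSA keys with a modulus below 4096 bits, accepts Ed25519 and reports anything else for manual review. The sample entries are synthesised inside the block and contain no real key material.

```python
import base64
import struct
MIN_RSA_BITS = 4096  # policy from the text: Ed25519 ok, RSA only with >= 4096 bits, DSA never

def sshstr(b):       # SSH wire-format string: uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def mpint(n):        # SSH mpint; the extra byte keeps the sign bit clear (positive)
    return sshstr(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(blob, offset):  # returns (string bytes, offset just after it)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def rsa_modulus_bits(blob):     # blob layout: string "ssh-rsa", mpint e, mpint n
    _, off = read_string(blob, 0)
    _, off = read_string(blob, off)
    return int.from_bytes(read_string(blob, off)[0], "big").bit_length()

def classify_key(line):         # -> ("ok" | "weak" | "unknown", reason) for one line
    fields = line.split()
    while fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields.pop(0)           # skip leading options such as no-pty or from="..."
    if len(fields) < 2:
        return ("unknown", "unparseable line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    if read_string(blob, 0)[0] != key_type.encode():
        return ("weak", "declared type does not match key blob")
    if key_type == "ssh-ed25519":
        return ("ok", "Ed25519")
    if key_type == "ssh-dss":
        return ("weak", "DSA is deprecated")
    if key_type == "ssh-rsa":
        bits = rsa_modulus_bits(blob)
        return ("ok" if bits >= MIN_RSA_BITS else "weak", f"RSA {bits} bits")
    return ("unknown", key_type)

def audit_authorized_keys(text):  # classify every non-blank, non-comment line
    return [classify_key(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def synth_line(key_type, *parts):  # structurally valid but NOT real entry; test data only
    return key_type + " " + base64.b64encode(sshstr(key_type.encode()) + b"".join(parts)).decode()

SAMPLE = "\n".join([               # constructed sample file with no real key material
    "# Ed25519, 2048-bit RSA, 4096-bit RSA, and a DSA key carrying a leading option",
    synth_line("ssh-ed25519", sshstr(bytes(32))),
    synth_line("ssh-rsa", mpint(65537), mpint((1 << 2047) | 1)),
    synth_line("ssh-rsa", mpint(65537), mpint((1 << 4095) | 1)),
    "no-pty " + synth_line("ssh-dss", mpint(3), mpint(3), mpint(2), mpint(1)),
])
```

Running audit_authorized_keys on a real file gives one (status, reason) tuple per entry; the modulus length is read from the key blob itself, so a mislabelled entry cannot pass as a stronger key.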
Another concern is the risk of outdated software or of bugs in the random number generation process, which provides potential attack vectors against public/private key pairs. An unpatched SSH server can expose your system to known vulnerabilities that attackers actively exploit. Regular updates and security patches are essential to safeguard against these threats.
Additionally, improper configuration of SSH servers can lead to unintended exposure of sensitive data or unauthorized access. It is crucial to follow best practices when configuring your server settings, such as disabling root login and using key-based authentication instead of passwords.
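The two configuration points above, as an added check (example code for this page, not Bifröst's own): a small Python audit of an sshd_config text that applies sshd's own evaluation rules (the first occurrence of a keyword wins, keywords are case-insensitive, and an absent keyword falls back to the documented OpenSSH default), so a weak setting cannot hide behind a later duplicate line or a Match block. Both sample configs are constructed.

```python
# sshd semantics modelled here: keywords are case-insensitive, the FIRST occurrence
# of a keyword wins, everything after a Match line applies only to matched
# connections, and an absent keyword takes OpenSSH's documented default.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "permitemptypasswords": "no"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",      # the text above:
          "pubkeyauthentication": "yes", "permitemptypasswords": "no"}  # no root, keys only

def parse_sshd_config(text):
    """Return {keyword: value} as sshd applies it to all connections."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # blank lines and comments
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                       # rest of the file is conditional
            break
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip().lower()
    return effective

def audit_sshd_config(text):
    """Return (keyword, effective value, 'configured' or 'default') for each weak setting."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        value, source = (cfg[key], "configured") if key in cfg else (DEFAULTS[key], "default")
        if value != wanted:
            findings.append((key, value, source))
    return findings

# Constructed samples. In WEAK_CONFIG the second PasswordAuthentication line is
# silently ignored by sshd (first occurrence wins) and the Match block only
# helps the user "deploy", so the global weakness remains.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""
```

Note that an empty config is also reported, because the OpenSSH defaults leave password authentication enabled and root login at prohibit-password rather than no.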
Lastly, an often forgotten risk materializes when internal users are no longer aligned with the company’s strategy, are fired or resign from their employment contract. In such a case, IT engineers with SSH server access have the power to ruin the company by misusing the powerful SSH server tool. Even revoking access rights to the SSH server immediately does not prevent damage, as users generally still have access to the systems for quite a while until the employee’s deactivation has been applied to all affected systems. It is not unusual even for medium-sized companies to have hundreds of systems that need such updating. Without special tools, a roll-out or roll-back can take days to weeks. This is mainly due to weak roll-out documentation and processes. Consequently, nobody knows exactly which systems a user has been granted access to over time. Hence, a number of access points are often only deactivated over time, when discovered (by accident), and remain a security challenge for the company’s whole IT landscape.
In summary, while SSH servers provide robust security features for remote connections, it is vital to remain vigilant about their associated risks.
Engity’s Advanced SSH Server
Engity has developed an advanced SSH server called Bifröst. Besides the “classic” features of a standard SSH server, Engity has addressed some of the disadvantages and risks of today’s SSH servers. To this end, Engity’s focus has been on improving data security as well as usability. In addition, providing our Bifröst software as open source under the Apache 2.0 license and free of charge shows our commitment to the open-source and sharing economy.
Bifröst’s Feature Set & Use Cases
Bifröst is a powerful tool that helps admins increase their efficiency and ease of use when connecting to multiple servers. By combining a fully SSH-protocol-compliant server with an OpenID Connect (or OAuth2) identity provider, admins can sign in following a single sign-on (SSO) logic and do not need to authenticate for every new server access. Bifröst also temporarily caches the public key provisioned to a user and can, as a consequence, authenticate and reconnect to a server much faster if the session is still alive. Bifröst can also automatically provision local users from a predefined requirement template within a local environment. There is no longer a need for admins to provision each user locally; Bifröst does that job.
A feature that is becoming more and more important from a security perspective is the ability for admins to automatically lock out users or user accounts, either when they are no longer needed (e.g. the session becomes idle or times out) or when the respective user is no longer supposed to have access to an SSH server. In this case, the user is disconnected and deleted (including their home directory) from the server, and all of their running processes are stopped. This happens within the configured maximum access token lifetime (usually at most 15 minutes) of the OpenID Connect provider used (such as Microsoft Entra ID, Google or Engity IdP). On the other hand, new users with customized rights can be set up hassle-free in near real time. On top of that, granting different users different rules becomes an easy task.
Additionally, admins can easily connect to Docker containers or Pods inside a Kubernetes cluster by using Bifröst. Even better, users can use Bifröst to manage the virtual Docker or Kubernetes infrastructure by applying rule-based logic and processes.
More use cases can be found here.
Advantages of Bifröst’s SSH Server
Bifröst was designed to support admins in their daily work while keeping the best data security in mind.
- Admins often need to set up local environments on a server with predefined applications (requirement templates) and authenticate themselves with OpenID Connect. That used to be tedious, as it had to be done over and over again. Instead of searching for the right set-up to use within existing Kubernetes or Docker server clusters, Bifröst can automatically create all requirement templates. Instead of wasting time setting up an environment, you are immediately ready to go.
- Increase in company security: Bifröst allows user access to be controlled in the background in the shortest timeframe possible.
- Best of all: in contrast to other SSH servers with OpenID Connect, you do not need any locally installed client other than your regular SSH client (OpenSSH, PuTTY, ...).
Bifröst increases admins’ efficiency by simplifying the access mechanism and hence reduces the time admins have to spend quite dramatically.
Future Planned Developments within Bifröst’s Advanced SSH Server
The steadily growing Bifröst community is ready to further develop its advanced SSH server. The following features are planned for the near future:
- The ability to use Bifröst as a fully transparent SSH proxy to other SSH hosts, but with Bifröst’s single sign-on authentication method.
- Bifröst will provide a session recording routine. This is a powerful tool to see who is logged in and what the users’ interactions have been. In summary, it is an advanced variant of an audit log.
- …
Bifröst & Our Open-Source Commitment
Open-source software has become a game-changer in the modern business landscape, and open-source commitment is not just a trend. Embracing open source is not just advantageous; it is essential for staying competitive and driving meaningful change in the tech ecosystem. It is a fundamental shift in how we approach technology and collaboration.
Additionally, the open-source model offers our customers a compelling alternative to traditional proprietary software, allows costs to be reduced significantly, and empowers enterprises to take control of their technology stack. The collaborative nature of open source means that businesses can customize scalable solutions to fit their unique needs without being locked into rigid vendor agreements. Furthermore, developers from around the globe can contribute their expertise to create robust solutions that benefit everyone.
It is our aim to further develop the Bifröst solution with the help of the open-source community, to raise the security standards of SSH servers and to offer more comfort to IT administrators. Bifröst has been released under the Apache 2.0 license.
You Want to Join our Bifröst Open-Source Community?
Engity has initiated the Bifröst project to help admins and engineers simplify their daily work. Our goal is to make Bifröst better and more powerful every day. Hence, if you have further ideas about what you would like to see implemented, let us know. If you are willing to join forces with us to improve Bifröst, join us on GitHub. You are also very welcome to fork our source code and develop your own project.
Let us start today to revolutionize the SSH server market together!