Smallstep SSH

Mike Malone

Follow Smallstep

In high school, I dedicated most of my time and my meager income to building a motley little datacenter in my parents’ basement. It consisted mostly of decommissioned server hardware acquired second-hand from eBay. I had a Compaq Proliant running AIX, an SGI Challenge S running Irix, a Sun Ultra running Solaris, and a couple of old IBM PCs running Linux and FreeBSD.

I remember switching these systems from telnet to OpenSSH. It was an upgrade, but it was also a chore. Many years passed before I knew enough about the cryptography involved to feel comfortable configuring SSH and managing SSH keys.

When I started my professional career, SSH key management became a noticeable operational burden. Every time someone joined or left a team there’d be a scramble to grant or remove access -- to add or delete SSH public keys from hosts. I noticed as agile, cloud, microservices, and DevSecOps exacerbated the problem by requiring access for more people to more hosts. But SSH is the de-facto right way to remotely administer a server. This felt like a necessary cost of doing business.

Then I learned about SSH certificates, which were added to OpenSSH in 2010, and I realized that I’d been doing SSH wrong for the last decade. Late last year, I wrote a blog post sharing this discovery. That post blew up. It made front pages everywhere relevant, and many readers reached out to discuss how certificate-based SSH access might work in their world.

Smallstep SSH Professional

Since then we’ve been listening to feedback and working closely with early access customers to refine the ideas in that post. Today, we’re excited to announce the output of that work: the general availability of Smallstep SSH Professional Edition:

• Single sign-on SSH as a service for $3/host/month + Team account level or higher. We run a certificate authority for you with KMS-backed private keys. No contracts, no minimums, no fuss.
• One-line configuration, then use ssh like you’re used to. Built on our open source step-ca with standards-based single sign-on (OAuth OIDC) from your existing identity provider (e.g., Okta, Azure AD, G Suite) for easy integration and minimal lock-in.
• User lifecycle management, access control, and audit logging. Automatically synchronize users and groups from your identity provider to your hosts. Control access, and monitor SSH activity from the Smallstep SSH dashboard.
• OpenSSH, but better. Smallstep SSH works by configuring standard OpenSSH clients and servers. It works across clouds, on-prem, and anywhere else OpenSSH does.

You can sign up now for a thirty-day free trial. When you’re ready, enter your credit card information. No need to talk to a sales rep or sign a long-term contract (but you’re still welcome to contact us if you’d prefer). It took a lot of late nights and weekends to get here. I’m incredibly thankful for the work of our fantastic team, early access customers, and to their families for behind the scenes support.

From certificates to single sign-on for SSH

After our blog post, we quickly put together a crude demonstration of what life with SSH certificates might look like, using our open-source toolchain, and started showing it to anyone interested. Through these conversations, a product took shape.

We quickly realized that certificates, while important, weren’t the right lede. Certificates are like browser cookies: an ephemeral byproduct of the login process used to establish a session. More important is what certificates allow: they let you establish an SSH session using single sign-on and say goodbye to SSH key management forever. When users are added to the right group, they get SSH access. When they leave the company, SSH access is revoked immediately and automatically. In between, they use SSH like they’re used to, but with less hassle and less liability.

SSH key management is a waste of time. We talked to countless front-line operators and SREs who lamented time spent pushing keys around. Time that could have been invested in strategic initiatives. But, they told us, simply issuing certificates was not enough. Even with a certificate, you can’t SSH to a server unless you have a user account and a home directory. To really save time, we learned, we needed to handle these tasks as well.

So we built a lightweight toolchain for hosts to manage user accounts and access control. It plugs in, non-intrusively, via standard OS mechanisms (NSS and PAM). If you choose to use these features, they won’t interfere with your existing user management at all. As a bonus, we added SSH session audit logging to support basic compliance requirements.

We found operators & administrators were quite empathetic towards users. Time savings on their side wasn’t compelling if it meant time lost by their users. Footprint was also important. SSH is critical infrastructure, so new client or server software was a non-starter. Using OpenSSH, not replacing it, was the right move: by filling a few small gaps we could solve this problem without impacting users. We focused a lot of energy on perfecting the user experience, to disappear as much as possible. The only time a user will notice Smallstep SSH at all is when they’re periodically asked to authenticate via single sign-on.

Unsurprisingly, security was also top of mind. Certificates have some immediate security benefits: we’re able to leverage existing, hardened, authentication services to issue ephemeral credentials, hold keys in memory, and rotate them frequently. That makes it a lot more difficult for an attacker to jump from a popped endpoint into your production environment via SSH.

But running a secure, highly available certificate authority is non-trivial (although step-ca makes it easier than it’s ever been before). So we decided to start with a hosted offering. Click a couple buttons and we’ll run the certificate authority for you, with private signing keys held securely in a KMS.

Better SSH for everyone

We’ve talked to individuals and organizations of all sizes SSHing to everything from kubernetes containers to container ships; from Raspberry Pis to HPC clusters; scooters; trains; industrial sensors; and coffee machines. We’ve even talked to a couple of folks running their own little homelabs, like the one I had in high school.

Some of these devices are resource-constrained. Others have intermittent internet connectivity. Some operate in regulated environments, or get deployed into the world where they’re susceptible to physical attacks. Beyond operational efficiencies, customers showed us how certificate-based authentication brings unique operational agility. It works where other mechanisms simply don’t.

Now that I know how SSH can work I never want to go back. We believe this is a product for everyone, everywhere they use SSH. And we don’t think SSH access should cost more than whatever you’re SSHing to. So we priced it sustainably, but affordably, and made it easy to buy.

Use cases are varied, and today’s release is the first of many. A compliance edition will come later this year, bringing expanded audit and access control capabilities. And we will continue to partner and learn from everyone that uses our technology.

Take a look and let us know what you think.