Overview

In most environments, SSH servers are not exposed to the public internet. In such cases, you can use Banyan’s default Mutually Authenticated TLS (MTLS) flows for TCP services to give your end users VPN-free Zero Trust access regardless of their network location. SSH traffic flows through the Banyan Access Tier and is wrapped in an MTLS tunnel (shown in the diagram below).

Banyan, by default, is agnostic to the underlying SSH authentication method - be it password, public-key, host-based, GSSAPI, etc. If you wish to change how SSH authentication is set up for your organization, review our SSH Certificate Authentication capability.

Steps

Setting up VPN-free access to an SSH Server follows the same process used to secure any TCP service, as described in Notes on Securing TCP Services.

You can securely expose your SSH server in 4 steps. In this article, we will create a Banyan Role (for contractors) and a Banyan Policy so that only users on devices that meet the policy can gain secure access to the SSH Server:

1. Create a Role for your End Users

In the Banyan Command Center, navigate to Secure Access > Roles and then click + Add Role. Create a User Role and then click + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

2. Create a Policy for your SSH Server

Navigate to Secure Access > Policies and then click Create Policy. Select the option TCP Policy.

3. Define a Service for your SSH Server

Next, configure an SSH service for Zero Trust access to your SSH Server.

Navigate to Manage Services > Infrastructure and then click + Register Service. Select the option SSH Service.

Configure the service as an SSH service as shown below:

Assign a domain name for this service, such as mysshserver.corp.example.com, and leave the port as 8443; banyanproxy will tunnel SSH traffic over port 8443. This is the port the client connects to over MTLS, not the SSH daemon’s own listening port (typically 22), which the Access Tier reaches on the backend.

In the Desktop App Settings section, indicate that user connections to this Service should “Only use the TrustCert”.

Attach the policy we had previously created and set enforcement mode to Enforcing.

4. Connect via the Banyan Desktop App

Ensure your end users install the latest Banyan Desktop App and register their device.

Once the Service is defined, your end users will see it in their Banyan Desktop App.

When the user clicks “Activate”, the Desktop App will add an entry to the SSH config file (typically located in ~/.ssh/config).

Now, they can access the SSH Server as:

ssh user@mysshserver.corp.example.com

The SSH client will use banyanproxy to automatically tunnel the SSH session over the MTLS channel set up by Banyan. The SSH protocol itself is unchanged inside the tunnel: the client still verifies the server’s host key, and SSH authentication to the server proceeds exactly as configured on that server.


Notes

SSH Config file

When your end user clicks “Connect” in the Desktop App to connect to the SSH service, the Desktop App will automatically update the device’s SSH Config file with the banyanproxy settings needed (a Host entry whose ProxyCommand invokes banyanproxy).

The Desktop App looks for an SSH Config file location depending on the Operating System of the device:

Operating System    SSH Config File Location
macOS               $HOME/.ssh/config
Windows             %USERPROFILE%\.ssh\config
Linux               $HOME/.ssh/config
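The following script is an added example and is not Banyan’s code. It shows the kind of per-host SSH config management the Desktop App performs on behalf of the user, in a form an administrator can use to audit or reproduce it: a Host block is added or replaced idempotently between marker comments, removed cleanly without touching the user’s other entries, and the file is checked for owner-only permissions. The ProxyCommand string passed in is a placeholder; the real command line, including any banyanproxy flags, is whatever the Desktop App writes, and nothing about those flags is assumed here. The function and marker names are this example’s own.

```shell
#!/bin/sh
# Added example (not Banyan's code): manage and verify the per-host SSH config
# block that the Desktop App writes when a user connects to a Banyan SSH service.
# The ProxyCommand text supplied by the caller is a placeholder; banyanproxy's
# actual flags are not assumed.

# Resolve the SSH config path for the current OS (see the table above).
# Under Git Bash/MSYS on Windows, USERPROFILE points at the user's profile.
ssh_config_path() {
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*|CYGWIN*) printf '%s/.ssh/config\n' "${USERPROFILE:-$HOME}" ;;
        *)                    printf '%s/.ssh/config\n' "$HOME" ;;
    esac
}

# Remove the managed block for host $1 from config file $2, leaving every other
# line untouched. Blocks are delimited by "# BEGIN banyan <host>" / "# END banyan <host>".
banyan_remove_host() {
    host=$1; cfg=$2
    [ -f "$cfg" ] || return 0
    tmp="$cfg.tmp.$$"
    awk -v h="$host" '
        $0 == ("# BEGIN banyan " h) { skip = 1; next }
        $0 == ("# END banyan " h)   { skip = 0; next }
        !skip { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Add or replace the managed block for host $1 in config file $2, with $3 as the
# ProxyCommand. Appending at the end means a user's own earlier, more specific
# entries still win (OpenSSH uses the first value set for each option).
banyan_set_host() {
    host=$1; cfg=$2; proxy_cmd=$3
    mkdir -p "$(dirname "$cfg")"
    [ -f "$cfg" ] || : > "$cfg"
    banyan_remove_host "$host" "$cfg"
    {
        printf '# BEGIN banyan %s\n' "$host"
        printf 'Host %s\n' "$host"
        printf '    ProxyCommand %s\n' "$proxy_cmd"
        printf '# END banyan %s\n' "$host"
    } >> "$cfg"
    chmod 600 "$cfg"
}

# Print the ProxyCommand in effect for host $1 according to config file $2
# (empty output if the host has none). Only exact single-pattern Host lines are matched.
banyan_proxy_for() {
    host=$1; cfg=$2
    [ -f "$cfg" ] || return 0
    awk -v h="$host" '
        tolower($1) == "host" { inblock = ($2 == h); next }
        inblock && tolower($1) == "proxycommand" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$cfg"
}

# True if the config file is readable and writable by its owner only. ssh does not
# enforce this for the config file (it does for private keys), but a config another
# local user can write lets them redirect ProxyCommand for every host.
banyan_config_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Usage (illustrative; the real ProxyCommand is whatever the Desktop App installs):
#   CFG=$(ssh_config_path)
#   banyan_set_host mysshserver.corp.example.com "$CFG" "/path/to/banyanproxy %h %p"
#   banyan_proxy_for mysshserver.corp.example.com "$CFG"
#   banyan_remove_host mysshserver.corp.example.com "$CFG"
```

To confirm what the SSH client will actually do for a host after the Desktop App has written its entry, run `ssh -G mysshserver.corp.example.com` and check the `proxycommand` line of the effective configuration; a stale or duplicated Host block will show up there as the wrong (or first-matching) ProxyCommand.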

Other SSH Clients

If your end users use an SSH client that doesn’t use the SSH Config file, such as PuTTY, you must provide them slightly modified instructions. Please contact our Support team for details.



Last modified: Aug 19, 2021