securing ssh with apm
Hey guys, interesting idea I was presented with the other day. As an organization, we have pushed hard for MFA. We try to use it for new external apps, sites, etc.
However, I just came up against a new one. A customer has a requirement to SSH to a server from the Internet. No problem, I can proxy that. But how can we MFA that? Yes, DUO has a plugin that can handle it, BUT someone will have access to that server directly.
I want to try and control access with APM and my initial thought was some type of network access webtop. Only 'issue' is, you guessed it, port 22. Can I / is it possible, that if someone tries to SSH in on 22, a 'popup' or dialog is created via APM prompting them for credentials and their DUO token?
15 Replies
No, I don't believe you can just put something in the middle of an SSH session. You could put up a webtop that sets up an application tunnel for 22, but that requires a different workflow.
AFM does provide an SSH proxy now, but that remains limited and doesn't add authentication methods as far as I can see.
http://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.html
- Bill_Church_988
Historic F5 Account
I have a solution around this but it's not quite public yet. Send me a PM and I can email you off forum if you're interested.
- kevin_flynn_180
Nimbostratus
Super interested... I'll PM ASAP
- spalande
Nacreous
Dear Bill,
I'm having a similar requirement of securing SSH access to a back-end Linux server using APM. Please let me know the email ID where I can contact you.
- Stan_Ward
Altocumulus
Bill, I have the same requirement. Has anything been published, or can you tell me how to contact you?
Thanks,
Stan
- Stephan_Mierau
Employee
There is an SSH profile to control SSH sessions; it is new in 12.1. It belongs to the AFM.
- Ian_Støttrup
Nimbostratus
I just got SSHproxy with AFM working. E.g. SCP upload/download can now be blocked to/from my backend server. I presume it is something like that you want, so take a look at AFM SSHproxy.
- Carlos_Alperin
Nimbostratus
Is this item already public? I need to deploy exactly this, but I have no info to PM Bill.
- Informatica_CHJ
Nimbostratus
Bill, I have the same requirement. Has anything been published, or can you tell me how to contact you?
Thanks,
Stan