Fi8sVrs
Posted August 15, 2017 (edited)

AUTHENTICATION SERVER

The idea behind Isolate is that we should somehow manage how people get access to our servers. How can we make this process more secure? How could we prevent a system from being compromised when someone lost the laptop with the SSH key? What would we do in case someone quits the company - is there an alternative to just changing all passwords, keys, etc.?

Isolate adds OTP 2FA to SSH login. It could be a hardware YubiKey or the Google Authenticator app. If someone lost the password - the OTP key is here and the intruder can't get access to the bastion host.

Users don't get direct access to endpoint servers - they go there through the Isolate server, and the system tracks their actions. You can easily manage access to the bastion server - add/remove users, etc.

Technically you should generate and place the bastion host key on the endpoint servers, and users will get regular access to the Isolate server with sudoer access to the ssh command. Once they want to connect to the endpoint server, the system executes the ssh command, and the ssh client running with privileged user permissions gets the server key; using it, the system gets access to the server we need to reach.

Supports:
- OTP (counter and time based) 2FA algorithms
- SSH sessions logging

Requirements:
- Fresh CentOS 7 / Ubuntu 16.04 / Debian 9 setup
- Ansible 2.3+ for install or update

Installation: https://github.com/itsumma/isolate#install
Download isolate-master.zip

Source: https://github.com/itsumma/isolate

Edited August 15, 2017 by Fi8sVrs