Secure Shell Gateway
 
 

suSSHi is your first solution for a single point of entry to data center and cloud resources. It enables you to control and log all SSH access to these resources. suSSHi provides simple configuration, manageable profiles and access rules for each and every target system.

Chef Cuisine

suSSHi Chef is the central user account and access management component of the suSSHi Suite. A modern user interface supports you in all administrative tasks. suSSHi Chef comes with sophisticated features as well as advanced integration and automation options, e.g. a full REST API that gives you full control over all configurations.

One extraordinary feature worth mentioning is multi-tenancy support within a single suSSHi Chef installation, allowing each tenant to have its own configuration and data sets.

 

Support for multiple access control models 

suSSHi is your multi-tool Swiss army knife when it comes to authentication and authorisation: suSSHi supports Public Key, Keyboard-Interactive and Password authentication on the client side as well as on the target side. Several combinations are possible, depending on your business requirements.

What makes suSSHi a masterpiece in authentication is the full integration of all authentication dialogs within the SSH authentication phase. It eases client error handling and allows graphical SSH clients with authentication dialogs to display them correctly instead of having authentication prompts showing up in the terminal session. 

The authentication and authorisation process can be customised by our professional service through a flexible plugin-architecture.

Flexible User Mapping

One of suSSHi's strengths is the ability to map real users to administrative accounts without losing any security or control over the target system. This can be extended further with built-in regex and regex-mapping rules that allow easy user mappings with regular expression patterns.

Flexible Targets

suSSHi supports different kinds of targets to be ready for all situations. Static Targets allow the static mapping to IP addresses with pre-configured (or scanned) host keys - this is the most secure way to have targets configured. 


Dynamic Targets allow the use of DNS hostnames (FQDN) to identify targets and either have host keys pre-configured (or scanned) or dynamically learned by the gateway. All dynamically learned host keys have to be accepted and are stored individually per user.
 

Domain Targets allow the use of DNS domain names to identify targets. Target host keys are dynamically learned by the gateway, which gives a high degree of flexibility for frequently changing targets, as in cloud setups.

Network Targets act like Domain Targets but are based on IPv4 or IPv6 CIDR-addressed networks, for when you want to configure targets by network IP addresses instead of domain names.

 

Protocol Deep Inspection and Logging

Each session through suSSHi gateways undergoes deep packet inspection of all SSH messages within the SSH protocol. Specialised dissectors perform analysis and protocol-aware logging for all sessions and sub-protocols within the RFC-standard-based SSH v2 protocol suite.

The dissectors allow fine-grained control over what is allowed or denied and give you control over protocol-specific logging. The dissectors support all SSH features such as interactive sessions, file transfers, port forwarding, SSH agent, tunneling and a lot more.

 

IPv4 and IPv6 support

suSSHi has full support for IPv4 and IPv6 and both IP versions can be mixed in various ways.

 

The IP protocol used for the connection from the gateway to the target server is completely independent of the IP protocol used for the connection from the client to the gateway. This allows, for example, users coming from an IPv4-only network to connect to servers in an IPv6 deployment and vice versa. Even port forwarding can be combined in both directions.


suSSHi implements a more advanced "happy eyeballs" that goes further in mixing IPv4 and IPv6 in an administrator-configurable way. You can choose whether IPv6 or IPv4 addresses are preferred, and suSSHi tries to connect to targets in the preferred order. It even iterates through lists of IP addresses if DNS resolves to multiple IP addresses for a target.

 

Gateway Performance & Scale-out

Logging into a target system via suSSHi adds less than 100 ms of delay compared to a direct login. With wire-rate performance for active sessions and data copy, the suSSHi gateway does not limit productivity in any way. In other words, a user does not notice the gateway in terms of speed, delay or jitter, from session setup through the full session.


All session reporting is done asynchronously so that it does not block I/O on the session processes in which interactive users or copy sessions are handled, which guarantees minimal to no delay and jitter.

Easily add more gateways for more parallel sessions as needed for a horizontal scale-out. Each gateway acts independently and can even be deployed in different L3 networks. The suSSHi Chef component can also be deployed multiple times for more redundancy and scale-out.

Features, features, features ...

suSSHi comes with a lot of features and protocol support to make it as compatible and flexible as possible with modern SSH servers and clients. State-of-the-art authentication key support such as ED25519, up-to-date ciphers such as AES256 and ED25519, and hash algorithms such as SHA256 come together with support for compression, OpenSSH deviations and extensions, and configurable timers for session idleness and maximum session times to make suSSHi a strong and masterful piece of work.


With the integration into suSSHi of the firewall/proxy functionality supported by common SSH GUI clients, users continue using their existing connection settings in their clients.

© 2018 - 2019 by Wasabi Elements GmbH