Secure Shell Gateway
Your single point of entry to data center and cloud resources
As the number of servers, network devices, appliances and so on keeps growing, maintaining accounts and access rights for every administrative user on every target system becomes a serious challenge.
Many organisations work around this by appending to an ever-growing list of authorized keys or by sharing passwords among administrators, and in doing so lose control of administrative user management.
suSSHi provides a single point of entry to data center and cloud resources. It lets you control and log all SSH access to these resources, with straightforward configuration, manageable profiles and access rules for each and every target system.
Chef Cuisine
suSSHi Chef is the central user account and access management component of the suSSHi Suite. A modern user interface supports you in all administrative tasks. suSSHi Chef comes with sophisticated features as well as advanced integration and automation options; for example, a full REST API gives you control over all configuration.
A notable feature is multi-tenancy support within a single suSSHi Chef installation, giving each tenant its own configuration and data sets.
Support for multiple access control models
suSSHi is a Swiss army knife for authentication and authorisation: it supports public key, keyboard-interactive and password authentication on the client side as well as on the target side, and the two sides can be combined in several ways depending on your business requirements; for example, a user can authenticate to the gateway with a personal key while the gateway authenticates to the target with a different method.
All authentication dialogs are carried within the SSH authentication phase itself rather than after a session has been opened. This simplifies client-side error handling and lets graphical SSH clients present authentication prompts in their own dialogs instead of inside the terminal session.
The authentication and authorisation process can be customised through a flexible plugin architecture, delivered by our professional services.
Flexible User Mapping
One of suSSHi's strengths is the ability to map real (personal) users to administrative accounts on the target without losing security or control over the target system: the target sees the administrative account, while the personal user, not a shared account, remains the audited identity. Built-in regex and regex-mapping rules extend this so that mappings can be expressed with regular expression patterns.
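The following is an added illustration of regex-based user mapping and is not suSSHi's own code: the rule format (a full-match pattern plus a template, first match wins, unmatched users get no account) and the sample rule set are assumptions chosen to show the idea. The charset check on the expanded account name is the safeguard a practitioner would want so that a sloppy pattern cannot produce an account name containing shell or path metacharacters.

```python
"""Regex-based mapping of personal users to administrative target accounts.

Added illustration, not suSSHi code: the rule format (pattern, template, first
match wins, unmatched users get no account) is an assumption, not the product's.
"""
import re
from typing import NamedTuple, Optional


class MappingRule(NamedTuple):
    pattern: str                    # full-match regex on the personal user name
    target_account: Optional[str]   # template (may use \g<name>); None = deny


# Constructed sample rule set. Order matters: the first matching rule wins,
# so the explicit deny for "root" is listed before the catch-all.
MAPPING_RULES = [
    MappingRule(r"root", None),                              # nobody maps to root directly
    MappingRule(r"(?P<name>[a-z]+)\.dba", "oracle"),         # alice.dba -> shared oracle account
    MappingRule(r"(?P<name>[a-z]+)\.ops", r"ops-\g<name>"),  # bob.ops   -> ops-bob
    MappingRule(r"(?P<name>[a-z]+)", r"\g<name>"),           # plain users keep their own name
]

# Whatever the template expands to must still be a sane Unix account name;
# this guards against a careless pattern letting metacharacters through.
_ACCOUNT_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def map_user(real_user: str, rules=MAPPING_RULES) -> Optional[str]:
    """Return the target account for real_user, or None if access is denied."""
    for rule in rules:
        match = re.fullmatch(rule.pattern, real_user)
        if match is None:
            continue
        if rule.target_account is None:
            return None                      # explicit deny rule
        account = match.expand(rule.target_account)
        if _ACCOUNT_NAME.fullmatch(account) is None:
            return None                      # template produced something unsafe
        return account
    return None                              # no rule matched: no access


if __name__ == "__main__":
    for user in ("alice.dba", "bob.ops", "carol", "root", "Eve.ops"):
        print(f"{user:10} -> {map_user(user)}")
```

Because the personal name is matched before the mapping is applied, the audit trail can record both the personal user and the administrative account that was used on the target.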
Flexible Targets
suSSHi supports several kinds of targets to cover all situations. Static Targets map a target to a fixed IP address with a pre-configured (or scanned) host key; because both the address and the host key are pinned, this is the most secure way to configure a target.
Dynamic Targets identify targets by DNS hostname (FQDN); their host keys are either pre-configured (or scanned) or learned dynamically by the gateway. Dynamically learned host keys must be accepted explicitly and are stored individually per user.
Domain Targets identify targets by DNS domain name. Host keys are learned dynamically by the gateway, which suits frequently changing targets such as cloud setups; the trade-off is that the first contact with a new host is trust-on-first-use, so learned keys deserve review where the deployment allows it.
Network Targets behave like Domain Targets but match IPv4 or IPv6 networks given in CIDR notation, for deployments in which targets are addressed by IP rather than by domain name.
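To make the difference between the four target kinds concrete, here is an added example (not suSSHi code) of how a gateway might match a requested host against static, dynamic, domain and network target definitions and then apply the matching host-key policy: pinned keys are compared and never learned, dynamic targets learn per user after explicit acceptance, and domain/network targets learn on first contact and reject any later change. The data model, the precedence order, the store layout and the sample targets are all assumptions made for the illustration.

```python
"""Target matching and host-key handling for the four target kinds described above.

Added example, not suSSHi code. The data model, the matching order and the
acceptance flow are assumptions made to illustrate pinned versus learned keys.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Target:
    kind: str                         # "static" | "dynamic" | "domain" | "network"
    spec: str                         # IP address, FQDN, domain suffix or CIDR
    pinned_key: Optional[str] = None  # pre-configured or scanned host key fingerprint


# Constructed sample target list (assumed values, not a real deployment).
TARGETS = [
    Target("static", "203.0.113.10", pinned_key="SHA256:static-fingerprint"),
    Target("dynamic", "bastion.example.com"),
    Target("domain", "prod.example.com"),
    Target("network", "10.0.0.0/8"),
]

# Most specific kind first: a pinned static entry must win over a CIDR or domain match.
_PRECEDENCE = {"static": 0, "dynamic": 1, "network": 2, "domain": 3}


def _as_ip(text: str) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def find_target(requested: str, targets: List[Target] = TARGETS) -> Optional[Target]:
    """Return the target definition that covers the requested host, or None."""
    host = requested.lower().rstrip(".")
    ip = _as_ip(host)
    for t in sorted(targets, key=lambda t: _PRECEDENCE[t.kind]):
        if t.kind == "static" and ip is not None and ip == ipaddress.ip_address(t.spec):
            return t
        if t.kind == "dynamic" and host == t.spec.lower():
            return t
        if t.kind == "network" and ip is not None and ip in ipaddress.ip_network(t.spec, strict=False):
            return t
        if t.kind == "domain" and host.endswith("." + t.spec.lower().lstrip(".")):
            return t
    return None


class HostKeyStore:
    """Learned keys: per user for dynamic targets, gateway-wide for domain/network targets."""

    def __init__(self) -> None:
        self.per_user: Dict[Tuple[str, str], str] = {}   # (user, host) -> fingerprint
        self.gateway: Dict[str, str] = {}                # host -> fingerprint


def check_host_key(target: Target, host: str, user: str, presented: str,
                   store: HostKeyStore, user_accepts: bool = False) -> str:
    """Decide whether the host key presented by `host` is acceptable.

    Returns "ok", "accept-required" (dynamic target whose key this user has not
    accepted yet) or a "reject: ..." string.
    """
    if target.pinned_key is not None:
        # Static targets, and dynamic targets with a configured key: compare only, never learn.
        return "ok" if presented == target.pinned_key else "reject: pinned host key mismatch"
    if target.kind == "static":
        return "reject: static target without pinned host key"
    if target.kind == "dynamic":
        known = store.per_user.get((user, host))
        if known is None:
            if not user_accepts:
                return "accept-required"
            store.per_user[(user, host)] = presented
            return "ok"
        return "ok" if known == presented else "reject: host key changed"
    # Domain and network targets: the gateway learns the key on first contact
    # (trust on first use) and rejects any later change.
    known = store.gateway.get(host)
    if known is None:
        store.gateway[host] = presented
        return "ok"
    return "ok" if known == presented else "reject: host key changed"
```

Note that the apex name of a Domain Target (here `prod.example.com` itself) is deliberately not matched, only hosts beneath it; whether a real gateway includes the apex is a product decision this example does not try to guess.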
Protocol Deep Inspection and Logging
Every session through a suSSHi gateway undergoes deep inspection of all SSH messages. Specialised dissectors analyse and log, in a protocol-aware way, all sessions and sub-protocols of the RFC-based SSH v2 protocol suite.
The dissectors allow fine-grained control over what is allowed or denied and over protocol-specific logging. They cover the SSH feature set, including interactive sessions, file transfers, port forwarding, SSH agent forwarding, tunnelling and more.
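As an added example of what such a dissector does (this is not suSSHi's code), the block below parses the payload of an SSH_MSG_CHANNEL_OPEN message as laid out in RFC 4254 and applies a simple allow/deny policy: interactive `session` channels are allowed, `direct-tcpip` port forwards are allowed only to a configured set of destination host:port pairs, and every other channel type is denied by default, with an audit line produced for each decision. The wire format follows RFC 4254; the policy structure, the message builder used to construct sample traffic, and the sample destinations are assumptions.

```python
"""Dissecting SSH_MSG_CHANNEL_OPEN (RFC 4254 sections 5.1 and 7.2) to allow or deny channels.

Added example, not suSSHi code. Wire format follows RFC 4254; the policy
structure, the message builder and the sample messages are constructed here.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

SSH_MSG_CHANNEL_OPEN = 90


def _u32(buf: bytes, off: int) -> Tuple[int, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _string(buf: bytes, off: int) -> Tuple[bytes, int]:
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def _enc_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


@dataclass
class ChannelOpen:
    channel_type: str
    sender_channel: int
    initial_window: int
    max_packet: int
    host: Optional[str] = None         # direct-tcpip only: host the client wants to reach
    port: Optional[int] = None
    origin: Optional[str] = None
    origin_port: Optional[int] = None


def parse_channel_open(payload: bytes) -> ChannelOpen:
    """Parse the decrypted payload of an SSH_MSG_CHANNEL_OPEN message."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    off = 1
    ctype, off = _string(payload, off)
    sender, off = _u32(payload, off)
    window, off = _u32(payload, off)
    maxpkt, off = _u32(payload, off)
    msg = ChannelOpen(ctype.decode("ascii"), sender, window, maxpkt)
    if msg.channel_type == "direct-tcpip":
        host, off = _string(payload, off)
        msg.port, off = _u32(payload, off)
        origin, off = _string(payload, off)
        msg.origin_port, off = _u32(payload, off)
        msg.host, msg.origin = host.decode("utf-8"), origin.decode("utf-8")
    # For the types dissected here, leftover bytes mean a malformed message.
    if msg.channel_type in ("session", "direct-tcpip") and off != len(payload):
        raise ValueError("trailing bytes after channel open")
    return msg


def build_channel_open(channel_type: str, sender: int, host: str = "", port: int = 0,
                       origin: str = "127.0.0.1", origin_port: int = 0) -> bytes:
    """Encode a CHANNEL_OPEN payload; used here only to construct sample traffic."""
    body = bytes([SSH_MSG_CHANNEL_OPEN]) + _enc_string(channel_type.encode()) \
        + struct.pack(">III", sender, 2 ** 21, 32768)
    if channel_type == "direct-tcpip":
        body += _enc_string(host.encode()) + struct.pack(">I", port) \
            + _enc_string(origin.encode()) + struct.pack(">I", origin_port)
    return body


@dataclass
class ChannelPolicy:
    allow_session: bool = True
    # (host, port) pairs a direct-tcpip forward may reach; everything else is denied.
    allowed_forwards: Set[Tuple[str, int]] = field(default_factory=set)


def decide(msg: ChannelOpen, policy: ChannelPolicy) -> Tuple[str, str]:
    """Return ("allow" | "deny", audit line) for a parsed CHANNEL_OPEN."""
    if msg.channel_type == "session":
        verdict = "allow" if policy.allow_session else "deny"
        detail = "session"
    elif msg.channel_type == "direct-tcpip":
        verdict = "allow" if (msg.host, msg.port) in policy.allowed_forwards else "deny"
        detail = f"direct-tcpip dst={msg.host}:{msg.port} origin={msg.origin}:{msg.origin_port}"
    else:
        verdict = "deny"                 # x11 and unknown types: default deny
        detail = msg.channel_type
    return verdict, f"channel_open sender={msg.sender_channel} {detail} decision={verdict}"


def is_malformed(payload: bytes) -> bool:
    """True if the payload does not parse as a well-formed CHANNEL_OPEN."""
    try:
        parse_channel_open(payload)
        return False
    except ValueError:
        return True
```

A real gateway sees these messages only after the transport layer has decrypted them, which is why a protocol-aware gateway must terminate the client's SSH connection and open its own towards the target rather than passively sniff the wire.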
IPv4 and IPv6 support
suSSHi fully supports IPv4 and IPv6, and both IP versions can be mixed in various ways.
The IP version used between the gateway and the target server is completely independent of the IP version used between the client and the gateway. Users on an IPv4-only network can therefore reach servers in an IPv6 deployment and vice versa, and port forwarding can cross IP versions in either direction as well.
suSSHi implements an extended "happy eyeballs" mechanism in which the mixing of IPv4 and IPv6 is configurable by the administrator: you choose whether IPv6 or IPv4 addresses are preferred, and suSSHi attempts target connections in that order. If DNS resolves a target to multiple IP addresses, it iterates through the whole list.
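The following added example (not suSSHi code) shows the two building blocks such a mechanism needs: ordering a resolved address list by an administrator-chosen family preference, either strictly or interleaved in the RFC 8305 style, and then walking the list until one address accepts the connection. The ordering options, the sequential connect loop (RFC 8305 proper races attempts in parallel) and the constructed DNS answer are assumptions; the `connect` parameter exists so the loop can be exercised offline with a stand-in for `socket.create_connection`.

```python
"""Configurable IPv4/IPv6 preference and fallback across all resolved addresses.

Added example, not suSSHi code. The ordering options and the connect loop are
assumptions; the resolution result is constructed inline so it runs offline.
"""
import ipaddress
import socket
from typing import Callable, List, Sequence, Tuple


def order_addresses(resolved: Sequence[str], prefer: str = "ipv6",
                    interleave: bool = False) -> List[str]:
    """Put the preferred address family first.

    interleave=False: every address of the preferred family, then the others.
    interleave=True:  alternate families (RFC 8305 style), so a broken preferred
    family costs at most one failed attempt before the other family is tried.
    """
    if prefer not in ("ipv4", "ipv6"):
        raise ValueError("prefer must be 'ipv4' or 'ipv6'")
    want = 6 if prefer == "ipv6" else 4
    first = [a for a in resolved if ipaddress.ip_address(a).version == want]
    second = [a for a in resolved if ipaddress.ip_address(a).version != want]
    if not interleave:
        return first + second
    ordered: List[str] = []
    for i in range(max(len(first), len(second))):
        if i < len(first):
            ordered.append(first[i])
        if i < len(second):
            ordered.append(second[i])
    return ordered


def connect_first(addresses: Sequence[str], port: int,
                  connect: Callable = socket.create_connection,
                  timeout: float = 3.0) -> Tuple[str, object]:
    """Try each address in order; return (address, connection) for the first success.

    Raises OSError listing every failure if no address is reachable.
    """
    failures = []
    for addr in addresses:
        try:
            return addr, connect((addr, port), timeout=timeout)
        except OSError as exc:
            failures.append(f"{addr}: {exc}")
    raise OSError("target unreachable on every address: " + "; ".join(failures))


# Constructed DNS answer (assumed) for a target with two A and two AAAA records.
RESOLVED = ["192.0.2.10", "2001:db8::10", "192.0.2.11", "2001:db8::11"]

if __name__ == "__main__":
    print("prefer ipv6, strict:      ", order_addresses(RESOLVED, "ipv6"))
    print("prefer ipv4, interleaved: ", order_addresses(RESOLVED, "ipv4", interleave=True))
```

Keeping the failure list in the final exception matters operationally: when every address of a target is down, the gateway log should show each address it tried and why it failed, not just a generic connection error.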
Gateway Performance & Scale-out
Logging in to a target system via suSSHi adds less than 100 ms of delay compared to a direct login. Wire-rate throughput for active sessions and data copies means the gateway never limits productivity: users do not notice it in terms of speed, delay or jitter, from session setup through to the end of the session.
All session reporting is asynchronous, so it never blocks I/O in the session processes that handle interactive users or copy sessions; this keeps added delay and jitter minimal.
For horizontal scale-out, simply add more gateways as the number of parallel sessions grows. Each gateway acts independently and can even be deployed in a different L3 network. The suSSHi Chef component can also be deployed multiple times for redundancy and scale-out.
Features, features, features ...
suSSHi comes with broad feature and protocol support to stay compatible and flexible with modern SSH servers and clients. State-of-the-art authentication key types such as Ed25519, up-to-date ciphers such as AES-256 and hash algorithms such as SHA-256, together with support for compression, OpenSSH deviations and extensions, and configurable timers for session idleness and maximum session lifetime, make suSSHi a strong piece of work.
Because suSSHi integrates the firewall/proxy functionality that common SSH GUI clients already support, users can keep their existing connection settings in their clients.