Onboard faster, stay secure with Keyless SSH

María de Antón
Product Manager
13 Aug 2020

Today, we’re announcing Keyless Secure Shell (SSH) access to your Platform.sh websites. Powered by OAuth 2 and SSH certificates, your teams can now SSH into your applications without having to worry about SSH key management.

SSH is the shell protocol that securely connects users to an application server. Developers all over the world rely on SSH to establish a secure connection with a remote server.

Now with Keyless SSH, Platform.sh helps you onboard developers to your website projects more quickly. It also enhances security by binding authentication to users’ identities rather than their laptops.

How it works

Users type platform ssh in the Platform.sh Command Line Interface (CLI) and are asked to log in through Platform.sh, using Single Sign-On. After sign-in, we automatically generate a short-lived SSH certificate to establish a secure shell connection to your application’s server.

What’s so great about SSH without keys?

No need to generate or manage SSH keys to join a project—just log in

You’ve seen SSH keys’ usability in action: users generate a public/private key pair, add it to their ssh-agent, protect it with a passphrase (or not, there’s no way to enforce this), and finally, once the SSH key pair is ready, add their public key to their account so that it can be recognized by the application server once they attempt to connect to it.

From now on, you no longer need to set up SSH keys to work on a Platform.sh project, whether it’s your first or your 100th. Simply log in with the Platform.sh CLI and get to work immediately.

Keyless SSH is more secure, especially for teams and website fleets

SSH keys are trusted indefinitely, and nothing binds a private key to a particular computer. Although a key can be rotated, the fact that it stays trusted forever and is tedious to replace means people are almost encouraged never to rotate it. SSH keys are also often reused across many services, and to save time many developers store them without a passphrase, so anyone who gains access to the computer could potentially reach servers with those keys.

Keyless SSH on Platform.sh uses secure certificates rather than keys to ensure that only authorized developers have access to projects, and only when required.

The underlying technologies that provide Keyless SSH are:

  • SSH Certificates, introduced back in 2010 with OpenSSH 5.4, which provide the encryption technology
  • OAuth2 tokens, which provide the secure authentication technology

The certificate we provide has been signed by the Platform.sh Certificate Authority (CA). We’ve configured Platform.sh to trust our CA and everything it signs. You have seen this concept before, but on a bigger scale. It’s the same method used across the Internet for HTTPS traffic. Moreover, we refresh these SSH certificates every hour, effectively updating the keys used to connect to your Platform.sh websites via SSH.
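As an added illustration of the mechanism described under "How it works" and in the paragraph above (example code written for this post, not Platform.sh's own implementation), the block below encodes the public fields of an OpenSSH user certificate and mirrors the checks a server applies once it trusts the CA: issuing CA, certificate type, validity window and principal. The CA and user key blobs, the principal "deploy" and the key ID are constructed placeholders, and the CA signature is a placeholder too, so the signature check real sshd performs is deliberately omitted.

```python
import struct, time

# Helpers for the SSH wire format (RFC 4251 string / uint32 / uint64).
def _s(b): return struct.pack(">I", len(b)) + b
def _rd(buf, off):  # read one length-prefixed string, return (bytes, new offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

CA_PUB = b"constructed-platform-ca-public-key"       # placeholder CA key blob
USER_PUB = b"constructed-ephemeral-user-public-key"  # placeholder user key blob

def build_user_cert(user_pub, ca_pub, principals, valid_after, valid_before,
                    serial=1, key_id="maria@example"):
    """Encode the public fields of an ssh-ed25519-cert-v01@openssh.com certificate.
    The trailing signature is a placeholder: this demo holds no real CA private key."""
    body = b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"), _s(b"\x00" * 32),  # type, nonce
        _s(user_pub), struct.pack(">QI", serial, 1),               # key, serial, TYPE_USER
        _s(key_id.encode()), _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),               # validity window
        _s(b""), _s(b""), _s(b""),                                  # critical options, extensions, reserved
        _s(ca_pub),                                                 # key that signed the cert
    ])
    return body + _s(b"placeholder-signature")

def parse_user_cert(blob):
    """Decode the fields a server inspects before granting a login."""
    off, c = 0, {}
    _, off = _rd(blob, off); _, off = _rd(blob, off)                # skip type and nonce
    c["user_key"], off = _rd(blob, off)
    c["serial"], c["type"] = struct.unpack_from(">QI", blob, off); off += 12
    kid, off = _rd(blob, off); c["key_id"] = kid.decode()
    pblob, off = _rd(blob, off)
    c["principals"], p = [], 0
    while p < len(pblob):
        name, p = _rd(pblob, p); c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off); off += 16
    for _ in range(3): _, off = _rd(blob, off)                       # skip options, extensions, reserved
    c["ca_key"], off = _rd(blob, off)
    return c

def authorize(blob, trusted_cas, login_user, now):
    """Mirror the checks sshd applies for a TrustedUserCAKeys CA (signature check omitted)."""
    c = parse_user_cert(blob)
    if c["ca_key"] not in trusted_cas: return "rejected: untrusted CA"
    if c["type"] != 1: return "rejected: not a user certificate"
    if not c["valid_after"] <= now < c["valid_before"]: return "rejected: outside validity window"
    if login_user not in c["principals"]: return "rejected: principal not listed"
    return "ok"

if __name__ == "__main__":
    issued = int(time.time())
    cert = build_user_cert(USER_PUB, CA_PUB, ["deploy"], issued, issued + 3600)  # one-hour cert
    print(authorize(cert, {CA_PUB}, "deploy", issued + 600))    # ok
    print(authorize(cert, {CA_PUB}, "deploy", issued + 7200))   # rejected: outside validity window
```

The second call shows the point of hourly refresh: a leaked certificate stops working on its own once the window closes, with no key to revoke.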

Additional security for Enterprise and Elite customers: enforcing multi-factor authentication over SSH

To enhance security, you can require multi-factor authentication (MFA) at Platform.sh, so that no one on your team is able to SSH unless they have a second factor configured.

Enforced MFA over SSH and Single Sign-On are available for Elite and Enterprise customers.

If you’re interested in enforcing MFA over SSH or Single Sign-On SSH connections for your organization, make sure to contact our dedicated sales team.