Best practice for SSH authentication
Posted by jetlagged-bee@reddit | sysadmin | 14 comments
Hi all,
I'm a solo IT manager who will soon be getting a new member of the team as a sysadmin.
Currently, I SSH into our AWS EC2 web servers using my key. I also use Putty to SSH tunnel into PHPMyAdmin on each EC2 instance.
I want to change this approach for when the new starter joins so there is an audit trail, individual accountability, and revocation.
What is the recommended approach for managing SSH access? These are the options I'm aware of, in the order of preference:
- Cloudflare Access via cloudflared tunnel + WARP + short-lived certificates
- AWS EC2 EIC Endpoint
- Bastion server
- Other?
We already use Cloudflare Zero Trust + One client, so the first option should be feasible. Are there any drawbacks to this method, or better options?
CyphrsHub@reddit
All three options use short-lived credentials but the trust model behind each is different – worth being deliberate about which trust anchor you want.
Cloudflare Access with short-lived certs – your SSH server trusts Cloudflare as the CA. Works well, audit trail through Cloudflare Access logs, but your trust root is a third party.
AWS EC2 Instance Connect Endpoint – ephemeral certs, AWS is the trust root, audit trail through CloudTrail. Fits cleanly if you're already AWS-native.
Traditional bastion with SSH keys – simplest operationally but hardest to revoke cleanly. Relies on key rotation actually happening when someone leaves.
If the goal is individual accountability and clean revocation, both cert-based options are materially better than key management. The practical question is whether Cloudflare WARP deployment across all endpoints is manageable overhead, or whether the AWS-native path fits better with existing tooling.
Does the new hire need access from managed devices only, or unmanaged (personal) devices too? That changes which option is cleanest.
jetlagged-bee@reddit (OP)
Thanks.
We already use WARP across all devices, but that may change one day. AWS SSM or EIC sounds like the cleanest option. We enforce company devices only through Entra, no BYOD.
jetlagged-bee@reddit (OP)
Thanks for the responses. Sounds like I'll give SSM a try first.
corgtastic@reddit
Just use AWS SSM; it's all of those things but works out of the box. You can also start doing other fancy stuff with it once you get into the groove of it, like automatically applying updates and running Ansible playbooks.
hankhillnsfw@reddit
AWS SSM.
It works fabulously.
lemoninterupt@reddit
We use HashiCorp Vault, really happy with it.
EuphoricFly5489@reddit
Always keys
sotech117@reddit
Yeah lmao I just use ssh keys
michaelpaoli@reddit
ssh certs - your own hardened well controlled server that issues (relatively) short term ssh certs ... these can have duration as short as even a minute or less, and can be done on a per target ssh server basis, and even limited to specific login ID(s) on the ssh server.
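An added example, not from the thread, of the self-hosted short-lived certificate setup michaelpaoli describes, written as a POSIX shell script around OpenSSH's ssh-keygen: it creates the CA key, issues a certificate that is valid for about a minute and bound to a single login account, prints the sshd_config lines a target host needs, and revokes a certificate through a key revocation list (KRL) without rotating the CA. The paths, the user name and the key ID are placeholders, and ssh-keygen is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal self-hosted SSH user CA.
# Assumes OpenSSH's ssh-keygen; all paths and names are placeholders.
set -eu

# sshd_config lines for each target host: trust the CA, only accept a
# certificate for account X if its principal list names X, and honour a KRL.
ca_sshd_config() {
  printf 'TrustedUserCAKeys %s\n' "$1"
  printf 'AuthorizedPrincipalsFile %s/%%u\n' "$2"
  printf 'RevokedKeys %s\n' "$3"
}

# Create the CA key pair. The private half stays on the hardened issuing host.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1"
}

# Sign a user's public key. -I is the identity that sshd writes to its auth
# log, -n restricts which accounts the cert may log in as, -z gives a serial
# for the audit trail, -V bounds the lifetime (start 1 minute in the past to
# absorb clock skew, end at $lifetime from now; default +1m).
# Writes <pubkey-basename>-cert.pub next to the public key.
issue_cert() {
  ca="$1"; user_pub="$2"; key_id="$3"; principal="$4"; lifetime="${5:-+1m}"
  ssh-keygen -q -s "$ca" -I "$key_id" -n "$principal" \
    -z "$(date +%s)" -V "-1m:$lifetime" "$user_pub"
}

# The fields an auditor or on-call engineer wants when looking at a cert.
cert_key_id() {
  ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}
cert_principals() {
  ssh-keygen -L -f "$1" \
    | sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' '
}

# Revoke one certificate by adding it to the KRL the hosts load via
# RevokedKeys (create the KRL on first use, update it afterwards).
revoke_cert() {
  krl="$1"; cert="$2"
  if [ -f "$krl" ]; then
    ssh-keygen -k -u -f "$krl" "$cert"
  else
    ssh-keygen -k -f "$krl" "$cert"
  fi
}

# Exit status 0 if the key or certificate is listed in the KRL, 1 otherwise
# (ssh-keygen -Q itself exits non-zero when something is revoked).
is_revoked() {
  ! ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1
}

# Demonstration run in a scratch directory (placeholder names throughout).
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work/user_ca"
  ssh-keygen -q -t ed25519 -N '' -f "$work/alice"          # the user's key
  issue_cert "$work/user_ca" "$work/alice.pub" 'alice@laptop' 'alice'
  echo "issued: $(cert_key_id "$work/alice-cert.pub") -> $(cert_principals "$work/alice-cert.pub")"
  ca_sshd_config /etc/ssh/user_ca.pub /etc/ssh/auth_principals /etc/ssh/revoked.krl
  revoke_cert "$work/revoked.krl" "$work/alice-cert.pub"
  is_revoked "$work/revoked.krl" "$work/alice-cert.pub" && echo "revoked: yes"
fi
```

On the target host, `/etc/ssh/auth_principals/alice` would contain the line `alice`, so a certificate signed for any other principal is refused for that account even though the CA is trusted. Each successful login then appears in the sshd auth log with the certificate's key ID and serial (`... ID alice@laptop (serial ...) CA ED25519 SHA256:...`), which is the per-person audit trail the original post asks for; with a validity of a minute or so, the KRL is only needed for the rare case of cutting off a certificate before it expires.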
malikto44@reddit
I used SSM, and SSH-ed using the AWS console. This way, I didn't need to worry about authenticating in via the "front door" to the machine.
At the minimum, always keys. If not keys, then have PAM configured to either allow a key, or a password + Google Authenticator 2FA. The PW + TOTP is something useful for recovering access should a key be lost.
As for SSH, I prefer having my main SSH key on a YubiKey or other hardware device. This way, it is PIN protected, and when I take my key with me, nobody can SSH using those credentials.
MeetJoan@reddit
Cloudflare Access with short-lived certificates is the right call here given you're already on Zero Trust - you get the audit trail, individual identity-linked access, and instant revocation without managing a bastion or key distribution. The main drawback is the cloudflared tunnel adds a dependency, but for a two-person team that's a non-issue compared to the operational overhead of the alternatives.
bobdobalina@reddit
bitwarden + ssh-agent
gumbrilla@reddit
AWS SSM.
Command line access from local, uses your IAM account. Set SSO up (and automated user provisioning; use provisioning sets for this).
It's all tied together, comes with audit logging in SSM as well.
We just add users into a group in Entra, it replicates over to a group in AWS, then we tie a provisioning set to that with the access configured. Easy win. Running it for years.
Tiny-Cardiologist87@reddit
You are already using AWS, so I'd suggest a good look at Instance Connect or Session Manager; you've already got the tooling for this.