The Luminate platform provides secure access to various types of corporate applications and services. For background, please refer to this article, which describes the principles of using Luminate to access Linux (and other) servers over the SSH protocol without exposing the servers to external networks.

For teams with complex multi-server environments, Luminate provides transparent, secure access to all corporate SSH Servers via defined Bastions, while eliminating the need to enter passwords and/or store RSA Keys on either the Bastions or the User Endpoints.

The following diagram depicts the topology of a targeted environment:

[Diagram: Zero Trust Bastion with Transparent Agent Forwarding]

In the diagram, the user's SSH Client connects to the Luminate Cloud, authenticating either using an Access Token or a dedicated RSA Key, and then a brokered connection is created with the Bastion server.

Whenever the user tries to open an SSH session from the Bastion server to any other SSH server (one that is provisioned to trust access certificates issued by the Luminate platform), authentication is performed automatically via the SSH Agent Forwarding mechanism. The Key Challenge is propagated all the way to the Luminate platform, which generates the Key Response. The SSH Server then validates that response using the Public CA Certificate deployed on it.

Provisioning Bastion Access with Transparent Agent Forwarding

1. The Bastion server should be configured for SSH access through Luminate service as a regular SSH server, according to this article.

2. Each internal SSH server must be configured with the Luminate Public CA Key, according to this article.

3. An access policy for the SSH Application representing the Bastion server should be set in the Luminate Admin Portal, allowing the relevant IdP entities to access corporate SSH Servers with the relevant SSH/Unix accounts and enabling Transparent Agent Forwarding, similar to the following:

[Screenshot: SSH Access Policy with Agent]
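
A quick way to confirm step 2 on an internal SSH server is to audit its sshd configuration for CA trust. The script below is an added example, not Luminate's own tooling. It assumes the CA key is trusted through OpenSSH's standard TrustedUserCAKeys directive in the global section of sshd_config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit one sshd_config for user-CA trust.
# Assumption: the CA public key is trusted through OpenSSH's
# TrustedUserCAKeys directive, set in the global section of the file.

# Print the path given by the first TrustedUserCAKeys line.
# sshd keywords are case-insensitive and commented-out lines do not match.
ca_path_from_config() {
    awk 'tolower($1) == "trustedusercakeys" { print $2; exit }' "$1"
}

# check_ca_trust <sshd_config>
# Prints OK, NO_DIRECTIVE, MISSING_FILE, WRITABLE_BY_OTHERS or BAD_KEY
# and returns 0 only for OK.
check_ca_trust() {
    ca=$(ca_path_from_config "$1" 2>/dev/null || true)
    if [ -z "$ca" ] || [ "$ca" = "none" ]; then
        echo NO_DIRECTIVE; return 1
    fi
    if [ ! -s "$ca" ]; then
        echo MISSING_FILE; return 1
    fi
    # Group- or world-writable: a local user could append a CA of their own.
    if [ -n "$(find -L "$ca" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo WRITABLE_BY_OTHERS; return 1
    fi
    # Each key line must read "<key-type> <base64> [comment]".
    # Only RSA, Ed25519 and ECDSA key types are accepted by this check.
    keys=$(grep -Ev '^[[:space:]]*(#|$)' "$ca" || true)
    if [ -z "$keys" ] || printf '%s\n' "$keys" | grep -Evq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
    then
        echo BAD_KEY; return 1
    fi
    echo OK
}

# Audit the path passed as the first argument, if any.
if [ -n "${1:-}" ]; then check_ca_trust "$1"; fi
```

Run it on each internal server against that server's sshd_config. Any result other than OK means the server will not validate the forwarded authentication as described above, or that its CA file can be modified by other local users.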