Real identity for SSH with GSuite and Okta

Written by Ted Nyman

Cased Shell enables you to control access to your command line tools with your IdP or SAML provider. This makes it possible for your team to access command line tools via their GSuite and Okta logins.

Big wins

  • Tie command line tool usage and session history to real user identity—not local identity like apache or root
  • Multi-factor authentication rules for command line access can be configured and managed from your identity provider

A great developer experience with SSH

SSH is the main way people interact with remote servers. In the same way a local terminal is a fast, powerful way to interact with your laptop — a fast, remote terminal is a powerful way to interact with your infrastructure. And for something as powerful as SSH, securing access is critical.

We think you should secure access to SSH the same way you do for all your other tools, third-party apps, and internal systems: with an identity provider that offers Single Sign On (SSO), multi-factor authentication (MFA), and easy administration.

With Cased Shell, you can use Okta or GSuite for access and identity, and do a lot more.

In ancient days, people used just passwords for SSH connections; soon familiar public key authentication emerged as the standard; in the last few years there’s been growing interest in using SSH certificates for doing large SSH installs. The particular technical mechanism used for that “final” stage of the connection is just one part of the larger access story—you need to tie SSH sessions to real, organization-wide user identity (local identity on a server is hard to do at all, and even harder to scale), and you want to benefit from all the features your IdP already offers.

The goal is to centralize and simplify access control for SSH, especially for common actions like removing access to servers, limiting which hosts are accessible by which users, and doing audits of who has accessed what. What if all your SSH access could be done via a simple, secure web interface, and with your identity provider? What if you had a single controllable, auditable, loggable, recordable, shareable way to access your servers?

Enter Cased Shell

Cased Shell is a web application, running on your own infrastructure, that combines the power of SSH with the security of your existing IdP access control. And it does a lot more than that: it improves developer experience with session recording, session sharing, complete audit logging, and an API to extend functionality.

  • Onboarding and offboarding happen for SSH exactly as they do for all your tools: via your identity provider.
  • You can restrict users to particular hosts entirely through the web.
  • You can monitor active sessions.
  • You can get logs of activity.

You can even change your identity provider, and Cased Shell will keep working. We've abstracted away connection pieces from your users; after all, why should your ordinary users need to worry about the details of SSH, never mind worry about protecting secret keys on their own laptops?

Centralized access control to SSH means one less thing to worry about—all while increasing developer productivity and happiness.

Agentless, and in the browser

  • Cased Shell runs without new agents on your hosts: just keep using sshd.
  • Cased Shell access is entirely browser-based and very fast: moving to the browser opens up all sorts of possibilities for integrations, sharing, and collaboration.
  • SSH terminals move out of the shadows and into a shareable, visible, yet still secure environment.
  • And when Cased Shell is combined with the power of Cased's approvals workflows, you get full visibility and control—without sacrificing the powerful dev tools that engineers know and love.