

Connection Methods in SecretZero PAM Solution

The SecretZero PAM solution provides secure and seamless connection methods tailored to the requirements of both Linux and Windows systems. These connection methods ensure robust and secure access for end users, adhering to the principles of Zero Trust Security.


Supported Platforms

  1. Linux Systems: Connections are supported via the SSH protocol.
  2. Windows Systems: Connections are supported via the RDP protocol.

Connection Methods

1. Linux Systems - SSH Protocol

  • Overview: SecretZero leverages the Secure Shell (SSH) protocol to provide secure access to Linux systems. SSH ensures encrypted communication between the user and the target server.
  • Client Tool:
    • PuTTY: The preferred client for establishing SSH connections in the SecretZero PAM solution.
  • Ephemeral Certificates:
    • Instead of static passwords, ephemeral SSH certificates are generated by the SecretZero CA.
    • These certificates allow seamless and secure access to Linux systems for a specified session duration.
  • Connection Workflow:
    1. User requests access via the SecretZero application.
    2. A short-lived SSH certificate is generated dynamically by the PAM solution.
    3. The user connects to the Linux system using PuTTY, leveraging the ephemeral certificate for authentication.
    4. Once the session ends, the certificate is invalidated, ensuring no standing access remains.
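To make the ephemeral-certificate idea concrete, here is an added example (not SecretZero's own code) that reproduces the four steps above with plain OpenSSH: a CA signs the user's key for one principal and a ten-minute window, and a key revocation list (KRL) retires the certificate early, which is what a target host needs for step 4 to take effect before the window expires. The CA and user names, paths, the serial number and the lifetime are assumptions, and the script needs ssh-keygen on the path.

```shell
# Added example, not SecretZero's code: what an ephemeral SSH certificate is,
# done with plain OpenSSH. A CA signs the user's public key with a key id, one
# principal and a 10-minute validity window; a key revocation list (KRL) then
# invalidates it before that window ends. Names, paths, serial 42 and the
# lifetime are assumptions for illustration.
set -eu
WORK="$(mktemp -d)"
KRL="$WORK/revoked.krl"
# CA key pair. The private half stays inside the PAM solution; only ca.pub is
# installed on targets (sshd_config: TrustedUserCAKeys /etc/ssh/pam_ca.pub).
ssh-keygen -q -t ed25519 -N '' -C 'pam-ca' -f "$WORK/ca"
# User key pair. The CA only ever sees alice.pub.
ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/alice"

# Issue the session certificate: -I is the key id sshd writes to its auth log,
# -n restricts it to one principal, -z sets a serial for revocation, -V +10m
# bounds its lifetime. Prints the certificate path ssh-keygen chose.
issue_session_cert() {
  ssh-keygen -q -s "$WORK/ca" -I 'session-42-alice' -n alice -z 42 -V +10m \
    "$WORK/alice.pub"
  printf '%s\n' "$WORK/alice-cert.pub"
}

# One field of `ssh-keygen -L` output, e.g. cert_field "$cert" Serial -> 42
cert_field() {
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# Principals are listed one per indented line under the Principals: header.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/^ *Principals:/,/^ *Critical Options:/p' \
    | sed '1d;$d' | tr -d ' \t'
}

# Revoke by serial. This is what "invalidated once the session ends" needs on
# the target (sshd_config: RevokedKeys /etc/ssh/revoked.krl); without a KRL,
# sshd honours the certificate until its valid-before time passes.
revoke_session_cert() {
  ssh-keygen -q -k -f "$KRL" -s "$WORK/ca.pub" "$1"
}

# Returns 0 when the KRL lists the cert (ssh-keygen -Q exits non-zero then).
is_revoked() {
  if ssh-keygen -Q -f "$KRL" "$1" >/dev/null 2>&1; then return 1; fi
}
CERT="$(issue_session_cert)"
echo "validity: $(cert_field "$CERT" Valid)"
revoke_session_cert "$CERT"
is_revoked "$CERT" && echo "certificate revoked ahead of its expiry"
```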

2. Windows Systems - RDP Protocol

  • Overview: SecretZero provides secure access to Windows systems using the Remote Desktop Protocol (RDP), ensuring a reliable and user-friendly experience for managing Windows servers.
  • Ephemeral Certificates:
    • For Windows systems, ephemeral Smart Card certificates are used for authentication, eliminating the need for static passwords.
  • Connection Workflow:
    1. User initiates an access request via SecretZero.
    2. A Smart Card certificate is generated dynamically and is temporarily associated with the user.
    3. The user connects to the Windows system via RDP, utilizing the ephemeral certificate for authentication.
    4. After the session concludes, the Smart Card certificate is automatically invalidated, preventing further access.

Key Features of SecretZero Connection Methods

  1. Secure and Temporary Access:
    • All connections use dynamically generated ephemeral certificates.
    • Credentials are destroyed or invalidated post-session.
  2. Zero Trust Alignment:
    • Every session is independently authenticated and authorized.
    • No standing or pre-generated credentials exist.
  3. Ease of Use:
    • Simple and intuitive workflows for users to connect to target systems.
    • Pre-configured support for widely used tools like PuTTY for Linux and RDP for Windows.
  4. Centralized Access Management:
    • All connection requests are routed and managed through the SecretZero PAM solution, ensuring strict control and auditability.

Example Use Case

Connecting to a Linux Server:

  1. The user logs into the SecretZero application and requests access to a specific Linux server.
  2. SecretZero generates a temporary SSH certificate and provides the connection details.
  3. The user opens PuTTY and connects to the server using the provided details.
  4. Once the session ends, the certificate is invalidated.

Connecting to a Windows Server:

  1. The user requests access to a Windows server through SecretZero.
  2. An ephemeral Smart Card certificate is generated and associated with the session.
  3. The user uses an RDP client to connect to the Windows server securely.
  4. The certificate is automatically destroyed when the session is terminated.

Conclusion

The SecretZero PAM solution provides secure, robust, and efficient connection methods tailored for Linux and Windows environments. By leveraging SSH for Linux and RDP for Windows, combined with ephemeral certificate-based authentication, SecretZero ensures compliance with modern security standards and facilitates a seamless user experience.