Services allow you to authenticate and log in to servers using a service user. This lets automation that needs access to remote servers use short-lived certificates instead of a long-lived credential stored on disk.
Let's explore services with a basic example. Suppose your CI servers deploy the latest build to your application servers. The usual solution is a static, passphrase-less SSH key that the CI job uses for whatever it needs to do on the remote host. By defining a service in Advanced Server Access you eliminate that static credential and can ensure that your CI user only has access to production when you intend it to.
Let's dive deeper into this example and explore how you could configure Jenkins to use service authentication to SSH to remote hosts.
To get started, configure these basic requirements first:
- Install the Advanced Server Access agent on the server where Jenkins runs and enroll that server in Advanced Server Access.
- Install the Advanced Server Access client (sft) on the same Jenkins server.
- Identify the UID of the Jenkins user (for example, on Linux run: id -u <username>).
- Create a service user and add an API key to it.
- Make sure the service user is provisioned on the target servers you want Jenkins to access.
Now you can create a service which can securely authenticate to servers with Jenkins.
To create a service, navigate to the services tab on the server details page of the source server you identified earlier, where Jenkins is running.
Here you should see a list of existing services for this server and a button to create a new service. Click this button and it will prompt you to select the service user to authenticate as and the UID of the Jenkins user.
Next, configure sft to use service authentication instead of expecting an enrolled client. The sft configuration is per user, so run this as the user that will invoke sft, on your Jenkins server: sft config service_auth.enable true
You should now be able to SSH from the Jenkins server to remote hosts managed by Advanced Server Access using the command: sft ssh <server-name>.
To fully leverage service authentication in Jenkins, configure an SSH ProxyCommand for the Jenkins user so that any command that relies on SSH (git, scp, rsync, deployment plugins) authenticates transparently. To do this, run sft proxycommand --config as the Jenkins user and copy the output into that user's SSH configuration file (for example, /home/jenkins/.ssh/config). Keep the file owned by the Jenkins user with mode 600: ssh refuses to load a configuration file that other users can write, so a permissive mode silently breaks the ProxyCommand.
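The following script is an added example, not code from the Advanced Server Access documentation, that wires the steps above together for the Jenkins account. It assumes the account is named jenkins, that sft is already on PATH, and that getent is available to look up the home directory; the BEGIN/END marker comments are this script's own convention, not something sft emits. The point it adds beyond the prose is idempotence: a CI job that re-runs setup must not stack duplicate ProxyCommand stanzas into ~/.ssh/config, and the file must end up with permissions ssh will accept.

```shell
#!/bin/sh
# Added example: set up sft service authentication for the Jenkins user.
# Assumptions: the account is "jenkins", sft is on PATH, getent exists.
set -eu

# Print the numeric UID to enter when creating the service in the web UI.
jenkins_uid() {
  id -u "$1"
}

# Idempotently install an SSH config stanza between marker comments.
# $1 = path to the user's ssh config, $2 = stanza text (normally the output
# of `sft proxycommand --config`). Prints "installed" the first time and
# "present" on later runs so a repeated setup job never duplicates the stanza.
install_ssh_stanza() {
  cfg="$1"; stanza="$2"
  dir=$(dirname "$cfg")
  mkdir -p "$dir"
  chmod 700 "$dir"
  [ -e "$cfg" ] || : > "$cfg"
  # ssh rejects a config that is group- or world-writable, so pin the mode.
  chmod 600 "$cfg"
  if grep -q '^# BEGIN sft service auth' "$cfg"; then
    echo present
    return 0
  fi
  {
    printf '\n# BEGIN sft service auth\n'
    printf '%s\n' "$stanza"
    printf '# END sft service auth\n'
  } >> "$cfg"
  echo installed
}

# Number of sft marker blocks in a config; should be exactly 1 after setup.
count_sft_blocks() {
  grep -c '^# BEGIN sft service auth' "$1" || true
}

# End-to-end setup. Run this as the Jenkins user, because `sft config`
# writes that user's own sft configuration.
setup_service_auth() {
  user="$1"
  home=$(getent passwd "$user" | cut -d: -f6)
  echo "Jenkins UID for the service definition: $(jenkins_uid "$user")"
  sft config service_auth.enable true
  install_ssh_stanza "$home/.ssh/config" "$(sft proxycommand --config)"
}
```

Invoke it as the Jenkins account, for example `sudo -u jenkins sh -c '. ./setup.sh; setup_service_auth jenkins'`; the UID it prints is the value the service creation dialog asks for. After it runs, `sft ssh <server-name>` and a plain `ssh <server-name>` from a Jenkins job should both succeed without any key material on the Jenkins host.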