Best practices for securing SSH access to VM instances
Allowing users to connect to Google Cloud VMs using SSH is convenient and often unavoidable. But it’s not without risks. Continue »
Until recently, libssh2’s CryptoNG backend didn’t support ECDSA. But now it does. Continue »
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice. Continue »
Libssh2 lets us choose between multiple different crypto backends. But that doesn’t mean these backends are interchangeable – there are also some functional differences. Continue »
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
Google Cloud lets us enable OS Login for a project by adding an entry to the project’s metadata. But is this approach sufficient to enforce OS Login for all VMs and users? Not really. Continue »
By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA. Continue »
Whenever we grant users SSH or RDP access to VM instances, we have to ensure that access is revoked when the user changes teams or leaves the organization. This is easier said than done. Continue »
Documentation is not where libssh2 shines most. Continue »
Libssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done. Continue »
In the last post, we looked at the risks of using local port forwarding and how it’s difficult to protect TCP tunnels in a multi-user environment. In this post, we take a look at how IAP Desktop protects its tunnels. Continue »
If you are a frequent SSH user, then you’ll be familiar with local port forwarding. Creating tunnels by using local port forwarding is useful and easy, but also not without risks. Continue »