4.2. Roles & Functions

While the gateway acts as a pure Policy Enforcement Point (PEP), suSSHi Chef plays the role of Policy Decision Point (PDP) and Policy Administration Point (PAP).

4.2.1. Policy Administration Point

During startup, the suSSHi Gateway communicates with suSSHi Chef via a so-called Secure Internal Communication (SIC). The SIC is used for several functions:

  • suSSHi Gateways obtain their current configuration stored in suSSHi Chef.

  • suSSHi Chef instructs the gateways to reload configurations that were newly created in suSSHi Chef.

  • suSSHi Chef starts SSH Host-Key Scans from suSSHi Gateways.

  • suSSHi Chef collects information from the gateway or can trigger a gateway reload or shutdown.

4.2.2. Policy Decision Point

For every new SSH session through the suSSHi Gateway, the gateway communicates with suSSHi Chef during the authentication phase to gather all information about the session:

  • Does the connecting user exist?

  • Which authentication methods are permitted and which public keys are stored?

  • Is the session allowed from the source IP of the SSH client?

  • Does an access rule exist that allows the gateway user to access the target with the specified target user?

All this information is retrieved in a single call, making the authentication and authorization phase very fast.
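As an added illustration (not suSSHi code and not its API), the following model evaluates the four questions above in a single decision over a constructed policy store; the user table, CIDR-based source restrictions and the `(gateway user, target host, target user)` rule tuples are assumptions chosen for the example:

```python
"""Model of a single-call Policy Decision Point check (illustrative, not suSSHi code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample policy store standing in for what suSSHi Chef would hold.
USERS = {
    "alice": {
        "auth": {"publickey"},                       # permitted authentication methods
        "keys": {"ssh-ed25519 AAAA...constructed-key-alice"},
        "sources": ["10.0.0.0/8"],                   # networks the SSH client may connect from
    },
}
# Assumed access rules: (gateway user, target host, target user) tuples that are allowed.
ACCESS_RULES = {("alice", "db01.example.internal", "postgres")}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)      # why the session was refused (for logs only)
    auth_methods: set = field(default_factory=set)
    public_keys: set = field(default_factory=set)


def decide(gateway_user: str, client_ip: str, target_host: str, target_user: str) -> Decision:
    """Answer all authentication-phase questions in one evaluation.

    The reasons are meant for the gateway's audit log; the enforcement point should
    return a uniform failure to the client so that it cannot tell which check failed.
    """
    d = Decision(allowed=False)
    user = USERS.get(gateway_user)
    if user is None:                                 # 1. does the connecting user exist?
        d.reasons.append("unknown user")
        return d
    d.auth_methods = set(user["auth"])               # 2. permitted methods and stored keys
    d.public_keys = set(user["keys"])
    addr = ip_address(client_ip)                     # 3. is the client source IP permitted?
    if not any(addr in ip_network(net) for net in user["sources"]):
        d.reasons.append(f"source {client_ip} not permitted")
    if (gateway_user, target_host, target_user) not in ACCESS_RULES:   # 4. access rule?
        d.reasons.append(f"no access rule for {target_user}@{target_host}")
    d.allowed = not d.reasons
    return d
```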

4.2.3. Session Management

Active user sessions can be disconnected at the request of the suSSHi Chef UI administrator.

4.2.4. Reports

suSSHi Chef collects session information in the form of short reports that can be easily searched.