Jump to content

Use Just-In-Time (JIT) Access Controls

Jessica Brown
Jessica Brown
in Server Administration

Featured Replies

Posted

You are reading Part 46 of the 57-part series: Harden and Secure Linux Servers. [Level 5]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Just-In-Time (JIT) Access Control enhances security by minimizing the attack surface by only granting temporary, time-limited access to users and applications when needed. This approach helps:

✅ Reduce the risk of privilege escalation attacks.
✅ Prevent long-term exposure of sensitive credentials.
✅ Ensure access is granted only for legitimate, time-bound tasks.
✅ Enhance compliance with least privilege and Zero-Trust security models.

By implementing JIT access, you limit security risks and enforce strict access control policies dynamically.

How to Implement JIT Access Controls in Linux

1. Use Temporary SSH Access with Ephemeral SSH Keys

Instead of permanent SSH keys, generate one-time, temporary SSH keys that expire automatically.

Step 1: Create a Temporary SSH Key

On the requesting user’s machine, generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -f /tmp/temp_ssh_key -N ""

This creates:

  • Public key: /tmp/temp_ssh_key.pub

  • Private key: /tmp/temp_ssh_key

Step 2: Add the Temporary Key to the Remote Server

Copy the public key to the remote server’s authorized_keys file:

cat /tmp/temp_ssh_key.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"

(This allows access using the temporary key.)

Step 3: Automatically Remove the Key After a Set Duration

Schedule key removal using at:

echo "sed -i '\|$(cat /tmp/temp_ssh_key.pub)|d' ~/.ssh/authorized_keys" | at now + 1 hour

(This removes the temporary SSH key after 1 hour.)

Step 4: Use the Temporary SSH Key to Access the Server
ssh -i /tmp/temp_ssh_key user@server

🔹 Result: Access is granted only for the specified time window and is automatically revoked.

2. Implement JIT Access Using AWS IAM Temporary Credentials

For cloud-based Linux servers (AWS EC2, GCP, Azure), use IAM roles and temporary security tokens for JIT access.

Step 1: Create an IAM Role for JIT Access (AWS)

  1. Go to AWS IAM Console → Roles → Create Role.

  2. Choose "AWS Service" → EC2 (or relevant service).

  3. Attach policies (e.g., AmazonSSMManagedInstanceCore for SSH via SSM).

  4. Enable session duration limits (e.g., 1 hour).

Step 2: Use AWS STS to Generate Temporary Credentials
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/JIT-Access-Role" --role-session-name "JITAccess" --duration-seconds 3600

(This grants an IAM user 1 hour of access.)

Step 3: Monitor and Revoke Access

List active session tokens:

aws iam list-access-keys --user-name jit-user

Revoke access immediately:

aws iam delete-access-key --access-key-id <key-id> --user-name jit-user

🔹 Result: Users only get access for a limited time, reducing risk.

3. Automate JIT Access Using HashiCorp Vault

HashiCorp Vault can generate short-lived access credentials for SSH and database logins.

Step 1: Install HashiCorp Vault
sudo apt install vault -y
Step 2: Configure Vault to Issue Temporary SSH Certificates

  1. Enable the SSH secrets engine:

    vault secrets enable ssh

  2. Configure a one-time-use SSH certificate:

    vault write ssh/roles/jit-access \
    key_type=otp \
    default_user=admin \
    ttl=1h

  3. Generate a temporary login credential:

    vault write ssh/creds/jit-access ip=192.168.1.100

🔹 Result: Users must request temporary access, and credentials expire automatically.

4. Monitor and Audit JIT Access Requests

To detect misuse or anomalies, regularly review access logs and monitor JIT requests.

Monitor SSH Access Attempts
sudo cat /var/log/auth.log | grep "Accepted"
List Recently Issued SSH Keys and Sessions
ls -lt ~/.ssh/authorized_keys
who -a
Set Up Alerts for Unauthorized Access

Use Fail2Ban to block repeated unauthorized SSH attempts:

sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
maxretry = 3
findtime = 600
bantime = 3600

Restart Fail2Ban:

sudo systemctl restart fail2ban

🔹 Result: Attackers attempting unauthorized access will be blocked automatically.

Best Practices for JIT Access Implementation

✅ Use ephemeral SSH keys instead of permanent credentials.
✅ Leverage AWS IAM, Vault, or Kubernetes RBAC for time-restricted access.
✅ Automate JIT workflows to grant and revoke access dynamically.
✅ Log and audit all JIT access events to detect anomalies.
✅ Integrate JIT with MFA to enhance security.

By implementing Just-In-Time (JIT) access controls, you minimize security risks, reduce attack exposure, and ensure users only have access when they need it—strengthening Zero-Trust security principles. 🚀

  • Quote
    • Views 67
    • Created
    • Last Reply

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...
    Go to topic listing

    Important Information

    Terms of Use Privacy Policy Guidelines We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.