Linking an Identity to a File server user account

I am working through a few use cases, which includes integration into a LAN’s fileserver.

While I understand that its not a core part of Ziti… I am trying to scope out the gap an understand what is required to fill it.

For instance, with ZTNA, you will be able to authenticate into the LAN as a local user, which can then be used to gain access to shared folders.

I believe this is illustrated using the zssh example… is this correct?

  1. connect to the server using the Ziti identity using zssh
  2. the private key used for zssh authenticates into a user account on the server
  3. provide access to the shared folder using the server user account.

Does this make sense?

Also, is this an example of ZTNA… as I am not 100% clear on this.

Are there other ZTNA examples that can help me better understand this specific configuration.

Thanks

I don’t know how I missed responding to this. Sorry about that.

  1. the private key used for zssh authenticates into a user account on the server

No. At this time the pki used to be granted access to the network is not the same key as you’d use to ssh to the remote machine. You provide one identity to get into the network and to be authorized to connect to ssh, and another to the ssh daemon on the far side to do ssh authentication.

This would be ZTAA on the client side, and probably ZTHA on the far side. Remember that those terms are applicable to both sides of the connection. They represent the place where trust is established.

With ZTAA/zssh you’re establishing the trust from within the app itself. When you send the traffic to the far side, you’re most likely offloading from ziti using “localhost: 22” as the termination. That means you’re trusting the local host network – ZTHA (host access). If you offloaded from ziti and traversed your local network (sent traffic to another host), then you’re doing ZTNA (network access) on the far side. In this case you’re trusting that the entire remote network is safe. (The least zero trust, the most trust configuration)

That help at all?

1 Like

Very helpful… I thought I understood the three types until I started to explain it… then the holes appeared.

You provided a good illustration… makes sense.

One learning is that zssh to a remote machine is described as host access… this did confuse me… and its would be network access it if was used to connect to another remote machine… makes sense now.

I was getting a little confused with the LAN gateway examples… and other examples that use fabric routers… which would all be ZTHA… if I understand correclty.

ZTNA is only when one host is used to connect to another host in the same subnet.

1 Like