Frequently Asked Questions

Questions?

Email our fast, friendly support if you have a question not covered here: [email protected].

What is Userify?

Userify is an SSH key and User Manager for the cloud and datacenters that creates user accounts for devops, engineers, developers, database administrators, etc., and allows them to log in quickly and easily.

With a self-service key management console, instant setup, and one-line deployment, configuring new user accounts and managing temporary keys is easy and fast. No more wasted time!


What happens to my SSH keys?

Userify uses only your public key to create user accounts on your servers. It creates the specified user account and a .ssh/authorized_keys file in that user's home directory, just as you would by hand, using the same commands and files (e.g., useradd and sudoers.d).
Sudo permissions are managed via /etc/sudoers.d, just as you would normally do by hand, so Userify works well with other user management tools.
Userify uses the comment metadata field of a user account so that it will not modify or delete a user account that it didn't create.

How do I convert existing Linux accounts to Userify?

Userify doesn't modify pre-existing Linux accounts by design in order to protect accounts like backup, system, etc., from being automatically removed or changed.

To override this behavior, execute the following command on any server to have a user's account converted to a Userify account:

sudo usermod -c 'userify-converted' alice

If the equivalent 'alice' username does not exist in Userify, or if it is not granted access to your server, that user account will be removed from the system (but can be restored by re-granting Alice access to the server).
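
A pre-flight check for the conversion step above, as an added example (not Userify's own code): it lists accounts whose comment field is 'userify-converted' but which are missing from a list of usernames granted access to the server, since those are the accounts that would be removed. The granted-list file, the function names, and the UID 1000 system-account cutoff are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check before (or after) marking accounts with
#   sudo usermod -c 'userify-converted' <user>
# list_at_risk PASSWD_FILE GRANTED_FILE
#   PASSWD_FILE  : passwd(5)-format file, normally /etc/passwd
#   GRANTED_FILE : one username per line, the users granted access to this
#                  server in Userify (hypothetical file you maintain yourself)
# Prints "user uid reason" for each account carrying the marker that is either
# absent from the granted list or has a system UID (< 1000, an assumed cutoff).
list_at_risk() {
    awk -F: -v marker='userify-converted' -v grantedfile="$2" '
        BEGIN {
            # Load granted usernames; getline avoids the NR==FNR empty-file trap.
            while ((getline name < grantedfile) > 0)
                if (name != "") granted[name] = 1
        }
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        $5 == marker {
            if (!($1 in granted))      print $1, $3, "not-granted"
            else if (($3 + 0) < 1000)  print $1, $3, "system-uid"
        }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from a real host.
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:userify-converted:/var/backups:/usr/sbin/nologin
alice:x:1001:1001:userify-converted:/home/alice:/bin/bash
bob:x:1002:1002:userify-converted:/home/bob:/bin/bash
carol:x:1003:1003:Carol Example:/home/carol:/bin/bash
EOF
    printf 'alice\nbackup\n' > "$tmp/granted"
    list_at_risk "$tmp/passwd" "$tmp/granted"
    rm -rf "$tmp"
}

demo
```

On a real host, call list_at_risk with /etc/passwd and your own granted-users file; an empty result means no marked account is outside the granted list or in the system UID range.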


How do I uninstall Userify?

Userify automates the regular Linux account process, so the user accounts on your servers are just regular non-expiring accounts. You can safely remove the shim from your server without affecting any accounts on the server by running:
/opt/userify/uninstall.sh

Is Userify secure?

We're tightly focused on security and conduct frequent external third-party penetration tests.

Userify is AICPA SOC-2 Type 1 certified, has achieved PCI-DSS and HIPAA compliance as well as the top score in the Netcraft Site Report, and has successfully completed the AWS Well-Architected Review.

Our web applications are designed to be resistant to XSS, CSRF, injection, inclusion, and many other attacks, and offer multi-factor authentication (MFA/2FA) for user logins. The source code for the Userify shim is open on GitHub so you can audit its operation yourself.

Userify encrypts all data at rest, including all data that we store in Redis and S3, with Curve 25519. We minimize the use of secret materials in general, and sanitize incoming data. Passwords are hashed with bcrypt, scrypt, or argon2. All data in motion is encrypted with SSH or signed TLS.

We are constantly looking for ways to further improve our security profile and further work with the security community. Please email [email protected] if you have further questions.


Is Userify hard to deploy?

Deploying Userify is fast and simple!

Sign up for an account, create your projects and invite your users, and paste a one-liner into your server console. Are you currently using Chef, CloudFormation, or other systems? Check out the built-in integrations for popular platforms, or contribute your own.

If you purchase Userify Enterprise or Userify Express, install in your datacenter or VPC in seconds with a single command and use your corporate firewall, iptables, or AWS Security Groups to lock it down to your corporate subnets or VPN.

With Userify AWS, you don't even have to install: just click and your server will be live in your VPC in seconds!


What happens if Userify servers are offline and I need to log in to my servers?

Userify creates local accounts and keeps them synchronized through a centralized management dashboard. You will always be able to log in to your servers, since your SSH logins do not go through our servers to operate.

Are my private keys at risk?

No private key is needed at all to log you in! Your private key is the other half of the public key and can stay safely stored on your laptop. If your laptop is lost or stolen, you can remove your public key from all of your servers in seconds and block your own login.

This is a core principle of Userify's operation: Userify minimizes the use of secret material like private keys.

There is no shared secret like a password or a private key. Your public key is enough to securely log you in to a server, but you can still freely share your public key or publish it on your website.

Rotating or updating your private key is much easier to deal with than ever before. Instantly rotate your keys without dealing with production pushes from configuration management or IT involvement. Just paste your new public key into Userify and it will be deployed in seconds.


What are the different Userify editions?

Userify Cloud is our Cloud edition. It requires no installation or other fees and you can start using it instantly with no credit card needed.

Userify Express is our fast and easy-to-install edition with no built-in limits on users, keys, or projects. Userify Express contains all of the functionality in Userify Cloud, but you can confine it within your VPC or LAN and configure it with your own mail server and domain names (e.g., https://userify.example.com).

Userify Enterprise is our solution for large enterprises and provides powerful cascading integration with Active Directory or LDAP.


What are the new Userify features?

SSH Key Scanner: Now your Server View screen shows any unmanaged SSH keys that you should probably have a look at.

Wipe Root Login Keys: Sometimes you can't be too sure, and now you can just check the box to make sure that users can't log in with a root key. Note that this doesn't prevent logging in with passwords, though!

Takeover User: Tired of ec2-user, ubuntu, and other leftover users? Just add them to your Takeover User list and the users will be removed from your instances in minutes.

Require MFA: This policy feature allows your company administrator to require all users to enable MFA/2FA before they can log in to servers. It is disabled by default, but enabling it is recommended.

