Frequently Asked Questions
What is Userify?
Userify is an SSH key and User Manager for the cloud and datacenters that creates user accounts for devops, engineers, developers, database administrators, etc., and allows them to log in quickly and easily.
With a self-service key management console, instant setup, and one-line deployment, configuring new user accounts and managing temporary keys is easy and fast. No more wasted time!
What happens to my SSH keys?
Userify only uses your public key to create user accounts on your servers. It creates the specified user account and a .ssh/authorized_keys file in that user's home directory, just as you would by hand, using the same commands and files (useradd, sudoers.d, etc.).
Sudo permissions are managed via /etc/sudoers.d, just as you would by hand, so Userify works well with other user management tools.
Userify uses the comment metadata field of a user account so that it will not modify or delete a user account that it didn't create.
How do I convert existing Linux accounts to Userify?
Userify doesn't modify pre-existing Linux accounts by design in order to protect accounts like backup, system, etc., from being automatically removed or changed.
To override this behavior, execute the following command on any server to have a user's account converted to a Userify account:
sudo usermod -c 'userify-converted' alice
If the equivalent 'alice' username does not exist in Userify, or if it is not granted access to your server, that user account will be removed from the system (but can be restored by re-granting Alice access to the server).
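Before marking accounts for conversion, it helps to see which local accounts already carry the comment marker and which of those would be removed because they have no matching grant. The script below is an added example, not part of the Userify shim; the `userify-` prefix is an assumption inferred from the `userify-converted` value shown above, and the granted-users file is a hypothetical export with one username per line.

```shell
#!/bin/sh
# Added example. Assumption: the marker prefix is passed as a parameter,
# because the page only shows the literal comment 'userify-converted'.

# Constructed sample in /etc/passwd format (not taken from a real host).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
alice:x:1001:1001:userify-converted:/home/alice:/bin/bash
bob:x:1002:1002:userify-converted:/home/bob:/bin/bash
carol:x:1003:1003:Carol,,,:/home/carol:/bin/bash
EOF
}

# Usernames whose comment (field 5) starts with the marker: the accounts
# a comment-based manager will treat as its own.
marked_accounts() {    # usage: marked_accounts PREFIX < passwd
    awk -F: -v p="$1" 'index($5, p) == 1 { print $1 }'
}

# Marked accounts missing from the granted-users list. Per the page,
# a converted account without a matching grant is removed.
at_risk_accounts() {   # usage: at_risk_accounts PREFIX GRANTED_FILE < passwd
    marked_accounts "$1" | while read -r u; do
        grep -qxF -- "$u" "$2" || printf '%s\n' "$u"
    done
}

# Unmarked accounts with a login shell: left untouched by design.
unmanaged_logins() {   # usage: unmanaged_logins PREFIX < passwd
    awk -F: -v p="$1" 'index($5, p) != 1 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Demo on the constructed sample; on a real host pipe in `getent passwd`.
granted=$(mktemp)
printf 'alice\n' > "$granted"   # hypothetical list of users granted access
echo "marked:    $(sample_passwd | marked_accounts userify- | tr '\n' ' ')"
echo "at risk:   $(sample_passwd | at_risk_accounts userify- "$granted" | tr '\n' ' ')"
echo "unmanaged: $(sample_passwd | unmanaged_logins userify- | tr '\n' ' ')"
rm -f "$granted"
```

Review the "at risk" list before running usermod on additional accounts, and the "unmanaged" list for leftover logins that no central tool will rotate or remove.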
How do I uninstall Userify?
Userify automates the regular Linux account process, so your user accounts on your servers are just regular non-expiring accounts. You can safely remove the shim from your server without affecting any accounts on the server by running
Is Userify secure?
We're tightly focused on security and conduct frequent external third-party penetration tests.
Userify is AICPA SOC-2 Type 1 certified, has achieved PCI-DSS and HIPAA compliance, has received the top score at the Netcraft Site Report, and has successfully completed the AWS Well-Architected Review.
Our web applications are designed to be resistant to XSS, CSRF, injection, inclusion, and many other attacks, and offer multi-factor authentication (MFA/2FA) for user logins. The source code for the Userify shim is open on GitHub so you can audit its operation yourself.
Userify encrypts all data at rest, including all data that we store in Redis and S3, with Curve 25519. We minimize the use of secret materials in general, and sanitize incoming data. Passwords are hashed with bcrypt, scrypt, or argon2. All data in motion is encrypted with SSH or signed TLS.
We are constantly looking for ways to further improve our security profile and further work with the security community. Please email email@example.com if you have further questions.
Is Userify hard to deploy?
Deploying Userify is fast and simple!
Sign up for an account, create your projects and invite your users, and paste a one-liner into your server console. Currently using Chef, CloudFormation, or other systems? Check out the built-in integrations for popular platforms, or contribute your own.
If you purchase Userify Enterprise or Userify Express, install in your datacenter or VPC in seconds with a single command and use your corporate firewall, iptables, or AWS Security Groups to lock it down to your corporate subnets or VPN.
With Userify AWS, you don't even have to install: just click and your server will be live in your VPC in seconds!
What happens if Userify servers are offline and I need to log in to my servers?
Userify creates local accounts and keeps them synchronized through a centralized management dashboard. You will always be able to log in to your servers, since your SSH logins do not go through our servers to operate.
Are my private keys at risk?
No private key is needed at all to log you in! Your private key is the other half of the public key and can stay safely stored on your laptop. If your laptop is lost or stolen, you can remove your public key from all of your servers in seconds and block your own login.
This is a core principle of Userify's operation: Userify minimizes the use of secret material like private keys.
There is no shared secret like a password or a private key. Your public key is enough to securely log you in to a server, but you can still freely share your public key or publish it on your website.
If you use Userify's new Private Key generator, your private key is encased within our strong Curve 25519 vault encryption until you download it or your administrator chooses to deploy that key on a remote server.
Rotating or updating your private key is much easier to deal with than ever before. Instantly rotate your keys without dealing with production pushes from configuration management or IT involvement. Just paste your new public key into Userify and it will be deployed in seconds.
What are the different Userify editions?
Userify Cloud is our Cloud edition. It requires no installation or other fees and you can start using it instantly with no credit card needed.
Userify Express is our fast and easy-to-install edition that you can install on a single server and can manage up to 1,000 servers or instances, with no built-in limits on users, keys, or projects. Userify Express contains all of the functionality in Userify Cloud, but you can confine it within your VPC or LAN and configure it with your own mail server and domain names (e.g., https://userify.example.com).
Userify Enterprise is our solution for large enterprises and provides cascading integration with Active Directory or LDAP, as well as multi-server horizontal scaling and high availability.
What are the new Userify features?
New Userify Features:
- SSH Key Scanner: Now your Server View screen shows any loose SSH keys that you should probably have a look at.
- Wipe Root Login Keys: Sometimes you can't be too sure, and now you can just check the box to make sure that users can't log in with a root key. Note that this doesn't prevent logging in with passwords, though!
- Takeover User: Tired of ec2-user, ubuntu, and other leftover users? Just add them to your Takeover User list and the users will be removed from your instances in minutes.
- SSH Key Generator: Just click Generate Key in your profile page to download a new RSA 4096-bit private key and have your profile page automatically filled with the public key. Note, your key will be available for distribution (for example, to a bastion host) by an administrator, or click DISABLE to remove your private key from your profile and prevent it from being deployed.
- Private Key Deployments: When your company administrator enables this policy feature by clicking the key icon, your new private key will be deployed into your home directory on any server group automatically. Useful for automated/service accounts like backups and database replication autossh users. (Not recommended for human users; jumpboxes/bastions should use ProxyJump instead of private key deployments.)
- Force key rotation: When your company administrator enables this policy feature, you'll receive an email when your key expires; just update your key to continue working. Disabled by default, but annual key rotation is recommended.
- Require MFA: This policy feature allows your company administrator to require all users to enable MFA/2FA before they can log in to servers. Disabled by default, but enabled is recommended.