Foxpass - How It Works

See what Foxpass offers you

  • Uses your existing directory (Google Apps, Office 365, Bitium, Okta, OneLogin, etc.)
  • Cloud-hosted LDAP service
  • Per-user logins to your Linux environment
  • Single-sign-on for legacy applications
  • RADIUS interface to secure your WiFi network
  • Self-service SSH key management
  • Enforce password- and key-rotation policies

Uses your existing directory

Foxpass integrates with your current root identity (whether that's Google Apps, Office 365, Bitium, Okta, OneLogin, etc.) to bring single-sign-on into your server and WiFi infrastructure.


Foxpass is cloud-hosted, meaning there's no hardware to build, buy, scale, or maintain. And if cloud doesn't work for you, we have an on-premise version available.

Individual logins to your Linux environment

With Foxpass, it's no longer necessary to hard-code all users, groups, and SSH keys onto each host with Puppet or Chef. Instead, using trusted LDAP PAM modules built into every popular Linux distro, each host checks Foxpass to see whether a given user is allowed access, and then checks the user's SSH key against the keys in the user's Foxpass account. LDAP passes along the user's group information as well, which facilitates a robust and dynamic access policy on a per-host or per-resource basis. Example setup notes are available.

Network logins to your Mac OSX computers

Foxpass allows you to have individual logins to your Mac OSX computers, all served up from our LDAP server. Each user will get his/her own private home folder, or all users can share one.

Single sign-on for legacy applications

Applications like OpenVPN, Jenkins, Tableau, Chef Server, Nagios, TeamCity, JAMF Casper, Github Enterprise, Splunk, etc. have LDAP connectors that will work with Foxpass. See our documentation for detailed how-tos for many applications.

RADIUS interface secures your WiFi network

A network password that is shared with all employees is a security risk when an employee departs and the password is not changed. Most access points support WPA2 Enterprise, which enables 802.1X authentication via RADIUS. By default, our RADIUS servers use only the most secure RADIUS variants available: EAP-TTLS-PAP to secure password transmissions over the Internet and (optionally) certificate-based EAP-TLS. (PEAP and PAP are available but not recommended.) Our RADIUS interface can also simplify logins to your VPN.

Self-service SSH key management

Foxpass allows users to manage their own SSH keys. When an employee gets a new laptop, he/she can upload his/her new key to Foxpass and log into machines without needing to go through an admin or wait for a Puppet/Chef cycle. Furthermore, admins can enforce an SSH key rotation policy to adhere to company guidelines.

Advanced access control

Infrastructure access should not be all-or-none. Server access should be granted only on a "need-to-go" basis. Foxpass makes it simple to create groups of servers, either by hostname or by Amazon Web Services properties like VPC id, Subnet id, or even a tag. Individual users and groups of users can be permitted access, either on a permanent or temporary basis. Now it's simple to let a single QA engineer visit production to track down a bug, but have their access revoked automatically at the end of the day.
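
The access model described above (host groups selected by hostname or AWS properties, grants that are permanent or expire), sketched as an added example. It is not Foxpass's code or API; every class, function, name and id below is hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Host:
    hostname: str
    attrs: dict = field(default_factory=dict)   # e.g. vpc_id, subnet_id, "tag:env"

@dataclass
class HostGroup:                                 # every selector that is set must match
    hostname_glob: Optional[str] = None
    attrs: dict = field(default_factory=dict)

    def contains(self, host: Host) -> bool:
        if self.hostname_glob is None and not self.attrs:
            return False                         # a group with no selector matches nothing
        if self.hostname_glob is not None and not fnmatchcase(host.hostname, self.hostname_glob):
            return False
        return all(host.attrs.get(k) == v for k, v in self.attrs.items())

@dataclass
class Grant:
    principal: str                               # "user:<name>" or "group:<name>"
    host_group: str
    expires: Optional[datetime] = None           # None means permanent

def is_allowed(user, user_groups, host, host_groups, grants, now):
    """Default deny: allow only via an unexpired grant on a host group containing the host."""
    principals = {f"user:{user}"} | {f"group:{g}" for g in user_groups}
    for grant in grants:
        group = host_groups.get(grant.host_group)
        if grant.principal not in principals or group is None:
            continue
        if grant.expires is not None and now >= grant.expires:
            continue                             # temporary access has lapsed
        if group.contains(host):
            return True
    return False

# Constructed sample data (hypothetical names and ids).
HOST_GROUPS = {"prod": HostGroup(attrs={"tag:env": "prod"}),
               "staging": HostGroup(hostname_glob="stg-*", attrs={"vpc_id": "vpc-EXAMPLE"})}
GRANTS = [Grant("group:sre", "prod"),            # permanent
          Grant("user:dana", "prod",             # QA engineer, until end of day (UTC)
                expires=datetime(2024, 5, 1, 23, 59, 59, tzinfo=timezone.utc))]
PROD_DB = Host("db-1", {"vpc_id": "vpc-EXAMPLE", "tag:env": "prod"})
```

Because expiry is evaluated on every check rather than by a cleanup job, a lapsed grant stops working even if nobody removes it.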

Ready to try Foxpass?

Try Foxpass FREE for 30 days! No credit card needed.

Frequently Asked Questions

Yes. When implemented with best practices, all the benefits that Foxpass offers don't come at the cost of reduced security.
Foxpass should always be augmented with two-factor authentication that is orthogonal to Foxpass. For example, if Foxpass is used to authenticate access to your bastion host or VPN, a second factor (usually using Google Authenticator) should be implemented. In this way, a compromise of Foxpass is not sufficient to gain access to your environment.
LDAP is a mission-critical function for your organization. Any downtime can impact your workforce's efficiency. Foxpass's LDAP server is designed for high traffic and high availability. We have engineers on-call 24x7 to address any issues. If your internal LDAP fails or experiences high load, it is likely to take your engineering or IT team a long time to fix the problem.

Additionally, we have built many features into Foxpass that are not available in most LDAP servers. Foxpass offers easy-to-use host access control, temporary permissions, auditing, SSH key and password rotation enforcement, and more.
Many reasons. First, if an employee's credentials are stolen, you want to be able to turn off that user's access to lock out the attacker, but you don't want to impact access for your other engineers. Similarly, when an engineer leaves the company, you do not want them to retain access to any shared accounts. Additionally, per-user logins help you audit who is logging into which servers.