
BLESS: Better Security and Ops for SSH Access Bryan D. Payne, - PowerPoint PPT Presentation



  1. BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017

  2. Post by Ryan McGeehan

  3. Anatomy of an attack (adapted from https://blogs.rsa.com/anatomy-of-an-attack/):
     1. Phishing Attack: Several users are targeted by phishing attacks. At least one succeeds.
     2. Zero Day: Victim machine is accessed remotely by adversary. It exploits any privileges and information discovered along the way.
     3. Backdoor & Lateral Movement: Attack elevates access and propagates throughout the network.
     4. Data Gathering: Data is collected, prepared, and staged for exfiltration.
     5. Exfiltrate: Encrypted data is exfiltrated, typically to another compromised system that is external to the organization.

  4. What’s the Problem?

  5. LDAP

  6. LDAP

  7. (Diagram: Operator 1, Operator 2 and Operator 3, and the instances of App A, App B and App C.)

  8. (Diagram: the same operators and App A/B/C instances, now with a Bastion in between.)

  9. What about single use SSH keys?

  10. What if they left great clues behind?

  11. And offered strong protections?

  12. Netflix’s Solution

  13. SSH Authentication

  14. Bastion’s Lambda Ephemeral Ssh Service

  15. A minimal Lambda handler (diagram: Invoke Lambda with ClientContext; Lambda Response with Status + Payload):

```python
# AWS Lambda handler: `event` carries the caller's payload, `context` the
# invocation metadata; the returned dict becomes the Lambda response payload.
def my_handler(event, context):
    message = 'Hello {} {}!'.format(event['first_name'], event['last_name'])
    return { 'message' : message }
```

  16. (Diagram: the Bastion invokes BLESS with a Certificate Request; the BLESS Response carries the Certificate.)

  17. (Diagram: as slide 16, adding that BLESS decrypts the SSH CA private key with AWS KMS.)

  18. (Diagram: as slide 17, adding that the Bastion then does SSH with the certificate to the Instances.)

  19. SSH Certificates

  20. A BLESS-issued user certificate:

```
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:BLAH
Signing CA: RSA SHA256:BLAH
Key ID: "Any ID information you want"
Serial: 0
Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00
Principals:
        host_username
Critical Options:
        source-address 192.168.1.1
        force-command /bin/date
Extensions:
        permit-X11-forwarding
        permit-agent-forwarding
        permit-port-forwarding
        permit-pty
        permit-user-rc
```

  21. Same certificate, callout beside Type: User or Host Certificates

  22. Same certificate, callout beside Key ID: Control over what is logged by SSHd

  23. Same certificate, callout beside Valid: Short-lived certs reduce risk

  24. Same certificate, callout beside Principals: Valid for a single target (account, app, username, etc)

  25. Same certificate, callout beside source-address: Valid from a single host

  26. Same certificate, callout beside force-command and Extensions: Control what the SSH session can be used for

  27. Scoping Credentials

  28. Access to Bastion == Access to Instances (diagram: Developer, Bastion, BLESS, Instances)

  29. App Defines Access List (diagram: Developer, Bastion, BLESS, Foo App, Bar App)

  30. App Defines Multiple Roles (diagram: Developer, Bastion, BLESS, Foo App, Bar App)

  31. Same certificate, callout beside Principals: instance_user:aws_account:app_name

```
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:BLAH
Signing CA: RSA SHA256:BLAH
Key ID: "Any ID information you want"
Serial: 0
Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00
Principals:
        host_username
Critical Options:
        source-address 192.168.1.1
        force-command /bin/date
Extensions:
        permit-X11-forwarding
        permit-agent-forwarding
        permit-port-forwarding
        permit-pty
        permit-user-rc
```

  32. Config File /etc/ssh/sshd_config

```
# Entries to enable BLESS
TrustedUserCAKeys /etc/ssh/bless_user_ssh_cas.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u
```

  33. Config File /etc/ssh/authorized_principals/blessdemo

```
bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef
```
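As an added example (not from the deck or the BLESS project), a small Python model of the checks sshd applies to a BLESS certificate under the two config files above: the validity window, the principal lookup in /etc/ssh/authorized_principals/<user>, and the source-address critical option. The certificate, the principals file contents and the client addresses are constructed sample values; the CA signature is assumed to have been verified already via TrustedUserCAKeys.

```python
import ipaddress
from datetime import datetime

# Constructed sample: contents of /etc/ssh/authorized_principals/<user>,
# keyed by the local account name that sshd substitutes for %u.
PRINCIPALS_FILES = {
    "blessdemo": "bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef\n",
}

# Constructed sample certificate carrying the fields shown on the slides.
CERT = {
    "principals": ["bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef"],
    "valid_from": "2016-05-19T14:30:00+00:00",
    "valid_to": "2016-05-19T14:34:00+00:00",
    "critical_options": {"source-address": "192.168.1.1"},
}


def allowed_principals(login_user, files=PRINCIPALS_FILES):
    """Principals sshd would read for this account (blank and # lines ignored)."""
    body = files.get(login_user, "")
    return {ln.strip() for ln in body.splitlines() if ln.strip() and not ln.startswith("#")}


def would_accept(cert, login_user, client_ip, now_iso, files=PRINCIPALS_FILES):
    """Model of sshd's certificate checks (assumes the CA signature is already verified)."""
    now = datetime.fromisoformat(now_iso)
    start = datetime.fromisoformat(cert["valid_from"])
    end = datetime.fromisoformat(cert["valid_to"])
    # OpenSSH treats the end of the validity window as exclusive.
    if not (start <= now < end):
        return False, "certificate outside its validity window"
    # One certificate principal listed in the account's principals file is enough.
    if not set(cert["principals"]) & allowed_principals(login_user, files):
        return False, "no certificate principal is authorized for this account"
    # source-address is a comma-separated CIDR list; a bare address means a single host.
    src = cert["critical_options"].get("source-address")
    if src:
        ip = ipaddress.ip_address(client_ip)
        nets = (ipaddress.ip_network(n.strip(), strict=False) for n in src.split(","))
        if not any(ip in net for net in nets):
            return False, "client address not permitted by source-address"
    return True, "accepted"
```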

  34. Operational Wins

  35. (Diagram from slide 18: Bastion invokes BLESS, BLESS decrypts the SSH CA private key with AWS KMS and returns the certificate, Bastion does SSH with the certificate to the Instances.)

  36. Architecture (flow diagram):
     1. SSH: Auth to Bastion
     2. AWS SSH tool: Take request, determine user, application, instance information. Use session credentials to request a certificate.
     3. Pilgrim: Generate Keypair, Request SSH Cert
     4. Sshaman Daemon: Determine calling user
     5. AWS ssh tool: Use session credentials to request a certificate
     6. BLESS: Decrypt SSH CA private key with KMS
     7. BLESS: Generate and sign SSH Certificate
     8. BLESS: Return a short lived certificate, log certificate info
     9. AWS ssh tool: ssh with certificate
     10. sshd: Validate certificate, log
     Also on the diagram: BLESS: Log certificate request & results (to CloudWatch Logs); Log Forwarder; RELP Server (syslog); Pilgrim Logs, Sshaman Logs, sshd Logs; Developer, Developer Userspace, Daemon, Bastion, BLESS, AWS KMS, Instances.

  37. Key Secrecy Personal Keys Shared Keys Expiration

  38. Key Rotation vs Human Machine

  39. Logging

Traditional SSH:

```
Jun 22 00:20:34 bless-demo-instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA SHA256:de:ad:be:ef:00:00:00:00:00:de:ad:be
```

SSH certificates with BLESS (callout "Context" on the Key ID fields):

```
Jun 22 00:20:55 bless-demo-instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA-CERT ID request[##################] for[user_name] from[10.0.1.1] command[test:us-east-1:bless_demo_instances:bless_demo_instances-v001:oq-ssh] ssh_key[RSA de:ad:be:ef:00:00:00:00:00:de:ad:be] ca[arn:aws:lambda:region:account:function:name] valid_to[2017/06/22 00:25:53] (serial 0) CA RSA SHA256:8badf00d000000008bad
```
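As an added example (not part of the slides or of BLESS itself), Python detection logic that parses the two kinds of "Accepted publickey" lines shown on the slide, pulls the BLESS request context out of the certificate Key ID, and flags accepted logins that carry no such context. The log lines are constructed from the slide, with placeholder pid, port and request id values.

```python
import re

# Constructed sample log lines modelled on the slide (pid, port and request id are placeholders).
LOG_LINES = [
    "Jun 22 00:20:34 bless-demo-instances-i-0123456789abcde sshd[1234]: Accepted publickey "
    "for bless_demo_instances from 192.168.1.1 port 55555 ssh2: RSA SHA256:de:ad:be:ef:00:00:00:00:00:de:ad:be",
    "Jun 22 00:20:55 bless-demo-instances-i-0123456789abcde sshd[1234]: Accepted publickey "
    "for bless_demo_instances from 192.168.1.1 port 55556 ssh2: RSA-CERT ID "
    "request[0123456789abcdef] for[user_name] from[10.0.1.1] "
    "command[test:us-east-1:bless_demo_instances:bless_demo_instances-v001:oq-ssh] "
    "ssh_key[RSA de:ad:be:ef:00:00:00:00:00:de:ad:be] ca[arn:aws:lambda:region:account:function:name] "
    "valid_to[2017/06/22 00:25:53] (serial 0) CA RSA SHA256:8badf00d000000008bad",
]

# Common prefix of every accepted-publickey line; `rest` is the key-specific tail.
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2: (?P<keytype>\S+) (?P<rest>.*)$")
# Certificate tail: sshd prints the Key ID verbatim, then serial and CA fingerprint.
KEYID_RE = re.compile(r"ID (?P<keyid>.*) \(serial (?P<serial>\d+)\) CA (?P<ca_type>\S+) (?P<ca_fp>\S+)$")
# BLESS Key ID fields have the shape name[value].
FIELD_RE = re.compile(r"(?P<name>\w+)\[(?P<value>[^\]]*)\]")


def parse_accept(line):
    """Return a dict for an accepted login, with BLESS context when the key was a certificate."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("pid", "user", "ip", "port", "keytype")}
    rec["context"] = {}
    rest = m.group("rest")
    c = KEYID_RE.match(rest) if rec["keytype"].endswith("-CERT") else None
    if c:
        rec["serial"] = int(c.group("serial"))
        rec["ca_fingerprint"] = c.group("ca_fp")
        rec["context"] = {f.group("name"): f.group("value") for f in FIELD_RE.finditer(c.group("keyid"))}
    else:
        rec["fingerprint"] = rest  # plain key: only a fingerprint, no requester identity
    return rec


def logins_without_context(lines):
    """Accepted logins with no BLESS context: plain keys a reviewer cannot attribute to a person."""
    return [r for r in map(parse_accept, lines) if r and not r["context"]]
```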

  40. Availability Wins LDAP

  41. Yes, It’s Open Source!

  42. https://github.com/Netflix/bless


  47. Demo Time

  48. User Experience

  49. (Architecture flow diagram from slide 36, repeated.)
