BLESS: Better Security and Ops for SSH Access
Bryan D. Payne, Director of Product Security
June 2017
Post by Ryan McGeehan
Anatomy of an attack (adapted from https://blogs.rsa.com/anatomy-of-an-attack/):
1. Phishing & Zero Day Attack: Several users are targeted by phishing attacks. At least one succeeds.
2. Backdoor: Victim machine is accessed remotely by adversary.
3. Lateral Movement: Attack elevates access and propagates throughout the network. It exploits any privileges and information discovered along the way.
4. Data Gathering: Data is collected, prepared, and staged for exfiltration.
5. Exfiltrate: Encrypted data is exfiltrated, typically to another compromised system that is external to the organization.
What’s the Problem?
Diagram: Operator 1, Operator 2 and Operator 3 authenticate via LDAP directly to the App A, App B and App C instances.
Diagram: Operator 1, Operator 2 and Operator 3 go through a Bastion (LDAP) to reach the App A, App B and App C instances.
What about single use SSH keys?
What if they left great clues behind?
And offered strong protections?
Netflix’s Solution
SSH Authentication
Bastion's Lambda Ephemeral SSH Service
Diagram: Invoke Lambda (ClientContext) -> Lambda -> Lambda Response (Status + Payload)

    def my_handler(event, context):
        message = 'Hello {} {}!'.format(event['first_name'], event['last_name'])
        return { 'message' : message }
Diagram: Bastion invokes BLESS with a Certificate Request; BLESS decrypts the SSH CA private key with AWS KMS and returns the Certificate in the BLESS Response; the Bastion then SSHes to the Instances with the certificate.
SSH Certificates
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:BLAH
Signing CA: RSA SHA256:BLAH
Key ID: "Any ID information you want"
Serial: 0
Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00
Principals:
        host_username
Critical Options:
        source-address 192.168.1.1
        force-command /bin/date
Extensions:
        permit-X11-forwarding
        permit-agent-forwarding
        permit-port-forwarding
        permit-pty
        permit-user-rc

Slide callouts on the fields above:
- Type: User or Host Certificates
- Key ID: Control over what is logged by SSHd
- Valid: Short-lived certs reduce risk
- Principals: Valid for a single target (account, app, username, etc)
- source-address: Valid from a single host
- force-command and Extensions: Control what the SSH session can be used for
Scoping Credentials
Diagram: Access to Bastion == Access to Instances (Developer -> Bastion -> BLESS -> Instances)
Diagram: App Defines Access List (Developer -> Bastion -> BLESS -> Foo App, Bar App)
Diagram: App Defines Multiple Roles (Developer -> Bastion -> BLESS -> Foo App, Bar App)
The same certificate as above, with the slide callout on the Principals field showing the scoped form: instance_user:aws_account:app_name
Config File /etc/ssh/sshd_config:

    # Entries to enable BLESS
    TrustedUserCAKeys /etc/ssh/bless_user_ssh_cas.pub
    AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u

Config File /etc/ssh/authorized_principals/blessdemo:

    bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef
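As an added example (not from the slides or the BLESS project), a small Python audit that parses an ssh-keygen -L style listing like the one in the SSH Certificates section and checks the properties the slides call out: a short validity window, a source-address restriction, and a principal that appears in the host's authorized_principals file. The listing and the authorized_principals contents are constructed samples.

```python
import re
from datetime import datetime
# Constructed sample in the ssh-keygen -L listing format shown on the slides (values made up).
SAMPLE_CERT_LISTING = """\
Type: ssh-rsa-cert-v01@openssh.com user certificate
Key ID: "Any ID information you want"
Serial: 0
Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00
Principals:
        bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef
Critical Options:
        source-address 192.168.1.1
        force-command /bin/date
"""
# Constructed contents of /etc/ssh/authorized_principals/<user>, one principal per line.
SAMPLE_AUTHORIZED_PRINCIPALS = "bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef\n"

def parse_cert_listing(text):
    """Turn the listing into a dict: header fields as strings, list sections as lists."""
    cert = {"Principals": [], "Critical Options": [], "Extensions": []}
    section = None
    for line in text.splitlines():
        if line[:1].isspace():        # indented entry belongs to the current list section
            if section:
                cert[section].append(line.strip())
        elif line.strip():
            key, _, value = line.partition(":")
            key = key.strip()
            section = key if key in cert else None
            if section is None:
                cert[key] = value.strip()
    return cert

def check_cert_policy(cert, authorized_principals, max_minutes=5):
    """Return the policy violations for a cert (an empty list means it passes)."""
    problems = []
    m = re.match(r"from (\S+) to (\S+)", cert.get("Valid", ""))
    if not m:
        problems.append("no validity window")          # e.g. 'Valid: forever'
    else:
        start, end = (datetime.fromisoformat(t) for t in m.groups())
        if (end - start).total_seconds() > max_minutes * 60:
            problems.append("validity window longer than %d minutes" % max_minutes)
    allowed = {p.strip() for p in authorized_principals.splitlines() if p.strip()}
    if not any(p in allowed for p in cert["Principals"]):
        problems.append("no principal matches authorized_principals")
    if not any(o.startswith("source-address ") for o in cert["Critical Options"]):
        problems.append("missing source-address restriction")
    return problems
```

The same check runs unchanged on the output of `ssh-keygen -L -f <cert>` for a real certificate.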
Operational Wins
End-to-end flow (Developer, Userspace, Pilgrim, Sshaman Daemon, Bastion, sshd, BLESS, AWS KMS, CloudWatch Logs, Log Forwarder, RELP Server (syslog), Instances):
1. SSH: Auth to Bastion
2. AWS SSH tool: Take request, determine user, application, instance information.
3. Pilgrim: Generate Keypair, Request SSH Cert
4. Sshaman Daemon: Determine calling user
5. AWS ssh tool: Use session credentials to request a certificate
6. BLESS: Decrypt SSH CA private key with KMS
7. BLESS: Generate and sign SSH Certificate
8. BLESS: Return a short lived certificate, log certificate info
9. AWS ssh tool: ssh with certificate
10. sshd: Validate certificate
BLESS also logs the certificate request & results to CloudWatch Logs; Pilgrim Logs, Sshaman Logs and sshd Logs go through the Log Forwarder to the RELP Server (syslog).
Key Secrecy: Personal Keys, Shared Keys, Expiration
Key Rotation: Human vs Machine
Logging

Traditional SSH:

    Jun 22 00:20:34 bless-demo-instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA SHA256:de:ad:be:ef:00:00:00:00:00:de:ad:be

Certificates with BLESS (the Key ID carries the request context):

    Jun 22 00:20:55 bless-demo-instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA-CERT ID request[##################] for[user_name] from[10.0.1.1] command[test:us-east-1:bless_demo_instances:bless_demo_instances-v001:oq-ssh] ssh_key[RSA de:ad:be:ef:00:00:00:00:00:de:ad:be] ca[arn:aws:lambda:region:account:function:name] valid_to[2017/06/22 00:25:53] (serial 0) CA RSA SHA256:8badf00d000000008bad
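An added example, not part of the slides or of BLESS itself: parsing the two kinds of sshd "Accepted publickey" lines shown above to pull out the context BLESS packs into the certificate Key ID, and to flag logins that still used a bare key. The log lines are constructed to match the slide's format; PIDs, ports and the request id are made up.

```python
import re

# Constructed log lines modelled on the two slide excerpts: a traditional key login
# and a BLESS certificate login. PIDs, ports and the request id are made up.
SAMPLE_LOG = """\
Jun 22 00:20:34 bless-demo-instances-i-0123456789abcde sshd[1234]: Accepted publickey for bless_demo_instances from 192.168.1.1 port 50000 ssh2: RSA SHA256:de:ad:be:ef:00:00:00:00:00:de:ad:be
Jun 22 00:20:55 bless-demo-instances-i-0123456789abcde sshd[1235]: Accepted publickey for bless_demo_instances from 192.168.1.1 port 50001 ssh2: RSA-CERT ID request[abc123] for[user_name] from[10.0.1.1] command[test:us-east-1:bless_demo_instances:bless_demo_instances-v001:oq-ssh] ssh_key[RSA de:ad:be:ef:00:00:00:00:00:de:ad:be] ca[arn:aws:lambda:region:account:function:name] valid_to[2017/06/22 00:25:53] (serial 0) CA RSA SHA256:8badf00d000000008bad
"""

# sshd's "Accepted publickey" line; for certificates the key type ends in -CERT and the
# remainder carries the Key ID, the serial and the CA fingerprint.
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
                       r"port \d+ ssh2: (?P<keytype>\S+) (?P<rest>.*)$")
CERT_RE = re.compile(r"ID (?P<key_id>.*) \(serial (?P<serial>\d+)\) CA (?P<ca>.*)$")
FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")   # name[value] pairs BLESS packs into the Key ID

def parse_accept(line):
    """Return a dict for an accepted-publickey line, or None for any other line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    rec = {"user": m["user"], "src": m["src"], "cert": False}
    if m["keytype"].endswith("-CERT"):
        c = CERT_RE.match(m["rest"])
        if c:
            rec.update(cert=True, serial=int(c["serial"]), ca=c["ca"], key_id=c["key_id"])
            # Recover the BLESS context: requesting user, their IP, command, CA ARN, expiry.
            rec.update(("bless_" + k, v) for k, v in FIELD_RE.findall(c["key_id"]))
    return rec

def find_uncertified_logins(log_text):
    """Logins accepted with a bare key instead of a CA-signed certificate."""
    return [r for r in map(parse_accept, log_text.splitlines()) if r and not r["cert"]]
```

Once every login is expected to go through BLESS, a non-empty result from find_uncertified_logins is the line worth alerting on.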
Availability Wins LDAP
Yes, It’s Open Source!
https://github.com/Netflix/bless
Demo Time
User Experience
Recommend
More recommend