SLIDE 1
Bryan D. Payne, Director of Product Security June 2017
BLESS: Better Security and Ops for SSH Access Bryan D. Payne, - - PowerPoint PPT Presentation
BLESS: Better Security and Ops for SSH Access Bryan D. Payne, - - PowerPoint PPT Presentation
BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017 Post by Ryan McGeehan 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users
SLIDE 2
SLIDE 3
SLIDE 4
SLIDE 5
SLIDE 6
Post by Ryan McGeehan
SLIDE 7
SLIDE 8
SLIDE 9
SLIDE 10
1 2 3 4 5
Phishing & Zero Day Attack Backdoor Lateral Movement Data Gathering Exfiltrate Several users are targeted by phishing
- attacks. At
least one succeeds. Victim machine is accessed remotely by adversary. Attack elevates access and propagates throughout the network. It exploits any privileges and information discovered along the way. Data is collected, prepared, and staged for exfiltration. Encrypted data is exfiltrated, typically to another compromised system that is external to the
- rganization.
SLIDE 11
What’s the Problem?
SLIDE 12
SLIDE 13
LDAP
SLIDE 14
LDAP
SLIDE 15
Operator 2 App A Instances App B Instances App C Instances Operator 3 Operator 1
SLIDE 16
Operator 2 Bastion App A Instances App B Instances App C Instances Operator 3 Operator 1
SLIDE 17
What about single use SSH keys?
SLIDE 18
What if they left great clues behind?
SLIDE 19
And offered strong protections?
SLIDE 20
Netflix’s Solution
SLIDE 21
SSH Authentication
SLIDE 22
SLIDE 23
SLIDE 24
SLIDE 25
SLIDE 26
Bastion’s Lambda Ephemeral Ssh Service
SLIDE 27
SLIDE 28
def my_handler(event, context): message = 'Hello {} {}!'.format(event['first_name'], event['last_name']) return { 'message' : message } Invoke Lambda
ClientContextLambda Response
Status + Payload SLIDE 29
Bastion BLESS Invoke BLESS BLESS Response
Certificate Certificate Request SLIDE 30
Bastion BLESS Invoke BLESS
Certificate RequestBLESS Response
CertificateAWS KMS
Decrypt SSH CA private key SLIDE 31
Bastion BLESS Invoke BLESS
Certificate RequestBLESS Response
CertificateAWS KMS
Decrypt SSH CA private keyInstances
SSH with certificate SLIDE 32
SSH Certificates
SLIDE 33
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
SLIDE 34
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
User or Host Certificates
SLIDE 35
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
Control over what is logged by SSHd
SLIDE 36
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
Short-lived certs reduce risk
SLIDE 37
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
Valid for a single target (account, app, username, etc)
SLIDE 38
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
Valid from a single host
SLIDE 39
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
Control what the SSH session can be used for
SLIDE 40
Scoping Credentials
SLIDE 41
Bastion BLESS Instances Developer Access to Bastion == Access to Instances
SLIDE 42
Bastion BLESS Bar App Developer App Defines Access List Foo App
SLIDE 43
Bastion BLESS Bar App Developer Foo App App Defines Multiple Roles
SLIDE 44
Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
instance_user:aws_account:app_name
SLIDE 45
# Entries to enable BLESS TrustedUserCAKeys /etc/ssh/bless_user_ssh_cas.pub AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u
Config File
/etc/ssh/sshd_config
SLIDE 46
bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef
Config File
/etc/ssh/authorized_principals/blessdemo
SLIDE 47
Operational Wins
SLIDE 48
Bastion BLESS Invoke BLESS
Certificate RequestBLESS Response
CertificateAWS KMS
Decrypt SSH CA private keyInstances
SSH with certificate SLIDE 49
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 50
Key Secrecy
Personal Keys Expiration Shared Keys
SLIDE 51
Key Rotation
vs
Human Machine
SLIDE 52
Logging Context
Jun 22 00:20:55 bless-demo- instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA-CERT ID request[##################] for[user_name] from[10.0.1.1] command[test:us- east-1:bless_demo_instances:bles s_demo_instances-v001:oq-ssh] ssh_key[RSA de:ad:be:ef: 00:00:00:00:00:de:ad:be] ca[arn:aws:lambda:region:account :function:name] valid_to[2017/06/22 00:25:53] (serial 0) CA RSA SHA256:8badf00d000000008bad Jun 22 00:20:34 bless-demo- instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from 192.168.1.1 port ##### ssh2: RSA SHA256:de:ad:be:ef: 00:00:00:00:00:de:ad:be
Traditional SSH certificates with BLESS
SLIDE 53
Availability Wins
LDAP
SLIDE 54
Yes, It’s Open Source!
SLIDE 55
https:/ /github.com/Netflix/bless
SLIDE 56
https:/ /github.com/Netflix/bless
SLIDE 57
https:/ /github.com/Netflix/bless
SLIDE 58
https:/ /github.com/Netflix/bless
SLIDE 59
https:/ /github.com/Netflix/bless
SLIDE 60
Demo Time
SLIDE 61
User Experience
SLIDE 62
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 63
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 64
SLIDE 65
Bastion Using BLESS
SLIDE 66
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 67
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 68
SLIDE 69
Instance SSHd Setup
SLIDE 70
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 71
- 5. AWS ssh tool: Use
- 6. BLESS: Decrypt SSH CA
- 7. BLESS: Generate and
- 8. BLESS: Return
- 9. AWS ssh tool:
- 10. sshd: Validate
- 3. Pilgrim:
- 2. AWS SSH tool:
- 4. Sshaman
- 1. SSH: Auth to
SLIDE 72
SLIDE 73
Related Work
- Lyft
- Uses BLESS with client that runs on laptops
- https:/
- Leverages signed certificates with principals
- https:/
- Wikimedia
- SSH-agent proxy to protect private key on bastion
- https:/
SLIDE 74
Questions?
bryanp@netflix.com https:/ /bryanpayne.org
[PS… I’m hiring!]