"Zero Trust SSH" - Jeremy Stott (LCA 2020)

Captions
[Host] Please welcome Jeremy to the stage, talking about Zero Trust SSH.

[Jeremy] Awesome, thank you very much for having me. I'm here to talk about Zero Trust SSH. I don't know what you thought of the title before you came in here; even when I was choosing it I was like, I hope it means something to you. I kind of borrowed it from the zero trust security buzzword, like BeyondCorp, with "zero trust" because you don't trust anything, but really you're trusting a lot more. It's like lots of trust, I don't know, it just doesn't make sense. Anyway, hopefully you've all read the abstract, and thanks for coming.

A bit about me: I'm a software security engineer with a background in electronics and software engineering. Right now I'm a freelancer, entrepreneur, unemployed, one of those. Public speaker, the weirdest hobby ever, I really recommend it. Hacker, I can put anything in here. This beautifully rendered GIF, I might add, is me brewing some beer: there's a flamethrower and a 60 litre stainless steel thing. The phone camera didn't work so well after that shot. Anyway, I'm getting my money's worth by using this kind of presentation.

So, SSH. How many people know about SSH? Yes. Very briefly, what is it? As a system administrator, I need to connect to a server remotely to do a bunch of things: maybe apply an update, maybe deploy an application, maybe install a new package. The key bit here is connect to a server remotely, and that's what SSH is going to help us do.

On your SSH journey, when you first discovered it, maybe you were using password authentication. The way you use it is ssh p@hostname, p because password starts with P, and if you've been set up correctly and you've got all the access, it'll say, what's your password? You enter your password and then you're on the machine. But maybe pretty quickly you realised that password authentication wasn't great for you; there's a bunch of problems with it, or maybe your organisation was just like, we don't do password authentication. So what's the next step? Public keys.

What you do is run this command, ssh-keygen, and it says okay, we're going to generate a public/private key pair, and you enter a passphrase. I should actually use a passphrase here; I hit enter twice, that's fine, but always use a passphrase. It's output some key art thing, which doesn't really matter, but what's actually happened, what's interesting, is it's created this id_rsa.pub file. That's my public key: a bunch of encoded stuff, but this is the public part. It's also created a private key that sits on my computer. The public bit you put on the server out-of-band, which means you give it to your administrator, or maybe you already have password auth and you're kind of bootstrapping, so you put it on there like that. Then you can SSH to your host, and hopefully this works: you enter your passphrase and you're on the host, which is great.

So hands up, who's using public key authentication? Cool, some people are now interested in it, that's cool. The other thing you can do now is turn off password authentication, so you're just public key authentication. Now I hear what you're saying: I entered a password, so what was the difference? I've got a password, I haven't really changed anything. Well, the difference is the secret never leaves my laptop. What happens is I send this public portion to the server, and the server goes, is this public key in my whitelist? It is, okay, well here's a challenge for you to sign. It gives me a challenge, my laptop signs the challenge with the private key and gives back the result, and the server says, yes, cryptographically you have the private key for the public key, so let's go. So your password is much less susceptible to man-in-the-middle and a whole bunch of other cool stuff.

But how many of you knew that there was a third stage out there? Oh yes, a couple, great, okay, interesting. So it is a certificate. It's in your OpenSSH client and server right now, as of 5.6 or something, so hopefully you're on 7-something. It's basically a public key plus some metadata plus a signature. It's not X.509 certificates like the classic HTTPS certificates; it's this proprietary OpenSSH, well, I say proprietary, it's a custom format.

So what does it look like? You can run ssh-keygen again and generate your user key, that's fine, and then you generate a certificate authority private key, but it's actually exactly the same, well, not the same key, the same type of key. Now I've got two keys, and I want to sign my user key with my CA key. There's -s, and then ca is the private key of the CA. Then I've got some ID, which might be my username or something. I can have an expiry on it, so it's valid from now for one day. Then I've got a list of principals; this bit's really important, this is essentially which users on the host am I going to be able to sign in as with the certificate. And then there's the public key of the user you're trying to sign. Let's see if that goes past the passphrase; again, this is the important bit, and this is the passphrase of the certificate authority private key we made. It should... it did. So it's signed the key, and you see there's the ID, it's got jeremy as my principal, with an expiry. You can actually see now in my directory I've got user, which is my private key, user-cert, which is this new thing that's been created, and my public key. So it's just another public key in the same directory. You can use ssh-keygen to have a quick look at what that certificate is; it's just a text format that unwraps all that metadata.

Really the best resources for this are the man pages for ssh-keygen, ssh_config and sshd_config. If you're into this and you want to look at this part of it, those man pages are great. I tried looking online on various websites and I just end up on the FreeBSD man pages for these, so I think they're really good.

Interesting features: these certificates can expire, and that's really one of the best features. How many of you have onboarded someone, put their public key on your server, and then just left it there forever? It's still there; they've left the company and the public key is still there. There's no real way to automatically expire those keys: if your normal processes for off-boarding break down, there's no real way to tidy up keys that are just dangling there.

There's a force command feature, similar to the ssh ForceCommand, the same feature but in the certificate, where your certificate authority can say, hey, when you connect you can only run this one command, you can't do anything else. You can have a source IP address restriction, so it's like, I only want people from the office to be able to SSH, or maybe from the same origin that you signed the certificate from. So you can kind of impose a restriction on yourself: you get your certificate signed, but you know your home IP address at that point, so you sign your certificate and it's linked to your IP address, and if you were to go to the office you would just get a new certificate. You can permit or deny forwarding, and some other things.

But hosts can have certificates too. How many of you have seen this warning when you're connecting to a server? Yeah. And you're just like, what does it tell me to do? Go and remove a known_hosts file, okay, deleted. What this is telling you is, when you're connecting, the server's public key is different from the last time we visited the server, so I can't really be sure that it's the right server you're trying to talk to. That's dangerous, because if I connect to it and give it my public key, the malicious server might be like, okay, yeah, you can come on in, I'll accept any public keys, and then if you're forwarding your agent, for example, they could use your private key to connect somewhere else. But it's kind of annoying as a developer: you're like, ah, they probably changed the gateway again. This is my face whenever I go and delete that known_hosts file.

The key thing with these SSH certificates, do I have it here, is that hosts can have certificates too. The host has got a host certificate, so all of your users can have the same public key of the certificate authority, and then you'll never get that warning, because all the hosts, even ones you've never seen before, get their public key signed by the certificate authority first, and then they present their public key to you. Your laptop can now verify: even though I've never seen this particular host before, we've got a friend in common, our buddy the CA has signed your certificate. That's great. So when that warning appears, your users can actually come and tell you, hey, is this for real? Like, yes, it's legit.

So where do certificates really shine? I want to go over a couple of scenarios from my past roles that have led me to these certificates.

On- and off-boarding: it was part of my role in one of my jobs to add users, and by the fifth, sixth, seventh user, this is not fun, I want to do something else. Of course, tools exist to do all this, like Puppet, LDAP, Ansible, but if you don't already have them it's a bit of a tough sell to your boss: hey, I'm just tired of onboarding all these users, I just want to install LDAP. That might have a bit of a frosty reception. And even with Ansible and with Puppet, in my last job the workflow was basically: get a user to generate the keys, do a git pull on our Puppet repository, add the user, add the key, git commit, git push, open a pull request, get a review on the pull request, merge it into the Puppet repository, and then wait two hours for Puppet to deploy to all of the hosts. That's not a great onboarding experience for me or for the person who's just joining.

What about if you've got limited network access, so embedded systems? I also worked at a company designing electronics for luxury yachts. We had Linux touch displays, and on the back of one of these displays was an Ethernet port that we used for loading the application to start with and for servicing and debugging. Normally there's nothing connected to it, so there's no way for it to get the new list of users that have joined. So maybe you start with one developer generating a key, and that key's now on every device that's been manufactured and sold. That's not great: they lose their laptop, and we can't sign in anymore. Or even worse, just a shared password, like root/root, and then you end up on the front page of Hacker News: oh, you guys are insecure. But you can't connect to this port! A certificate authority would solve that: you could have all of your engineers get their developer certificates signed, and then even if someone joins the company after all of the boats, which are really difficult to upgrade, are already out in the field, you can connect to them if you go and visit the boat.

Maybe you're in a larger org with new servers coming online all the time, and you have to wait for these servers to provision the users. Maybe they're in a different Amazon account, or a different cloud provider altogether; it could be DigitalOcean and Amazon. How do you now get your DigitalOcean image to talk to Amazon to say, hey, I need the list of users? Now you've got to set up some VPC peering, I don't know, it gets too complicated. That might be fine for your platform team, but what about the marketing team that started their own Amazon account? And what about someone who's just like, oh, we just use Google Cloud because I just started it up and now it works. So you could have the very bare minimum requirement of: whatever you do, just put this one public key of the certificate authority there, and now I can connect to it.

Another situation: as a developer, I need to SSH to a random box and run SQL queries against the database. This seems a bit weird, but it can be quite common with a microservices architecture, where we're giving developers more and more control over how they deploy their applications and databases. They're creating their own databases and they need a bit of control over setting them up to move really quickly. You don't really want to provision an SSH user necessarily, but you could give them a certificate that just allows port forwarding, for example, so they can connect and just port forward. It's a cheap way to do this kind of proxy without needing to do much more.

Then there's auto-scaling, taking advantage of auto-scaling instances. We had this in one company where we wanted to start machines really fast so that we could respond to demand: all these requests coming in, it starts more servers, but you've got to wait for Puppet to run to provision your users and things. That's too slow; by that time the peak's already gone, the cost savings are gone. You could bake your users into your images, which means putting them in at build time of your image, and that works, you can start quickly. But now say someone leaves the company: all your images are still sitting there, and then a new server comes online with the old user's credentials and public key and things. You can see how it can get a bit difficult to manage with servers coming up all the time. But if you had the certificate authority public key put in all your images, that's fine: if they come up you can SSH immediately, even though the server's never seen you before, because again we've got that common buddy, the CA.

One of my favourite examples of why they're really handy: Uber created this PAM module, do you say PAM module or P-A-M module, I don't know, PAM module, to grant sudo access based on a certificate in your agent. That's really cool. If you're forwarding your agent, now on the host the PAM module can check: have I got a certificate in my agent with sudo in the principal list? And if you do, hey, you can do sudo. So now you no longer need to manage user passwords on these hosts, because if the host just comes up and doesn't know about any users and no passwords, you need a way to say, well, the security guy's trying to come in and fix something, they can still run sudo and it can trust your user. I actually had someone come up to me and ask, hey, can we disable the password on sudo? Because when I'm running my Ansible scripts it's prompting me for every server. I've got something that needs root privileges, but every server I'm connecting to is like, hey, what's your password? What's your password? While Ansible has ways to deal with that, it's up to the user to do it properly, and maybe people end up just putting their sudo password in a file and getting it to every server that needs it. With the certificate, though, if you SSH to a machine and you have sudo, then it can know that you're authenticated with a second factor and everything like that, across 100 machines, even though the machines are not talking to each other. So you can have almost like a session, if you will, across all your hosts, and it reduces the fatigue of your users. It's also a really nice developer experience feature: you're going to prevent people from doing something silly by giving them a better way to do it.

Hang on a second, I think I know what you're thinking: am I just signing certs now? You've got all this cool stuff, and now my job is just signing these certificates, and someone comes up: I lost my YubiKey again. Okay, where did you lose it? So what happens with revocation and things? Public key infrastructure is not an easy thing. So what do we do? We can automate it, and other companies have already done very similar things.

Netflix created this project called BLESS, Bastion's Lambda Ephemeral SSH Service. They put an SSH certificate authority, which again, remember, all it really is is a private key plus the ability to sign your public key, into a Lambda function in Amazon, and their certificates expire in two minutes. It's enough time to make the connection, and then the certificate expires and you're good. If you want to connect somewhere else, you go back to the Lambda, get another certificate, connect again and you're good again. You can even generate a new public/private key pair for every connection if you wanted to. They combined it with a bastion host, and that was kind of my starting point for this. Then Lyft, what they did was they said, well, we like BLESS but we don't like this bastion part of it; what we're trying to do is use our users' laptops, we want them to be able to directly get this public key signed. They took this but made it run on your laptop, so your laptop talks to Amazon, it goes, hey, sign this public key, and then you can connect directly from your laptop to all the servers. It kind of uses Amazon IAM in a clever way to do an identity provider. It's clever, but then you start depending on Amazon identities.

Smallstep have a tool called step, which is a lightweight Go server to sign certificates. I think mainly it's actually signing HTTPS, it's an X.509 certificate authority, but they also have an SSH certificate authority part to it, so that's really cool, and they can use OpenID Connect to authenticate to their server; I'll explain that in a little bit. Another one is Vault by HashiCorp. A lot of these tools where they've got, hey, this is our security tool thing, some of them might have SSH certificate signing abilities. If you're already running Vault then that's really good, you could just use the SSH certificate abilities. We weren't running Vault, and it seemed like a bit of a heavy thing to install just for the certificate authority part.

So I created shrimp. Why is it called shrimp? Well, there's a shrimp emoji, shrimp have shells, right? Sorry guys. They're lightweight, maybe. It's actually an acronym: SSH Really Isn't My Problem. I don't know, shrimp sounded good. [An audience member suggests "barbie".] Ah, okay, that's perfect, I'm going to borrow that. If I make a million dollars, come find me afterwards, I'll give you some of it, because I needed a name for the certificate authority part: barbie, that's brilliant. You put shrimp on the barbie, oh my god.

Okay, so how does it work? SSH demos are the most boring demos in the world, because I just run this and then it connects to the server, that's really all it is. But what's actually happening is SSH is talking to the SSH agent to say, hey, give me a list of identities that I can use to make this SSH connection; those are the public keys that you created. But it's not talking to ssh-agent, it's talking to shrimp-agent, because shrimp-agent is implementing the agent protocol. It's going to say, okay, you want a list of identities, I'll give you a list of identities, but before it gives them to you it goes, okay, I'll just go out and do an OpenID Connect flow, which is an OAuth flow: it opens a browser and lets you sign in with Google or Okta or OneLogin or Auth0 or Keycloak or whatever identity provider you have that supports OpenID Connect. It will go and get an identity token, and that identity token is a JWT, a JSON Web Token. The shrimp agent goes to the barbie, the barbie in Amazon, and it's got all the tools it needs, because the barbie now has your JWT plus your public key. So it can verify your identity, because the JWT was signed by Google or whoever your identity provider is, and the public key was the one that your user said, hey, sign this for me. Then it can sign it and give you back the result, and the shrimp agent just serves it up nicely from the barbie to the user, and the SSH client's none the wiser. So it works out of the box with ssh, rsync, scp, any of the tools that you've got, like Ansible; it's just going to work, because it's just the SSH agent, as if you had your keys on a hardware device, except it's a really complicated cloud hardware device.

A JWT kind of looks like this. I just put it in here because I thought it was interesting: you get things like your email from Google, you get a subject ID, which is your unique Google ID, so even if you change the email somehow, your unique ID would stay the same. An audience is kind of like the client app who's doing this, like, sign in to shrimp, and then the issuer is Google. Your Lambda function, our barbie, is going to check all this and make sure it's valid, and if it is, it can basically sign a certificate for whatever the email is. I don't even need to know a list of users or anything; whatever the JWT comes in as, I can sign a certificate for you, because it's very difficult for me to get a JWT for somebody else. I can only get my own JWT because I'm signing into Google, and if I could get your JWT, I'd need to be able to sign in on your browser. step has a cool tool if you want to play with this stuff: they've got an OIDC command that will do the whole flow for you if you're interested, and you can actually pipe that into inspecting the JWT, so if you wanted to play around, you can have a look. There are two really cool resources on what the threat model is here, like what are we actually doing, OAuth from your computer, what are the threat models. The second one, PKCE, is one of the mechanisms that makes OpenID Connect one of the better choices for getting authentication on your laptop. There are other types like SAML and stuff, but all of those don't really provide a way to safely get that secret into memory in your process on your computer.

One problem is pesky users: the user has to exist on the host. I've already sold you all on my shrimps and my barbies, but actually this is a bit of a problem. Very early on in the OpenSSH control flow it checks, does the user actually exist? It doesn't care what you've got, certificates, public keys, passwords: if your user doesn't exist, no dice. That's a bit of a problem, because the problem we're trying to solve is, hey, a machine comes online and doesn't know about anybody, can we still connect to it? You could SSH as root, or a shared user; basically that's what Facebook do, well, did a couple of years ago, in a blog post they wrote. That's kind of scary, I feel like it goes against some of the norms, and it's difficult to convince somebody that's a good idea. But they claim that you can still audit it, because when you connect, your auth logs say which certificate authenticated as root. So if you had a really good logging setup and really good sessions, maybe you could do this. Maybe they only use this if the machine's completely broken: they take it out of whatever environment, now it's sitting in some kind of isolated thing, and that's when they use it. I don't know, maybe it never goes back into production, who knows.

nsscache, which is a project started by a couple of guys at Google, and Lyft use this kind of method to basically synchronise your NSS database, so your /etc/passwd, your /etc/group, across all your machines. It's like a very lightweight LDAP-less directory thing. You could do that; it's still going to wait for it to run when your machine starts up. You could use Puppet just for the users part; again you've got to wait for Puppet to run. Maybe your other orchestration tools. So it's a little bit difficult, and this is one of the problems with SSH certificates that people have seen: hey, how do you get users onto machines?

One idea I have, and I'm not saying it's a good idea because it's still in development, but no one's been able to say it's bad yet, so if you think it's bad come and tell me, because I'll stop telling other people: basically, you could create users on the fly. You could issue two certificates to users instead of just one. One certificate is, as we saw before, for user jeremy, but the second certificate is for a user provision. Now that user provision does really exist on the machine, but you can set that force command to adduser jeremy. The certificate authority will be able to put my username in there; I can't manipulate any of the parameters of this force command, I can't change it, I can't add anything, I can't bypass it. When I make my connection, all it runs is adduser jeremy and then disconnects, and then I could SSH as jeremy. So this is ssh as jeremy, it fails; ssh as provision, and it's accepted; and then you can ssh as jeremy again. It's not a great experience for people, because they're like, oh, just ssh, and if it doesn't work just try this other thing, and then if it works you can go. So it's a little bit annoying. You could add something to your ssh config file to say, well, proxy all my connections through this other one, provision@host, so any connection you make would first try to provision you and then it would connect, it would pass your connection through. I don't know which one of these I prefer yet; I'd probably run with the first one, but maybe people would prefer it to look like it was just transparent. But then you've basically always got two SSH connections, one tunnelled inside another, but maybe that's cool. One of the finer fixes if you do this: you can limit the source address in your user certificate to localhost, because once you've connected as provision, the connection's going to come from the host itself, so you kind of can't get out of the loop; you can't SSH without going through the provision certificate. That could be a cool thing to look into.

Also, maybe some of you are wondering, now I'm relying on Google for my whole infrastructure? But no, you're not. What I would recommend you do is create some backup keys. You can have as many CA keys as you like, so I'd recommend having three: one is the one that's in your Lambda function, and then the other ones can be offline hardware keys. I got some dog tags printed from some website that's like, hey, print some dog tags, five dollars, and it looked really cool. We were putting them into a fire safe, and I'm like, wow, if it does get really hot in there and I've only got little labels, then you open it up and it's like, which of the keys is which? So maybe not. I don't know, it just looks cool. One problem though: after I created them, five dollars, great, fifty dollars shipping, okay, that's fine, and then I need to add another one, keep ordering... If I bought a machine to stamp them I could do that, but that's too much. They're completely offline. Your private key can be stored on the YubiKeys and you can still sign certificates; all you need to sign those certificates is to have a private key, just as normal, so you can have it on a hardware device. I'd set up your infrastructure to alert on any of these being used, because it really should be a dire situation: someone's going to run to the safe, get the YubiKey and start signing keys for people that are maybe valid for a day, but you want to know if that happens.

So SSH certificates, I think, are scalable. We've got strong authentication, we've got this increased trust, so it's not zero trust now, it's like multi trust, I don't know. It's just OpenSSH, so you're not installing anything, you're not changing the SSH client, it's just SSH features that are already there. And I think the biggest thing is an improved experience for your engineers and your people using it, because if you make it easier for them, first of all they're going to think, well, this guy's awesome, but you're actually going to make it harder for them to make mistakes, because they're going to go down the path that's the easiest, and if they always have to cat their sudo password to stdin, then they'll just do that so that it works.

A bonus section: how do I make these slides? Someone's going to be wondering that, three people, yeah. Command line slides are boring, but actually this whole presentation is inside an SSH certificate. It's a terrible idea, but essentially the ForceCommand runs a Python script on connect which echoes out the slides, and you can go back and forwards. I spent a lot of time procrastinating on the talk by writing the slideshow program. So, funnily enough, I can share my slides: you just give me a public key and I will sign a certificate for you, and then you can connect to my server. I can even show you the provisioning. This is the certificate, yes, it got a bit out of hand. I actually don't know if there's a limit to how big your SSH force command can get. I ran into the limit of the maximum command-line argument length before this, which is two hundred thousand bytes, so I guess there's more than that. It just failed to sign the certificate, because I was using ssh-keygen and my command line was just massive, because ssh-keygen wouldn't read it from a file. I ended up making a Go script to sign it, so I don't know. Maybe some of you are wondering how images are working in these slides. That's a bit of a laugh: basically iTerm, on a Mac, has this feature where you can cat base64 with the correct escape sequence and it'll download the file and render it as an image inline. So the server is actually downloading the images, because I got past the 200k limit, and then it's getting the images back out. Okay, if you have any questions please raise your hand.

[Audience] I've done this and I'm very happy with it. My concern is that my CA requires a passphrase, and I'm scared about what happens if your CA key gets out.

[Jeremy] That's a really good question. Those offline keys you can deal with, because you can put them in a safe and put the passphrase in a password manager or something. But the automated one, how do you deal with that? One of the reasons why Lambda is quite good for this, and Amazon in particular, is you're kind of exploiting some of the services Amazon's offering in a way they're not really charging you for, so it's pretty cheap. What you can do is create a key in Amazon's KMS, the Key Management Service, and they've just released support for asymmetric key signing. So Amazon actually has the private key; I don't really have it. When the request comes in for the Lambda, the Lambda just asks KMS, hey, can you sign this bit? And KMS comes back and goes, here's your signature. So really the Lambda doesn't have the private key. The Lambda can sign certificates, but you're going to get a log in your CloudTrail logs: oh, it was invoked here and invoked here and invoked here. If someone compromises your Lambda function it's still kind of bad, because they can still sign certificates, because your Lambda function has permission to call the service, but it's better than someone running away with your private key, because then at any time afterwards they could sign a new certificate. I've implemented that. If you go to these two repos, they don't really exist yet; I saw someone had a six-hour-old commit on their slides, and mine are like unstaged commits. I'm going to share it all, so if you want to look at how that works, it's a Go Lambda and you're welcome to. If you're looking, shrimp-lambda might change its name to barbie, and that's just brilliant. Yeah, thank you.

[Audience] Have you thought about getting a prawn cocktail joke in there as well?

[Jeremy] Oh yeah. I've been talking about silly joke ideas with Scott this whole conference, like what should we name it. Someone mentioned shuttle, but that's taken; that's a jump host thing. Prawn cocktail, yes. If you've got one, come and talk to me. I love dad jokes, I love puns, it'll just make me very happy.

[Audience] Maybe it's a dumb question, but you said it's pure OpenSSH, but then there's the agent. How do you get the agents to interact with each other?

[Jeremy] Go has, in their x/crypto library, it's not really part of the core library, it's the x ones, a really good agent implementation; they actually implement the agent protocol. So instead of talking to your regular ssh-agent, you can change the socket to talk to your shrimp SSH agent, and the SSH client will think it's talking to the correct agent. You could also proxy the agent, so that instead of keeping the private key in your shrimp agent, you could just sign the cert and then pass it off to the actual agent, so you kind of man-in-the-middle the agent if you want. But it literally just implements the agent protocol. Let's see if I can show you. In this config file you can have IdentityFile, which is your private key, but you can also have IdentityAgent, so this is overriding the socket location; normally it would be something like the /var/tmp ssh-agent socket, but you can override it. So you could actually have a per-host shrimp agent; you could have as many of them running as you like, maybe one for work and one for personal, so that the work agent doesn't have your personal identities in it. You can just have them here in your config file. Thanks.

[Audience] Apart from the expiry, how do you handle revocations?

[Jeremy] Good question. You can create a revocation list, an SSH certificate revocation list; ssh-keygen has that functionality, and you can then put the revocation list onto the hosts if you want. In your sshd_config file you can say, here's the list of revoked keys. You can also do it on a per-key basis on the server as well, so if you do just the public key that you didn't want to accept, you
can put that in a file but that if you have them only lasting for an hour that's at least something so you'd so you know that they've expired so the you know maybe half the time you don't need to revoke people certificates and you don't need to do it on it's like an emergency basis and then you might sit up some scripts to do that because then you would be like I'm gonna across my whole fleet revoke um you know this certificate so you would then maybe use ansible or something to do that alright sorry if I missed this have you come across or do you have any other suggestions for how to bootstrap the signing of the host key generate create a new host how do you get the host key signed by the see a good question I think it depends a bit on your environment I know Amazon has like a metadata service so if you launch your instance it's basically like an HTTP server you can ask for information about like what server this is and in that metadata service among other things you can get a sign token by Amazon that says this is the server name it's also a JWT I think so you could you could if you wanted any any of your Amazon hosts they were in your Amazon infrastructure to get a host key they could use that JWT pass it to the lambda and then do that way the host keys different to the user key so there's actually a flag that says it's a host key so you could comment be quite liberal and give them out and you could say you know any host like I can list the list of indication but you're gonna maybe reduce the validity of like hey there's a man in the middle because like if someone can sign their own certificate then you know it doesn't mean that they can take over there didn't even of the server but at least it's gonna trust someone's going to trust it there's a good I don't know the answer to that so it's a small step got crew we're doing just that with the Amazon identity and I think Google cloud has something very similar so we're trying to say oh what kind of server am i on 
you could also do it at like at image creation time so if you have a script that like when you when your instance gets deployed because those certificates can be can be a lot lot longer lived those ones could be like ten years or five years or one year or something so that you just do it a one-time thing maybe it's the script that deploys it has permission to like go and grab the public sign it or something crowd in it okay yeah cool yeah be a bit annoying to do like different environments so you have to have like different things for but that's one of the advantage of certificates is if you were running like something on-premise and something the cloud and something on Google compute they could all use the same authentication mechanism is there any way in your auth the authority to limit the lifetime of the talking so that you can force the browser to do the OAuth dance like maybe everyday or something like that yeah that's a good question so I think it depends on the identity provider a lot you can sometimes ask that inter provider to real indicate you on every request so that you could put a you basically put a flag and the request when you just a euro auth and flow and then these Google would then real indicate you with a password and MFA for example but then it would put hey wery authenticated into the into the JWT the day which is usually only lasts for one hour that you get back from most identity providers but you can also get back a refresh token so the work would happen is your client would save the refresh token and then perpetually go and get another identity token with the refresh token so your users actually don't know they just like you install it once and it just works and then forever on they have SH access but actually behind the scenes every hour it's going and getting another identity token if you need it only when you need it because it's in the agent so it does if you'd like to see that so we can do it with this there's this agent oh geez so 
shrimp setup in my host file to use that identity and now on the screen I have this it's go back that's cause it's like fullscreen or something so it's like now come up with like choose your account so then you would like sign in and then that one after real 'this is annoying it's a good work yeah you could yep so I think Google has like depending on how you or your organization setup you can trust a device for example and then the first time you're using that browser it'll ask you for FA and then from in onwards it's kind of like well we've got something in your cookie or something that's yeah but it depends all that's like in your elms register file and you can do some really cool stuff like I'd like to have it so that when if you do sudo then you need MFA so you it's kind of a nice way to say you can sudo for an hour now but we know that you had MFA when you got that certificate with sudo in the principle list we have time for one more question when you're talking about the backup keys can you configure the main CA certificate so such that these backup keys are only allowed to you sign in a certain way so they can only sign things that last have an expiry if one day or one hour to sort of avoid someone taking it without you noticing running away because you didn't audit it very well not as far as I know so they're just as just as valid as the C all you do is put the public key on your server and it's the up to the client to decide when you sign it with a private key how Belet how long it smelled for what are the permitted extensions and things but you could I think you can do it on a per user basis on the host so you could create a backup user and only allow the backup keys to connect to that backup user and even if it was signed for another user I think it just wouldn't accept it at that point so maybe that way you could have some increased vloging around someone using it or maybe you could like like record the session or something Thank You Jeremy big round of 
applause
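Everything the talk leans on (a user certificate valid for one hour, a principal list that can carry "sudo", the flag distinguishing host from user certificates, the force command that runs the slides, and revocation) lives in the certificate body, so here is an added example, not code from the talk or from shrimp, that encodes that body as OpenSSH's PROTOCOL.certkeys lays it out and applies the sshd-side acceptance checks. The nonce, key and signature bytes and the /opt/slides.py path are constructed placeholders, and verification of the CA signature itself is left out.

```python
import struct
# Added example, not code from the talk: encode/decode the OpenSSH certificate body
# (PROTOCOL.certkeys) and apply the sshd-side checks the talk relies on. Nonce, key
# and signature bytes are placeholders; CA signature verification is omitted.
USER_CERT, HOST_CERT = 1, 2  # values of the certificate "type" field

def ssh_string(b: bytes) -> bytes:  # RFC 4251 string: uint32 length, then bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(pk, serial, cert_type, key_id, principals, after, before, critical, extensions):
    return (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\x00" * 32)
            + ssh_string(pk) + struct.pack(">QI", serial, cert_type) + ssh_string(key_id.encode())
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", after, before) + ssh_string(critical) + ssh_string(extensions)
            + ssh_string(b"") + ssh_string(b"ca-key-placeholder") + ssh_string(b"sig-placeholder"))

def parse_cert(blob: bytes) -> dict:
    c, off = {}, 0
    for f in ("name", "nonce", "pk"):
        c[f], off = read_string(blob, off)
    c["serial"], c["type"] = struct.unpack_from(">QI", blob, off); off += 12
    c["key_id"], off = read_string(blob, off)
    plist, off = read_string(blob, off)
    c["principals"], p = [], 0
    while p < len(plist):  # principals are a packed sequence of strings
        name, p = read_string(plist, p); c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off); off += 16
    c["critical"], off = read_string(blob, off)    # e.g. force-command, source-address
    c["extensions"], off = read_string(blob, off)  # e.g. permit-pty
    return c

def authorize(blob: bytes, login: str, now: int, revoked: set) -> str:
    c = parse_cert(blob)  # returns "ok" or the first failing check
    for failed, reason in ((c["type"] != USER_CERT, "not a user certificate"),
                           (c["serial"] in revoked, "serial revoked"),
                           (not c["valid_after"] <= now < c["valid_before"], "expired or not yet valid"),
                           (login not in c["principals"], "principal not permitted")):
        if failed:
            return reason
    return "ok"

# constructed sample: one-hour user cert, principals include "sudo", force-command option
NOW = 1579150800
FORCE_CMD = ssh_string(b"force-command") + ssh_string(ssh_string(b"/opt/slides.py"))
SAMPLE = build_cert(b"\x01" * 32, 42, USER_CERT, "jeremy@lca2020", ["jeremy", "sudo"],
                    NOW, NOW + 3600, FORCE_CMD, ssh_string(b"permit-pty") + ssh_string(b""))
```

A revoked serial is what a KRL built with ssh-keygen would carry; the critical-options blob is where a force command is stored, as name followed by string(string(command)).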
Info
Channel: linux.conf.au
Views: 10,989
Rating: 4.9713264 out of 5
Keywords: lca, lca2020, #linux.conf.au#linux#foss#opensource, JeremyStott
Id: lYzklWPTbsQ
Length: 45min 18sec (2718 seconds)
Published: Thu Jan 16 2020