Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Login mit signierten ssh-Schlüsseln

fraosug
November 17, 2020
Technology
0
23

Login mit signierten ssh-Schlüsseln

Login mit signierten SSH Schlüsseln, Vortrag von Christopher J. Ruwe beim 88. Fraosug-Treffen.

fraosug

November 17, 2020
Tweet

More Decks by fraosug

See All by fraosug
Zeit, Schaltsekunden, Neujahr und ntp, Vortrag von Erwin Hoffmann
fraosug
0
35
Virtual Datacenter Cloud Framework
fraosug
0
94
pkgsrc bulk-builds für illumos SmartOS
fraosug
0
60
cloud-init mit SmartOS
fraosug
0
130
(Private) Cloud auf SmartOS
fraosug
0
110
Single Sign-On und User Self Service für den Hausgebrauch
fraosug
0
82
Do-it-yourself Kalender aus der Unix-Toolbox, Vortrag von Klaus-Dieter Ost
fraosug
0
140
What is new in TLS 1.3
fraosug
1
120
Qlibs und seine buckligen Verwandten
fraosug
0
180

Other Decks in Technology

See All in Technology
ZOZOTOWNの検索APIにキャッシュを導入、実装時の工夫や効果について
sattosan
0
290
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
3
780
自分のデータは自分で守る - あなたのCI/CDパイプラインをセキュアにする処方箋
jacopen
4
460
Federated Learning 連合学習
regonn
1
490
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
250
Zennを支える Google Cloud の技術
wadayusuke
0
100
Oracle Container Engine for Kubernetes (OKE) ご紹介 / oke-overview
oracle4engineer
PRO
1
980
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
270
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
4
1.4k
[CI/CD2023]OSSで構築するOpenAPI開発のCI/CD
xibuka
2
260
テスト技法を使ったテストケースの表現方法/How to express test cases using test techniques
shimashima35
0
280
stdClassって一体何者なんだ?!/Who the hell is stdClass?
daina0321
0
260

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
A designer walks into a library…
pauljervisheath
199
16k
Designing on Purpose - Digital PM Summit 2013
jponch
108
5.9k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
How to Ace a Technical Interview
jacobian
270
22k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
Visualization
eitanlees
129
12k
Git: the NoSQL Database
bkeepers
PRO
419
60k
We Have a Design System, Now What?
morganepeng
37
6k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k

Transcript

  1. Login mit signierten ssh-
    Schlüsseln
    Christopher J. Ruwe
    Cyberiada GmbH

    View Slide

  2. Problem

    ohne großen Aufwand sollen Personen zum Login
    auf eine (große) Menge an Hosts berechtigt werden

    Rechte sollen einfach und schnell entzogen werden
    können

    es soll keine aufwendige Authn/Authz-Infra
    (AD/krb) gepflegt werden

    View Slide

  3. Lösungs-Angebot

    View Slide

  4. Lösungs-Angebot
    Type: [email protected] user certificate
    Public key: RSA-CERT SHA256:tJYvjQig65sxMxlcoH9MJyboWu2Gru092ORNfh1XhNs
    Signing CA: RSA SHA256:tZIipsTz7DJE6kGbESP5d+sNvgryqK3fWPiIrDvzhFk (using rsa-sha2-256)
    Key ID: "[email protected]"
    Serial: 16626502850102714285
    Valid: from 2020-11-14T17:41:51 to 2020-12-16T17:42:21
    Principals:
    hal9000
    Critical Options: (none)
    Extensions:
    permit-X11-forwarding
    permit-agent-forwarding
    permit-port-forwarding
    permit-pty
    permit-user-rc

    View Slide

  5. wie hilft das?

    Schlüssel-Signatur nur gegegen Token von
    zentralem authn/authz Mechanismus

    Gültigkeit kurz

    Schlüssel ungültig heißt Login-Rechte weg

    View Slide

  6. wie läuft das?

    keine persönlichen Nutzer mehr

    nur noch Funktionsnutzer mit entsprechenden
    Rechten

    Zuordnung über Audit-Logs

    View Slide

  7. Mechanismus

    Nutzer-Datenbank entweder direkt oder federated
    in Keycloak

    dort Pflege von Gruppen-Zuordnung

    Übermittlung im OIDC-Token

    View Slide

  8. Identität und Rechte-Verwaltung

    View Slide

  9. Token-Mapping

    View Slide

  10. Verfahren
    OIDC "Login" / Keycloak
    Host Admin
    Host Admin
    User Agent
    (Shell)
    User Agent
    (Shell)
    User Agent
    (Browser)
    User Agent
    (Browser)
    Vault
    (Relying Party)
    Vault
    (Relying Party)
    OpenID Provider
    OpenID Provider
    Host
    Host
    Start Code Flow & Authenticate Against IdP (In-Browser)
    1 Access Vault Login
    2 Login Dialogue
    3 Login Params
    4 Redirect & Params
    5 Access IdP Login
    6 Login Dialogue
    7 Authenticate at Authorization Endpoint
    8 Validate
    9 Auth Code & Redirect
    Sign SSH Keys
    Page 1 of 5

    View Slide

  11. Gruppen-Zuordnung

    View Slide

  12. Rechte-Vergabe per Policy

    View Slide

  13. Transport per OIDC

    View Slide

  14. Transport Authentication & UserInfo to Vault
    Host Admin
    Host Admin
    User Agent
    (Shell)
    User Agent
    (Shell)
    User Agent
    (Browser)
    User Agent
    (Browser)
    Vault
    (Relying Party)
    Vault
    (Relying Party)
    OpenID Provider
    OpenID Provider
    Host
    Host
    10 Auth Code
    11 Auth Code to Token Endpoint
    12 Validate
    13 {ID, Access, Refresh} Token
    14 Validate ID
    15 Validate Access
    loop [Refresh Access Token]
    16 Refresh Token
    17 Access Token
    Query UserInfo and Map Permissions
    18 Request from Userinfo Endpoint)
    19 Validate Access
    20 Additional Claims (Group Membership!)
    21 Map Group ~> Policy (Vault Permissions on Secrets Engines)
    loop [Until Access Token Expires]
    22 Convert OIDC Access Token to Vault Token
    23 Vault Token
    Sign SSH Keys
    Page 2 of 5

    View Slide

  15. Use Vault Token
    Host Admin
    Host Admin
    User Agent
    (Shell)
    User Agent
    (Shell)
    User Agent
    (Browser)
    User Agent
    (Browser)
    Vault
    (Relying Party)
    Vault
    (Relying Party)
    OpenID Provider
    OpenID Provider
    Host
    Host
    Vault Token From Browser to Shell
    alt [curl]
    24 c&p Token to ENV
    [`curl -H 'X-Vault-Token: $(vault print token)`]
    25
    [`vault` (the binary)]
    26 vault login (c&p Token)
    27 Validate
    28 Sign Key
    29 (Saved Login)
    Key Signing Possible Until Vault Token Expires
    Sign SSH Keys
    Page 3 of 5

    View Slide

  16. How to Sign Keys
    Host Admin
    Host Admin
    User Agent
    (Shell)
    User Agent
    (Shell)
    User Agent
    (Browser)
    User Agent
    (Browser)
    Vault
    (Relying Party)
    Vault
    (Relying Party)
    OpenID Provider
    OpenID Provider
    Host
    Host
    "Sign Public Key"
    alt [curl]
    30 -H 'X-Vault-Token: ...' -XPOST -d @public_key -o signed.pub
    31 Validate
    32 Sign Key
    33 200 Content-Type: application/json '{...}'
    [`vault` (the binary)]
    no separate action
    Sign SSH Keys
    Page 4 of 5

    View Slide

  17. Rechte-Übersetzung per Rolle

    View Slide

  18. Signatur eines Schlüssels
    {
    curl \
    -X PUT \
    -H "X-Vault-Request: true" \
    -H "X-Vault-Token: $(vault print token)" \
    [email protected] \
    http://192.168.99.67:8200/v1/fraosug-demo/sign/host-admins-ssh \
    <{
    "cert_type":"user",
    "extensions": {
    "permit-X11-forwarding":"",
    "permit-agent-forwarding":"",
    "permit-port-forwarding":"",
    "permit-pty":"",
    "permit-user-rc":""
    },
    "public_key":"$(cat /home/cjr/media/src/50-edu/50-talks/201117-cjr--fraosug-ssh/doc/fraosug.pub)",
    "valid_principals":"hal9000"
    }
    EOT
    } | jq \
    -r '.data.signed_key' \
    | ssh-keygen -f - -L

    View Slide

  19. Login
    ssh \
    -i .../fraosug \
    -oCertificateFile=.../fraosug-signed.pub \
    [email protected]
    vault ssh \
    -mode=ca \
    -mount-point=fraosug-demo \
    -role=host-admins-ssh \
    [email protected]

    View Slide

  20. Audit-Trail (1)
    Nov 14 17:12:37 moon sshd[5716]: Postponed publickey for hal9000 from
    192.168.99.1 port 40154 ssh2 [preauth]
    Nov 14 17:12:37 moon sshd[5716]: Accepted publickey for hal9000 from
    192.168.99.1 port 40154 ssh2: RSA-CERT
    SHA256:TGvFsbj58aEX1hP3RMSUT/7t4y5lorasgfr9xhLYZwg ID vault-oidc-
    [email protected]81fafdc612d86708
    (serial 6705468412955462474) CA RSA
    SHA256:rW3eVJ1WXeCc/rou0g3MXIJXHlOYcJdf10/nYDWX250
    Nov 14 17:12:37 moon sshd[5716]: pam_unix(sshd:session): session opened for user
    hal9000 by (uid=0)
    Nov 14 17:12:37 moon systemd-logind[706]: New session 31 of user hal9000.

    View Slide

  21. Audit-Trail (2)
    type=USER_LOGIN msg=audit(1605373958.051:430): pid=5716 uid=0 auid=1000 ses=31
    msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.99.1
    addr=192.168.99.1 terminal=/dev/pts/1 res=success'
    type=USER_ACCT msg=audit(1605374084.981:439): pid=5827 uid=1000 auid=1000 ses=31
    msg='op=PAM:accounting grantors=pam_permit acct="hal9000" exe="/usr/bin/sudo"
    hostname=? addr=? terminal=/dev/pts/1 res=success'
    type=USER_CMD msg=audit(1605374084.981:440): pid=5827 uid=1000 auid=1000 ses=31
    msg='cwd="/home/hal9000" cmd="ls" terminal=pts/1 res=success'
    type=CRED_REFR msg=audit(1605374084.981:441): pid=5827 uid=0 auid=1000 ses=31
    msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo"
    hostname=? addr=? terminal=/dev/pts/1 res=success'

    View Slide

  22. Logging in to Hosts
    Host Admin
    Host Admin
    User Agent
    (Shell)
    User Agent
    (Shell)
    User Agent
    (Browser)
    User Agent
    (Browser)
    Vault
    (Relying Party)
    Vault
    (Relying Party)
    OpenID Provider
    OpenID Provider
    Host
    Host
    loop ["Login into Host"]
    alt [ssh]
    34 ssh -i private -oCertificateFile=public.signed [email protected]
    35 validate Signed CA
    36 validate Principal
    37 open session
    38 Log OIDC ID With Session
    [`vault` (the binary)]
    39 vault ssh host
    40 validate Signed CA
    41 validate Principal
    42 open session
    43 Log OIDC ID With Session
    Login Possible Until Signed PubKey Expires.
    Logged-In Session Does Not Expire Unless Explicitly Configured So.
    Sign SSH Keys
    Page 5 of 5

    View Slide

  23. Fallstricke

    es handelt sich beim signierten Schlüssel
    konzeptionell um ein Zertifikat, kein Token

    auch wenn das Zertifikat per `-i ...` übergeben
    werden kann, ist es kein neues Secret

    View Slide

  24. Exkurs: terraform

    API-Möhre

    recte: Erzeugung und Konfiguration von Ressourcen über
    eine API

    ursprünglich Cloud-Ressourcen, mittlerweile alles mögliche
    inkl. Pizza-Bestellung

    View Slide

  25. Exkurs: terraform
    terraform {
    required_providers {
    keycloak = {
    source = "mrparkers/keycloak"
    version = "2.0.0"
    }
    vault = {
    source = "hashicorp/vault"
    version = "2.15.0"
    }
    }
    backend "pg" {}
    }
    provider "keycloak" {
    client_id = "admin-cli"
    username = "terraform"
    password = "..."
    url = var.endpoint-keycloak
    }
    provider "vault" {
    address = var.endpoint-vault
    skip_tls_verify = true
    token = "...."
    }

    View Slide

  26. Exkurs: terraform
    {
    "version": 3,
    "serial": 1,
    "lineage": "4fc1a10d-9a41-e161-353a-06418f6d2f59",
    "backend": {
    "type": "pg",
    "config": {
    "conn_str": "postgres://terraform:[email protected]/terraform",
    "schema_name": null,
    "skip_schema_creation": null
    },
    "hash": 241288904
    },
    "modules": [ ]
    }

    View Slide