Slide 1

Slide 1 text

I YK4 and So Can You Securing Dev/Ops with Hardware-Backed Keys

Slide 2

Slide 2 text

Hardware-Backed Keys? Vs.

Slide 3

Slide 3 text

What's the difference between... Vs.

Slide 4

Slide 4 text

Hardware-Backed Keys

Keys stored on specialized, trusted hardware that:
● Can perform crypto operations (decrypt / sign data) with the keys, but
● Will resist all attempts to retrieve the keys themselves

Slide 5

Slide 5 text

Project 1: Bastion Host Hardening

Slide 6

Slide 6 text

Production Systems Bastion Host Ops Team

Slide 7

Slide 7 text

Review: SSH Keys

    user@client:~$ ssh-keygen -f ./id_foo -t rsa -b 2048
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in ./id_foo.
    Your public key has been saved in ./id_foo.pub.
    The key fingerprint is:
    SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost
    ...

Slide 8

Slide 8 text

Review: SSH Keys

    user@server:~$ cat >> ~/.ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHrlOXRWYZJI7RHcfGbOvaFc5/6u+LDfv/0gpfvtv5
    qX5Vjyb4S6DaBFG3DamVa5XGuX5D/Xqq6YxkhMMDYkav1zAgnThg8jHkKTrDw0m1WcqhIpTTkEBMIGIO
    Fk3ehyrsagGsPqAK/52MVs7IaTtTB6pNSPVQNBzjypcpkI+7MQsKNLwUUHcMoD42E52xR/DVNy2tgYaE
    AI/7CufZc2ViYBzqipiEazoARc4JzYA//umhWWSL9ZyMUj3Q3rsl2SEHwM9UBLxjvQXDTUUzYdlFd/JR
    F94DFbKaWBOqd4C4hfAMUIBT+nitj/d1/DD3asVjtCroqrZIQnQgNOvXLuyR foo@localhost

Slide 9

Slide 9 text

Review: SSH Keys

    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

Slide 14

Slide 14 text

SSHv2 Protocol - Pubkey Signature

The value of 'signature' is a signature by the corresponding private key over the following data, in the following order:

    string    session identifier
    byte      SSH_MSG_USERAUTH_REQUEST
    string    user name
    string    service name
    string    "publickey"
    boolean   TRUE
    string    public key algorithm name
    string    public key to be used for authentication

Slide 15

Slide 15 text

ssh-agent

    user@client:~$ eval $(ssh-agent)
    Agent pid 10610
    user@client:~$ ssh-add id_rsa
    Enter passphrase for id_rsa:
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I id_foo (RSA)
    user@client:~$ ssh some_server
    ...

Slide 16

Slide 16 text

ssh-agent

[Diagram labels: ssh, ssh-agent, unix socket, sshd, Server, Client]

ssh → agent: gimme your pubkeys
agent → ssh: ...
ssh → agent: sign this data with
agent → ssh:
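
The signed-data layout from the "SSHv2 Protocol - Pubkey Signature" slide and the "sign this data" request from the ssh-agent slide, as an added example that is not from the original talk: it builds the blob, wraps it in an agent sign request, and decodes it the way an agent could before using the key. The message numbers are those of RFC 4252 and the OpenSSH agent protocol; the key blob, session identifier and user name are constructed sample values.

```python
import struct

USERAUTH_REQUEST = b"\x32"     # SSH_MSG_USERAUTH_REQUEST (50), RFC 4252
AGENTC_SIGN_REQUEST = b"\x0d"  # SSH_AGENTC_SIGN_REQUEST (13), agent protocol

def ssh_string(b):
    return struct.pack(">I", len(b)) + b    # uint32 length, then the bytes

def read_string(buf, off):
    """Read one SSH string at off; reject lengths that run past the buffer."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated")
    return buf[off + 4:end], end

def userauth_signed_data(session_id, user, service, alg, key_blob):
    """The slide's fields, in order: this is the data the private key signs."""
    return (ssh_string(session_id) + USERAUTH_REQUEST + ssh_string(user)
            + ssh_string(service) + ssh_string(b"publickey") + b"\x01"
            + ssh_string(alg) + ssh_string(key_blob))

def agent_sign_request(key_blob, data):
    """ssh -> agent frame: key blob, data to sign, uint32 flags (0 here)."""
    return ssh_string(AGENTC_SIGN_REQUEST + ssh_string(key_blob)
                      + ssh_string(data) + struct.pack(">I", 0))

def describe_sign_request(frame):
    """Agent-side view: decode what it is being asked to sign, and for whom."""
    body, end = read_string(frame, 0)
    if end != len(frame) or body[:1] != AGENTC_SIGN_REQUEST:
        raise ValueError("not a single sign request")
    key_blob, off = read_string(body, 1)
    data, _ = read_string(body, off)
    session_id, p = read_string(data, 0)
    msg = data[p:p + 1]
    user, p = read_string(data, p + 1)
    service, p = read_string(data, p)
    method, p = read_string(data, p)
    flag = data[p:p + 1]
    alg, p = read_string(data, p + 1)
    signed_key, p = read_string(data, p)
    if (msg, method, flag) != (USERAUTH_REQUEST, b"publickey", b"\x01") or p != len(data):
        raise ValueError("data is not a publickey userauth request")
    return {"user": user.decode(), "service": service.decode(), "alg": alg.decode(),
            "session_id": session_id.hex(), "key_matches": signed_key == key_blob}

# Constructed sample values: a toy key blob and session identifier, not real ones.
KEY = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc7" + b"\x11" * 8)
SID = bytes(range(32))
```

Because the session identifier is the first signed field, the same user and key yield a different blob for every connection, so a signature obtained for one session cannot be replayed in another.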

Slide 17

Slide 17 text

ssh-agent + pkcs#11

[Diagram labels: ssh, ssh-agent, unix socket, sshd, Server, Client, opensc-pkcs11.so, epass2003, Hardware Keystore]

Slide 18

Slide 18 text

epass2003

Slide 19

Slide 19 text

Rube-Goldberg Machine

[Diagram labels: pcscd, libccid, opensc-pkcs11.so, ssh-agent, epass2003]

Slide 20

Slide 20 text

Card? Reader?

Slide 21

Slide 21 text

Production Systems Bastion Host Ops Team epass2003

Slide 22

Slide 22 text

So, in practice, something like...

    user@client:~$ sudo yum install opensc pcsc-lite-ccid pcsc-lite
    ...
    user@client:~$ eval $(ssh-agent)
    Agent pid 10610
    user@client:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so
    Enter passphrase for PKCS#11:
    Card added: /usr/lib/pkcs11/opensc-pkcs11.so
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /usr/lib/pkcs11/opensc-pkcs11.so (RSA)

Slide 23

Slide 23 text

Problem: Exclusivity

Problem: Only one process can talk to the epass2003 at a time
Solution: Share one ssh-agent process across all authorized users on the system!
...
Problem: ssh-agent doesn't like that
Solution: scary hax!

Slide 24

Slide 24 text

Scary Hax $ diff -u openssh-6.2p1-orig/ssh-agent.c openssh-6.2p1/ssh-agent.c --- openssh-6.2p1-orig/ssh-agent.c 2011-06-03 00:14:16.000000000 -0400 +++ openssh-6.2p1/ssh-agent.c 2013-04-04 14:58:34.364412927 -0400 @@ -1022,13 +1022,14 @@ close(sock); break; } - if ((euid != 0) && (getuid() != euid)) { - error("uid mismatch: " - "peer euid %u != uid %u", - (u_int) euid, (u_int) getuid()); - close(sock); - break; - } +// CRAZY @akgood HACKS SO EVERYONE CAN SHARE ONE SSH-AGENT + //if ((euid != 0) && (getuid() != euid)) { + // error("uid mismatch: " + // "peer euid %u != uid %u",
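
Review bot: Commenting out the `(euid != 0) && (getuid() != euid)` test at line 1022 of ssh-agent.c removes the peer-euid check entirely, so every local account that can open the agent socket can request signatures from the shared token, and access control rests on the socket's file permissions alone. Rather than deleting the check, compare the peer euid against an explicit list of authorized uids (or membership of a dedicated group) and keep the `error(...)` / `close(sock)` / `break` path for everyone else, so rejected peers are still logged. The `//`-commented block would be better removed than left in place, with the reason for the change recorded in the commit message.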

Slide 25

Slide 25 text

Securing Dev/Ops with Hardware-Backed Keys

Slide 26

Slide 26 text

Production Systems Bastion Host Ops Team epass2003

Slide 27

Slide 27 text

Top two failures causing data breaches
95%
75%
Source: Verizon 2015 Data Breach Investigations Report

Slide 28

Slide 28 text

Along Comes Yubico...

Slide 29

Slide 29 text

Project 2: Hardware-Backed Keys for Everyone!

Slide 31

Slide 31 text

"Applets"

Slide 32

Slide 32 text

PIV is dead...

Slide 33

Slide 33 text

... long live PIV!

Slide 34

Slide 34 text

PIV is Complicated

● 3 different access-control mechanisms
  ○ PIN
  ○ PUK
  ○ Management Key
● 4 key slots
  ○ Slot 9a: PIV Authentication
  ○ Slot 9c: Digital Signature
  ○ Slot 9d: Key Management
  ○ Slot 9e: Card Authentication
● Configurable policy
  ○ PIN / PUK retries
  ○ pin policy
  ○ touch policy (yk4-specific)

Slide 35

Slide 35 text

Touch Policy

Problem: Even if malware can't steal your SSH key, it still could ask the YK4 to sign things!
Mitigation: YK4s can be configured to require a physical tap for every single crypto operation.

Slide 36

Slide 36 text

PIV Access Control

Slide 37

Slide 37 text

Provisioning PIV at Duo:

● Disable the PUK
● Generate random PIN (8 chars, alphanumeric)
● Set pin-retries=5
● Generate 2048-bit key in slot 9a + self-signed certificate
● "touch-policy=always"

Slide 38

Slide 38 text

Basic Usage (OS X)

    user@client:~$ ssh-add -s /opt/yubico-piv-tool/lib/libykcs11.dylib
    Enter passphrase for PKCS#11:
    Card added: /opt/yubico-piv-tool/lib/libykcs11.dylib
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /opt/yubico-piv-tool/lib/libykcs11.dylib (RSA)

Slide 39

Slide 39 text

Multiple YK4 taps

Problem: Some source-control operations require multiple SSH connections.
Solution: ControlMaster!

    Host svn.whatever.org git.whatever.org
        ControlMaster auto
        ControlPath ~/.ssh/cm_socket_%r@%h:%p
        ControlPersist 1m

Slide 40

Slide 40 text

Sleep / Wake on OS X

Problem: YK4 PIV applet drops your PIN-auth when your laptop goes to sleep
Solution: I hacked up some ObjC code to listen for "wake" events and nudge the ssh-agent back into functioning properly:
https://github.com/duosecurity/ykpiv-ssh-agent-helper

Slide 41

Slide 41 text

ChromeOS

Slide 42

Slide 42 text

ChromeOS Secure Shell

Slide 43

Slide 43 text

ChromeOS SSH Agent

Slide 44

Slide 44 text

ChromeOS Smart Cards

Slide 45

Slide 45 text

Out-MacGyver'ing "MacGyver"

Problem: chrome.certificateProvider extensions can do everything we need, but other extensions aren't allowed to call their API.
Solution: Shove the 'MacGyver' ssh-agent code into one of the chrome.certificateProvider smartcard middleware extensions itself!
https://github.com/duosecurity/chromeos-ssh-smartcard-hack

Slide 46

Slide 46 text

Possibilities that excite me

● SSH CA
  ○ See e.g. https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
● YK4 "Attestation"
  ○ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

Slide 47

Slide 47 text

A note about U2F

Hardware-Backed Keys for the Web!
Really nice protocol overview here: https://developers.yubico.com/U2F/Protocol_details/Overview.html

Slide 48

Slide 48 text

Would you like to know more?

akgood@duosecurity.com
@akgood