How Netflix Gives All Its Engineers SSH Access To Instances Running In Production Russell Lewis Product and Application Security Team 

Dangers Of A Stolen SSH Key • Insider stole funds • Changed all their keys • Rebuilt their whole infrastructure on a new cloud provider • Hacked again • Server logs had been wiped • One stolen SSH key enabled subsequent thefts, from an installed backdoor Shapeshift, a cryptocurrency exchange startup, was hacked three times in a month. http://bit.ly/1T23WJG 

Table of Contents 1. What Do We Need? 2. Industry Practices 3. The Netflix Approach 4. Detecting Undesirable SSH Usage 5. How Do We Issue SSH Certificates? 

SSH Key Management • Private keys can get lost, stolen, or shared • Replacing a key means updating all your servers • Can you easily update every server? • Do you have an up to date inventory of all enabled SSH keys in your organization? • How do you know if there isn’t a backdoor key? • Do you rely on SSH to update all of those servers? “Many organizations don't even know how many SSH keys they have configured to grant access to their information systems or who has copies of those keys” - NISTIR 7966 

How Can You Limit That Danger? 

What About Single Use SSH Keys? 

What If It Left Great Clues Behind? 

How Can We Protect Server Access? 

Is Anybody Doing This? Will their solution work for us? 

Freedom & Responsibility • Share information openly and proactively • Context, not control • You build it, you run it How can we work like a startup, but with all the responsibilities of a big company? 

So How Do We Secure Things? • Feature, not friction • Define secure defaults • Automated scanning • Secret management • Alerting and reports 

How Should We Secure SSH? 

1.What Do We Need? 2. Industry Practices 3. The Netflix Approach 4. Detecting Undesirable SSH Usage 5. How Do We Issue SSH Certificates? 

SSH Key Protection • How can you protect your private keys? • Hardware SSH Key Protection • How can you verify they are protected? 

Traditional Access Operator 2 App A Instances App B Instances App C Instances Operator 3 Operator 1 

Bastion Access Operator 2 Bastion App A Instances App B Instances App C Instances Operator 3 Operator 1 

1.What Do We Need? 2. Industry Practices 3. The Netflix Approach 4. Detecting Undesirable SSH Usage 5. How Do We Issue SSH Certificates? 

System Objective • Give developers freedom to access SSH • Gather context without friction • Scan for undesirable SSH usage 

Bastions • Choke point on the network • Simplify Authentication, using SSO • Log all activity • Users self manage Public Keys • One system to manage for server access tools 

2FA • Verify intended use • Second factor already provisioned • PAM modules for most 2FA solutions • Discourages undesirable automated workflows • SSH Multiplexing to reduce additional challenges 

SSHD Config • Secured by default SSHD config in BaseAMI • Out of the box, just works • Tooling in place to track deployed BaseAMIs 

What About Single Use SSH Keys? 

BLESS: Single Serving SSH Certificates 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc User or Host certificates 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc Control over what is logged by sshd 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc If you can issue an SSH Certificate for every SSH request, you only need the certificate to be valid during session authentication. Sessions stay established after the certificates expire. 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc Valid for a single target, no matter how you define that target. • Account • Application • Username • Instance • Define and Authorize as you see fit 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc Valid from a single host 

Type: [email protected] user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc Control what the SSH session can be used for 

SSH Certificate Authorities • Trust CAs with SSHD Configs • Deploy multiple trusted CAs • Leave some offline • Rotate Regularly • Emergency Preparedness 

Enable BLESS /etc/ssh/cas.pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… /etc/ssh/sshd_config : TrustedUserCAKeys /etc/ssh/cas.pub 

1.What Do We Need? 2. Industry Practices 3. The Netflix Approach 4. Detecting Undesirable SSH Usage 5. How Do We Issue SSH Certificates? 

What Is Undesirable SSH Usage? • Malicious • Dangerous • Avoidable 

Detecting Undesirable SSH Usage With as many instances as Netflix runs, administered by all its engineers, finding undesirable SSH sessions could feel like finding a needle in a haystack. 

Finding A Needle In A Haystack The Mythbusters tested the difficulty of this problem with two very different approaches. 

Shapeshift’s Approach • Had to act fast • Didn’t have tooling in place to help with the compromise • Tore down and rebuilt everything Discard the haystack, buy more hay. 

Burn It Down! • Simple, in theory • Destructive • Still have a searching problem Burn the haystack and search the remains. Does shutting off SSH access entirely work? 

Can We Sort The Good From The Bad? • Not overly complex • Built a machine for the searching problem • Use Our Data Pipeline Built a Machine to exploit the different densities of the hay and needles. 

What SSH Properties Can We Exploit? Start by understanding how your engineers use SSH. 

Security Intelligence And Response Team • Process SSH Certificate requests • Process SSH authentication attempts • Process SSH session logs • Reports and Alerts 

1.What Do We Need? 2. Industry Practices 3. The Netflix Approach 4. Detecting Undesirable SSH Usage 5. How Do We Issue SSH Certificates? 

Bastion's Lambda Ephemeral Ssh Service 

What is BLESS? • Python AWS Lambda Function • Constructs SSH Certificates • Signs SSH Certificates 

Why Lambda? • No circular dependencies on Netflix ecosystem • Easy to run in special purposed AWS account with the tightest controls • Separate account, separate rate limits • Bootstrap system with AWS KMS • Lambda Secured w/IAM instead of SSH key management • Audit-able • Alias let you manage deployments of new versions easily 

No content

No content

No content

No content

No content

No content

No content

SSD Auth.log May 19 14:30:00 host sshd[#####]: Accepted publickey for host_username from 192.168.1.1 port ##### ssh2: RSA-CERT ID request[########################### #########] for[developer_username] from[10.0.1.1] command[ssh [email protected]] ssh_key:[RSA 00:00:00:00:de:ad:be:ef00:00:00:00:de:ad:be :ef] ca: [arn:aws:lambda:region:account#:function:na me] valid_to[YYY/MM/DD HH:MM:SS] (serial 0) CA RSA 8b:ad:f0:0d: 00:00:00:00:00:00:00:00:8b:ad:f0:0d May 19 14:30:00 host sshd[#####]: Accepted publickey for host_username from 192.168.1.1 port ##### ssh2: RSA de:ad:be:ef: 00:00:00:00:00:00:00:00:de:ad:be:ef 

No content

Would This Have Helped Shapeshift? • 2FA on the Bastion • Audit Logs locked away • Key Rotations all the way down 

Go Use SSH Certificates! https://github.com/Netflix/bless 

Questions? RussellL@netflix.com