- Meet Requirements? - Security - Software - Network …etc The Need for SSH - Real Server / IaaS / VPS - High Customizability IF NOT… The Need for SSH Still Remains…
Periodic Key Update - Too Costly… - Set Passphrase to Priv - Enough Strength? System supervisors expects Users to - Manage Keys Securely - Set Strong Passphrase Depends each user’s belief that Fundamentally good Server Login Needs Fine-grained Authz ü Introduce Expiry ü Minimize Permissions When Who Where
grep cert | ssh-keygen -L -f (stdin):1: Type: [email protected] user certificate Public key: ECDSA-CERT SHA256:eG0Sf9jAnTwYasZEh4e/s… Signing CA: ECDSA SHA256:+urvAARQYdVf62qIa2e…. (using ecdsa-sha2-nistp256) Key ID: [email protected], isEmg=false Serial: 12760075762236271585 Valid: from 2022-10-31T12:00:00 to 2022-10-31T14:00:00 Principals: alice Critical Options: (none) Extensions: permit-X11-forwarding permit-agent-forwarding When Who Where Expiry Should be set necessity minimum
server-A server-B server-A server-B CA CA alice:prod bob:prod alice:prod mary:prod prod user x single server user x server group alice:serverA alice:prod
Users needs to execute any command for deploy, operation and other investigate - Must pay careful attention - Needs managers Reviews - Who - When - Where - Work plan details
by In-house Tools - Support OIDC Approval WF System - Provide util to create application forms - Customize Approval workflow - Hook Utility - triggered by approval action Existing Infra Secure Server Operation - Manage all YJ In-house servers - Configure each server’s properties - Account - Login shell - SSH public keys - sudoers … etc
Approval WF SRC USER DEST SERVER SUPERIOR # CA validation ᐅ step ssh login User Identity info ᐅ ssh-add -L | grep cert | ssh-keygen -L -f Type: ecdsa-sha2-nistp256-cert-v01@... … Valid: from 2022-10-31T14:00 to 2022-10-31T15:00 Principals: alice:secureB Extract Application info
Account (NOT human) - SRC User only needs to execute a deploy command with dedicated permission - Must pay careful attention - Minimize exec permission for The Application Account - Restrict deployment permissions on each CD Pipeline - Certain pipeline can only deploy to certain servers > Address by sudoers setting with Server Manage System > Address with SSHCA
to Auth OIDC (Use In-house IdP) X509 ClientAuth How to set Cert Properties User Application (Use In-house Approval WF) PipelineID (Use In-house CICDTool)
authenticity of host ‘yahoo.co.jp' can't be established. RSA key fingerprint is SHA256:3bf8MTEIsyc... Are you sure you want to continue connecting (yes/no)? $ ssh yahoo.co.jp @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ... Offending ECDSA key in ~/.ssh/known_hosts:18 ... $ ssh -o 'StrictHostKeyChecking no’ yahoo.co.jp More Meaningful and comfortable
- Eliminate PrivateKey Managements Cost # System supervisors - Eliminate Considerations about PrivateKey Managements by Developers / Operators # YJ Customers - More safe to use YJ Services