
SSHCA: Server Login that Achieves Both Security and Convenience by Using Certificates

Masaya Kontani (Yahoo! JAPAN / IT Service Design Division, System Management Group, Technology Group / Security Engineer)

https://tech-verse.me/ja/sessions/187
https://tech-verse.me/en/sessions/187
https://tech-verse.me/ko/sessions/187

Tech-Verse2022

November 17, 2022

Transcript

  1. About My Team
     I belong to Team VA (Versatile Authentication): PKI, SSHCA, IdP.
     (Diagram: USER / SERVICE / SERVER.)

  2. The Need for SSH
     - The current trend is containerize / serverless: simplify management.
     - Does it meet the requirements (security, software, network, etc.)?
     - If not: real server / IaaS / VPS, with high customizability.
     - The need for SSH still remains.

  3. Think about Server Login: Importance of Fine-grained Authz
     (Diagram: Src holds Priv; Pub is registered in authorized_keys on Dest.
     If Priv is leaked, the attacker logs in with the leaked Priv.)

  4. Think about Server Login: Importance of Fine-grained Authz
     Measures:
     - Periodic key update: too costly.
     - Set a passphrase on Priv: enough strength?
     System supervisors expect users to manage keys securely and set strong
     passphrases. This depends on each user's belief.
     Fundamentally, good server login needs fine-grained authz:
     ü Introduce expiry (When)
     ü Minimize permissions (Who, Where)

  5. SSH Authz based on Certs
     (Diagram: CA holds CAPriv / CAPub; user holds Priv / Pub; server holds
     CAPub. CA issues a cert that includes control info; user requests login
     with the cert.)

  6. Expiry (SSH Authz based on Certs): When / Who / Where
     ᐅ ssh-add -L | grep cert | ssh-keygen -L -f -
     (stdin):1:
         Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
         Public key: ECDSA-CERT SHA256:eG0Sf9jAnTwYasZEh4e/s…
         Signing CA: ECDSA SHA256:+urvAARQYdVf62qIa2e… (using ecdsa-sha2-nistp256)
         Key ID: "[email protected], isEmg=false"
         Serial: 12760075762236271585
         Valid: from 2022-10-31T12:00:00 to 2022-10-31T14:00:00
         Principals: alice
         Critical Options: (none)
         Extensions: permit-X11-forwarding permit-agent-forwarding
     Expiry should be set to the necessary minimum.

  7. Principal (SSH Authz based on Certs): When / Who / Where
     Same certificate listing as above; the Principals field (alice) decides
     who may log in where.
     (Diagram: alice, bob -> server-A; bob, mary -> server-B.)

  8. Principal (SSH Authz based on Certs)
     - user x single server: alice:serverA, bob:serverA, alice:serverB, mary:serverB
     - user x server group: alice:prod, bob:prod, mary:prod (server-A and
       server-B both belong to prod)
     (Diagram: CA issues alice:serverA or alice:prod.)

  9. Considerations for Apply (Apply to In-house)
     # System Requirements
     - Construct the process up to certificate issuance:
       - Where does the request come from?
       - How are request users authenticated?
       - What permissions should be set?

  10. Use Cases (Apply to In-house)
     - Secure Server Operation
       - Login user: human
       - Purpose: deploy, investigation, other operations
     - Deploy with CICD Tools
       - Login user: not human (application user)
       - Purpose: deploy

  11. Requirements (Secure Server Operation)
     - Access to sensitive components
     - Users need to execute any command for deploy, operation and other investigation
     - Must pay careful attention
     - Needs managers' reviews: who, when, where, work plan details

  12. Existing Infra (Secure Server Operation)
     - In-house IdP: used for user auth/authz by in-house tools; supports OIDC
     - Approval WF System: provides a utility to create application forms;
       customizable approval workflow; hook utility triggered by approval action
     - Server Management System: manages all YJ in-house servers; configures
       each server's properties (account, login shell, SSH public keys, sudoers, etc.)

  13. Practical Use of OSS (Secure Server Operation)
     # CA
     - Based on smallstep/certificates
     - Customized for in-house requirements
     - Compared SaaS / OSS / Scratch on DevCost, MoneyCost, Customizability,
       Vendor Dep, etc. -> OSS + Customize
     # Request User
     - Use CLI smallstep/step
     - Simplify cert request

  14. Destination Settings (Secure Server Operation)
     (Components: CA, Server Manage, In-house IdP, Approval WF, SRC USER, DEST
     SERVER, SUPERIOR. Servers SecureA and SecureB; accepted principals
     alice:secureA, bob:secureA, alice:secureB, bob:secureB.)

  15. Request Certs (Secure Server Operation)
     ᐅ step ssh login
     # CA validation: user identity info from the IdP; application info is
     extracted from the Approval WF.
     ᐅ ssh-add -L | grep cert | ssh-keygen -L -f -
         Type: ecdsa-sha2-nistp256-cert-v01@...
         …
         Valid: from 2022-10-31T14:00 to 2022-10-31T15:00
         Principals: alice:secureB

  16. Emergency Case (Secure Server Operation)
     Operation Center handles the emergency request and registers the info.
     Consider a fallback structure.

  17. Audit Logging (Secure Server Operation)
     (SOC Team and Operation Supporters. Emergency request: register info.
     Syslog is forwarded from DEST SERVER.)
     ᐅ ssh-add -L | grep cert | ssh-keygen -L -f -
         Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
         Public key: ECDSA-CERT SHA256:eG0Sf9jAnTwYasZEh4e/s…
         Signing CA: ECDSA SHA256:+urvAARQYdVf62qIa2e…
         Key ID: "[email protected], isEmg=true"
         Serial: 12760075762236271585
         …
     Use the Key ID for identifying activities. Confirm activity.
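The checks behind slides 6 to 8, 15 and 17 (expiry window, user:server principal, Key ID with isEmg for audit correlation), worked through in Python. This is an added example, not the deck's or smallstep's code; the certificate listing is a constructed sample in the format printed by `ssh-keygen -L -f -`, and `alice@example.invalid` and the fingerprints are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mimicking `ssh-keygen -L -f -` output; values are placeholders.
SAMPLE = """(stdin):1:
        Signing CA: ECDSA SHA256:+urvAARQYdVf62qIa2e... (using ecdsa-sha2-nistp256)
        Key ID: "alice@example.invalid, isEmg=false"
        Serial: 12760075762236271585
        Valid: from 2022-10-31T14:00:00 to 2022-10-31T15:00:00
        Principals:
                alice:secureB
        Extensions:
                permit-agent-forwarding
"""
FIELD = re.compile(r"^(Type|Signing CA|Key ID|Serial|Valid): (.*)$")

def parse_cert_listing(text):
    """Collect the single-line fields and the indented Principals list."""
    cert = {"principals": []}
    in_principals = False
    for line in text.splitlines()[1:]:          # skip the "(stdin):1:" header
        stripped = line.strip()
        m = FIELD.match(stripped)
        if m:
            cert[m.group(1)] = m.group(2)
            in_principals = False
        elif stripped.startswith("Principals:"):
            in_principals = True
        elif stripped.startswith(("Critical Options:", "Extensions:")):
            in_principals = False
        elif in_principals and stripped:
            cert["principals"].append(stripped)
    return cert

def evaluate(cert, dest_principals, now, max_ttl=timedelta(hours=2)):
    """Decide as the destination would (window + principal); return audit fields."""
    key_id = cert["Key ID"].strip('"')
    audit = {"key_id": key_id, "serial": cert["Serial"],
             "emergency": "isEmg=true" in key_id}
    m = re.match(r"from (\S+) to (\S+)", cert["Valid"])
    if not m:                                   # ssh-keygen prints "forever"
        return False, "certificate has no expiry", audit
    valid_from, valid_to = (datetime.fromisoformat(t) for t in m.groups())
    if not valid_from <= now <= valid_to:
        return False, "outside validity window", audit
    if valid_to - valid_from > max_ttl:
        return False, "lifetime exceeds policy", audit
    if not dest_principals.intersection(cert["principals"]):
        return False, "no principal accepted by this destination", audit
    return True, "ok", audit
```

`dest_principals` plays the role of the server's AuthorizedPrincipalsFile (the alice:secureB style entries from slide 14); the returned audit dict is what a SOC would key syslog events on.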
  18. About In-house CICD Tool (Deploy with CICD Tools)
     Realize continuous deployment to real servers and IaaS instances via SSHCA.

  19. Requirements (Deploy with CICD Tools)
     - SRC user is an application account (NOT human)
     - SRC user only needs to execute a deploy command with dedicated permission
     - Must pay careful attention:
       - Minimize exec permission for the application account
         > Address by sudoers setting with the Server Manage System
       - Restrict deployment permissions on each CD pipeline: a certain pipeline
         can only deploy to certain servers
         > Address with SSHCA

  20. Principal Detail (Deploy with CICD Tools)
     (Components: CA, Server Manage, CICD TOOL, DEST SERVER, DEST SERVER ADMIN,
     DEVELOPER. Pipeline ID: 123456.)
     ᐅ ssh-add -L …
         Principals: cicd:123456
     Use the PipelineID as the identifier (cicd:123456).

  21. Authentication for Cert Request (Deploy with CICD Tools)
     Use x509 ClientAuth when issuing the cert; the CA verifies the PipelineID.
     (ID: 123456 for the pipeline, versus ID: alice:secureA for a human user.)

  22. Diff Summary
     - How to Auth
       - Secure Server Operation: OIDC (use In-house IdP)
       - Deploy with CICD Tools: X509 ClientAuth
     - How to set Cert Properties
       - Secure Server Operation: user application (use In-house Approval WF)
       - Deploy with CICD Tools: PipelineID (use In-house CICD Tool)

  23. SSHCA x Host Authentication (Future Works)
     $ ssh yahoo.co.jp
     The authenticity of host 'yahoo.co.jp' can't be established.
     RSA key fingerprint is SHA256:3bf8MTEIsyc...
     Are you sure you want to continue connecting (yes/no)?

     $ ssh yahoo.co.jp
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     ...
     Offending ECDSA key in ~/.ssh/known_hosts:18
     ...

     $ ssh -o 'StrictHostKeyChecking no' yahoo.co.jp
     Host certificates make this more meaningful and comfortable.

  24. SSHCA x Git (Future Works)
     ᐅ step ssh list --raw [email protected] | step ssh inspect -
     -:
         Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
         Public key: ECDSA-CERT SHA256:4K04uA2PmE5…
         Signing CA: ECDSA SHA256:DIxPlEGDQBu4jtGC…
         Key ID: "[email protected]"
         Serial: 10852099681988329813
         Valid: from 2022-01-26T10:13:13 to 2022-01-27T02:13:13
         ...
         Extensions: [email protected] alice
     Register the CA Pub with the Git service.

  25. Graduate from Private Key (Future Works)
     # Developers / Operators
     - Eliminate private key management cost
     # System supervisors
     - Eliminate considerations about private key management by developers / operators
     # YJ Customers
     - Safer use of YJ services

  26. Summary
     # SSH CA
     - Provides fine-grained authz
     - Eliminates private key management
     Achieves both security and convenience.