2. A BASTION IS A STRUCTURE
PROJECTING OUTWARD FROM THE
CURTAIN WALL OF A FORTIFICATION
"Bastion" — Wikipedia, 2018-01-10
DEFINITION
3. HARDENED AND MONITORED DEVICE
THAT SPANS TWO DISSIMILAR SECURITY
ZONES AND PROVIDES A CONTROLLED
MEANS OF ACCESS BETWEEN THEM
"Jump Server" — Wikipedia, 2018-01-10
DEFINITION
7. IOT SECURITY WITH PI.PE
(NETMCR #17)
@steely_glint Tim Panton
SHOUT OUT #3
8. RIPE ATLAS PROBE SECURITY
(AQL IOT ROUNDTABLE)
@kistel Robert Kisteleki
SHOUT OUT #4
9. WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Customers reporting "Internet access is slow".
▸ At first the NNI (network-to-network interface) seemed to be the common factor…
▸ Then it seemed the last-mile provider was the common factor…
▸ Then we thought it might be the web filtering solution…
▸ Is it carrier network congestion/loss? Not that either…
▸ We need to test this from within the customer network!
10. WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Put some probe devices in some customer networks
▸ …to be able to "ssh" into them, run measurements.
▸ Don't want customers to have to open ports on routers.
▸ Some sort of NAT-piercing required.
▸ Security is vital:
▸ Don't want probe to be an attack vector into customer.
▸ Team of staff need access.
11. STANDING ON THE SHOULDERS OF GIANTS
RIPE ATLAS
▸ Plug it in, gets address/DNS by DHCP
▸ Connects to RIPE bastion hosts using ssh (with provisioning)
▸ Creates tunnels to itself for telemetry, read all about it:
▸ https://www.uknof.org.uk/uknof18/Kisteleki-Atlas.pdf
▸ Security reputation is pretty good, e.g.
▸ https://www.mdsec.co.uk/2015/09/an-introduction-to-hardware-hacking-the-ripe-atlas-probe/
12. STANDING ON THE SHOULDERS OF GIANTS
SSH BASTION HOSTS, WITH SSH CA
▸ The big players are doing it:
▸ https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
▸ https://github.com/Netflix/bless
▸ How to apply this pattern to our "IoT" probe project?
13. A LONGER TALK, MAYBE AT UKNOF, WILL HAVE MORE INFORMATION…
THE SOLUTION
▸ Ansible script #1:
▸ Deploys Teleport on a VM (or cluster for HA)
▸ Ansible script #2:
▸ Installs Teleport on a Raspberry Pi
▸ Preconfigures Teleport (outbound connection to bastion host)
▸ Bunch of Raspberry Pi / case / SD card combos
▸ Ship to customers with instructions about placement
▸ Within a few days of shipping, root cause analysis (RCA): vendor firewall config issue
15. WHO NEEDS ANOTHER SSHD?
WHY BOTHER USING TELEPORT?
▸ ssh CA out of the box, compatible with OpenSSHd
▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam
▸ ssh through-the-web out of the box
▸ Compliance Officer's dream: session recording jumphost.
▸ …and with "session_recording: proxy" it can do this for legacy sshd implementations too! [caveat: Security Officer: in proxy mode the proxy terminates the SSH session and sees it in plaintext, so the bastion must be trusted with everything typed through it]
▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e
▸ $paid_editions features include RBAC, LDAP/SASL integration
23. SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to the Internet.
▸ All access goes via the tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
▸ Probably want a script / automation for repeated measurements.
▸ Plays nicely with Ansible (RTFM).
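The kind of script slides 23-26 point at, as an added example that is not from the talk and not Teleport's own code: sweep every probe through the bastion, run one measurement on each, and tabulate packet loss. Assumptions: tsh is installed and already logged in (tsh login --proxy=tsh.fulcrm.org), probes are listed one hostname per line in probes.txt, the probe login name is "probe", and the measurement target 203.0.113.10 is a documentation address. The helper names (probe_cmd, parse_loss, measure, sweep) are this example's, not tsh's.

```shell
#!/bin/sh
# Added example, not from the talk: measure packet loss from every probe via
# the Teleport bastion. Assumed: tsh is installed and logged in, probes.txt
# lists one probe hostname per line, login "probe", target 203.0.113.10.
set -u

PROXY=${PROXY:-tsh.fulcrm.org}
LOGIN=${LOGIN:-probe}
TARGET=${TARGET:-203.0.113.10}
COUNT=${COUNT:-10}

# Command line for one probe, kept in a function so it can be inspected
# without a live cluster. The remote command is a single quoted argument so
# tsh hands it to the probe's shell unchanged.
probe_cmd() {
  printf 'tsh --proxy=%s ssh %s@%s "ping -q -c %s %s"' \
    "$PROXY" "$LOGIN" "$1" "$COUNT" "$TARGET"
}

# Packet-loss percentage from ping's summary line (Linux "20% packet loss",
# BSD/macOS "0.0% packet loss"); prints nothing if no summary is present,
# which is how a failed tsh session shows up.
parse_loss() {
  sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p'
}

# One probe, with a deadline so a wedged NAT-pierced session cannot stall
# the whole sweep. Output is "<probe>,<loss>" or "<probe>,unreachable".
measure() {
  out=$(timeout 60 sh -c "$(probe_cmd "$1")" 2>/dev/null) || out=""
  loss=$(printf '%s\n' "$out" | parse_loss)
  printf '%s,%s\n' "$1" "${loss:-unreachable}"
}

# Sweep every probe in the inventory file; blank lines are skipped.
sweep() {
  while read -r probe; do
    [ -n "$probe" ] && measure "$probe"
  done < "${1:-probes.txt}"
}

if [ "${1:-}" = run ]; then
  sweep "${2:-probes.txt}"
fi
```

Invoke as `sh sweep.sh run probes.txt > results.csv`. Because every hop goes through the bastion, the probe never needs an inbound port, and the per-probe timeout keeps one unreachable customer site from blocking the rest of the sweep.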
27. THE JESUS AND SSH-KEYCHAIN
MIX AND MATCH OPENSSHD AND TELEPORT
▸ Plain OpenSSH client, Teleport proxy (~/.ssh/config):
    Host blah.example.com
      User salt
      Port 3022
      ProxyCommand ssh -p 3023 %r@teleport.example.com -s proxy:%h:%p
▸ Or make tsh answer to the usual names:
    ln -snf /usr/local/bin/tsh /usr/bin/ssh
    ln -snf /usr/local/bin/tsh /usr/bin/scp
▸ Caveat: once /usr/bin/ssh points at tsh, a ProxyCommand like the one above must call the real OpenSSH client by its new path, or it will loop back into tsh.
▸ …while using Ansible? (ansible.cfg)
    scp_if_ssh = True
28. THE JESUS AND SSH-KEYCHAIN
TELEPORT AS CA FOR OPENSSHD
▸ tctl auth sign --host=yourhost.example.com --format=openssh
▸ …writes a host key and a host certificate; install them in sshd_config (renamed here):
    HostKey /etc/ssh/ca_ssh_host_rsa_key
    HostCertificate /etc/ssh/ca_ssh_host_rsa_key.pub
▸ For Teleport-issued user certificates to be accepted, sshd must also trust the user CA:
    TrustedUserCAKeys (from tctl auth export --type=user)
▸ You might have to…
▸ tsh login --compat=oldssh --proxy=teleport.example.com
▸ tsh ssh -p 22 root@yourhost.example.com
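The enrolment described on slides 27 and 28 carried through as one script, added here as an example; it is neither the talk's code nor Teleport's. It issues the host certificate with tctl, exports the host and user CAs, and, before touching sshd, checks with ssh-keygen that the certificate really was signed by the expected CA and names the expected host. Assumptions: tctl runs on the Teleport auth server, the host name yourhost.example.com, the file paths under /etc/ssh, the CA export format (any line containing "ssh-<type> <base64>" is accepted), and the helper names below.

```shell
#!/bin/sh
# Added example, not from the talk or from Teleport: enrol an existing
# OpenSSH sshd into the Teleport CA and verify the certificate first.
# Assumed: tctl on the auth server, host name, paths, helper names.
set -eu

HOST=${HOST:-yourhost.example.com}
SSH_DIR=${SSH_DIR:-/etc/ssh}

# SHA256 fingerprint of a public key file (second column of ssh-keygen -l).
key_fingerprint() {
  ssh-keygen -lf "$1" | awk '{print $2}'
}

# Fingerprint of the CA that signed an OpenSSH certificate ("Signing CA:" line).
cert_signing_ca() {
  ssh-keygen -Lf "$1" | awk '/Signing CA:/ {print $4}'
}

# Principals listed in a certificate, one per line.
cert_principals() {
  ssh-keygen -Lf "$1" | awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# 0 when the certificate was signed by the CA in $2 and names host $3.
check_host_cert() {
  cert=$1; ca=$2; host=$3
  [ "$(cert_signing_ca "$cert")" = "$(key_fingerprint "$ca")" ] || return 1
  cert_principals "$cert" | grep -qx "$host"
}

# Host side: Teleport signs this node's host key; tctl writes
# teleport_host (private key) and teleport_host-cert.pub.
issue_host_cert() {
  tctl auth sign --host="$HOST" --format=openssh --out="$SSH_DIR/teleport_host"
  # Host CA export is known_hosts style; keep just "<type> <base64>" (assumed).
  tctl auth export --type=host \
    | awk '{for (i = 1; i < NF; i++) if ($i ~ /^ssh-/) {print $i, $(i+1); exit}}' \
    > "$SSH_DIR/teleport_host_ca.pub"
  check_host_cert "$SSH_DIR/teleport_host-cert.pub" "$SSH_DIR/teleport_host_ca.pub" "$HOST"
}

# User side: sshd must trust Teleport's user CA to accept tsh-issued
# certificates. The export carries an authorized_keys "cert-authority"
# prefix that TrustedUserCAKeys does not want, hence the sed.
install_sshd_config() {
  tctl auth export --type=user | sed 's/^cert-authority //' > "$SSH_DIR/teleport_user_ca.pub"
  cat >> "$SSH_DIR/sshd_config" <<EOF
HostKey $SSH_DIR/teleport_host
HostCertificate $SSH_DIR/teleport_host-cert.pub
TrustedUserCAKeys $SSH_DIR/teleport_user_ca.pub
EOF
  sshd -t   # refuse to proceed on a broken config rather than lock ourselves out
}

if [ "${1:-}" = enrol ]; then
  issue_host_cert && install_sshd_config
fi
```

Run as `sh enrol.sh enrol` on the node, then reload sshd. The check matters because a certificate that names the wrong principal is accepted by nobody, while one signed by the wrong CA is a silent way to end up trusting a key you did not mean to trust; both are cheap to catch with ssh-keygen -L before the reload.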
42. READ THE FINE MANUAL, MAKE A PLAYBOOK OR SALT STATE, DONE.
INSTALLATION
▸ Download binary, run installer (or compile your own)
▸ examples directory has systemd service file
▸ Create a user, let them log in as root (and other accounts) on any node:
▸ tctl users add marek root,postgres,www-data,…
▸ Follow enrolment link, set password, scan the QR code