Teleport Bastion Jump-Hosts with SSH Certificates
•
0 likes•1,973 views
A jump host is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Teleport Bastion Jump-Hosts with SSH Certificates
Similar to Teleport Bastion Jump-Hosts with SSH Certificates (20)
More from Faelix Ltd
More from Faelix Ltd (8)
Recently uploaded
Recently uploaded (20)
Teleport Bastion Jump-Hosts with SSH Certificates
- 2. A BASTION IS A STRUCTURE PROJECTING OUTWARD FROM THE CURTAIN WALL OF A FORTIFICATION "Bastion" — Wikipedia, 2018-01-10 DEFINITION
- 3. HARDENED AND MONITORED DEVICE THAT SPANS TWO DISSIMILAR SECURITY ZONES AND PROVIDES A CONTROLLED MEANS OF ACCESS BETWEEN THEM "Jump Server" — Wikipedia, 2018-01-10 DEFINITION
- 4. SZILAS, PUBLIC DOMAIN, VIA WIKIMEDIA COMMONS
- 5. IOT SECURITY (NETMCR #11) @kooky_uk Tim Bray SHOUT OUT #1
- 6. SSH CERTIFICATES (NETMCR #13) @TimJDFletcher Tim Fletcher SHOUT OUT #2
- 7. IOT SECURITY WITH PI.PE (NETMCR #17) @steely_glint Tim Panton SHOUT OUT #3
- 8. RIPE ATLAS PROBE SECURITY (AQL IOT ROUNDTABLE) @kistel Robert Kisteleki SHOUT OUT #4
- 9. WHY WAS I LOOKING AT THESE PROBLEMS? THE TASK AT HAND ▸ Customers with "Internet access is slow". ▸ At first it seemed that NNI was in common… ▸ Then it seemed that last-mile provider was in common… ▸ Then we thought it might be web filtering solution… ▸ Is it carrier network congestion/loss… not that either… ▸ We need to test this from within the customer network!
- 10. WHY WAS I LOOKING AT THESE PROBLEMS? THE TASK AT HAND ▸ Put some probe devices in some customer networks ▸ …to be able to "ssh" into them, run measurements. ▸ Don't want customers to have to open ports on routers. ▸ Some sort of NAT-piercing required. ▸ Security is vital: ▸ Don't want probe to be an attack vector into customer. ▸ Team of staff need access.
- 11. STANDING ON THE SHOULDERS OF GIANTS RIPE ATLAS ▸ Plug it in, gets address/DNS by DHCP ▸ Connects to RIPE bastion hosts using ssh (with provisioning) ▸ Creates tunnels to itself for telemetry, read all about it: ▸ https://www.uknof.org.uk/uknof18/Kisteleki-Atlas.pdf ▸ Security rep is pretty good, e.g. ▸ https://www.mdsec.co.uk/2015/09/an-introduction-to- hardware-hacking-the-ripe-atlas-probe/
- 12. STANDING ON THE SHOULDERS OF GIANTS SSH BASTION HOSTS, WITH SSH CA ▸ The big players are doing it: ▸ https://code.facebook.com/posts/365787980419535/ scalable-and-secure-access-with-ssh/ ▸ https://github.com/Netflix/bless ▸ How to apply this pattern to our "IoT" probe project?
- 13. A LONGER TALK, MAYBE AT UKNOF, WILL HAVE MORE INFORMATION… THE SOLUTION ▸ Ansible script #1: ▸ Deploys Teleport on a VM (or cluster for HA) ▸ Ansible script #2: ▸ Installs Teleport on a Raspberry Pi ▸ Preconfigures Teleport (outbound connection to bastion host) ▸ Bunch of Raspberry Pi / case / SD card combos ▸ Ship to customers with instructions about placement ▸ Within few days of shipping: RCA = vendor firewall config issue
- 14. TELEPORT USING
- 15. WHO NEEDS ANOTHER SSHD? WHY BOTHER USING TELEPORT? ▸ ssh CA out of the box, compatible with OpenSSHd ▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam ▸ ssh through-the-web out of the box ▸ Compliance Officer's dream: session recording jumphost. ▸ …and with "session_recording: proxy" it can do this for legacy sshd implementations too! [caveat: Security Officer] ▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e ▸ $paid_editions feature include RBAC, LDAP/SASL integration
- 16. cluster of stuff
- 19. tsh login --proxy teleport.example.com --user networkmoose ssh-key -A LOGGING IN
- 20. tsh login --proxy teleport.example.com --user networkmoose ssh-key -A LOGGING IN THE BASTION HOST
- 21. tsh ssh root@example.com -L 8080:localhost:80 ssh LOGGING IN
- 23. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding.
- 24. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT
- 25. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT AUTOMATION
- 26. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT AUTOMATION PLAYS NICELY WITH ANSIBLE (RTFM)
- 27. THE JESUS AND SSH-KEYCHAIN MIX AND MATCH OPENSSHD AND TELEPORT ▸ Host blah.example.com User salt Port 3022 ProxyCommand ssh -p 3023 %r@teleport.example.com -s proxy:%h:%p ▸ ln -snf /usr/local/bin/tsh /usr/bin/ssh ln -snf /usr/local/bin/tsh /usr/bin/scp ▸ …while using Ansible? ▸ scp_if_ssh = True
- 28. THE JESUS AND SSH-KEYCHAIN TELEPORT AS CA FOR OPENSSHD ▸ tctl auth sign --host=yourhost.example.com --format=openssh ▸ HostKey /etc/ssh/ca_ssh_host_rsa_key HostCertificate /etc/ssh/ca_ssh_host_rsa_key.pub ▸ You might have to… ▸ tsh login --compat=oldssh --proxy=teleport.example.com ▸ tsh ssh -p 22 root@yourhost.example.com
- 29. LABEL YOUR NODES (MASS COMMANDS)
- 34. you! proxy auth node client (tsh or https)
- 35. you! proxy auth node client (tsh or https) all-in-one
- 36. you! proxy auth node client (tsh or https) bastion node(s)
- 37. you! proxy auth node client (tsh or https) all separated
- 38. you! proxynode client (tsh or https) RBAC ("enterprise") auth LDAP SAML etc
- 39. you! proxies auth node client (tsh or https) HA auth etcd / dynamodb load bal
- 40. you! auth + proxy & trusted cluster auth node trusting cluster client (tsh or https) bastionanother node
- 42. READ THE FINE MANUAL, MAKE A PLAYBOOK OR SALT STATE, DONE. INSTALLATION ▸ Download binary, run installer (or compile your own) ▸ examples directory has systemd service file ▸ Create a user, let them login as root on any nodes: ▸ tctl users add marek root,postgres,www-data,… ▸ Follow enrolment link, set password, scan the QR code
- 43. ENROLMENT PROCESS YOUR FIRST USER
- 44. ENROLMENT PROCESS YOUR FIRST USER ▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
- 45. ENROLMENT PROCESS YOUR FIRST USER ▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
- 47. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS
- 48. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS ▸ Static labels from config
- 49. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS ▸ Static labels from config ▸ Dynamic values from running commands periodically
- 50. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 51. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 52. GETTING DEEPER POOR MAN'S ORCHESTRATION tsh ssh root@debian=8.7
- 53. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 54. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 55. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 56. THANKS FOR LISTENING! ANY QUESTIONS? e: marek@faelix.net t: @maznu w: https://faelix.net/ https://faelix.link/netmcr19