Access to Distributed Systems Presentation at Devops Toronto

Presentation Length: 16 Slides


Description

In this talk we review legacy SSH patterns against the new ways teams manage, deploy and troubleshoot applications running on elastic infrastructure. Along the way, Kevin demos Teleport (https://github.com/gravitational/teleport), an open-source re-implementation of SSH written in Go on top of the golang.org/x/crypto SSH library, and shows how to cross the chasm from traditional SSH anti-patterns into the fancy new orchestrated world, where access certificates expire automatically.

Slide Notes

  1. Kevin Nisbet Gravitational Access to distributed systems

  2. Gravitational Overview - Teleport (PAM, i.e. Privileged Access Management, for Elastic Infrastructure) and Telekube (Multi-region Kubernetes for Cloud-Native applications)

  3. LET’S SOLVE A PROBLEM • Scenario • Production… • Elastic Infrastructure • Separate Networks • The database is slow…

  4. WHAT JUST HAPPENED… source: https://www.gagcartoons.com/cartoons/87/

  5. TSH LOGIN • Generates new cryptographic keys • Connects to the CA via the Proxy • The CA signs a certificate granting access to the cluster

  6. SHORT LIVED CERTIFICATES https://ssh-certificate-parser.gravitational.com
     Certificate Type: [email protected]
     Public Key: SHA256:DtwegGhmM6twU5IJYTj+Wc/zY7b1koIUC5B61qTpxyI
     Signing CA: SHA256:WCifMyKoyD5+5MLZFBYJMBmS/d4LeBK3iSLWwU36PTA
     Key ID: demo
     Principals: root,knisbet
     Valid After: effective immediately
     Valid Before: Jul 30 16:48:16 UTC
     Critical Options: none
     Extensions: permit-agent-forwarding permit-port-forwarding permit-pty teleport-roles: {"version":"v1","roles":["admin"]}

  7. SHORT LIVED CERTIFICATES https://ssh-certificate-parser.gravitational.com (same certificate as slide 6)

  8. WHY CERTIFICATES? • Ever? • Lost a backup? • Run untrusted Software? • Rotated keys? • Sent the private key instead of the public? source: https://www.gagcartoons.com/cartoons/305/

  9. • FreeBSD packaging servers hacked
        http://www.infosecisland.com/blogview/22766-FreeBSD-Servers-Hacked-Lessons-on-SSH-Public-Key-Authentication.html
     • Malware & hackers collect SSH keys
        https://www.ssh.com/malware/
     • Active attacks using stolen SSH keys (2008)
        https://isc.sans.edu/forums/diary/Active+attacks+using+stolen+SSH+keys+UPDATED/4937/
     • New attacker scanning for SSH private keys on websites
        https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/
     • CIA malware can steal SSH credentials
        https://www.bleepingcomputer.com/news/security/cia-malware-can-steal-ssh-credentials-session-traffic/

  10. • Large database of device certificates, SSH keys published
        https://www.pindrop.com/blog/large-database-of-device-certificates-ssh-keys-published/
      • Learning from the Expedia heist
        https://medium.com/starting-up-security/learning-from-the-expedia-heist-6cf8a0069ce0
      • New ‘Mask’ APT campaign called most sophisticated yet
        https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148/
      • Multi-billion dollar defence firm fails to protect private SSH keys
        https://www.appviewx.com/multi-billion-dollar-defense-firm-fails-protect-private-ssh-keys/
      • The default OpenSSH key encryption is worse than plaintext
        https://latacora.singles/2018/08/03/the-default-openssh.html

  11. TSH LS • List all the servers in your infrastructure • New servers join the cluster, old ones leave • Labels • Automatically update as infra changes

  12. TSH SSH • SSH to the Node • Or the Label(s) • Automatic Bastions • Auditable • and SCP

  13. SESSION RECORDING • Record what happens in production • At the Proxy • At the Endpoint

  14. ARCHITECTURE

  15. KUBERNETES INTEGRATION • Short lived certificates • Multi-factor authentication • Audit all k8s actions • Session recording • Currently Alpha

  16. QUESTIONS More Information https://gravitational.com/teleport https://github.com/gravitational/teleport We’re Hiring https://github.com/gravitational/careers [email protected]
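The login flow on slides 5 to 7 ends in an OpenSSH certificate: the client's fresh public key, a key ID, the principals (Unix logins) it may use, a validity window and a set of extensions, all signed by the cluster CA. The following Python is an added example, not code from the talk or from Teleport. It encodes and decodes the wire format from OpenSSH's PROTOCOL.certkeys for an ed25519 user certificate, reproducing the fields the slide-6 parser prints (including the `teleport-roles` JSON extension) and the checks a server applies before it grants a login: certificate type, validity window, and requested login present in the principals. The public key, nonce, CA key and signature bytes are constructed placeholders, and the CA signature is deliberately not verified here; sshd or Teleport do that against the trusted CA key before any of the checks below matter.

```python
"""OpenSSH certificate wire format (PROTOCOL.certkeys) in plain Python.
Added example, not Teleport code. Keys, nonce and signature are constructed
placeholders and the CA signature is NOT verified here."""
import base64, json, struct, time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # SSH2_CERT_TYPE_USER; host certificates use 2

def _string(b):
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _tuples(kv):
    """Options/extensions: (name, data) pairs sorted by name. Flags such as
    permit-pty have empty data; teleport-roles carries a nested string."""
    out = b""
    for name in sorted(kv):
        out += _string(name.encode())
        out += _string(_string(kv[name].encode()) if kv[name] else b"")
    return out

def build_cert(pubkey, key_id, principals, ttl_s, extensions, now):
    """Assemble a user certificate valid for ttl_s seconds from now."""
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                  # nonce (constructed)
        _string(pubkey),                        # raw 32-byte ed25519 key
        struct.pack(">Q", 0),                   # serial
        struct.pack(">I", USER_CERT),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", now),                 # valid after
        struct.pack(">Q", now + ttl_s),         # valid before
        _string(b""),                           # critical options: none
        _string(_tuples(extensions)),
        _string(b""),                           # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x11" * 32)),  # CA key (constructed)
    ])
    # A real CA signs `body`; this placeholder only keeps the layout parseable.
    return body + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 64))

def to_cert_line(blob, comment):
    """The id_ed25519-cert.pub form: type, base64 blob, comment."""
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {comment}"

class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0
    def _take(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) != n: raise ValueError("truncated certificate")
        return chunk
    def u32(self): return struct.unpack(">I", self._take(4))[0]
    def u64(self): return struct.unpack(">Q", self._take(8))[0]
    def string(self): return self._take(self.u32())
    def strings(self):
        out = []
        while self.pos < len(self.data): out.append(self.string())
        return out

def _parse_tuples(blob):
    items = _Reader(blob).strings()             # name, data, name, data, ...
    if len(items) % 2: raise ValueError("unpaired option/extension entry")
    return {n.decode(): (_Reader(d).string().decode() if d else "")
            for n, d in zip(items[::2], items[1::2])}

def parse_cert_line(line):
    """Decode a *-cert.pub line into the fields the slide-6 parser shows."""
    kind, b64, *_ = line.split()
    r = _Reader(base64.b64decode(b64))
    cert = {"type": r.string().decode()}
    if cert["type"] != kind: raise ValueError("blob type does not match prefix")
    r.string()                                  # nonce
    cert["public_key"], cert["serial"], cert["cert_type"] = r.string(), r.u64(), r.u32()
    cert["key_id"] = r.string().decode()
    cert["principals"] = [p.decode() for p in _Reader(r.string()).strings()]
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"] = _parse_tuples(r.string())
    cert["extensions"] = _parse_tuples(r.string())
    r.string()                                  # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    if r.pos != len(r.data): raise ValueError("trailing bytes after signature")
    return cert

def check_access(cert, login, now):
    """What a server checks after the CA signature verifies: user certificate,
    inside the validity window, requested login listed as a principal."""
    if cert["cert_type"] != USER_CERT: return False, "not a user certificate"
    if now < cert["valid_after"]: return False, "not yet valid"
    if now >= cert["valid_before"]: return False, "expired"
    if login not in cert["principals"]: return False, f"{login} is not a principal"
    return True, "ok"

def demo(now=None):
    """Issue a slide-6 style certificate for 8 hours and exercise the checks."""
    now = int(time.time()) if now is None else now
    roles = json.dumps({"version": "v1", "roles": ["admin"]}, separators=(",", ":"))
    ext = {"permit-agent-forwarding": "", "permit-port-forwarding": "",
           "permit-pty": "", "teleport-roles": roles}
    blob = build_cert(b"\x33" * 32, "demo", ["root", "knisbet"], 8 * 3600, ext, now)
    cert = parse_cert_line(to_cert_line(blob, "knisbet@laptop"))
    return {"cert": cert,
            "roles": json.loads(cert["extensions"]["teleport-roles"])["roles"],
            "in_window": check_access(cert, "knisbet", now + 3600),
            "after_ttl": check_access(cert, "knisbet", now + 9 * 3600),
            "other_login": check_access(cert, "bob", now + 3600)}
```

`demo()` returns the decoded certificate plus three access decisions: the same user one hour in is allowed, the same user nine hours in is refused as expired, and a login not listed in the principals is refused at any time. The decoded fields are the ones `ssh-keygen -L -f id_ed25519-cert.pub` prints for a real certificate. The expiry check is what makes the short TTL on slide 6 effective: once `Valid Before` passes, a leaked certificate is useless to an attacker without the server ever consulting a revocation list, which is the property a long-lived `authorized_keys` entry can never give you.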
