Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorization with BLESS? #89

Open
braxtone opened this issue May 3, 2019 · 1 comment
Open

Authorization with BLESS? #89

braxtone opened this issue May 3, 2019 · 1 comment

Comments

@braxtone
Copy link

braxtone commented May 3, 2019

Reading through the validity constraints docs for SSH certificates, it doesn't look like there's the ability to specify which hosts a SSH user certificate is able to be used with. How are you solving authorization issues (allowing a user access to some hosts, but not all in a larger environment) with BLESS, or are you?

It looks like this would mean the holder of a valid SSH certificate would have access to any host configured to trust that CA certificate (plus or minus networking) without the ability to make access decisions by the type of host. Is that accurate or am I grossly misunderstanding something?

Source: OpenSSH ssh-keygen options docs

@russell-lewis
Copy link
Contributor

Any given SSH certificate (and key pair) for us is not an issue, as we restrict the certs so that they are only accepted from one bastion to exactly one use on exactly one instance, for only a few minutes.

If you have access to the IAM creds that can call BLESS, and you aren't using the kmsauth features, then whomever has access to the IAM Keys can issue any cert they want.

There are a few tools you can use to build AuthZ around BLESS. However the whole AuthZ system is still build it yourself.
Who has access to call a particular lambda?
What SSH CA key does that lambda have?
Can you request a cert with a particular principal?
You can use SSH Cert principals in creative ways.
Certs can expire right after a connection is authenticated.

The way we authorize SSH requests was recently talked about here:
https://www.slideshare.net/Docker/dcsf19-container-security-theory-practice-at-netflix
slides 28-29.
We don't give people access to the IAM Creds that can call BLESS. And we have a in-house AuthZ tool that decides if a cert should be issued.

Lyft is using a rather different model, that relies on IAM users and groups for AuthZ: https://github.com/Netflix/bless/blob/master/bless/aws_lambda/bless_lambda.py#L156-L174 and https://github.com/lyft/python-blessclient

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants