Rootconf 2019

We all face problems in providing SSH access to the developers, it could be managing public keys of developers, updating authorized_keys file at servers and providing read-only (or full access) to limited developers. Have we ever think of solving this problem without updating all servers. It would be possible with SSH certificate-based authentication.

SSH access with public key based authentication requires copying public key on each host from the user, this approach doesn’t scale well. The certificate authority (CA) issues a certificate with a public key, copying the CA public key to every host remove the need to copy the user’s key on every host. For the validation of any user, CA uses an X.509 attribute of ssh-keygen to sign a user’s public key and generate a certificate. While signing a certificate we can specify a version, serial number, identity, validity and access level (principals).

There are alternative approaches to manage users using a central authentication system like LDAP or Kerberos. But centralize system has its own drawbacks. If the centralized system goes down you will lock out yourself from the system. For example: at the time of downtime from the service provider or DNS outage.

Here are some SSH CA features, which can increase security:

• CA offers certificate validity using which we can create a certificate for a limited validity, every time a user needs access to generate a certificate and access will be revoked in some time.
• Role-based access can be provided using the principals (attribute of ssh config).
• Each user will have a unique identity using which we can track user’s activities.

SSH CA is a very efficient and secure way to provide SSH access to users. Companies like Facebook, Netflix, Uber, Lyft are using this to provide access to the users by signing their public keys using CA.

Outline

• Traditional Public key (asymmetric key) cryptography authentication(2 min)
  • Traditional SSH authentication methods
  • Password-based authentication
  • Public-key (asymmetric) based authentication
  • Generic Security Service Application Program Interface (an API to access servers)
• Centralized authentication approach & limitations (3 min)
  • How LDAP/Kerberos working (in brief)
  • Limitations of a cenralized system
• A adventures ride with SSH certificates (6 min)
  • Working of SSH certificates
  • Generate signed certificate from CA
  • Configuration on the host system
  • Configuration on the user system
• Demo (3 min)
• Features of SSH CA (3 min)
  • Role-based access
  • Host-based access
  • Certificate validity
  • Certificate identity
• Limitation & solutions (3 min)

Requirements

Preliminary knowledge of ssh.

Speaker bio

Pulkit Vaishnav is working as a DevOps Engineer who builds a secure and scalable infrastructure at Moengage. Previously, he worked at Packetzoom and scale, automate and monitor the CDN infrastructure for billions of requests/day on a hybrid cloud infrastructure. He was a co-founder of Hashgrowth an App Store Optimization platform to drive mobile app growth.
Pulkit is open source enthusiasts and likes to explore new technologies. When not working like to travel, explore new food places and binge.

Links

• https://www.linkedin.com/in/pulkit-vaishnav-3215a385/
• https://medium.com/@pulkitvaishnav

Slides

https://docs.google.com/presentation/d/1o3JJdve-C--HJxhHzwXMkXyf74yNJOi7juVEn4phxQk/edit#slide=id.p