Rootconf 2019

On infrastructure security, DevOps and distributed systems.



## About Rootconf 2019:
The seventh edition of Rootconf is a two-track conference with:

  1. Security talks and tutorials in audi 1 and 2 on 21 June.
  2. Talks on DevOps, distributed systems and SRE in audi 1 and audi 2 on 22 June.

## Topics and schedule:
View full schedule here:

Rootconf 2019 includes talks and Birds of a Feather (BOF) sessions on:

  1. OSINT and its applications
  2. Key management, encryption and its costs
  3. Running a bug bounty programme in your organization
  4. PolarDB architecture as Cloud Native Architecture, developed by Alibaba Cloud
  5. Vitess
  6. SRE and running distributed teams
  7. Routing security
  8. Log analytics
  9. Enabling SRE via automated feedback loops
  10. TOR for DevOps

## Who should attend Rootconf?

  1. DevOps programmers
  2. DevOps leads
  3. Systems engineers
  4. Infrastructure security professionals and experts
  5. DevSecOps teams
  6. Cloud service providers
  7. Companies with heavy cloud usage
  8. Providers of the pieces on which an organization’s IT infrastructure runs -- monitoring, log management, alerting, etc.
  9. Organizations dealing with large network systems where data must be protected
  10. VPs of engineering
  11. Engineering managers looking to optimize infrastructure and teams

For information about Rootconf and bulk ticket purchases, contact or call 7676332020. Only community sponsorships available.

## Rootconf 2019 sponsors:

### Platinum Sponsor

### Gold Sponsors

Atlassian, Endurance, Trusting Social

### Silver Sponsors

Digital Ocean, GO-JEK, Paytm

### Bronze Sponsors

MySQL, Sumo Logic, UpCloud, Platform.sh, nilenso, CloudSEK

### Exhibition Sponsor

FreeBSD Foundation

### Community Sponsors

Ansible, PlanetScale

Hosted by

We care about site reliability, cloud costs, security and data privacy

Pulkit Vaishnav


SSH Certificates: A way to scale SSH access

Submitted Feb 17, 2019

We all face problems in providing SSH access to developers: managing developers' public keys, updating the authorized_keys file on servers, and granting read-only (or full) access to a limited set of developers. Have we ever thought of solving this problem without updating all the servers? That is possible with SSH certificate-based authentication.

SSH access with public-key-based authentication requires copying each user's public key to every host, and this approach doesn’t scale well. With a certificate authority (CA), the CA issues a certificate for a public key, and copying the CA public key to every host removes the need to copy each user’s key to every host. To validate a user, the CA uses an X.509 attribute of ssh-keygen to sign the user’s public key and generate a certificate. While signing a certificate we can specify a version, serial number, identity, validity and access level (principals).

There are alternative approaches that manage users through a central authentication system such as LDAP or Kerberos. But a centralized system has its own drawbacks: if it goes down, you lock yourself out of your systems, for example during downtime at the service provider or a DNS outage.

Here are some SSH CA features, which can increase security:

  • The CA supports certificate validity, so we can create a certificate with a limited validity period: a user generates a certificate every time they need access, and that access is revoked after some time.
  • Role-based access can be provided using principals (an attribute of the ssh config).
  • Each user has a unique identity, which we can use to track the user’s activities.

SSH CA is a very efficient and secure way to provide SSH access to users. Companies like Facebook, Netflix, Uber and Lyft use it to provide access to users by signing their public keys with a CA.
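The signing flow described above, as an added example that is not part of the original proposal: a CA key signs a user's public key with an identity, a principal, a one-hour validity and a serial number, and the host-side settings are written to a scratch directory. The names `alice` and `deploy`, the serial 1001 and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. The identity "alice@example.com", the principal "deploy",
# serial 1001 and all paths are constructed; nothing is written outside DIR.

# make_ca DIR: create the CA key pair DIR/ca and DIR/ca.pub.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$1/ca"
}

# sign_user_key DIR PUBKEY IDENTITY PRINCIPALS VALIDITY SERIAL
# Writes the certificate next to PUBKEY as <name>-cert.pub.
sign_user_key() {
    ssh-keygen -q -s "$1/ca" -I "$3" -n "$4" -V "$5" -z "$6" "$2"
}

# cert_field CERT LABEL: value of one "LABEL: value" line from ssh-keygen -L.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# cert_principals CERT: the principals embedded in CERT, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# write_host_config DIR: host-side pieces, written under DIR instead of
# /etc/ssh. sshd accepts certificates signed by the CA, and a certificate may
# log in as "deploy" only if it carries a principal listed for that account.
write_host_config() {
    mkdir -p "$1/auth_principals"
    cp "$1/ca.pub" "$1/user_ca.pub"
    printf '%s\n' 'deploy' > "$1/auth_principals/deploy"
    printf '%s\n' \
        'TrustedUserCAKeys /etc/ssh/user_ca.pub' \
        'AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u' \
        > "$1/sshd_config.snippet"
}

# issue_demo_cert DIR: run the whole flow and print the certificate path.
issue_demo_cert() {
    make_ca "$1" &&
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$1/alice" &&
    sign_user_key "$1" "$1/alice.pub" 'alice@example.com' deploy +1h 1001 &&
    write_host_config "$1" &&
    echo "$1/alice-cert.pub"
}
```

Calling `issue_demo_cert "$(mktemp -d)"` and passing the printed path to `ssh-keygen -L -f` shows the identity, serial, validity window and principals that the host will check.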


  • Traditional public key (asymmetric key) cryptography authentication (2 min)
    • Traditional SSH authentication methods
    • Password-based authentication
    • Public-key (asymmetric) based authentication
    • Generic Security Service Application Program Interface (an API to access servers)
  • Centralized authentication approach & limitations (3 min)
    • How LDAP/Kerberos work (in brief)
    • Limitations of a centralized system
  • An adventurous ride with SSH certificates (6 min)
    • Working of SSH certificates
    • Generate signed certificate from CA
    • Configuration on the host system
    • Configuration on the user system
  • Demo (3 min)
  • Features of SSH CA (3 min)
    • Role-based access
    • Host-based access
    • Certificate validity
    • Certificate identity
  • Limitation & solutions (3 min)


Preliminary knowledge of ssh.

Speaker bio

Pulkit Vaishnav works as a DevOps Engineer building secure and scalable infrastructure at Moengage. Previously, he worked at Packetzoom, where he scaled, automated and monitored the CDN infrastructure for billions of requests/day on a hybrid cloud infrastructure. He was a co-founder of Hashgrowth, an App Store Optimization platform to drive mobile app growth.
Pulkit is an open source enthusiast and likes to explore new technologies. When not working, he likes to travel, explore new food places and binge.


