Managing SSH Acccess Without Managing SSH Keys

•

0 likes•223 views

Cashier is a certificate authority (CA) for OpenSSH certificates At Intercom we use the CA to issue short-lived SSH certificates so that engineers can access production servers. Certificates are issued by exchanging an Oauth access token for a valid certificate. Source is available at https://github.com/nsheridan/cashier

Software

Managing SSH Access
Without Managing SSH Keys
Niall Sheridan
niall@intercom.com  
Intercom Production Systems

- NIST IR 7966 Security of Interactive and Automated Access Management Using Secure Shell (SSH)
"Many organizations don't even know how
many SSH keys they have configured to
grant access to their information
systems or who has copies of those keys"

SSH Certificates
•Composed of: ssh key + signature +
signing key + metadata
•Only need to distribute 1 public key to
machines - the signing key
•Metadata allows for some nice properties
to be set

Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:WHATEVER
Signing CA: ED25519 SHA256:WHATEVER
Key ID: "some identity string"
Serial: 0
Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36
Principals:
niall
Critical Options:
force-command /bin/date
source-address 12.34.56.78/29
Extensions:
permit-pty
permit-port-forwarding
permit-x11-forwarding

/etc/ssh/sshd_config: 
# Required: 
TrustedUserCAKeys /etc/ssh/ca.pub 
# Optional, useful for shared accounts 
AuthorizedPrincipalsFile %h/.ssh/auth_users 
 
$ cat /etc/ssh/ca.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYZL32Emt4Ap...... 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGmvJaFt37ZTz...... 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWmdffJK0YR8z...... 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBL2PHBRyIa7ok......

SSH Key Authentication: 
sshd[6382]: Accepted publickey for prod-user from
10.0.0.167 port 49562 ssh2: RSA bb:86:14:02:cf:
37:91:b9:4f:09:76:8f:e0:bc:52:77
SSH Certificate Authentication: 
sshd[6382]: Accepted publickey for prod-user from
10.0.0.167 port 33984 ssh2: ED25519-CERT ID
niall_1503934975 (serial 0) CA ED25519 bd:0b:55:9f:
84:be:ad:e9:eb:ac:7e:8c:83:ed:4d:cb

https://github.com/nsheridan/cashier
Thank you!
Niall Sheridan
niall@intercom.com

What's hot

SSL Secure socket layer

Ahmed Elnaggar

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Nick Maludy

Sniffing SSL Traffic

dkaya

TLS Interception considered harmful (Chaos Communication Camp 2015)

hannob

Ssh And Rlogin

Sourav Roy

SSl/TLS Analysis

Duduman Bogdan Vlad

Types of ssl commands and keytool

CheapSSLsecurity

Secure shell

Arjun Aj

Ssh (The Secure Shell)

Mehedi Farazi

Secure SHell

Çağrı Çakır

SSL/TLS

pavansmiles

Overview of the SSH protocol. SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin, rsh (for login, remote execution of commands, file transfer). Security-wise SSH provides confidentiality (nobody can read the message content), integrity (guarantee that data is unaltered in transit) and authentication (of client and server). This provides protection against many of the possible attack vectors like IP spoofing, DNS spoofing, Password interception and eavesdropping. SSH exists in 2 versions. SSH-2 fixes some of the shortcomings of SSH-1 so it should be used in place of SSH-1. SSH also comes with features that in itself raise security concerns like tunneling and port forwarding.

SSH - Secure Shell

Peter R. Egli

Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.

Secure shell protocol

Baspally Sai Anirudh

SSL

theekuchi

Secure Shell(ssh)

Pina Parmar

Alban Diquet, Data Theorem Thomas Sileo, Data Theorem Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS. We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings. First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are. Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found. Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...

BlueHat Security Conference

As some of my colleagues are solving various SSL/TLS problems for one of our customers, I have prepared the above mentioned training for them. The training is divided to three parts: - Brief Introduction to Public Key Infrastructure (PKI) - Introduction to SSL/TLS Protocols - Practical Examples and Hints The last part primarily consists of hands-on exercises with Wireshark, covering variety of successful and failed SSL/TLS handshakes. The hands-on exercises are based on easily configurable dummy SSL client and server implemented in Java (available at https://github.com/Jardo72/SSL-Sandbox).

SSL/TLS Introduction with Practical Examples Including Wireshark Captures

SSL

SSH.ppt

Ssl in a nutshell

What's hot (20)

SSL Secure socket layer

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Sniffing SSL Traffic

TLS Interception considered harmful (Chaos Communication Camp 2015)

Ssh And Rlogin

SSl/TLS Analysis

Types of ssl commands and keytool

Secure shell

Ssh (The Secure Shell)

Secure SHell

SSL/TLS

SSH - Secure Shell

Secure shell protocol

SSL

Secure Shell(ssh)

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...

SSL/TLS Introduction with Practical Examples Including Wireshark Captures

SSL

SSH.ppt

Ssl in a nutshell

Similar to Managing SSH Acccess Without Managing SSH Keys

AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure. Learning Objectives: Common Internet of Things security issues AWS IoT Security and Access Control Mechanisms Build secure interactions with the AWS Cloud Who Should Attend: Developers, makers

February 2016 Webinar Series - Best Practices for IoT Security in the Cloud

Amazon Web Services

Secure Credential Management with CredHub - Eoghan Kelleher

VMware Tanzu

Securing Your Resources with Short-Lived Certificates!

All Things Open

Best Practices of IoT Security in the Cloud

Amazon Web Services

Introduction to distributed security concepts and public key infrastructure m...

Information Security Awareness Group

AWS IoT is a new managed service that enables Internet-connected things (sensors, actuators, devices, and applications) to easily and securely interact with each other and the cloud. This talk will introduce the security and access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.

(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things

Amazon Web Services

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

VMware Tanzu

More and more IoT vulnerabilities are found and showcased at security events. From connected thermostats to power plants! Insecurity became the favorite subject for creating catchy IoT headlines: "Connected killer toaster", "Fridges changed into spamming machines","Privacy concerns around connected home". We will explore the five challenges one has to face when building a secure IoT solution: - hardware security: how to avoid rogue firmwares and keep your security keys safe? - upgrade strategy: you can't secure what you can't update! - secure transport: no security without secure transports. - security credentials distribution: how to distribute security keys to a fleet with millions of devices? - cloud vulnerability mitigation, how to keep your fleet of devices safe from the next Heartbleed? Current enterprise infrastructure provides solutions for handling application security but are they really matching the IoT challenge? Could running a PKI client on a low power wireless sensor node be an option? Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M with DTLS is the way for building a secur-first IoT solutions. It provides a solution for upgrading your device, distributing your security keys and comes with a full range of cryptography cipher suites, from PSK algorithm for very constrained devices to high level of security using X.509 certificates. Furthermore for adding security to your solution we will present you ready to use opensource libraries for implementing secure IoT servers and devices. The way for quickly releasing your next catchy connected product.! Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementation maybe your next best friend in the troubled water of Internet-Of-Things security!

The 5 elements of IoT security

Julien Vermillard

U2F/FIDO2 implementation of YubiKey

Haniyama Wataru

Addmi 14-discovery credentials

odanyboy

Securing Network Access with Open Source solutions

Nick Owen

Alternatives and Enhancements to CAs for a Secure Web

CASCouncil

Keystone - Openstack Identity Service

Prasad Mukhedkar

Configuring Secure Shell on Routers and Switches Running Cisco IO

Hoàng Hải Nguyễn

Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec

Sylvain Maret

Best Practices for IoT Security in the Cloud

Amazon Web Services

AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, as well as integrate devices with other AWS services to create secure solutions. Learning Objectives: • Common IoT Thing Management Issues • Learn about AWS IoT Security and Access Control Mechanisms • Build Secure interactions with the AWS Cloud Who Should Attend: • Technical Decision Makers, Developers, Makers

Best Practices for IoT Security in the Cloud

Amazon Web Services

RSA SecurID Access

MarketingArrowECS_CZ

We want to make sure your company isn’t in the next headline news about a data breach. So Scylla includes multiple features that collectively provide a robust security model. Most recently we announced support for encryption-at-rest in Scylla Enterprise. This enables you to lock-down your data even in multi-tenant and hybrid deployments of Scylla. Join us for an overview of security in Scylla and to see how you can approach it holistically using the array of Scylla capabilities. We will review Scylla Security features, from basic to more advanced, including: - Reducing your attack surface - Authorization & Authentication - Role-Based Access Control - Encryption at Transit - Encryption at Rest, in 2019.1.1 and beyond

How to Bulletproof Your Scylla Deployment

ScyllaDB

How to increase security with SSH

Vitalii Sharavara

Similar to Managing SSH Acccess Without Managing SSH Keys (20)

February 2016 Webinar Series - Best Practices for IoT Security in the Cloud

Secure Credential Management with CredHub - Eoghan Kelleher

Securing Your Resources with Short-Lived Certificates!

Best Practices of IoT Security in the Cloud

Introduction to distributed security concepts and public key infrastructure m...

(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

The 5 elements of IoT security

U2F/FIDO2 implementation of YubiKey

Addmi 14-discovery credentials

Securing Network Access with Open Source solutions

Alternatives and Enhancements to CAs for a Secure Web

Keystone - Openstack Identity Service

Configuring Secure Shell on Routers and Switches Running Cisco IO

Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec

Best Practices for IoT Security in the Cloud

RSA SecurID Access

How to Bulletproof Your Scylla Deployment

How to increase security with SSH

Recently uploaded

The title is not connected to what is inside

shinachiaurasa2

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

HR Software Buyers Guide in 2024 - HRSoftware.com

Fatema Valibhai

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

KiaraTiradoMicha

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

Technology has taken up space all over the world. From generating content with a single command on ChatGPT to getting your food served by Robots at your favorite restaurant, artificial advancements have ruled every space. Every industry is set to develop top-notch technology in every sector; finance, IT, healthcare, gaming, and banking, with competitive market standards. One of these rapidly growing industries is Mobile App Development. According to the Straits Research report, it is expected to reach USD 583.03 billion at a CAGR OF 12.8% between (2022 and 2030). It clearly shows how mobile app development has become an integral part of the digital landscape and revolutionized technology.

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

ayushiqss

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

Software Quality Assurance Interview Questions

Arshad QA

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

Pharm-D Biostatistics and Research methodology

Anusha Are

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

Recently uploaded (20)

The title is not connected to what is inside

Optimizing AI for immediate response in Smart CCTV

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

A Secure and Reliable Document Management System is Essential.docx

HR Software Buyers Guide in 2024 - HRSoftware.com

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

Right Money Management App For Your Financial Goals

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

Define the academic and professional writing..pdf

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Unlocking the Future of AI Agents with Large Language Models

Software Quality Assurance Interview Questions

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

TECUNIQUE: Success Stories: IT Service provider

Pharm-D Biostatistics and Research methodology

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

Managing SSH Acccess Without Managing SSH Keys

1. Managing SSH Access Without Managing SSH Keys Niall Sheridan niall@intercom.com   Intercom Production Systems

2. - NIST IR 7966 Security of Interactive and Automated Access Management Using Secure Shell (SSH) "Many organizations don't even know how many SSH keys they have configured to grant access to their information systems or who has copies of those keys"

9. Bastion  SSH key + 2FA App Instances

10.

11.

12. SSH Certificates •Composed of: ssh key + signature + signing key + metadata •Only need to distribute 1 public key to machines - the signing key •Metadata allows for some nice properties to be set

13. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding

14. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding Certiﬁcate Type

15. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding Key ID

16. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding Certiﬁcate Lifetime

17. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding Username(s)

18. Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:WHATEVER Signing CA: ED25519 SHA256:WHATEVER Key ID: "some identity string" Serial: 0 Valid: from 2017-08-23T22:40:40 to 2017-08-24T22:45:36 Principals: niall Critical Options: force-command /bin/date source-address 12.34.56.78/29 Extensions: permit-pty permit-port-forwarding permit-x11-forwarding Certiﬁcate Restrictions

19. /etc/ssh/sshd_config:  # Required:  TrustedUserCAKeys /etc/ssh/ca.pub  # Optional, useful for shared accounts  AuthorizedPrincipalsFile %h/.ssh/auth_users    $ cat /etc/ssh/ca.pub  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYZL32Emt4Ap......  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGmvJaFt37ZTz......  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWmdffJK0YR8z......  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBL2PHBRyIa7ok......

20.

21.

22.

23.

24.

25. SSH Key Authentication:  sshd[6382]: Accepted publickey for prod-user from 10.0.0.167 port 49562 ssh2: RSA bb:86:14:02:cf: 37:91:b9:4f:09:76:8f:e0:bc:52:77 SSH Certificate Authentication:  sshd[6382]: Accepted publickey for prod-user from 10.0.0.167 port 33984 ssh2: ED25519-CERT ID niall_1503934975 (serial 0) CA ED25519 bd:0b:55:9f: 84:be:ad:e9:eb:ac:7e:8c:83:ed:4d:cb

26. Bastion  SSH cert + 2FA App Instances

27. https://github.com/nsheridan/cashier Thank you! Niall Sheridan niall@intercom.com

Managing SSH Acccess Without Managing SSH Keys

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Managing SSH Acccess Without Managing SSH Keys

Similar to Managing SSH Acccess Without Managing SSH Keys (20)

Recently uploaded

Recently uploaded (20)

Managing SSH Acccess Without Managing SSH Keys