Kevin Nisbet
Gravitational
Access to distributed systems
LET’S SOLVE A PROBLEM
• Scenario
• Production…
• Elastic Infrastructure
• Separate Networks
• The database is slow…
WHAT JUST HAPPENED…
source: https://www.gagcartoons.com/cartoons/87/
TSH LOGIN
• Generates new cryptographic keys
• Connects to CA via Proxy
• Signs a certificate granting access to the cluster
SHORT LIVED CERTIFICATES
https://ssh-certificate-parser.gravitational.com
Certificate Type: ssh-rsa-cert-v01@openssh.com
Public Key: SHA256:DtwegGhmM6twU5IJYTj+Wc/zY7b1koIUC5B61qTpxyI
Signing CA: SHA256:WCifMyKoyD5+5MLZFBYJMBmS/d4LeBK3iSLWwU36PTA
Key ID: demo
Principals: root,knisbet
Valid After: effective immediately
Valid Before: Jul 30 16:48:16 UTC
Critical Options: none
Extensions:
permit-agent-forwarding
permit-port-forwarding
permit-pty
teleport-roles: {"version":"v1","roles":["admin"]}
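The slides above show what tsh login produces: a freshly generated key, signed by the cluster CA into a certificate that names the principals, a short validity window, and a set of extensions including teleport-roles. The following is an added example, not code from the slides or from Teleport: it encodes those same fields in the OpenSSH certificate wire format (ssh-rsa-cert-v01@openssh.com, as documented in OpenSSH's PROTOCOL.certkeys), parses them back, and applies the policy checks an SSH server makes before honouring such a certificate (user type, validity window, requested login among the principals). The public key, nonce, signature and timestamps are constructed placeholders, so the block shows the structure and the checks, not signature verification.

```python
"""Build and parse an OpenSSH user certificate (ssh-rsa-cert-v01@openssh.com).

Added example, not from the slides or from Teleport. Key material, nonce and
signature are constructed placeholders; only the certificate body is real.
"""
import json
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # OpenSSH: 1 = user certificate, 2 = host certificate


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (extra 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _string(raw)


def _option_list(opts: dict) -> bytes:
    """Critical options / extensions: (string name, string data) pairs in one string.

    Flag extensions such as permit-pty carry empty data; valued ones such as
    teleport-roles carry their value wrapped in a further string.
    """
    body = b""
    for name, value in opts.items():
        data = _string(value.encode()) if value is not None else b""
        body += _string(name.encode()) + _string(data)
    return _string(body)


def build_cert(key_id, principals, valid_after, valid_before, extensions,
               critical_options=None, serial=1) -> bytes:
    """Encode a user certificate; key, nonce and signature are constructed placeholders."""
    return (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                # nonce (placeholder)
        + _mpint(65537)                        # RSA e (placeholder)
        + _mpint(1 << 2047 | 1)                # RSA n (placeholder, not a real key)
        + struct.pack(">Q", serial)
        + struct.pack(">I", SSH_CERT_TYPE_USER)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _option_list(critical_options or {})
        + _option_list(extensions)
        + _string(b"")                         # reserved
        + _string(b"placeholder-ca-key")       # signature key (placeholder)
        + _string(b"placeholder-signature")    # signature (placeholder)
    )


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v

    def strings(self) -> list:
        """A string that itself holds a sequence of strings (the principals list)."""
        inner, out = _Reader(self.string()), []
        while inner.pos < len(inner.data):
            out.append(inner.string().decode())
        return out

    def options(self) -> dict:
        """(name, data) pairs; a flag maps to None, a valued option to its string."""
        inner, out = _Reader(self.string()), {}
        while inner.pos < len(inner.data):
            name, data = inner.string().decode(), inner.string()
            out[name] = _Reader(data).string().decode() if data else None
        return out


def parse_cert(blob: bytes) -> dict:
    """Decode the certificate body into the fields the slide's parser displays."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    for _ in range(3):          # nonce, e, n: not needed for the policy checks
        r.string()
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode(),
            "principals": r.strings(), "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": r.options(), "extensions": r.options()}
    r.string()                  # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def check_cert(cert: dict, login: str, now: int) -> tuple:
    """Checks a server applies after signature verification: type, window, principal."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    if login not in cert["principals"]:
        return False, f"login {login!r} not among principals {cert['principals']}"
    return True, "ok"


def teleport_roles(cert: dict) -> list:
    """Decode the teleport-roles extension shown on the slide."""
    raw = cert["extensions"].get("teleport-roles")
    return json.loads(raw)["roles"] if raw else []


# Constructed sample mirroring the slide: key ID "demo", principals root,knisbet,
# a one-hour window starting at epoch 1_000_000_000 (arbitrary constructed time).
SAMPLE_CERT = build_cert(
    key_id="demo", principals=["root", "knisbet"],
    valid_after=1_000_000_000, valid_before=1_000_003_600,
    extensions={"permit-agent-forwarding": None, "permit-port-forwarding": None,
                "permit-pty": None,
                "teleport-roles": json.dumps({"version": "v1", "roles": ["admin"]})},
)

if __name__ == "__main__":
    cert = parse_cert(SAMPLE_CERT)
    print(cert["key_id"], cert["principals"], teleport_roles(cert))
    print(check_cert(cert, "knisbet", now=1_000_001_000))
    print(check_cert(cert, "knisbet", now=1_000_004_000))
```

The window check is the property the slide title is about: once valid_before has passed, the certificate is useless to whoever holds it, with no revocation step required, and the principals list bounds which logins it can be used for even while it is valid.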
WHY CERTIFICATES?
• Ever?
• Lost a backup?
• Run untrusted Software?
• Rotated keys?
• Sent the private key instead of the public?
source: https://www.gagcartoons.com/cartoons/305/
• FreeBSD packaging servers hacked
• http://www.infosecisland.com/blogview/22766-FreeBSD-Servers-Hacked-Lessons-on-SSH-Public-Key-Authentication.html
• Malware & Hackers collect ssh keys
• https://www.ssh.com/malware/
• Active attacks using stolen SSH keys (2008)
• https://isc.sans.edu/forums/diary/Active+attacks+using+stolen+SSH+keys+UPDATED/4937/
• New Attacker Scanning for SSH Private Keys on Websites
• https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/
• CIA malware can steal SSH Credentials
• https://www.bleepingcomputer.com/news/security/cia-malware-can-steal-ssh-credentials-session-traffic/
• Large Database of Device Certificates, SSH keys published
• https://www.pindrop.com/blog/large-database-of-device-certificates-ssh-keys-published/
• Learning from the Expedia Heist
• https://medium.com/starting-up-security/learning-from-the-expedia-heist-6cf8a0069ce0
• New ‘MASK’ APT Campaign called most sophisticated yet
• https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148/
• Multi-billion dollar defence firm fails to protect private SSH keys
• https://www.appviewx.com/multi-billion-dollar-defense-firm-fails-protect-private-ssh-keys/
• The default OpenSSH key encryption is worse than plaintext
• https://latacora.singles/2018/08/03/the-default-openssh.html
TSH LS
• List all the servers in your infrastructure
• New servers join the cluster, old ones leave
• Labels
• Automatically update as infra changes
TSH SSH
• SSH to the Node
• Or the Label(s)
• Automatic Bastions
• Auditable
• and SCP
SESSION RECORDING
• Record what happens in production
• Proxy
• Endpoint
ARCHITECTURE
KUBERNETES INTEGRATION
• Short lived certificates
• Multi-factor authentication
• Audit all k8s actions
• Session recording
• Currently Alpha
QUESTIONS
More Information
https://gravitational.com/teleport
https://github.com/gravitational/teleport
We’re Hiring
https://github.com/gravitational/careers
jobs@gravitational.com

DevOpsTO meetup 2018-08