Bastion jump hosts with Teleport
0 likes2,074 views
The document discusses the implementation of a teleport bastion host for secure access between different security zones, focusing on IoT security and SSH management. It outlines the process of deploying a teleport solution in customer environments using Raspberry Pi devices, facilitating secure remote connections without exposing ports directly to the internet. Additionally, it covers integration with tools like Ansible and features such as session recording and RBAC for compliance and security purposes.
![WHO NEEDS ANOTHER SSHD?
WHY BOTHER USING TELEPORT?
▸ ssh CA out of the box, compatible with OpenSSHd
▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam
▸ ssh through-the-web out of the box
▸ Compliance Officer's dream: session recording jumphost.
▸ …and with "session_recording: proxy" it can do this for
legacy sshd implementations too! [caveat: Security Officer]
▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e
▸ $paid_editions feature include RBAC, LDAP/SASL integration](https://image.slidesharecdn.com/netmcr20180111-190624220654/85/Bastion-jump-hosts-with-Teleport-15-320.jpg)
Bastion jump hosts with Teleport
- 2. A BASTION IS A STRUCTURE PROJECTING OUTWARD FROM THE CURTAIN WALL OF A FORTIFICATION "Bastion" — Wikipedia, 2018-01-10 DEFINITION
- 3. HARDENED AND MONITORED DEVICE THAT SPANS TWO DISSIMILAR SECURITY ZONES AND PROVIDES A CONTROLLED MEANS OF ACCESS BETWEEN THEM "Jump Server" — Wikipedia, 2018-01-10 DEFINITION
- 4. SZILAS, PUBLIC DOMAIN, VIA WIKIMEDIA COMMONS
- 5. IOT SECURITY (NETMCR #11) @kooky_uk Tim Bray SHOUT OUT #1
- 6. SSH CERTIFICATES (NETMCR #13) @TimJDFletcher Tim Fletcher SHOUT OUT #2
- 7. IOT SECURITY WITH PI.PE (NETMCR #17) @steely_glint Tim Panton SHOUT OUT #3
- 8. RIPE ATLAS PROBE SECURITY (AQL IOT ROUNDTABLE) @kistel Robert Kisteleki SHOUT OUT #4
- 9. WHY WAS I LOOKING AT THESE PROBLEMS? THE TASK AT HAND ▸ Customers with "Internet access is slow". ▸ At first it seemed that NNI was in common… ▸ Then it seemed that last-mile provider was in common… ▸ Then we thought it might be web filtering solution… ▸ Is it carrier network congestion/loss… not that either… ▸ We need to test this from within the customer network!
- 10. WHY WAS I LOOKING AT THESE PROBLEMS? THE TASK AT HAND ▸ Put some probe devices in some customer networks ▸ …to be able to "ssh" into them, run measurements. ▸ Don't want customers to have to open ports on routers. ▸ Some sort of NAT-piercing required. ▸ Security is vital: ▸ Don't want probe to be an attack vector into customer. ▸ Team of staff need access.
- 11. STANDING ON THE SHOULDERS OF GIANTS RIPE ATLAS ▸ Plug it in, gets address/DNS by DHCP ▸ Connects to RIPE bastion hosts using ssh (with provisioning) ▸ Creates tunnels to itself for telemetry, read all about it: ▸ https://www.uknof.org.uk/uknof18/Kisteleki-Atlas.pdf ▸ Security rep is pretty good, e.g. ▸ https://www.mdsec.co.uk/2015/09/an-introduction-to- hardware-hacking-the-ripe-atlas-probe/
- 12. STANDING ON THE SHOULDERS OF GIANTS SSH BASTION HOSTS, WITH SSH CA ▸ The big players are doing it: ▸ https://code.facebook.com/posts/365787980419535/ scalable-and-secure-access-with-ssh/ ▸ https://github.com/Netflix/bless ▸ How to apply this pattern to our "IoT" probe project?
- 13. A LONGER TALK, MAYBE AT UKNOF, WILL HAVE MORE INFORMATION… THE SOLUTION ▸ Ansible script #1: ▸ Deploys Teleport on a VM (or cluster for HA) ▸ Ansible script #2: ▸ Installs Teleport on a Raspberry Pi ▸ Preconfigures Teleport (outbound connection to bastion host) ▸ Bunch of Raspberry Pi / case / SD card combos ▸ Ship to customers with instructions about placement ▸ Within few days of shipping: RCA = vendor firewall config issue
- 14. TELEPORT USING
- 15. WHO NEEDS ANOTHER SSHD? WHY BOTHER USING TELEPORT? ▸ ssh CA out of the box, compatible with OpenSSHd ▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam ▸ ssh through-the-web out of the box ▸ Compliance Officer's dream: session recording jumphost. ▸ …and with "session_recording: proxy" it can do this for legacy sshd implementations too! [caveat: Security Officer] ▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e ▸ $paid_editions feature include RBAC, LDAP/SASL integration
- 16. cluster of stuff
- 19. tsh login --proxy teleport.example.com --user networkmoose ssh-key -A LOGGING IN
- 20. tsh login --proxy teleport.example.com --user networkmoose ssh-key -A LOGGING IN THE BASTION HOST
- 21. tsh ssh root@example.com -L 8080:localhost:80 ssh LOGGING IN
- 23. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding.
- 24. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT
- 25. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT AUTOMATION
- 26. SSH FEATURES BAKED IN ON THE COMMAND-LINE ▸ Remote VM doesn't have ssh open to Internet. ▸ All access is going via tsh.fulcrm.org bastion. ▸ Can do port-forwarding. PROBABLY WANT A SCRIPT AUTOMATION PLAYS NICELY WITH ANSIBLE (RTFM)
- 27. THE JESUS AND SSH-KEYCHAIN MIX AND MATCH OPENSSHD AND TELEPORT ▸ Host blah.example.com User salt Port 3022 ProxyCommand ssh -p 3023 %r@teleport.example.com -s proxy:%h:%p ▸ ln -snf /usr/local/bin/tsh /usr/bin/ssh ln -snf /usr/local/bin/tsh /usr/bin/scp ▸ …while using Ansible? ▸ scp_if_ssh = True
- 28. THE JESUS AND SSH-KEYCHAIN TELEPORT AS CA FOR OPENSSHD ▸ tctl auth sign --host=yourhost.example.com --format=openssh ▸ HostKey /etc/ssh/ca_ssh_host_rsa_key HostCertificate /etc/ssh/ca_ssh_host_rsa_key.pub ▸ You might have to… ▸ tsh login --compat=oldssh --proxy=teleport.example.com ▸ tsh ssh -p 22 root@yourhost.example.com
- 29. LABEL YOUR NODES (MASS COMMANDS)
- 34. you! proxy auth node client (tsh or https)
- 35. you! proxy auth node client (tsh or https) all-in-one
- 36. you! proxy auth node client (tsh or https) bastion node(s)
- 37. you! proxy auth node client (tsh or https) all separated
- 38. you! proxynode client (tsh or https) RBAC ("enterprise") auth LDAP SAML etc
- 39. you! proxies auth node client (tsh or https) HA auth etcd / dynamodb load bal
- 40. you! auth + proxy & trusted cluster auth node trusting cluster client (tsh or https) bastionanother node
- 42. READ THE FINE MANUAL, MAKE A PLAYBOOK OR SALT STATE, DONE. INSTALLATION ▸ Download binary, run installer (or compile your own) ▸ examples directory has systemd service file ▸ Create a user, let them login as root on any nodes: ▸ tctl users add marek root,postgres,www-data,… ▸ Follow enrolment link, set password, scan the QR code
- 43. ENROLMENT PROCESS YOUR FIRST USER
- 44. ENROLMENT PROCESS YOUR FIRST USER ▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
- 45. ENROLMENT PROCESS YOUR FIRST USER ▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
- 47. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS
- 48. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS ▸ Static labels from config
- 49. GETTING DEEPER MORE CONFIGURATION ▸ Limit your ciphersuites ▸ TLS cert for HTTPS ▸ Static labels from config ▸ Dynamic values from running commands periodically
- 50. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 51. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 52. GETTING DEEPER POOR MAN'S ORCHESTRATION tsh ssh root@debian=8.7
- 53. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 54. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 55. GETTING DEEPER POOR MAN'S ORCHESTRATION
- 56. THANKS FOR LISTENING! ANY QUESTIONS? e: marek@faelix.net t: @maznu w: https://faelix.net/ https://faelix.link/netmcr19