Tatu
SSH as a Service
for OpenStack
February 2018
Some problems with SSH in OpenStack
1. MITM vulnerability on first connection.
2. No automated way to revoke user access.
3. Need a FloatingIP per instance (or manage bastions).
Problem 1: MITM vulnerability
ECDSA key fingerprint is
.
Are you sure you want to continue connecting (yes/no)?
Does anyone check the fingerprint?
How would we anyway? We don’t have password access.
Problem 2: Public key management
OpenStack writes the user public key to the instance’s
authorized_keys file.
It’s definitely better than password authentication.
But how do multiple users access the instance?
● Share the private key?
● Add more keys to authorized_keys file... but who cleans up?
Problem 3: FloatingIP per instance
- Wastes FloatingIP addresses.
- Avoid waste by using some instances as bastions.
● Who manages the bastions and how?
- Or you could SSH over IPv6.
● IPv6 readiness on client and server side?
Solution: SSH Certificates
● Available since OpenSSH 5.4
● For both Users and Hosts
● SSH client trusts the Certificate Authority, not the host.
● Similarly, SSH host trusts the CA, not the user.
SSH with Certificates
Host CA (Green) vouches for hosts.
User CA (Red) vouches for users.
SSH User side:
● /home/user/.ssh/key.pub
● /home/user/.ssh/key
● /home/user/.ssh/key-cert.pub (signed by the User CA)
● /home/user/.ssh/known_hosts: "I trust hosts that the Green CA vouches for."
SSH Host side:
● /etc/ssh/rsa_key.pub
● /etc/ssh/rsa_key
● /etc/ssh/rsa_key-cert.pub (signed by the Host CA; sshd_config HostCertificate)
● /etc/ssh/ca_user.pub (sshd_config TrustedUserCAKeys): "I trust users that the Red CA vouches for."
Ok, so what’s Tatu?
● SSH as a Service, named after the author of SSH
● Introduces SSH Certificates to OpenStack
● OpenStack CLI and Horizon panels for users to:
○ Copy the Host CA public key to known_hosts file
○ Generate new certificates
○ Revoke old certificates
● Automates the SSH setup on instances
○ Using Nova (dynamic and static) vendor data + cloud-init.
● Manages SSH bastions and DNS for ease of use
● Integrates with Barbican, Designate, Keystone, Nova...
User certificate generation
Components: Tatu, Barbican, OpenStack DB (MySQL), Keystone.
1) User to Tatu: Please sign my public key?
2) Tatu fetches the project's User CA private key from Barbican.
3) Tatu fetches the user's roles in the project from Keystone.
4) Tatu stores the user and certificate metadata in the OpenStack DB (MySQL).
5) Tatu runs ssh-keygen in a temporary directory.
6) Customer served!
User certificate details
# ssh-keygen -Lf ~/.ssh/key22-cert.pub
/root/.ssh/key22-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:ZDsaPxjKHlBo6BWf3R0OKokrNU+T3TDy8MU5v1YOJAY
Signing CA: RSA SHA256:LQ5ikXe8LybhCFiuWGuiVqagSIyy2eiYpRhhu9lWnfw
Key ID: "testID"
Serial: 22
Valid: from 2018-02-08T18:01:56 to 2019-02-09T18:01:56
Principals:
admin
root
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
In-progress: set principals by querying Keystone for user’s roles in project.
Done: use serial numbers for certificate revocation.
In-progress: set the Key ID to the user’s name.
New instance (host) certificate generation
Components: Nova, MetaData Proxy, Tatu, Barbican, OpenStack DB (MySQL), Keystone, Dragonflow, Designate.
1) Nova to Tatu: Dynamic vendor data, please?
2) Tatu fetches all the roles in the project from Keystone.
3) Tatu reserves ports for the PAT bastion in Dragonflow.
4) Tatu creates type SRV DNS records in Designate.
5) Tatu stores host metadata in the OpenStack DB.
6) Served! The vendor data reaches the instance through its ConfigDrive:
   - SSH setup scripts
   - One-time Password
   - User CA public key
   - User account names
7) Instance, via the MetaData Proxy, to Tatu: Please sign my public key?
8) Tatu fetches the project's Host CA private key from Barbican, then signs.
9) Tatu stores certificate metadata in the OpenStack DB.
10) Served!
Instance periodically fetches CRL (cron job)
Components: Tatu, OpenStack DB (MySQL), MetaData Proxy (Barbican, Keystone, Dragonflow and Designate are not involved in this flow).
1) User to Tatu: Please revoke certificates with serial numbers X, Y...
2) Tatu stores the revoked serial numbers per project in the OpenStack DB.
3) Instance, via the MetaData Proxy, to Tatu: I need the latest CRL!
4) Tatu fetches all the revoked user serial numbers for the project from the DB.
5) Served!
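The slides "User certificate details" and "Instance periodically fetches CRL" show what a signed user certificate carries (serial, Key ID, principals, validity window, extensions) and that Tatu revokes by serial number. The following added example (not Tatu's or OpenSSH's code) serializes and parses the ssh-rsa-cert-v01@openssh.com wire format and then applies the checks an sshd configured with TrustedUserCAKeys performs after the CA signature verifies: revocation by serial, validity window and principal match. The CA signature itself is neither computed nor verified here; labelled placeholder bytes sit in the signature fields, and the RSA e/n values are constructed, non-functional numbers.

```python
"""OpenSSH user certificate wire format plus the post-signature checks sshd applies.
Added example, not Tatu's code: signature fields hold placeholders, e/n are constructed."""
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1          # host certificates use 2


def _string(b: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint' for a positive integer (leading 0x00 when the high bit is set)."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _pairs(items: dict) -> bytes:
    """Critical options / extensions: (string name, string data) pairs in lexical order.
    Flags such as permit-pty carry empty data; valued options wrap a string."""
    out = b""
    for name in sorted(items):
        data = items[name]
        out += _string(name.encode()) + _string(_string(data.encode()) if data else b"")
    return out


def build_user_cert(serial, key_id, principals, valid_after, valid_before,
                    extensions=("permit-pty",), critical_options=None,
                    e=65537, n=0xC0DEC0DEC0DEC0DE0001):
    """Serialize a user certificate (e/n: constructed, non-functional RSA key)."""
    body = (_string(CERT_TYPE)
            + _string(b"\x00" * 32)                    # nonce (constructed)
            + _mpint(e) + _mpint(n)
            + struct.pack(">Q", serial) + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(_pairs(critical_options or {}))
            + _string(_pairs({x: "" for x in extensions}))
            + _string(b"")                             # reserved
            + _string(b"CA-PUBLIC-KEY-PLACEHOLDER"))   # signature key (placeholder)
    return body + _string(b"SIGNATURE-PLACEHOLDER")    # CA signature over body (placeholder)


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4; return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos); self.pos += 8; return v

    def string(self):
        n = self.u32(); v = self.data[self.pos:self.pos + n]; self.pos += n; return v

    def done(self):
        return self.pos >= len(self.data)


def _unpack_pairs(blob: bytes) -> dict:
    r, out = _Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def parse_cert(blob: bytes) -> dict:
    """Decode the fields that ssh-keygen -L prints (serial, key ID, principals, ...)."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string()                              # nonce
    r.string(); r.string()                  # e, n of the certified key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    pr, cert["principals"] = _Reader(r.string()), []
    while not pr.done():
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"] = _unpack_pairs(r.string())
    cert["extensions"] = _unpack_pairs(r.string())
    r.string()                              # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def check_user_cert(cert: dict, now: int, login_user: str, revoked_serials) -> str:
    """Checks sshd applies once the CA signature has verified (assumed here):
    certificate type, revocation by serial (Tatu's per-project CRL), validity, principal."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return "not a user certificate"
    if cert["serial"] in revoked_serials:
        return f"serial {cert['serial']} revoked"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return "expired or not yet valid"
    if login_user not in cert["principals"]:
        return f"{login_user} not among principals"
    return "ok"
```

The validity test is half-open (valid_after inclusive, valid_before exclusive), matching sshd, and the revocation set is exactly what the CRL flow above distributes: serial numbers, so a certificate stays revoked even if its principals or key ID are reissued later.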
PAT (port address translation) bastions
● Real bastion VMs are better (planned for a future Tatu release).
● But PAT already allows us to avoid FloatingIP-per-instance.
● Like load-balancing: each VM is the single backend/target for a single port on a few (for redundancy) load-balancers.
● Currently only works with Dragonflow (TODO: use LBaaS API).
Diagram: users A, B and C reach instances robin, goat and hamster through two PAT bastions, PAT 1 (172.24.4.11) and PAT 2 (172.24.4.28); each instance owns one port on each bastion (ports 50, 51, 52 and 42, 43, 44).
Integration with Designate
● Users shouldn’t have to remember bastion or instance IP addresses.
● They should just SSH to a URL composed of instance and project names.
● In the case of PAT bastions, we look up SRV records rather than A records.
### tatu/scripts/srvssh -i ~/.ssh/key root@goat.666a812a.tatuPAT.com.
srv: '_ssh._tcp.goat.666a812a.tatuPAT.com has SRV record 10 50 52 bastion-172-24-4-11.tatuPAT.com.'
srv: 'bastion-172-24-4-11.tatuPAT.com has address 172.24.4.11'
After SRV lookup -- HOST: 172.24.4.11 PORT: 52
/usr/bin/ssh -v -i /root/.ssh/key22 -p 52 root@172.24.4.11
In the example, the instance name is ‘goat’; project ID prefix is ‘666a812a’;
srvssh is a wrapper script that resolves the SRV record and then calls ssh.
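The two slides above describe one mechanism from both ends: Tatu reserves a port per instance on each PAT bastion and publishes SRV records, and the srvssh wrapper resolves those records before calling ssh. The following added example (not Tatu's code) models both sides in one place. The bastions, instances and DNS zone are constructed inline; where Tatu would program Dragonflow and Designate, this code only fills dictionaries. It also shows what the background daemon's "host deletion" event must undo, and how a client fails over when one bastion's records disappear.

```python
"""PAT bastion port allocation (server side) and SRV-based resolution (client side).
Added example, not Tatu's code; bastions, instances and DNS data are constructed."""
import random
from dataclasses import dataclass, field

DOMAIN = "tatuPAT.com"


@dataclass(order=True)
class SrvRecord:                       # RFC 2782 rdata: priority weight port target
    priority: int
    weight: int
    port: int
    target: str


def bastion_fqdn(address: str) -> str:
    """172.24.4.11 -> bastion-172-24-4-11.tatuPAT.com. (naming as on the slide)."""
    return f"bastion-{address.replace('.', '-')}.{DOMAIN}."


@dataclass
class PatBastion:
    name: str
    address: str
    next_port: int                                  # first free port (constructed)
    ports: dict = field(default_factory=dict)       # port -> instance name


class PatAllocator:
    """Each VM is the single target of one port on every PAT bastion (redundancy)."""

    def __init__(self, bastions):
        self.bastions = list(bastions)

    def allocate(self, instance: str) -> dict:
        """Reserve one fresh port per bastion; returns {bastion address: port}."""
        assigned = {}
        for b in self.bastions:
            port, b.next_port = b.next_port, b.next_port + 1
            b.ports[port] = instance
            assigned[b.address] = port
        return assigned

    def release(self, instance: str) -> int:
        """Host deletion: drop the instance's port entries; returns how many were freed."""
        freed = 0
        for b in self.bastions:
            for port in [p for p, i in b.ports.items() if i == instance]:
                del b.ports[port]
                freed += 1
        return freed

    def srv_records(self, instance: str, project_prefix: str):
        """SRV name and rdata set for an instance. Earlier bastions get a lower
        (preferred) priority, so clients use the next one only when it is absent."""
        name = f"_ssh._tcp.{instance}.{project_prefix}.{DOMAIN}."
        recs = [SrvRecord(prio, 50, port, bastion_fqdn(b.address))
                for prio, b in enumerate(self.bastions, start=10)
                for port, inst in b.ports.items() if inst == instance]
        return name, recs

    def a_records(self) -> dict:
        """A records for the bastions themselves (target name -> address)."""
        return {bastion_fqdn(b.address): b.address for b in self.bastions}


def publish_zone(allocator: PatAllocator, instances, project_prefix: str) -> dict:
    """Stand-in for Designate: SRV name -> record set for every instance."""
    return dict(allocator.srv_records(i, project_prefix) for i in instances)


def select_srv(records, rng=None) -> SrvRecord:
    """RFC 2782 target selection: lowest priority wins; ties are weighted-random."""
    if not records:
        raise LookupError("no SRV records")
    rng = rng or random.Random(0)
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    if sum(r.weight for r in candidates) == 0:
        return candidates[0]
    return rng.choices(candidates, weights=[r.weight for r in candidates])[0]


def srvssh(spec: str, zone: dict, a_records: dict, identity="~/.ssh/key", rng=None):
    """Model of the srvssh wrapper: user@instance.project.tatuPAT.com. -> ssh argv."""
    user, _, host = spec.partition("@")
    rec = select_srv(zone.get(f"_ssh._tcp.{host.rstrip('.')}.", []), rng)
    return ["ssh", "-i", identity, "-p", str(rec.port), f"{user}@{a_records[rec.target]}"]
```

Because every instance is published under its own SRV name with one record per bastion, a user never needs the bastion address or port; the only thing they must keep in known_hosts is the @cert-authority line for the project's Host CA, which is what makes the hop through an arbitrary bastion port safe against the first-connection MITM problem.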
Successful use of certificates looks like...
/usr/bin/ssh -v -i /root/.ssh/key22 -p 52 root@172.24.4.11
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
...
debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:tobg2ZPvX45OpqQh9dHlRiZxkg9Vmv6gUQaV1T9dyss, serial 0 ID "testID" CA ssh-rsa SHA256:qS95+uo3KEzwxyrihHfe4NWqKTUX64bRSfCWuG5i5RM valid from 2018-02-07T18:26:19 to 2019-02-08T18:26:19
debug1: Host '[172.24.4.11]:52' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in /root/.ssh/known_hosts:1
...
debug1: Offering RSA public key: /root/.ssh/key22
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering RSA-CERT public key: /root/.ssh/key22-cert
debug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 1095
Annotations on the log above:
● "Host '[172.24.4.11]:52' is known and matches the RSA-CERT host certificate": client accepted host cert.
● "Offering RSA public key ... Authentications that can continue": server rejected the user's public key since it's not in the authorized_keys file.
● "Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com": host accepted user cert.
In the background...
A Tatu daemon reacts to these oslo event notifications:
● Project creation: create new CA key pairs.
● User deletion: revoke all the user’s certificates.
● Host deletion: clean up PAT port entries in Dragonflow
and DNS entries in Designate.
Recap of some details...
● Each OpenStack project has separate user and host CA.
● CA private keys are stored in Barbican.
● Tatu does not see user/host private keys.
○ Later we’ll consider generating high-quality private keys as an RFE.
● Puts a one-time password in the instance’s ConfigDrive;
the instance uses it in its certificate generation request.
● Instance runs a cron job to periodically fetch the CRL.
● User accounts on instance correspond to Keystone roles.
Summary: OpenStack’s current user experience
● Generate SSH key pair (locally with ssh-keygen)
● Upload public key to OpenStack
● Launch VM - include key pair and assign Floating IP (or manage bastion)
● SSH into VM
○ ECDSA key fingerprint is
. Are you sure you want to continue connecting (yes/no)?
○ How do I verify the fingerprint? I’ll just cross my fingers.
● When multiple colleagues want access to the same VMs, share private keys or add public keys to the authorized_keys file.
● When colleagues leave, wait weeks or months before getting around to removing their public keys or re-generating/rotating shared keys.
Summary: SSH user experience with Tatu
● Generate SSH key pair (locally with ssh-keygen)
● Get your key signed by your project’s CA
○ /home/pino/.ssh/key-cert.pub
● Put the CA’s host public key in the known_hosts file
○ @cert-authority <domain> ssh-rsa AAAAB3NzaC
● Launch VM without key pair and without Floating IP.
● SSH into VM via automatically assigned PAT IP+port and without MITM risk.
● Colleagues automatically have access without sharing keys.
● Access can be revoked with a click and is automatically revoked if the user is
deleted.
Reference commands
● host -t SRV _ssh._tcp.<hostname>.<project_id>.tatuPAT.com. localhost
● dig @localhost -t SRV _ssh._tcp.fox.666a812a.tatuPAT.com.
● /opt/stack/tatu/scripts/srvssh -i ~/.ssh/key root@fox.666a812a.tatuPAT.com.
● ssh -i ~/.ssh/key -p 40 root@172.24.4.11
● openstack sshca show -f value -c 'Host Public Key' <project_id>
● echo '@cert-authority *' `openstack sshca show -f value -c 'Host Public Key' 666a812a-3dd4-4a64-9855-2b8617813001` > /root/.ssh/known_hosts
● openstack usercert create -f value -c Certificate "`cat .ssh/key14.pub`" > .ssh/key14-cert.pub
● openstack usercert revoke <serial number>
Project Status
● Tatu code in OpenStack Github/Gerrit since early February.
● Tatu-dashboard in OpenStack Gerrit since Feb. 20.
● python-tatuclient not imported yet (as of Feb. 23)
● Demo-quality code - needs cleanup and hardening!
● Needs automated testing, installers, and more.
● In progress:
○ Devstack scripts
○ User accounts created for Keystone roles
● Outreach started in February. Looking for contributors and users!!!
Future work
● Bastion VM management
● Centralized SSH audit logs
● Use Uber’s PAM module to validate existing SSH sessions
○ https://github.com/uber/pam-ussh
● Rotation of CA keys
● Rotation of host certificates
● Ansible installer (and Kolla!)
Ideas are welcome!
Resources
● https://github.com/openstack/tatu
● https://github.com/openstack/tatu-dashboard
● https://github.com/pinodeca/python-tatuclient
● https://launchpad.net/tatu
Demo Video: https://youtu.be/y6ICCPO08d8
IRC: #openstack-tatu on freenode.net
Thanks!
pino.decandia at huawei dot com
giuseppe.decandia at gmail dot com
@pino_deca on Twitter
