Post on 11-Mar-2021
TELEPORTBASTION JUMP-HOSTS WITH
https://faelix.link/netmcr19 — 5Mb
A BASTION IS A STRUCTURE PROJECTING OUTWARD FROM THE
CURTAIN WALL OF A FORTIFICATION
"Bastion" — Wikipedia, 2018-01-10
DEFINITION
HARDENED AND MONITORED DEVICE THAT SPANS TWO DISSIMILAR SECURITY ZONES AND PROVIDES A CONTROLLED MEANS OF ACCESS BETWEEN THEM
"Jump Server" — Wikipedia, 2018-01-10
DEFINITION
SZILAS, PUBLIC DOMAIN, VIA WIKIMEDIA COMMONS
IOT SECURITY
(NETMCR #11)
@kooky_uk Tim Bray
SHOUT OUT #1
SSH CERTIFICATES
(NETMCR #13)
@TimJDFletcher Tim Fletcher
SHOUT OUT #2
IOT SECURITY WITH PI.PE
(NETMCR #17)
@steely_glint Tim Panton
SHOUT OUT #3
RIPE ATLAS PROBE SECURITY
(AQL IOT ROUNDTABLE)
@kistel Robert Kisteleki
SHOUT OUT #4
WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Customers with "Internet access is slow".
▸ At first it seemed that NNI was in common…
▸ Then it seemed that last-mile provider was in common…
▸ Then we thought it might be web filtering solution…
▸ Is it carrier network congestion/loss… not that either…
▸ We need to test this from within the customer network!
WHY WAS I LOOKING AT THESE PROBLEMS?
THE TASK AT HAND
▸ Put some probe devices in some customer networks
▸ …to be able to "ssh" into them, run measurements.
▸ Don't want customers to have to open ports on routers.
▸ Some sort of NAT-piercing required.
▸ Security is vital:
▸ Don't want probe to be an attack vector into customer.
▸ Team of staff need access.
STANDING ON THE SHOULDERS OF GIANTS
RIPE ATLAS
▸ Plug it in, gets address/DNS by DHCP
▸ Connects to RIPE bastion hosts using ssh (with provisioning)
▸ Creates tunnels to itself for telemetry, read all about it:
▸ https://www.uknof.org.uk/uknof18/Kisteleki-Atlas.pdf
▸ Security rep is pretty good, e.g.
▸ https://www.mdsec.co.uk/2015/09/an-introduction-to-hardware-hacking-the-ripe-atlas-probe/
STANDING ON THE SHOULDERS OF GIANTS
SSH BASTION HOSTS, WITH SSH CA
▸ The big players are doing it:
▸ https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
▸ https://github.com/Netflix/bless
▸ How to apply this pattern to our "IoT" probe project?
A LONGER TALK, MAYBE AT UKNOF, WILL HAVE MORE INFORMATION…
THE SOLUTION
▸ Ansible script #1:
▸ Deploys Teleport on a VM (or cluster for HA)
▸ Ansible script #2:
▸ Installs Teleport on a Raspberry Pi
▸ Preconfigures Teleport (outbound connection to bastion host)
▸ Bunch of Raspberry Pi / case / SD card combos
▸ Ship to customers with instructions about placement
▸ Within few days of shipping: RCA = vendor firewall config issue
TELEPORTUSING
WHO NEEDS ANOTHER SSHD?
WHY BOTHER USING TELEPORT?
▸ ssh CA out of the box, compatible with OpenSSHd
▸ 2FA out of the box (TOTP or U2F), no google_authenticator.pam
▸ ssh through-the-web out of the box
▸ Compliance Officer's dream: session recording jumphost.
▸ …and with "session_recording: proxy" it can do this for legacy sshd implementations too! [caveat: Security Officer]
▸ Free OSS < $aa$_startup_pricing_model < enterpri$$$e
▸ $paid_editions feature include RBAC, LDAP/SASL integration
clusterof stuff
teleportbastion
clusterof stuff
you!
teleportbastion
clusterof stuff
tsh login --proxy teleport.example.com --user networkmoose
ssh-key -A
LOGGING IN
tsh login --proxy teleport.example.com --user networkmoose
ssh-key -A
LOGGING IN THE BASTION HOST
tsh ssh root@example.com -L 8080:localhost:80
ssh
LOGGING IN
SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to Internet.
▸ All access is going via tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to Internet.
▸ All access is going via tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
PROBABLY WANT A SCRIPT
SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to Internet.
▸ All access is going via tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
PROBABLY WANT A SCRIPTAUTOMATION
SSH FEATURES BAKED IN
ON THE COMMAND-LINE
▸ Remote VM doesn't have ssh open to Internet.
▸ All access is going via tsh.fulcrm.org bastion.
▸ Can do port-forwarding.
PROBABLY WANT A SCRIPTAUTOMATION
PLAYS NICELY WITH ANSIBLE (RTFM)
THE JESUS AND SSH-KEYCHAIN
MIX AND MATCH OPENSSHD AND TELEPORT
▸ Host blah.example.com User salt Port 3022 ProxyCommand ssh -p 3023 %r@teleport.example.com -s proxy:%h:%p
▸ ln -snf /usr/local/bin/tsh /usr/bin/ssh ln -snf /usr/local/bin/tsh /usr/bin/scp
▸ …while using Ansible?
▸ scp_if_ssh = True
THE JESUS AND SSH-KEYCHAIN
TELEPORT AS CA FOR OPENSSHD
▸ tctl auth sign --host=yourhost.example.com --format=openssh
▸ HostKey /etc/ssh/ca_ssh_host_rsa_keyHostCertificate /etc/ssh/ca_ssh_host_rsa_key.pub
▸ You might have to…
▸ tsh login --compat=oldssh --proxy=teleport.example.com
▸ tsh ssh -p 22 root@yourhost.example.com
LABEL YOUR NODES (MASS COMMANDS)
SEE PREVIOUS SESSIONS
"TWITCH FOR TERMINALS"
CO-OPERATIVE MULTIPLAYER MODE!
TELEPORTUNDERSTANDING
you!
proxy
auth
node client(tsh or https)
you!
proxy
auth
node client(tsh or https)
all-in-one
you!
proxy
auth
node client(tsh or https)
bastion
node(s)
you!
proxy
auth
node client(tsh or https)
allseparated
you!
proxynode client(tsh or https)
RBAC("enterprise")
auth
LDAPSAML
etc
you!proxies
auth
node client(tsh or https)
HA auth
etcd /dynamodb
load bal
you!
auth + proxy& trusted cluster
auth
nodetrusting cluster
client(tsh or https)
bastionanother node
TELEPORTADMINISTERING
READ THE FINE MANUAL, MAKE A PLAYBOOK OR SALT STATE, DONE.
INSTALLATION
▸ Download binary, run installer (or compile your own)
▸ examples directory has systemd service file
▸ Create a user, let them login as root on any nodes:
▸ tctl users add marek root,postgres,www-data,…
▸ Follow enrolment link, set password, scan the QR code
ENROLMENT PROCESS
YOUR FIRST USER
ENROLMENT PROCESS
YOUR FIRST USER
▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
ENROLMENT PROCESS
YOUR FIRST USER
▸ "netmcr" in teleport can now login on nodes as local "totallyunprivilegeduser"
GOT ROOT?
"WE'RE IN!"
GETTING DEEPER
MORE CONFIGURATION
▸ Limit your ciphersuites
▸ TLS cert for HTTPS
GETTING DEEPER
MORE CONFIGURATION
▸ Limit your ciphersuites
▸ TLS cert for HTTPS
▸ Static labels from config
GETTING DEEPER
MORE CONFIGURATION
▸ Limit your ciphersuites
▸ TLS cert for HTTPS
▸ Static labels from config
▸ Dynamic values from running commands periodically
GETTING DEEPER
POOR MAN'S ORCHESTRATION
GETTING DEEPER
POOR MAN'S ORCHESTRATION
GETTING DEEPER
POOR MAN'S ORCHESTRATION
tsh ssh root@debian=8.7
GETTING DEEPER
POOR MAN'S ORCHESTRATION
GETTING DEEPER
POOR MAN'S ORCHESTRATION
GETTING DEEPER
POOR MAN'S ORCHESTRATION
THANKS FOR LISTENING! ANY QUESTIONS?e: marek@faelix.net t: @maznu w: https://faelix.net/
https://faelix.link/netmcr19