Fearless SSH: Short-lived certificates bring Zero Trust to infrastructure

151 点作者 mfrw7 个月前

28 条评论

Why does the title say "Zero Trust", when the article explains that this only works as long as every involved component of the Cloudflare MitM keylogger and its CA can be trusted? If hosts keys are worthless because you do not know in advance what key the proxy will have.. than this scheme is back to trusting servers merely because they are in Cloudflare address space, no?

评论 #41931363 未加载

评论 #41930622 未加载

评论 #41933470 未加载

评论 #41932315 未加载

评论 #41930201 未加载

评论 #41933679 未加载

评论 #41930355 未加载

评论 #41934264 未加载

tptacek7 个月前

I'm a fan of SSH certificates and cannot understand why anyone would set up certificate authentication with an external third-party CA. When I'm selling people on SSH CA's, the first thing I usually have to convince them of is that I'm not saying they should trust some third party. You know where all your servers are. External CAs exist to solve the counterparty introduction problem, which is a problem SSH servers do not have.

评论 #41934348 未加载

评论 #41931686 未加载

评论 #41930293 未加载

mdaniel7 个月前

I really enjoyed my time with Vault's ssh-ca (back when it had a sane license) but have now grown up and believe that any ssh access is an antipattern. For context, I'm also one of those "immutable OS or GTFO" chaps because in my experience the next thing that happens after some rando ssh-es into a machine is they launch vi or apt-get or whatever and now it's a snowflake with zero auditing of the actions taken to itI don't mean to detract from this, because short-lived creds are always better, but for my money I hope I never have sshd running on any machine again

评论 #41931890 未加载

评论 #41931158 未加载

评论 #41934588 未加载

评论 #41931321 未加载

评论 #41929593 未加载

评论 #41929548 未加载

评论 #41929580 未加载

TechnicalVault7 个月前

The whole MITM just makes me deeply uncomfortable, it's introducing a single point of trust with the keys to the kingdom. If I want to log what someone is doing, I do it server side e.g. some kind of rsyslog. That way I can leverage existing log anomaly detection systems to pick up and isolate the server if we detect any bad behaviour.

评论 #41934668 未加载

antoniomika7 个月前

I wrote a system that did this >5 years ago (luckily was able to open source it before the startup went under[0]). The bastion would record ssh sessions in asciicast v2 format and store those for later playback directly from a control panel. The main issue that still isn't solved by a solution like this is user management on the remote (ssh server) side. In a more recent implementation, integration with LDAP made the most sense and allows for separation of user and login credentials. A single integrated solution is likely the holy grail in this space.[0] <a href="https://github.com/notion/bastion">https://github.com/notion/bastion</a>

评论 #41929991 未加载

shermantanktop7 个月前

I didn’t understand the marketing term “zero trust” and I still don’t.In practice, I get it - a network zone shouldn’t require a lower authn/z bar on the implicit assumption that admission to that zone must have required a higher bar.But all these systems are built on trust, and if it isn’t based on network zoning, it’s based on something else. Maybe that other thing is better, maybe not. But it exists and it needs to be understood.An actual zero trust system is the proverbial unpowered computer in a bunker.

评论 #41931163 未加载

评论 #41930474 未加载

评论 #41930365 未加载

评论 #41936652 未加载

blueflow7 个月前

Instead of stealing your password/keypair, the baddies will now have to spoof your authentication with cloudflare. If thats just a password, you gained nothing. If you have 2FA set up for that, you could equally use that for SSH directly, using a ssh key on a physical FIDO stick. OpenSSH already has native support for that (ecdsa-sk and ed25519-sk key formats).The gain here is minimal.

keepamovin7 个月前

Does this give CloudFlare a backdoor to all your servers? That would not strictly be ZT, as some identify in the comments here.

评论 #41934215 未加载

评论 #41932697 未加载

评论 #41934023 未加载

johnklos7 个月前

So... don't trust long lived ssh keys, but trust Cloudflare's CA. Why? What has Cloudflare done to earn trust?If that alone weren't reason enough to dismiss this, the article has marketing BS throughout. For instance, "SSH access to a server often comes with elevated privileges". Ummm... Every authentication system ever has whatever privileges that come with that authentication system. This is the kind of bull you say / write when you want to snow someone who doesn't know any better. To those of us who do understand this, this is almost AI level bullshit.The same is true of their supposed selling points:> Author fine-grained policy to govern who can SSH to your servers and through which SSH user(s) they can log in as.That's exactly what ssh does. You set up precisely which authentication methods you accept, you set up keys for exactly that purpose, and you set up individual accounts. Do Cloudflare really think we're setting up a single user account and giving access to lots of different people, and we need them to save us? (now that I think about it, I bet some people do this, but this is still a ridiculous selling point)> Monitor infrastructure access with Access and SSH command logsSo they're MITM all of our connections? We're supposed to trust them, even though they have a long history of not only working with scammers and malicious actors, but protecting them?I suppose there's a sucker born every minute, so Cloudflare will undoubtedly sell some people on this silliness, but to me it just looks like yet another way that Cloudflare wants to recentralize the Internet around them. If they had their way, then in a few years, were they to go down, a majority of the Internet would literally stop working. That should scare everyone.

评论 #41934239 未加载

EthanHeilman7 个月前

I'm a member of the team that worked on this happy to answer any questions.We (BastionZero) recently got bought by Cloudflare and it is exciting bringing our SSH ideas to Cloudflare.

评论 #41929927 未加载

评论 #41929523 未加载

WesolyKubeczek6 个月前

I can’t wait for a bug to happen when you authenticate correctly but unexpectedly slide into someone else’s network.

nonameiguess7 个月前

Basic summary seems to be:* This has nothing to do with zero-trust. If you already require pubkey auth to every connection made to a server regardless of origin, that's already meeting the definition of zero trust.* What this actually gives you is a solution to the problem of centrally revoking long-lived keys by not having any and instead using certificate auth. Now the CA is the only long-lived key.* This is a reasonable thing large orgs should probably do. There is no reason the CA should be an external third-party like Cloudflare, however.* This also integrates with existing SSO providers so human users can be granted short-lived session certs based on whatever you use to authenticate them to the SSO provider. Also reasonable, also no reason this should be offered as a service from Cloudflare as opposed to something you can self-host like Kerberos.* This also provides ssh command logging by proxying the session and capturing all commands as they get relayed. Arguably not a bad idea in principle, but a log collector like rsyslogd sending to an aggregator accomplishes the same thing in practice, and again, I would think you'd want to self-host a proxy if you choose to go that route, not rent it from Cloudflare.All in all, good things a lot of orgs should do, but they should probably actually do. I get the "well, it's hard" angle, but you're usually looking at large, well-funded orgs when you're talking things like SOC and FedRamp compliance. If you want to be a bank or whatever, yeah, that's hard. It's supposed to be. As I understand it, at least part of the spirit of SOC and FedRamp and the like is your organization has processes, plans, procedures, and personnel in place with the expertise and care to take security seriously, not "we have no idea what any of this means, why it matters, and don't have the time, but we pay a subscription fee to Cloudflare and they say they take care of it."

andriosr7 个月前

hoopdev here. Zero trust for SSH is just table stakes these days. Real challenge is getting devs to actually adopt better practices without the tooling getting in their way.Found in practice that certs > keys but you need to think beyond just SSH. Most teams have a mix of SSH, K8s, DBs etc. Using separate tools for each just creates more headache.Haven't tried Boundary but Teleport/hoop/Tailscale all handle the mixed protocol issue decently. Main difference is hoop focuses more on protocol-level DLP and automated reviews vs pure network access. Horses for courses though, they're all valid approaches.Key is picking something devs will actually use vs work around. Nothing worse than a "secure" solution that drives people to create workarounds.

curben7 个月前

Cloudflare has been offering SSH CA-based authentication for more than 2 years [1], I wrote a guide back in feb '23 [2]. The announcement is more about offering new features, such as more granular user control.[1]:<a href="https://web.archive.org/web/20210418143636/https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates" rel="nofollow">https://web.archive.org/web/20210418143636/https://developer...</a>[2]: <a href="https://mdleom.com/blog/2023/02/13/ssh-certificate-cloudflare-tunnel/" rel="nofollow">https://mdleom.com/blog/2023/02/13/ssh-certificate-cloudflar...</a>

singhrac7 个月前

I get that HN does not like Cloudflare and does not like the term “Zero Trust”, but geez these comments are repetitive. Can anyone compare to Tailscale SSH? Are they basically offering an (even more) enterprise version of Tailscale’s product line?

cyberax7 个月前

Hah. I did pretty much all the same stuff in my previous company.One thing that we did a bit better: we used AWS SSM to provision our SSH-CA certificates onto the running AWS EC2 instances during the first connection.It would be even better if AWS allowed to use SSH CA certs as keys, but alas...

评论 #41931539 未加载

dmuth7 个月前

Using CAs and signed certificates in SSH is definitely the way.If anyone wants to play around with that, without the risk of locking themselves out of a server, I built a little "playground" awhile back whihc is a series of Docker containers that can SSH to each other. Give it a try at <a href="https://github.com/dmuth/ssh-principal-and-ca-playground">https://github.com/dmuth/ssh-principal-and-ca-playground</a>(I haven't touched the project in awhile, so if there are any issues, please open an Issue and I'll gladly look at it!)

arianvanp7 个月前

Zero trust. But they don't solve the more interesting problem: host key authentication.Would be nice if they can replace TOFU access with SSH CA as well. Ideally based on device posture of the server (e.g. TPM2 attestation)

评论 #41931264 未加载

评论 #41932902 未加载

amar0c7 个月前

Is there anything similar ("central point of SSH access/keys management" ) that is not Cloudflare ? I know about Tailscale and it's SSH but recently it introduced so much latency (even tho they say it's P2P between A and B) that is unusable.Ideally something self hosted but not hard requirement

评论 #41934334 未加载

nanis7 个月前

> the SSH certificates issued by the Cloudflare CA include a field called ValidPrinciplesHaving implemented similar systems before, I was interested to read this post. Then I see this. Now I have to find out if that really is the field, if this was ChatGPT spellcheck, or something else entirely.

评论 #41934330 未加载

udev40967 个月前

> You no longer need to manage long-lived SSH keysWell, now you are managing CAs. Sure, it's short lived but it's not different than having a policy for rotating your SSH keys

评论 #41936711 未加载

INTPenis7 个月前

Properly setup IaC, that treats Linux as an appliance instead, could get rid of SSH altogether.I'm only saying this because after 20+ years as a sysadmin I feel like there have been no decent solutions presented. On the other hand, to protect my IaC and Gitops I have seen very decent and mature solutions.

评论 #41933239 未加载

anilakar7 个月前

Every now and then a new SSH key management solution emerges and every time it is yet another connection-terminating proxy and not a real PKI solution.

koutsie7 个月前

How is trusting Cloudflare "zero-trust" ?

advael7 个月前

You know you can just do this with keyauth and a cron job, right?

评论 #41931160 未加载

c-linkage7 个月前

Welcome to Kerberos[0] over HTTP.[0] <a href="https://www.geeksforgeeks.org/kerberos/" rel="nofollow">https://www.geeksforgeeks.org/kerberos/</a>

xyst7 个月前

Underlying tech is “Openpubkey”.<a href="https://github.com/openpubkey/openpubkey">https://github.com/openpubkey/openpubkey</a>BastionZero just builds on top of that to provide a “seamless” UX for ssh sessions and some auditing/fedramp certification.Personally, not a fan of relying on CF. Need less centralization/consolidation into a few companies. It’s bad enough with MS dominating the OS (consumer) space. AWS dominating cloud computing. And CF filling the gaps between the stack.

评论 #41931415 未加载

评论 #41930877 未加载

评论 #41930633 未加载

评论 #41935865 未加载

评论 #41933106 未加载

评论 #41932862 未加载

评论 #41933425 未加载

rdtsc7 个月前

By “ValidPrinciples” did they mean “ValidPrincipals”?And by ZeroTrust they really mean OneTrust: trust CF. A classic off-by-one error :-)

评论 #41933428 未加载