Comments (2)
You can use https://gitter.im/Netflix/bless for questions and discussions.
BLESS uses a private key for CA purposes that it must keep protected. You must provision it manually when you deploy the function. Your instances trust that CA's public key, enabling certificates issued by BLESS to authenticate users. BLESS signs SSH Certificate requests with that CA private key.
For us, the "BLESS clients" are our SSH bastions. The client is responsible for protecting the AWS credentials required to invoke BLESS. Anyone with those AWS credentials can call BLESS, and request certificates. For starters, you can use iptables to restrict SSH bastion users from accessing the AWS credentials directly via the Instance Metadata endpoint.
Clients make requests to BLESS to issue an SSH Certificate. That request contains the public key associated with the private key the client will be using to authenticate into an instance. BLESS never needs access to the client's private key. The client is responsible for generating and protecting the private key. You can, and I'd recommend, use ephemeral RSA key pairs in addition to certificates, thereby linking one client private key to one SSH certificate, and restricting the certificate to only be valid from one IP to one target, for a few minutes.
I hope that answers your question, but feel free to use our gitter channel.
from bless.
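The flow described in the reply above, as an added example that is not BLESS's own code: a bastion-side request carries only the client's public key, the CA side encodes an OpenSSH user certificate whose body is pinned to one login principal, one source address and a lifetime of a couple of minutes, and the instance side checks exactly those fields before accepting it. The certificate body follows the OpenSSH PROTOCOL.certkeys layout (Ed25519-style public key field), but the CA signature is an HMAC stand-in with a constructed secret so the block runs offline without a crypto library; a real deployment signs with the CA private key and sshd verifies against the public key in TrustedUserCAKeys. The key id, principal, CIDR, timestamps and keys are all constructed for the example.

```python
"""Added example, not BLESS's own code: encode an OpenSSH user certificate
pinned to one source IP and one login principal for a short lifetime, then
check it the way sshd would. The CA "signature" is an HMAC stand-in with a
constructed secret so the block runs offline; a real deployment signs with
the CA private key and sshd verifies with the key in TrustedUserCAKeys.
All names, IPs, times and keys below are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

CERT_TYPE = b"[email protected]"
USER_CERT = 1  # certificate type 1 = user, 2 = host


def _s(b):
    """SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_s(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _unpack_list(b):
    """Decode back-to-back SSH strings (principals, options, extensions)."""
    out, off = [], 0
    while off < len(b):
        item, off = _read_s(b, off)
        out.append(item)
    return out


def build_user_cert(client_pub, ca_pub, ca_sign, *, key_id, principal,
                    source_cidr, lifetime_s=120, now=None, serial=0, skew_s=60):
    """Body layout follows OpenSSH PROTOCOL.certkeys; ca_sign is pluggable."""
    now = int(time.time()) if now is None else now
    # Critical options are sorted by name; sshd rejects a cert carrying one it
    # does not understand, so the source-address pin cannot be silently ignored.
    critical = _s(b"source-address") + _s(_s(source_cidr.encode()))
    extensions = _s(b"permit-pty") + _s(b"")
    tbs = (
        _s(CERT_TYPE) + _s(os.urandom(32)) + _s(client_pub)
        + struct.pack(">QI", serial, USER_CERT) + _s(key_id.encode())
        + _s(_s(principal.encode()))                    # exactly one login name
        + struct.pack(">QQ", now - skew_s, now + lifetime_s)  # small skew margin
        + _s(critical) + _s(extensions) + _s(b"") + _s(ca_pub)
    )
    return tbs + _s(ca_sign(tbs))


def parse_cert(cert):
    f, off = {}, 0
    f["type"], off = _read_s(cert, off)
    _nonce, off = _read_s(cert, off)
    f["pub"], off = _read_s(cert, off)
    f["serial"], f["cert_type"] = struct.unpack_from(">QI", cert, off); off += 12
    kid, off = _read_s(cert, off); f["key_id"] = kid.decode()
    princ, off = _read_s(cert, off)
    f["principals"] = [p.decode() for p in _unpack_list(princ)]
    f["valid_after"], f["valid_before"] = struct.unpack_from(">QQ", cert, off); off += 16
    crit, off = _read_s(cert, off)
    items = _unpack_list(crit)  # alternating name, string-wrapped value
    f["critical"] = {items[i].decode(): _unpack_list(items[i + 1])[0].decode()
                     for i in range(0, len(items), 2)}
    _ext, off = _read_s(cert, off)
    _reserved, off = _read_s(cert, off)
    f["ca_pub"], off = _read_s(cert, off)
    f["signature"], off = _read_s(cert, off)
    f["tbs"] = cert[:off - 4 - len(f["signature"])]
    return f


def permits(cert, trusted_ca_pub, ca_verify, *, principal, client_ip, now):
    """Instance-side decision: (accepted, reason), in the order sshd checks."""
    f = parse_cert(cert)
    if f["ca_pub"] != trusted_ca_pub:
        return False, "not signed by trusted CA"
    if not ca_verify(f["tbs"], f["signature"]):
        return False, "bad signature"
    if f["cert_type"] != USER_CERT:
        return False, "not a user certificate"
    if not f["valid_after"] <= now < f["valid_before"]:
        return False, "expired or not yet valid"
    if principal not in f["principals"]:
        return False, "principal not listed"
    for name, value in f["critical"].items():
        if name != "source-address":
            return False, "unknown critical option " + name
        nets = [ipaddress.ip_network(c) for c in value.split(",")]
        if not any(ipaddress.ip_address(client_ip) in n for n in nets):
            return False, "source IP not permitted"
    return True, "ok"


# Stand-in CA: HMAC over the to-be-signed body (constructed secret, example only).
_CA_SECRET = b"constructed-demo-ca-secret"
CA_PUB = b"constructed-ca-public-key"
_ca_sign = lambda tbs: hmac.new(_CA_SECRET, tbs, hashlib.sha256).digest()
_ca_verify = lambda tbs, sig: hmac.compare_digest(_ca_sign(tbs), sig)


def demo():
    t0 = 1471280000                      # constructed issue time
    client_pub = os.urandom(32)          # ephemeral key pair's public half
    cert = build_user_cert(client_pub, CA_PUB, _ca_sign, key_id="bastion-req-1",
                           principal="deploy", source_cidr="10.0.1.5/32",
                           lifetime_s=120, now=t0)
    check = lambda **kw: permits(cert, CA_PUB, _ca_verify, **kw)
    return {
        "ok": check(principal="deploy", client_ip="10.0.1.5", now=t0),
        "wrong_ip": check(principal="deploy", client_ip="10.0.1.6", now=t0),
        "expired": check(principal="deploy", client_ip="10.0.1.5", now=t0 + 121),
        "wrong_user": check(principal="root", client_ip="10.0.1.5", now=t0),
        "tampered": permits(cert[:-1] + bytes([cert[-1] ^ 1]), CA_PUB, _ca_verify,
                            principal="deploy", client_ip="10.0.1.5", now=t0),
    }
```

The pinning lives entirely in fields the CA writes and the instance enforces: the single principal, the validity window and the source-address critical option. Because the option is critical, an sshd that did not understand it would reject the certificate rather than ignore the restriction, which is what makes "one IP, one target, a few minutes" hold even when the bastion's AWS credentials are abused to request certificates.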
Thank you for the response, very helpful!
From: Russell Lewis
Reply-To: Netflix/bless
Date: Monday, August 15, 2016 at 1:07 PM
To: Netflix/bless
Cc: Jason Richards, Author
Subject: Re: [Netflix/bless] Question about existing user groups? (#26)
Related Issues (20)
- Is Marshmellow<3 required to function?
- Invalid Key length when using gpg-agent
- Is this project still under development
- Ability to sign SSH certificate with SHA2
- hope
- Nonstandard SSH port
- Add optional parameters
- Optional parameter [kmsauth token] cannot be passed in
- Are you guys aware of anything similar to this for Google Cloud Platform?
- How has to be the kmsauth token created?
- Amazonlinux make bug
- Unable to login with the cert got from lambda function
- make test fails on deprecated warnings [linting]
- document `-m PEM` option to ssh-keygen
- .travis.yml: The 'sudo' tag is now deprecated in Travis CI
- Authorization with BLESS?
- Support authentication with OpenID Connect
- How to make the bastion transparent for users
- Add the possibility to use encrypted private key with KMS
- Potential dependency conflicts between bless and boto3