Question about existing user groups? about bless HOT 2 CLOSED

You can use https://gitter.im/Netflix/bless for questions and discussions.

BLESS uses a private key for CA purposes that it must keep protected. You must provisioned manually, when you deploy the function. Your instances trust that CA's public key, enabling certificates issued by BLESS to authenticate users. BLESS signs SSH Certificate requests with that CA private key.

For us, the "BLESS clients" are our SSH bastions. The client is responsible for protecting the AWS credentials required to invoke BLESS. Anyone with those AWS credentials can call BLESS, and request certificates. For starters, you can use iptables to restrict SSH bastion users from accessing the AWS credentials directly via the Instance Metadata endpoint.

Clients make requests to BLESS to issue an SSH Certificate. That request contains the public key associated with the private the client will be using to authenticate into an instance. BLESS never needs access to the client's private key. The client is responsible for generating and protecting the private key. You can, and I'd recommend, using ephemeral RSA key pairs in addition to certificates. Thereby linking one client private key and one SSH certificate, and restricting the certificate to only be valid from one IP to one target, for a few minutes.

I hope that answers your question, but feel free to use our gitter channel.

from bless.

Thank you for the response, very helpful!

From: Russell Lewis [email protected]
Reply-To: Netflix/bless [email protected]
Date: Monday, August 15, 2016 at 1:07 PM
To: Netflix/bless [email protected]
Cc: Jason Richards [email protected], Author [email protected]
Subject: Re: [Netflix/bless] Question about existing user groups? (#26)

You can use https://gitter.im/Netflix/blesshttps://urldefense.proofpoint.com/v2/url?u=https-3A__gitter.im_Netflix_bless&d=DQMFaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=WZLYgoQbe765Dv0CIiXzgIY0jVhnr3hBkz2JDxKBuVE&m=IYibgX-jvttv_2rRW633mb4QzXCL1HyaIjj6kGoppfc&s=nwzcIPNpgdxYu0xySlWV0jk-bW1Zs1NWwXsryllWto8&e= for questions and discussions.

BLESS uses a private key for CA purposes that it must keep protected. You must provisioned manually, when you deploy the function. Your instances trust that CA's public key, enabling certificates issued by BLESS to authenticate users. BLESS signs SSH Certificate requests with that CA private key.

For us, the "BLESS clients" are our SSH bastions. The client is responsible for protecting the AWS credentials required to invoke BLESS. Anyone with those AWS credentials can call BLESS, and request certificates. For starters, you can use iptables to restrict SSH bastion users from accessing the AWS credentials directly via the Instance Metadata endpoint.

Clients make requests to BLESS to issue an SSH Certificate. That request contains the public key associated with the private the client will be using to authenticate into an instance. BLESS never needs access to the client's private key. The client is responsible for generating and protecting the private key. You can, and I'd recommend, using ephemeral RSA key pairs in addition to certificates. Thereby linking one client private key and one SSH certificate, and restricting the certificate to only be valid from one IP to one target, for a few minutes.

I hope that answers your question, but feel free to use our gitter channel.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Netflix_bless_issues_26-23issuecomment-2D239897288&d=DQMFaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=WZLYgoQbe765Dv0CIiXzgIY0jVhnr3hBkz2JDxKBuVE&m=IYibgX-jvttv_2rRW633mb4QzXCL1HyaIjj6kGoppfc&s=iI0G7-sq0WvIlxwImt0cLzoPEzyRrRYPpx-hr61Pppk&e=, or mute the threadhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AFJFWO3eND9DWGhANwcMsvYOLjljyprVks5qgLjsgaJpZM4Jj0Om&d=DQMFaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=WZLYgoQbe765Dv0CIiXzgIY0jVhnr3hBkz2JDxKBuVE&m=IYibgX-jvttv_2rRW633mb4QzXCL1HyaIjj6kGoppfc&s=ZrtJM-0OYXnDPitpuBB-OnWYRL5yLS1onLfuDwYgX84&e=.

from bless.