Posted by mfrw 10/23/2024

Fearless SSH: Short-lived certificates bring Zero Trust to infrastructure(blog.cloudflare.com)
151 points | 160 comments
udev4096 10/24/2024
> You no longer need to manage long-lived SSH keys

Well, now you are managing CAs. Sure, it's short-lived, but it's no different from having a policy for rotating your SSH keys.

acdha 10/24/2024
It’s really important to understand why those are different. CAs are organizational and tightly restricted: I don’t use or have access to my CA’s private key but my SSH key is on every client I use. If I leave the company, you have to check every authorized key file on every server to ensure my keys are no longer present. In contrast, the CA doesn’t need to rotate since I never had access to it and since the CA will set an expiration time on each of the keys I do get it’s probably unusable shortly after my departure even if you missed something.
INTPenis 10/24/2024
Properly set up IaC, that treats Linux as an appliance instead, could get rid of SSH altogether.

I'm only saying this because after 20+ years as a sysadmin I feel like there have been no decent solutions presented. On the other hand, to protect my IaC and Gitops I have seen very decent and mature solutions.

otabdeveloper4 10/24/2024
I don't know what exactly you mean by "IaC" here, but the ones I know use SSH under the hood somewhere. (Except with some sort of "bot admin" key now, which is strictly worse.)
INTPenis 10/24/2024
I mean that you treat Linux servers as appliances, you do everything in IaC at provisioning and you never login over SSH.
otabdeveloper4 10/26/2024
"IaC at provisioning" means (in practice) a webapp and an eternal root access token that does login over SSH for you behind the scenes.

That's strictly worse from a security point of view.

In an ideal world we would have private CAs and short-lived certificates that get bubbled through all the layers of the software stack. Going back to webapps and tokens is a step backwards.

INTPenis 10/28/2024
That's a bad practice. I have better security experience from the infrastructure around IaC than SSH.

Because for IaC we used Gitlab, hidden by a Keycloak, or connected to an Azure AD, protected by a MFA VPN. And for provisioning we used containers, no SSH required there either.

The major revolution that allowed me to move away from SSH in server provisioning is container hosts, ignition (or cloud-init), and these days the cutting edge is bootc.

anilakar 10/24/2024
Every now and then a new SSH key management solution emerges and every time it is yet another connection-terminating proxy and not a real PKI solution.
koutsie 10/24/2024
How is trusting Cloudflare "zero-trust"?
advael 10/24/2024
You know you can just do this with keyauth and a cron job, right?
wmf 10/24/2024
And Dropbox is a wrapper around rsync.
advael 10/24/2024
Generally speaking a lot of "essential tools" in "cloud computing" are available as free, boring operating system utilities.
kkielhofner 10/24/2024
It’s a joke from a famous moment in HN history:

https://news.ycombinator.com/item?id=9224

advael 10/24/2024
That is pretty funny, and the whole idea that you can't make money packaging open-source software in a way that's more appealing to people is definitely funny given that this is the business model of a lot of successful companies.

I do, however, think this leads to a lot of problems when those companies try to protect their business models, as we are seeing a lot of today.

c-linkage 10/24/2024
Welcome to Kerberos[0] over HTTP.

[0] https://www.geeksforgeeks.org/kerberos/

xyst 10/23/2024
Underlying tech is “Openpubkey”.

https://github.com/openpubkey/openpubkey

BastionZero just builds on top of that to provide a “seamless” UX for ssh sessions and some auditing/fedramp certification.

Personally, not a fan of relying on CF. Need less centralization/consolidation into a few companies. It’s bad enough with MS dominating the OS (consumer) space. AWS dominating cloud computing. And CF filling the gaps between the stack.

aethros 10/24/2024
The people at BastionZero built openpubkey. They are the paper authors. https://eprint.iacr.org/2023/296

They didn't "build on top of"--they built the thing.

lmz 10/24/2024
By "just builds on top of that" it sounds like the same people are building it https://news.ycombinator.com/item?id=41929483 (compare username against GH repo).
EthanHeilman 10/24/2024
Can confirm, I am the same person.
ranger_danger 10/24/2024
Completely agree. I also don't want to trust certificate authorities for my SSH connections let alone CF. Would not be surprised if it/they were compromised.
looofooo0 10/24/2024
https://www.usenix.org/system/files/login/articles/105484-Gu... Well better than current run of things.
yjftsjthsd-h 10/24/2024
> I also don't want to trust certificate authorities for my SSH connections let alone CF. Would not be surprised if it/they were compromised.

OpenPubkey, or in general? Normal SSH CAs don't do PKI like browsers use, you make and trust your own CA(s). And if an attacker can compromise your CA private key, why can't they compromise your SSH private key directly?

looofooo0 10/24/2024
https://www.usenix.org/system/files/login/articles/105484-Gu... + People just don't check ssh keys normally.
yjftsjthsd-h 10/24/2024
That's about host keys, not user keys. And... I'm struggling to think of a threat model where that problem manifests in a compromise? Like, what's your threat model?

That said, CAs actually really help with that problem, because if a server has its host keys signed with a CA and then the user trusts that CA then they don't have to TOFU the host keys.

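The user-CA workflow acdha describes above (the CA private key never lives on a client, and each issued certificate carries its own expiry and principals) and the host-certificate trust yjftsjthsd-h mentions (a CA-signed host key lets clients skip TOFU), as an added example using stock OpenSSH tooling; this is not code from the thread or from Cloudflare's product. It assumes ssh-keygen is on PATH, and every name, principal, serial and lifetime below is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudflare: the plain OpenSSH
# CA workflow the comments describe. Assumes ssh-keygen is on PATH; every
# name, principal, serial and lifetime here is constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The organisation's CA. Servers only ever receive ca_key.pub (via
# TrustedUserCAKeys in sshd_config); the private half stays with the CA
# operator, so nothing on a client needs rotating when a person leaves.
ssh-keygen -q -t ed25519 -N '' -C 'org-ca' -f "$WORK/ca_key"

# A user key pair that is never copied into any authorized_keys file.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"

# Issue a one-hour user certificate, restricted to the listed principals
# and tagged with a key id and serial that show up in sshd's auth logs.
issue_user_cert() {
    ssh-keygen -q -s "$WORK/ca_key" -I 'alice-2024-10-24' \
        -n 'alice,deploy' -V '+1h' -z 42 "$WORK/alice.pub"
}

# Sign the server's host key with the same CA so clients that trust it
# (an "@cert-authority *.example.com ..." known_hosts line) skip TOFU.
issue_host_cert() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/host_key"
    ssh-keygen -q -s "$WORK/ca_key" -h -I 'web1' \
        -n 'web1.example.com' -V '+52w' "$WORK/host_key.pub"
}

# Read a certificate back the way sshd will interpret it.
cert_field() {               # $1 = cert file, $2 = label (Type, Serial)
    ssh-keygen -L -f "$1" | awk -v f="$2:" '$1==f {print $2; exit}'
}
cert_principals() {          # $1 = cert file; prints comma-joined principals
    ssh-keygen -L -f "$1" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0}
        p{gsub(/^[ \t]+/,""); printf "%s%s", s, $0; s=","}'
}
# Succeeds when the certificate's Signing CA fingerprint is our CA's.
signed_by_ca() {             # $1 = cert file
    [ "$(ssh-keygen -lf "$WORK/ca_key.pub" | awk '{print $2}')" = \
      "$(ssh-keygen -L -f "$1" | awk '/Signing CA:/{print $4}')" ]
}

issue_user_cert
issue_host_cert
echo "user cert principals: $(cert_principals "$WORK/alice-cert.pub")"
echo "host cert type: $(cert_field "$WORK/host_key-cert.pub" Type)"
```

Revoking a person is then a matter of letting their certificate expire (or listing it in a RevokedKeys file), not of hunting through every authorized_keys file.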
EthanHeilman 10/24/2024
Author of OpenPubkey here (now at Cloudflare). Happy to answer any OpenPubkey questions.
datadeft 10/24/2024
> BastionZero just builds on top of that to provide a “seamless” UX

Isn't this what many of the companies do?

debarshri 10/24/2024
I think teleport operates in similar style.
rdtsc 10/24/2024
By “ValidPrinciples” did they mean “ValidPrincipals”?

And by ZeroTrust they really mean OneTrust: trust CF. A classic off-by-one error :-)
