Sullivan red october-oscon-2014
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a DevOpsTO meetup 2018-08 (20)
Mais de Teleport (7)
Mais recentes (20)
DevOpsTO meetup 2018-08
- 1. Kevin Nisbet Gravitational Access to distributed systems
- 2. LET’S SOLVE A PROBLEM • Scenario • Production… • Elastic Infrastructure • Separate Networks • The database is slow…
- 3. WHAT JUST HAPPENED… source: https://www.gagcartoons.com/cartoons/87/
- 4. TSH LOGIN • Generates new cryptographic keys • Connects to CA via Proxy • Signs a certificate granting access to the cluster
- 5. SHORT LIVED CERTIFICATES https://ssh-certificate-parser.gravitational.com Certificate Type: ssh-rsa-cert-v01@openssh.com Public Key: SHA256:DtwegGhmM6twU5IJYTj+Wc/zY7b1koIUC5B61qTpxyI Signing CA: SHA256:WCifMyKoyD5+5MLZFBYJMBmS/d4LeBK3iSLWwU36PTA Key ID: demo Principals: root,knisbet Valid After: effective immediatelly Valid Before: Jul 30 16:48:16 UTC Critical Options: none Extensions: permit-agent-forwarding permit-port-forwarding permit-pty teleport-roles: {"version":"v1","roles":["admin"]}
- 6. SHORT LIVED CERTIFICATES https://ssh-certificate-parser.gravitational.com Certificate Type: ssh-rsa-cert-v01@openssh.com Public Key: SHA256:DtwegGhmM6twU5IJYTj+Wc/zY7b1koIUC5B61qTpxyI Signing CA: SHA256:WCifMyKoyD5+5MLZFBYJMBmS/d4LeBK3iSLWwU36PTA Key ID: demo Principals: root,knisbet Valid After: effective immediatelly Valid Before: Jul 30 16:48:16 UTC Critical Options: none Extensions: permit-agent-forwarding permit-port-forwarding permit-pty teleport-roles: {"version":"v1","roles":["admin"]}
- 7. WHY CERTIFICATES? • Ever? • Lost a backup? • Run untrusted Software? • Rotated keys? • Sent the private key instead of the public? source: https://www.gagcartoons.com/cartoons/305/
- 8. • FreeBSD packaging servers hacked • http://www.infosecisland.com/blogview/22766-FreeBSD-Servers-Hacked-Lessons- on-SSH-Public-Key-Authentication.html • Malware & Hackers collect ssh keys • https://www.ssh.com/malware/ • Active attacks using stolen SSH keys (2008) • https://isc.sans.edu/forums/diary/ Active+attacks+using+stolen+SSH+keys+UPDATED/4937/ • New Attacker Scanning for SSH Private Keys on Websites • https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/ • CIA malware can steal SSH Credentials • https://www.bleepingcomputer.com/news/security/cia-malware-can-steal-ssh- credentials-session-traffic/
- 9. • Large Database of Device Certificates, SSH keys published • https://www.pindrop.com/blog/large-database-of-device-certificates-ssh-keys- published/ • Learning from the Expedia Heist • https://medium.com/starting-up-security/learning-from-the-expedia- heist-6cf8a0069ce0 • New ‘MASK’APT Campaign called most sophisticated yet • https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148/ • Multi-billion dollar defence firm fails to protect private SSH keys • https://www.appviewx.com/multi-billion-dollar-defense-firm-fails-protect-private-ssh- keys/ • The default OpenSSH key encryption is worse than plaintext • https://latacora.singles/2018/08/03/the-default-openssh.html
- 10. TSH LS • List all the servers in you’re infrastructure • New servers join the cluster, old ones leave • Labels • Automatically update as infra changes
- 11. TSH SSH • SSH to the Node • Or the Label(s) • Automatic Bastions • Auditable • and SCP
- 12. SESSION RECORDING • Record what happens in production • Proxy • Endpoint
- 13. ARCHITECTURE
- 14. KUBERNETES INTEGRATION • Short lived certificates • Multi-factor authentication • Audit all k8s actions • Session recording • Currently Alpha
- 15. QUESTIONS More Information https://gravitational.com/teleport https://github.com/gravitational/teleport We’re Hiring https://github.com/gravitational/careers jobs@gravitational.com
