Using YubiKey Neo
For managing SSH private key
June 2017 AWS Bangalore Meetup
Thinking about security
Overview of Entity, Identity, AuthN, Actions, AuthZ, Resource, Audit, SoD
Entity is an abstract concept: it can be a human (user), an item (machine or instance), a service (EC2) or a resource
Identity is a set of attributes related to an Entity
Entity is also known as Principal (AWS IAM) or Subject (RBAC)
The set of attributes is also known as “factors” (two-factor, multi-factor)
A set of attributes can be a userid/password, driver's license, passport, SSH private/public key, OTP hardware token, IAM access key/secret key, etc.
[Diagram: Entity -> Identity (set of attributes)]
Authentication is the process of verifying the set of attributes
Bad news: if your authentication process fails (usually due to attribute theft or misuse), you are pretty much toast!
Good news: there is always a context in which authentication happens. Use different subsets of attributes for each context. Also have an extremely robust audit layer and use least privilege
With YubiKey Neo we can prevent attribute theft, but not attribute misuse!
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes)]
Actions are the set of operations that are allowed on a Resource
In REST terminology actions are known as “verbs”. Sometimes “verb + resource” is also referred to as an “action”.
Actions are the primitive that enables us to build a system with useful security properties such as secure by default, least privilege and defence in depth
It is hard to secure a system where actions are coupled.
Coupling can happen either in the actions or in the resources, so REST-style APIs are not magic pixie dust!
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes) -> Actions (set of operations)]
Authorization is the process of allowing or denying an authenticated entity to perform an action on a resource
Authorization assumes the Authentication process has verified the set of attributes for the entity
When the set of attributes is empty, the AuthN layer can pass an anonymous authenticated entity to the AuthZ layer
For example, the “*” principal in AWS IAM, or “system:anonymous” in Kubernetes
Secure by default, least privilege and defence in depth are emergent properties of a good AuthZ layer combined with an AuthN layer
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes) -> Actions (set of operations) -> AuthZ (allow or deny an action)]
Resource is also an abstract concept. It is something on which you can perform actions.
Resource is also known as Object (RBAC)
Resources can be Entities and vice versa
A Resource usually provides value to users in a different dimension, referred to as the “data plane”
For example: EC2 instance, RDS database, etc.
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes) -> Actions (set of operations) -> AuthZ (allow or deny an action) -> Resource]
Audit takes the results of Authentication and Authorization and records them into an audit log
Audit is also referred to as accounting
AuthN and AuthZ are used to prevent unauthorized access; Audit is a reactive system
Pay special attention to non-anonymous AuthZ failures
Examples include the Linux Audit subsystem, CloudWatch Logs, CloudTrail, etc.
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes) -> Actions (set of operations) -> AuthZ (allow or deny an action) -> Resource, with Audit recording the AuthN and AuthZ results]
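As an added example (not part of the talk), here is a toy implementation of the AuthN -> AuthZ -> Audit pipeline from the preceding slides in POSIX shell: authentication maps a presented attribute to a principal (an empty attribute set becomes the anonymous principal "*"), authorization is default-deny against an explicit allow list, every decision is written to an audit log, and a detection function pulls out the non-anonymous AuthZ failures the Audit slide says to watch. The tokens, principals, actions, resources and log format are all constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the talk: a toy AuthN -> AuthZ -> Audit pipeline.
# Tokens, principals, actions, resources and log lines are all constructed.

AUDIT_LOG="${AUDIT_LOG:-/tmp/toy-audit.log}"

# AuthN: map a presented attribute (a bearer token here) to a principal.
# An empty attribute set yields the anonymous principal "*", as in AWS IAM.
authn() {  # authn ATTRIBUTE -> prints principal, fails on an unknown attribute
  case "$1" in
    "")        echo '*' ;;
    tok-alice) echo alice ;;
    tok-bob)   echo bob ;;
    *)         return 1 ;;
  esac
}

# AuthZ policy: one allow rule per line, "principal action resource-pattern".
# Anything not listed is denied: secure by default, least privilege.
policy() {
  cat <<'EOF'
alice ec2:DescribeInstances *
alice ec2:StopInstances     i-0123
bob   ec2:DescribeInstances *
*     s3:GetObject          public-bucket/*
EOF
}

# AuthZ: allow only if some rule matches principal, action and resource.
authz() {  # authz PRINCIPAL ACTION RESOURCE -> prints allow|deny
  policy | {
    while read -r rp ra rr; do
      [ "$rp" = "$1" ] && [ "$ra" = "$2" ] || continue
      case "$3" in $rr) echo allow; exit 0 ;; esac   # $rr is used as a shell pattern
    done
    echo deny
  }
}

# Audit: every decision is recorded, allowed or denied.
audit() {  # audit PRINCIPAL ACTION RESOURCE RESULT
  printf '%s %s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$AUDIT_LOG"
}

# Full request path. The exit status follows the decision.
request() {  # request ATTRIBUTE ACTION RESOURCE -> prints allow|deny
  principal="$(authn "$1")" || { audit '?' "$2" "$3" authn-failed; echo deny; return 1; }
  decision="$(authz "$principal" "$2" "$3")"
  audit "$principal" "$2" "$3" "$decision"
  echo "$decision"
  [ "$decision" = allow ]
}

# Detection: a denial for an authenticated, non-anonymous principal means a
# real identity asked for something outside its privileges. Anonymous
# denials ("*") and failed logins ("?") are left for separate reporting.
suspicious_denials() {
  awk '$5 == "deny" && $2 != "*" && $2 != "?"' "$AUDIT_LOG"
}

if [ "${1-}" = demo ]; then
  request tok-alice ec2:DescribeInstances i-0123              # allow
  request tok-bob   ec2:StopInstances     i-0123              # deny: bob lacks the privilege
  request ''        s3:GetObject          private-bucket/secret  # deny, anonymous
  echo '--- suspicious denials ---'
  suspicious_denials
fi
```

Run it with `sh pipeline.sh demo`. The point of the shape is that AuthZ never consults the policy for the request unless AuthN produced a principal, that the policy is an allow list with no implicit grants, and that the audit log, not the AuthZ decision, is what the detection reads.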
Separation of Duties (SoD) is the idea of distributing privileges in order to limit the blast radius of any internal compromise or developer/operator error
The arrows in the following picture provide a natural boundary where SoD can be implemented
You can create additional SoD boundaries in each of the boxes as required when the size of your teams or the complexity of your system grows
Without SoD, we simply cannot securely scale engineering teams and give them full freedom to innovate. Also, please don’t confuse SoD with microservices
[Diagram: Entity -> Identity (set of attributes) -> AuthN (verifying the set of attributes) -> Actions (set of operations) -> AuthZ (allow or deny an action) -> Resource, with Audit recording the AuthN and AuthZ results; each arrow is a candidate SoD boundary]
YubiKey Neo Demo
In our YubiKey demo, we are giving an example of a small but critical part of the overall security process
It's super important to see things from the perspective of your security process, and then use products and services that fit your process, not the other way round!
Learn from how companies that have a high bar for opsec (AWS, Facebook, Google, etc.) actually do things, even though some aspects might not be applicable to you immediately
YubiKey Neo has a secure element and provides functionality around this secure element
There are two ways to use YubiKey Neo with SSH: using the PIV applet with PKCS#11, or using the OpenPGP applet
For systems with more than a handful of instances (or machines), PKI certificate-based authentication (PIV/PKCS#11) is the recommended way to do things
With the OpenPGP applet, we can use the more familiar key-based authentication and use the secure element to store our private key
Key-based authentication is easy to get started with, but is not a scalable solution
OpenPGP Keys
There are three kinds of GPG keys that you can store on the YubiKey Neo OpenPGP applet
1. Authentication Key
2. Encryption Key
3. Signature Key
GPG Agent
GPG Agent (gpg-agent) is the backend daemon that communicates with the YubiKey Neo OpenPGP applet
We need to tell gpg-agent to let us use the authentication key for SSH login
# ~/.gnupg/gpg-agent.conf
# program used to prompt for the card PIN / passphrase
pinentry-program /usr/local/.../pinentry-mac
# seconds a cached PIN / passphrase stays valid after its last use
default-cache-ttl 600
# hard upper bound, in seconds, on how long an entry stays cached
max-cache-ttl 7200
# also serve the SSH agent protocol, so ssh can use the authentication key
enable-ssh-support
# write ~/.gpg-agent-info with the socket paths for the shell to source
write-env-file
# ~/.zshrc
if [ -f "${HOME}/.gpg-agent-info" ]; then
  . "${HOME}/.gpg-agent-info"
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
fi
SSH Agent
Once the SSH agent is configured, you can use the following commands to get the SSH fingerprint and public key of the authentication private key stored on the YubiKey
$ ssh-add -l                 # fingerprints of the keys the agent offers
$ ssh-add -L                 # the corresponding public keys, in authorized_keys format
$ gpgkey2ssh AABBCCBB        # AABBCCBB stands for your authentication key ID
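The `write-env-file` option and the `~/.gpg-agent-info` file in the snippet above belong to GnuPG 2.0; GnuPG 2.1.13 and later no longer write that file and instead report the SSH socket via `gpgconf --list-dirs agent-ssh-socket`. As an added example (not from the talk), the following shell functions find the socket either way and parse the legacy file with `sed` rather than sourcing it, so a modified file cannot inject shell into the login session. The sample file contents are constructed to match the legacy format; `gpg-connect-agent updatestartuptty /bye` is the real command that tells gpg-agent which terminal to use for the PIN prompt.

```sh
#!/bin/sh
# Added example, not code from the talk. Locates gpg-agent's SSH socket on
# both GnuPG 2.0 (write-env-file + ~/.gpg-agent-info) and GnuPG >= 2.1.13
# (gpgconf --list-dirs agent-ssh-socket), then points ssh at it.

# Constructed sample of what "write-env-file" produced under GnuPG 2.0.
sample_agent_info() {
  cat <<'EOF'
GPG_AGENT_INFO=/tmp/gpg-XyZ123/S.gpg-agent:4242:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-XyZ123/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4242; export SSH_AGENT_PID;
EOF
}

# Extract SSH_AUTH_SOCK from a legacy gpg-agent-info file without sourcing
# it: a sourced file runs whatever it contains, a sed match does not.
legacy_ssh_sock() {  # legacy_ssh_sock FILE -> prints the socket path
  sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Prefer the path gpgconf reports (must look like an absolute path, which
# rules out older gpgconf versions that ignore the argument); otherwise
# fall back to the legacy file.
gpg_ssh_sock() {  # gpg_ssh_sock [LEGACY_FILE]
  legacy="${1:-$HOME/.gpg-agent-info}"
  if command -v gpgconf >/dev/null 2>&1; then
    s="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)"
    case "$s" in /*) echo "$s"; return 0 ;; esac
  fi
  [ -f "$legacy" ] && legacy_ssh_sock "$legacy"
}

# Export SSH_AUTH_SOCK for this shell. SSH_AGENT_PID is unset because
# gpg-agent, not ssh-agent, owns the socket, so a stale pid would mislead.
use_gpg_agent_for_ssh() {  # use_gpg_agent_for_ssh [LEGACY_FILE]
  sock="$(gpg_ssh_sock "$@")"
  if [ -z "$sock" ]; then
    echo "no gpg-agent SSH socket found; is enable-ssh-support set?" >&2
    return 1
  fi
  unset SSH_AGENT_PID
  SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
  # Tell gpg-agent which terminal to use for the PIN prompt (pinentry).
  gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || true
}

# Sanity check before relying on the token: ssh-add -l exits non-zero when
# the agent has no identities or cannot be reached at all.
agent_has_identities() {
  ssh-add -l >/dev/null 2>&1
}

if [ "${1-}" = demo ]; then
  f="$(mktemp)"; sample_agent_info > "$f"
  echo "legacy file would give: $(legacy_ssh_sock "$f")"
  rm -f "$f"
  use_gpg_agent_for_ssh && agent_has_identities && ssh-add -l
fi
```

Source the file from `~/.zshrc` and call `use_gpg_agent_for_ssh`, or run `sh gpg-ssh-sock.sh demo` to see both paths. If `ssh-add -l` then lists nothing, the usual causes are `enable-ssh-support` missing from gpg-agent.conf or the card not having been touched yet in this session (`gpg --card-status` makes the agent load it).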
Two Demos
Demo 1: YubiKey Neo -> Macbook -> EC2 Instance
Demo 2: YubiKey Neo -> Macbook -> VirtualBox (Docker Container) -> EC2 Instance
1. Log in from the Macbook into the Docker container
2. The Docker container acts as a “bastion host”
3. Forward the SSH key (agent) to the Docker container
4. Log in from the Docker container into our EC2 instance
Thank you!
Rajiv M Ranganath
Twitter: @lambda_linux
https://lambda-linux.io