BLESS: SSH Certificate Authority for Ephemeral SSH Sessions


BLESS is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH
public keys.

SSH Certificates are an excellent way to authorize users to access a particular SSH host,
as they can be restricted to a single use case and can be short-lived. Instead of managing the
authorized_keys of a host, or controlling who has access to SSH Private Keys, hosts only
need to be configured to trust an SSH CA.

BLESS should be run as an AWS Lambda in an isolated AWS account. Because BLESS needs access to a
private key which is trusted by your hosts, an isolated AWS account helps restrict who can access
that private key, or modify the BLESS code you are running.

AWS Lambda functions can use an AWS IAM Policy to limit which IAM Roles can invoke the Lambda
Function. If properly configured, you can restrict which IAM Roles can request SSH Certificates.
For example, your SSH Bastion (aka SSH Jump Host) can run with the only IAM Role that is allowed to
invoke a BLESS Lambda Function configured with the SSH CA key trusted by the instances reachable
from that SSH Bastion.

Getting Started

These instructions are to get BLESS up and running in your local development environment.

Installation Instructions

Clone the repo:

$ git clone git@github.com:Netflix/bless.git

Change into the bless repo:

$ cd bless

Create a virtualenv if you haven’t already:

$ virtualenv venv

Activate the venv:

$ source venv/bin/activate

Install package and test dependencies:

(venv) $ make develop

Run the tests:

(venv) $ make test

Deployment

To deploy an AWS Lambda Function, you need to provide a .zip with the code and all dependencies.
The .zip must contain your lambda code and configurations at the top level of the .zip. The BLESS
Makefile includes a publish target to package up everything into a deploy-able .zip if they are in
the expected locations.

Compiling BLESS Lambda Dependencies

AWS Lambda has some limitations, and to deploy code as a Lambda Function, you need to package up
all of the dependencies. AWS Lambda only supports Python 2.7 and BLESS depends on
Cryptography, which must be compiled. You will need to
compile and include your dependencies before you can publish a working AWS Lambda.

  • Deploy an Amazon Linux AMI
  • SSH onto that instance
  • Copy BLESS’ setup.py to the instance
  • Install BLESS’ dependencies:

$ sudo yum install gcc libffi-devel openssl-devel
$ virtualenv venv
$ source venv/bin/activate
(venv) $ pip install -e .

  • From that instance, copy off the contents of:
    • venv/lib/python2.7/site-packages/*
    • venv/lib64/python2.7/site-packages/*
  • Put those files in ./aws-linux-libs/

Protecting the CA Private Key

  • Generate a password protected RSA Private Key:

$ ssh-keygen -t rsa -b 4096 -f bless-ca- -C "SSH CA Key"

  • Use KMS to encrypt your password. You will need a KMS key per region, and you will need to
    encrypt your password for each region. You can use the AWS Console to paste in a simple lambda
    function like this:

import boto3
import base64
import os


def lambda_handler(event, context):
    # Encrypt with the KMS key of the region this Lambda runs in; repeat per region.
    region = os.environ['AWS_REGION']
    client = boto3.client('kms', region_name=region)
    response = client.encrypt(
        KeyId='alias/your_kms_key',
        Plaintext='Do not forget to delete the real plain text when done'
    )

    # The base64-encoded ciphertext is the value that goes into bless_deploy.cfg.
    ciphertext = response['CiphertextBlob']
    return base64.b64encode(ciphertext)

  • Manage your Private Key .pem files and passwords outside of this repo.
  • Update your bless_deploy.cfg with your Private Key’s filename and encrypted passwords.
  • Provide your desired ./lambda_configs/ca_key_name.pem prior to publishing a new Lambda .zip

BLESS Config File

  • Refer to the Example BLESS Config File and its included documentation.
  • Manage your bless_deploy.cfg files outside of this repo.
  • Provide your desired ./lambda_configs/bless_deploy.cfg prior to publishing a new Lambda .zip
  • The required [Bless CA] option values must be set for your environment.

Publish Lambda .zip

  • Provide your desired ./lambda_configs/ca_key_name.pem prior to publishing
  • Provide your desired BLESS Config File at ./lambda_configs/bless_deploy.cfg prior to publishing
  • Provide the compiled dependencies at ./aws-linux-libs
  • Run:

(venv) $ make publish

  • Deploy ./publish/bless_lambda.zip to AWS via the AWS Console, AWS SDK, or S3
  • Remember to deploy it to all regions

Lambda Requirements

You should deploy this function into its own AWS account to limit who has access to modify the
code, configs, or IAM Policies. An isolated account also limits who has access to the KMS keys
used to protect the SSH CA Key.

The BLESS Lambda function should run as its own IAM Role and will need access to an AWS KMS Key in
each region where the function is deployed. The BLESS IAM Role will also need permission to obtain
random bytes from KMS (kms:GenerateRandom) and permissions for logging to CloudWatch Logs
(logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).

Using BLESS

After you have deployed BLESS you can run the sample BLESS Client
from a system with access to the required AWS Credentials.

(venv) $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_username bastion_source_ip bastion_command

Verifying Certificates

You can inspect the contents of a certificate with ssh-keygen directly:

$ ssh-keygen -L -f your-cert.pub
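ssh-keygen -L shows the fields, but a deployment that hands out BLESS certificates usually also wants to check them programmatically: that the certificate is a user certificate, names exactly the remote_username it was requested for, carries the source-address critical option for the bastion, and is as short-lived as the bless_client invocation above implies. The following is an added example, not code from the BLESS project: it encodes and decodes the OpenSSH ssh-rsa-cert-v01@openssh.com wire format and runs those policy checks over the decoded fields. The RSA key values, nonce, CA key and signature bytes are constructed placeholders, so the builder produces a certificate that sshd would reject; signature verification is left to ssh-keygen and sshd, and the key id, principal, timestamps and source address are example values.

```python
import base64
import struct

# Constructed example (not BLESS project code): encode/decode the OpenSSH
# certificate wire format so the restrictions BLESS sets can be checked
# by a program rather than only read by eye from `ssh-keygen -L` output.

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # certificate type: 1 = user, 2 = host

# Placeholder RSA public key values. A real certificate carries the
# requester's public key; these are only here to make the blob well-formed.
PLACEHOLDER_E = 65537
PLACEHOLDER_N = 0xC0FFEE1234567890ABCDEF


def ssh_string(data):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_user_cert(key_id, principals, valid_after, valid_before,
                    critical_options, extensions, serial=1):
    """Build a certificate line carrying the given restrictions (placeholder signature)."""
    body = b"".join([
        ssh_string(CERT_TYPE),
        ssh_string(b"\x00" * 32),                       # nonce (constructed)
        ssh_mpint(PLACEHOLDER_E),
        ssh_mpint(PLACEHOLDER_N),
        struct.pack(">Q", serial),
        struct.pack(">I", USER_CERT),
        ssh_string(key_id.encode()),
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),
        # critical options: name, then data; the data is itself a string-wrapped value
        ssh_string(b"".join(ssh_string(k.encode()) + ssh_string(ssh_string(v.encode()))
                            for k, v in critical_options)),
        # extensions such as permit-pty are flags with empty data
        ssh_string(b"".join(ssh_string(k.encode()) + ssh_string(b"") for k in extensions)),
        ssh_string(b""),                                # reserved
        ssh_string(b"ca-public-key-placeholder"),       # signature key (constructed)
        ssh_string(b"signature-placeholder"),           # signature (constructed, not valid)
    ])
    return "%s %s %s" % (CERT_TYPE.decode(), base64.b64encode(body).decode(), key_id)


class _Reader:
    """Sequential reader for the SSH wire types used in a certificate."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        start = self.pos + 4
        self.pos = start + n
        return self.data[start:self.pos]

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def exhausted(self):
        return self.pos >= len(self.data)


def _name_list(blob):
    r, items = _Reader(blob), []
    while not r.exhausted():
        items.append(r.string().decode())
    return items


def _option_map(blob, wrapped):
    r, out = _Reader(blob), {}
    while not r.exhausted():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if wrapped else data.decode()
    return out


def parse_cert(line):
    """Decode the policy-relevant fields of a certificate line (as in id_rsa-cert.pub)."""
    r = _Reader(base64.b64decode(line.split()[1]))
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string()   # nonce
    r.string()   # e (mpint), not needed for the policy checks
    r.string()   # n (mpint)
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode(),
            "principals": _name_list(r.string()),
            "valid_after": r.u64(), "valid_before": r.u64()}
    cert["critical_options"] = _option_map(r.string(), wrapped=True)
    cert["extensions"] = _option_map(r.string(), wrapped=False)
    return cert


def check_cert(cert, now, expected_user, max_lifetime=3600):
    """Return the list of policy problems; an empty list means the cert is acceptable."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["principals"]:
        problems.append("empty principals: valid for any user")   # OpenSSH treats empty as wildcard
    elif expected_user not in cert["principals"]:
        problems.append("principal %s not permitted" % expected_user)
    if not cert["valid_after"] <= now < cert["valid_before"]:   # valid_before is exclusive
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds policy")
    if "source-address" not in cert["critical_options"]:
        problems.append("no source-address restriction")
    return problems


if __name__ == "__main__":
    line = build_user_cert("bless@bastion/alice", ["alice"], 1500000000, 1500000120,
                           [("source-address", "10.0.0.5/32")], ["permit-pty"])
    print(parse_cert(line))
    print(check_cert(parse_cert(line), 1500000060, "alice"))
```

The checks mirror what a host enforces: the principal list is matched against the login name, the validity window is compared against the current time with valid_before exclusive, and the source-address critical option is enforced by sshd against the client's address. Running the same checks centrally (for example over CloudWatch logs of issued certificates) catches a misconfigured CA that starts issuing long-lived or unrestricted certificates before a host does.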

Enabling BLESS Certificates On Servers

Add the following line to /etc/ssh/sshd_config:

TrustedUserCAKeys /etc/ssh/cas.pub

Add a new file, owned by and only writable by root, at /etc/ssh/cas.pub with the contents:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an SSH CA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA 2

To simplify SSH CA Key rotation you should provision multiple CA Keys, and leave them offline until
you are ready to rotate them.

Additional information about the TrustedUserCAKeys option is in the sshd_config(5) manual page.

Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/pULgUdXq7tg/bless

Guacamole

Apache Guacamole is a clientless remote desktop gateway. It supports
standard protocols like VNC, RDP, and SSH.

We call it clientless because no plugins or client software are required.

Thanks to HTML5, once Guacamole is installed on a server, all you need to
access your desktops is a web browser.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/FO6D7_CnWQQ/

Our Week Without Slack

Last week, Motherboard made the decision to temporarily shut off Slack.

We announced this decision with a post on the site. We cover technology and the ways that it impacts daily life, so a story of how a tool for productivity can easily turn into a tool for distraction seemed appropriate. We also have some readers who are interested in how the sausage gets made.

Our announcement got a lot of attention—much more than we were expecting. Throughout the week, our friends, fellow media workers, and coworkers at VICE have been asking us how the experiment is going.

The short answer is, the experiment went well. We are learning what Slack is essential for, and in what ways it has been serving as a bandaid for what could be a more robust editorial structure.

Most staffers felt more productive and felt some relief from the distraction of Slack. However, remote workers and our UK and Canada offices felt more isolated.

“The longest I can go without checking it even if I’m incredibly busy is probably 10-15 minutes.”

We decided to extend the experiment another week, returning to Slack with only one room: a purely functional channel we call the Stories Room, where writers and editors update with what they are working on in a very strict format. We will also use Slack for direct messaging.

At the end of next week, we’ll assess our setup and make a decision about how to use Slack going forward.

For your Friday afternoon edification, here’s how the Motherboard team felt about the great Unslackening.

Emanuel Maiberg, weekend editor

It was good. I don’t miss it at all, at least not in terms of doing my job well. I miss the memes and the ~banter~.

I guess I should say that I don’t have a great sense of what everyone is doing all day, and what’s going up on the site. So like I have no idea that [Canada staff writer] Jordan is working on a bitcoin story, but I’m not sure I need to know? If I had a good tip for him I’d email him.

“I can’t tell you a single problem that Slack solves.”

I NEED it when working with freelancers on the weekend. With the exception of working with people remotely, I can’t tell you a single problem that Slack solves. I have no idea why it’s taking off. It’s just a watercooler app I guess.

Brian Anderson, features editor

It was delightful. The silence was golden. I got reporting done!

I did miss some of the link swapping, but overall it was a nice groove. It’s funny because Monday AM I instinctively logged into Slack and said “morning folks.” Then I remembered. Flipped on GChat and got on with it.

Jason Koebler, staff writer

I felt a little bit like I was a freelancer again, which I think was kind of the point … a lot of us are writers who ended up weighing in on every single little thing in Slack because it felt like that was our job when really it probably isn’t. So it felt like I was doing my job again which was really refreshing.

I was incredibly productive this week and I loved it. I had so much free time which I spent tweeting which was good for my personal brand.

On two or three occasions I found fire links that I would have loved to drop in Slack. Can I share the link I wanted to share with you? It was really only one link.

http://www.smithsonianmag.com/smithsonian-institution/tweet-just-ritz-cracker-imax-film-steak-dinner-180959148/

Look at this headline. LOOK AT THIS HEADLINE. I know the person who wrote it so I couldn’t tweet about it.

Adrianne Jeffries

That is another thing with Slack, it encourages trash talk. It’s a good outlet for me to not get into dumb Twitter fights.

Jason Koebler

Yeah, I agree, I felt way more posi this week. And less stressed.

At my old job when I was a mere child I used to write like three reported stories a day and go home at 5:30 and I think it was because we had no Slack or chatroom. But also some of those stories were highly embarrassing and probably factually inaccurate.

Adrianne Jeffries

Do you want Slack back?

Jason Koebler

I am on team #NeverSlack. I don’t hate Slack, I just want to be able to write in peace.

I think enabling do not disturb is a false question, it’s kind of like encryption. You can’t trust the user to enable it. If something is happening in Slack i want to know what’s happening because I care about the site, so I read every message in Slack regardless of where it’s put or who says it. The longest I can go without checking it even if I’m incredibly busy is probably 10-15 minutes, which may be a personal attention problem but by design that’s how the service is made to work.

Something is ALWAYS going on in Slack and often I’ll like, come in and see that I missed some discussion and will disagree with where we left it or have something to add and it’s too late. Really I probably don’t NEED to weigh in but that’s kind of what chat apps train you to do, is to say things to the people who are saying things to the group.

“That is another thing with Slack, it encourages trash talk.”

By the way, that was my biggest complaint about Hedshack [the channel for vetting headlines]: everyone has a damn opinion about headlines and now that we’re like, trained to do them and most people can write a decent one, everyone wants to say something about them, and i think in the end you get too many opinions syndrome and end up with a watered down headline.

Slack trains you to distrust your coworkers because it’s made for you to say things. I haven’t gone to our site even once this week and felt like OH WOW WHY ARE WE DOING THIS STORY? or what a stupid headline. Everyone can function autonomously and is smart, especially under the supervision of really good editors.

Kate Lunau, Canada editor

So, I felt waaaaaay less frantic on Monday and Tuesday, ie the early days of no Slack. Like, there wasn’t a constant buzzing and humming behind me that needed my attention. But Jordan and I definitely felt sort of cut off from the rest of Motherboard.

My big hope was for more face-to-face communication, which Jordan and I did, but would have been even nicer if we were all in an office together. As a bureau, we’ll never have that with you guys. Wednesday through Thursday were very stressful and busy here. I think because, without Slack, there was no release valve. Like, if everything landed on me at once, nobody else could really step in who wasn’t busy in the moment, and pick up an edit for example.

“I definitely felt sort of cut off from the rest of Motherboard.”

So on Wednesday and Thursday, at times I felt myself really backlogged and struggling to keep up and missed Slack. Also missed Hedshack a lot. I cheated once and headshopped on the VICE Canada Slack. I also missed sharing links in the link channel.

Adrianne Jeffries

Do you think you will use Slack differently now?

Kate Lunau

I feel like… no? Because, you know, whenever you do a “detox” you make resolutions but they never actually work.

Jordan Pearson, staff writer, Canada

At first I had the same feeling in the pit of my stomach that I do when I listen to a bearded man talk about how he only writes with a typewriter. Sure, modern tech has probably introduced more problems than it’s solved, but we’re all still glad we’re not stuck in the 50s, right?

That being said, it wasn’t the catastrophe I thought it might be. I found that I was working much more closely with my editor Kate Lunau in Canada, so that was good. The team dynamic was much more focused and I thought that worked very well. We were bouncing a lot of ideas off of each other, and productivity was high by the end of the week.

“I don’t think I was more productive. Definitely more stressed.”

There were some problems though. Mostly, I felt very disconnected from higher-level planning on daily site business, which normally I think we’re all invited to contribute to on Slack. Without my colleagues all yammering in a public room I also had less of a sounding board to work through ideas with, so I felt a little bit adrift at times. It was a bit like trying to blog and report with one arm tied behind my back. I feel like my ideas are better when I can at least pass it by my colleagues casually.

I felt like I didn’t have direction. I don’t know if I was more or less productive. I don’t think I was more productive. Definitely more stressed.

Derek Mead, editor in chief

The biggest thing I’ve realized this week is how Slack is conducive to what I’ve dubbed “microwork” in my head. Like the first thing I do when I wake up in the morning is queue up Slack, talk to Vicki about the UK morning, read some chats, catch up on stories that have been discussed, and then I realize I’ve just been sitting in bed for 15 minutes staring at my phone for no reason and I’m already behind on my day. Like chatting with people and sharing input on things that don’t matter or don’t get done FEELS like work, but it isn’t useful, and sucks the day down.

I did have withdrawals the first couple days. One of my Monday notes was “I’m definitely understimulated.” But then life found a way and I spent the rest of the week running in circles. I sent more emails this week, which is a shock.

Adrianne Jeffries

Do you want Slack back?

Derek Mead

I want Hipchat back, which is what I said when we first went to Slack. I remember you being significantly more bullish. You don’t have to quote that in your revisionist history.

Adrianne Jeffries

Slack lets us scrap our history, which is necessary if we want to keep doing crimes.

Derek Mead

I found myself highly missing the ability to broadcast to the team at once, but I realized that with some email sanitation, we can be doing internal PSAs and shit through email way better, and then use Slack for actual necessary discussion. Talking more one and one with everyone has been highly highly useful and gratifying, versus FEELING like you’re talking to people when you’re actually just broadcasting in the commons.

“It makes limping along with a terrible hierarchy and structure possible, so you don’t have to solve inherent problems to your staff model.”

I’ve had more pointed, focused, and effective discussions with everyone on staff this week, and in less time than the constant thought stream.

Someone is definitely going to “no shit” this on Twitter.

Adrianne Jeffries

We need to do no Twitter week. The idea of no Twitter week makes me panic in a way no Slack week did not.

Derek Mead

I could not do my job without Twitter at this point.

Adrianne Jeffries

But you could do it without Slack, theoretically.

Derek Mead

Absolutely. I think Slack saves me time in certain instances, and I’d like to keep it.

The main point is that Motherboard for the longest time was a tiny team where everyone did everything, and our structure was a flat circle. We were time. But as we’ve grown, instead of building out a better workflow and staff structure of who’s reporting to whom, we’ve increased the effectiveness of each of our individual micromanaging abilities through productivity software, which is a hard spiral to jump out of and also entirely idiotic.

Stopping Slack has been a chance to reverse out of the cul-de-sac and say, hey, how does this system actually work? I think that’s probably the biggest allure of Slack and the reason people hate it so much. It makes limping along with a terrible hierarchy and structure possible, so you don’t have to solve inherent problems to your staff model. And then everyone has to pay attention to everything and they all go insane.

I will say that its mobile capabilities are highly useful. I didn’t realize how much I rely on my phone to keep up with things throughout the week and on weekends. I like getting push alerts for every Google doc draft that comes through. I would like those things back.

But yeah I’m happy that I don’t have to think about Slack at all, it’s been way nicer to have human interactions with our team.

What do you think? You are probably the most invested in the outcome of this because you’re in the middle of a lot of convos.

Adrianne Jeffries

Amazing. I love the fact that our team put out more stories without me nagging them in Slack, by a significant margin. We hit post count by around 3 or 4 every day and started scheduling for the AM.

Derek Mead

Do you think that was the lack of Slack or because we had editors working with reporters in a more structured fashion?

Adrianne Jeffries

I think it was both.

Derek Mead

My favorite answer.

Adrianne Jeffries

The only things I missed were, Google Docs kind of sucks as a stories room, and I got scattered because my chats weren’t contained to one app. The other main problem was being cut off from UK and CA.

Vicki Turk, UK editor

In general, I think there was a greater focus on the writing and editing process this week (though if I were writing a scientific paper on this, I’d definitely caveat that this could easily be down to us making a pointed effort to focus on that, not just losing Slack!)

It was nice to get away from the constant chatter and I hadn’t realised quite how distracting it can be when you’re trying to focus on a story, until it was gone. The key thing I missed though, and it was more marked than I would have anticipated, was a forum to share story ideas or just to get that approval—a chance to say “I think this sounds cool, what do you think?” and getting an instant response.

The biggest thing for me was not feeling like I had a handle on what was going on with the rest of the team all the time. Stories would go on the site, and I’d only know about it if I constantly refreshed the homepage or our social feeds. I also missed our Slack check-ins where we catch up on what everyone’s working on—it’s funny how quickly you feel out of touch and, to be honest, a bit lonely!

Louise Matsakis, editorial fellow

At first, it was nice not to have the anxiety of checking it constantly. As a junior member of the staff, I felt like it was important to always be watching in case I could help out in some way, but then I felt really out of touch with everyone, and like it wasn’t even clear that I was there or could help, so it was alienating at times, but I think that level of constant communication isn’t normal. I definitely answered emails and got back to sources way faster and had to rely on my own gut instinct as opposed to always having someone to check in with.

“Not having it showed me that I’m pretty scared of face-to-face communication and that’s probably something I should work on.”

I think that having that kind of messaging available is definitely useful. When you have staff all over the place it preserves a sense of unity. Not having it showed me that I’m pretty scared of face-to-face communication and that’s probably something I should work on.

Kaleigh Rogers, staff writer

The pros were also the cons. I wasn’t distracted by constantly being in an ongoing communication loop with my colleagues, but that also made me feel kind of isolated.

I thought we would have more face-to-face conversations, which we did, but not as many as I thought. Also the Canada and UK offices basically ceased to exist in my world.

Overall, I think it was for the best. I’m not good at ignoring Slack and just ploughing through some work for an hour, I end up checking every five minutes and helping with a headline or photo selection. I think I’m much more productive without it.

It’s too distracting for me. The benefits do not outweigh the drawbacks.

Sarah Emerson, contributing writer

As someone who works remotely, it made me feel a little more isolated than I already am. Slack is probably 95 percent of my human interaction during the workday, so I found myself missing the background noise of people chatting.

I also missed the back-and-forth dialogue in rooms like [link-sharing room] Linkinpark or even the Hedshack. Being able to discuss the day’s stories with colleagues is helpful to me, and I felt sort of weird about pitching in isolation.

But no Slack was also peaceful. I didn’t feel nostalgic about desktop notifications constantly popping up on my screen, or the frenetic feeling of participating in multiple conversations going on at once. In the future, I’ll probably tailor my notifications to be the bare minimum.

Adrianne Jeffries

Do you think we should bring back Slack?

Sarah Emerson

Yes. I think we learned our lesson!

Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/jEooui4miM4/an-oral-history-of-our-week-without-slack