
Comments (7)

Nr18 commented on August 16, 2024

So after some playing around I got it working. I will write a step-by-step manual for internal purposes; interested in an addition to README.md to get this working?

So I ended up using these commands:

#!/bin/bash
# Usage: bless_client.py \
#   region \
#   lambda_function_name \
#   bastion_user bastion_user_ip \
#   remote_username bastion_source_ip \
#   bastion_command \
#   <id_rsa.pub to sign> <output id_rsa-cert.pub>
USER=$(whoami)
FILE=my-key
# remove any previous key pair and certificate (the cert is written as ${FILE}-cert.pub)
rm -f "${FILE}" "${FILE}.pub" "${FILE}-cert.pub"
source ./bless/venv/bin/activate
# fresh key pair with no passphrase; its public half is what BLESS signs
ssh-keygen -f "./${FILE}" -N ""
./bless/bless_client/bless_client.py \
  eu-west-1 \
  SSHAccess \
  ${USER} 10.10.1.52 \
  ec2-user 10.2.13.42 \
  "" \
  ./${FILE}.pub ./${FILE}-cert.pub

chmod 0600 ./${FILE}*
# -i takes the private key; ssh picks up ./${FILE}-cert.pub next to it
ssh -i ./${FILE} ec2-user@10.2.9.159 -v

from bless.

russell-lewis commented on August 16, 2024

You are generating a cert, and the provided ssh connection log shows you trying to use it.
"debug1: Offering RSA-CERT public key: ./tempcert.pem"

Looking at your arguments, you swapped the remote_username and bastion_user arguments. Hopefully that is the only fix you'd need to make. The arguments are described here.

Take a look at that certificate:
ssh-keygen -L -f ./tempcert.pem

The Principals: field should be ec2-user for your ssh command to work.

Check the /var/log/auth.log of your instance that you tried to ssh to. It should provide additional context as to why the certificate was rejected (e.g. wrong CA, invalid principal (user), etc.).

Let me know if that fixes your issue.


Nr18 commented on August 16, 2024

So I still have issues due to some documentation issues; the command prompts:
Usage: bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_username bastion_source_ip bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>

The link you provided:
A BlessRequest must have the following key value pairs to be valid.
:param bastion_ip: The source IP where the SSH connection will be initiated from. This is enforced in the issued certificate.
:param bastion_user: The user on the bastion, who is initiating the SSH request.
:param bastion_user_ip: The IP of the user accessing the bastion.
:param command: Text information about the SSH request of the user.
:param public_key_to_sign: The id_rsa.pub that will be used in the SSH request. This is enforced in the issued certificate.
:param remote_username: The username on the remote server that will be used in the SSH request. This is enforced in the issued certificate.

To clarify:
bastion_ip: is this bastion_source_ip in the command?
bastion_user: the user that is used to connect from my laptop to the bastion host?
bastion_user_ip: the IP of, for example, my laptop?
command: some free-format text?
public_key_to_sign: the public key of one of the CAs?
remote_username: the username that is used to set up the SSH connection?

because I still have issues connecting

Facts

  • 10.2.9.159 = Target EC2 instance
  • 10.2.13.42 = Bastion Host
  • 10.10.1.52 = My Laptop
  • Logged in as ec2-user on the bastion host, execute ./connect.sh and hit enter when the passphrase is asked.

connect.sh

#!/bin/bash
# Usage: bless_client.py \
#    region \
#    lambda_function_name \
#    bastion_user bastion_user_ip \
#    remote_username bastion_source_ip \
#    bastion_command \
#    <id_rsa.pub to sign> <output id_rsa-cert.pub>
source ./bless/venv/bin/activate
./bless/bless_client/bless_client.py \
    eu-west-1 \
    SSHAccess \
    ec2-user 10.10.1.52 \
    ec2-user 10.2.13.42 \
    "" \
    ./bless/bless-ca-1.pub ./tempcert.pem
chmod 0600 ./tempcert.pem
ssh -i ./tempcert.pem ec2-user@10.2.9.159 -v

Lambda Output

Issued a cert to bastion_ip[10.2.13.42] for the remote_username of [ec2-user] with the key_id[request[*****************] for[ec2-user] from[10.10.1.52] command[] ssh_key:[RSA 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6]  ca:[arn:aws:lambda:eu-west-1:*************:function:SSHAccess] valid_to[2016/08/01 17:43:48]] and valid_from[2016/08/01 17:39:48])

SSH Output

OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 10.2.9.159 [10.2.9.159] port 22.
debug1: Connection established.
debug1: ssh_rsa_verify: signature correct
debug1: identity file ./tempcert.pem type 5
debug1: identity file ./tempcert.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 24:e8:c4:cb:5c:09:f2:e9:78:b5:b7:6e:de:89:6e:73
debug1: Host '10.2.9.159' is known and matches the ECDSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA-CERT public key: ./tempcert.pem
debug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 2129
debug1: ssh_rsa_verify: signature correct
debug1: key_parse_private2: missing begin marker
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './tempcert.pem':
debug1: No more authentication methods to try.
Permission denied (publickey).

In /var/log/audit/audit.log on 10.2.9.159 (Target Machine)

type=CRYPTO_KEY_USER msg=audit(1470073808.974:1640): pid=2037 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=2d:72:cf:3c:18:84:ed:9b:10:06:0f:60:2a:25:86:6a direction=? spid=2037 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073808.974:1641): pid=2037 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=24:e8:c4:cb:5c:09:f2:e9:78:b5:b7:6e:de:89:6e:73 direction=? spid=2037 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073808.974:1642): pid=2037 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=8e:3b:b2:3d:f8:76:db:b0:d5:f1:b0:b5:da:38:7e:a3 direction=? spid=2037 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1470073808.978:1643): pid=2036 uid=0 auid=500 ses=55 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 [email protected] [email protected] spid=2037 suid=74 rport=48808 laddr=10.2.9.159 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1470073808.978:1644): pid=2036 uid=0 auid=500 ses=55 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 [email protected] [email protected] spid=2037 suid=74 rport=48808 laddr=10.2.9.159 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073809.714:1645): pid=2036 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=8e:3b:b2:3d:f8:76:db:b0:d5:f1:b0:b5:da:38:7e:a3 direction=? spid=2037 suid=74  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073809.714:1646): pid=2036 uid=0 auid=500 ses=55 msg='op=destroy kind=session fp=? direction=both spid=2037 suid=74 rport=48808 laddr=10.2.9.159 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=USER_ERR msg=audit(1470073809.714:1647): pid=2036 uid=0 auid=500 ses=55 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=ip-10-2-13-42.eu-west-1.compute.internal addr=10.2.13.42 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1470073809.714:1648): pid=2036 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=2d:72:cf:3c:18:84:ed:9b:10:06:0f:60:2a:25:86:6a direction=? spid=2036 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073809.714:1649): pid=2036 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=24:e8:c4:cb:5c:09:f2:e9:78:b5:b7:6e:de:89:6e:73 direction=? spid=2036 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1470073809.714:1650): pid=2036 uid=0 auid=500 ses=55 msg='op=destroy kind=server fp=8e:3b:b2:3d:f8:76:db:b0:d5:f1:b0:b5:da:38:7e:a3 direction=? spid=2036 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=? res=success'
type=USER_LOGIN msg=audit(1470073809.714:1651): pid=2036 uid=0 auid=500 ses=55 msg='op=login acct="ec2-user" exe="/usr/sbin/sshd" hostname=? addr=10.2.13.42 terminal=ssh res=failed'

Certificate

./tempcert.pem:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6
        Signing CA: RSA 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6
        Key ID: "request[62f67a84-5810-11e6-87fd-fb9479abfc3b] for[ec2-user] from[10.10.1.52] command[] ssh_key:[RSA 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6]  ca:[arn:aws:lambda:eu-west-1:************:function:SSHAccess] valid_to[2016/08/01 17:52:08]"
        Serial: 0
        Valid: from 2016-08-01T17:48:08 to 2016-08-01T17:52:08
        Principals:
                ec2-user
        Critical Options:
                source-address 10.2.13.42
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc


russell-lewis commented on August 16, 2024

As an FYI, you'll want to look at /var/log/secure for sshd attempts on AWS Linux images.

I missed this earlier, but your last two arguments are off as well.

The 2nd to last argument is <id_rsa.pub to sign>. This should be the public key matching a private key you ephemerally generated for the request. These private keys should not be readable by other users on your bastion.

In your example, you passed in the public key of your CA to be signed by your CA. You don't want to have the CA private key on your bastion (as that defeats the point of storing it in the lambda w/KMS).

The last argument to bless_client.py should be what you want your certificate to be named.
From ssh's man page:

ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

If your ssh private key were something like: ~/.ssh-ephemeral/uuid# your certificate should be named ~/.ssh-ephemeral/uuid#-cert.pub.

Your SSH client wasn't able to find a private key to use with the certificate you provided.

debug1: key_parse_private_pem: PEM_read_PrivateKey failed

The ssh -i argument must be a private key, not the cert itself.


russell-lewis commented on August 16, 2024

I've got an open issue to improve the docs: #11
and specifically we need to document how we intend for people to deploy/configure this tool.

I'd appreciate your input when those updates are made.


russell-lewis commented on August 16, 2024

Also, on your script, you might want to do something like:
FILE="$(mktemp)"
so that you don't have race conditions with multiple users and multiple keys in use.

Lastly, you'll want to prevent users on your bastion from having direct access to the AWS credentials on the bastion (otherwise a user can issue a certificate with spoofed details). iptables can be used to block access to 169.254.169.254. (Further details will be included in the updated README.md.)

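
To tie russell-lewis's replies together (check the Principals with `ssh-keygen -L`, sign an ephemeral key rather than the CA's own key and name the cert `<key>-cert.pub`, pass the private key to `ssh -i`, and create keys race-free with mktemp), here is an added example in the project's own language, Python. It is not code from the bless project or from anyone in this thread. It parses the `ssh-keygen -L` listing Nr18 posted (embedded as sample input, with the certificate type name restored and the Key ID shortened) and returns the reasons the target sshd would reject that cert for a given login user, bastion IP and time. The `bless_client_argv` helper only assembles the command line in the order the usage message documents; `ephemeral_key_dir` and `is_private_dir` are assumed names for the mkdtemp-based replacement of the fixed `FILE=my-key` path.

```python
# Added example for the BLESS client flow discussed in this thread; not code from
# the bless project or the commenters. Assumes bless_client.py's documented
# argument order and the `ssh-keygen -L` layout of the listing Nr18 posted.
import ipaddress
import os
import re
import stat
import tempfile

# Sample input: the thread's listing with the cert type name restored and the
# Key ID shortened. Signing CA == Public key is the mistake russell-lewis
# caught: the CA's own public key was submitted for signing.
THREAD_LISTING = """\
./tempcert.pem:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6
        Signing CA: RSA 15:12:1a:c3:5f:fb:92:ab:f7:88:9d:17:65:73:ec:d6
        Key ID: "request[62f67a84-5810-11e6-87fd-fb9479abfc3b] for[ec2-user]"
        Valid: from 2016-08-01T17:48:08 to 2016-08-01T17:52:08
        Principals:
                ec2-user
        Critical Options:
                source-address 10.2.13.42
"""
_SECTIONS = {"Principals:": "principals", "Critical Options:": "critical_options"}
_FIELD = re.compile(r"(Type|Public key|Signing CA|Key ID|Serial|Valid):\s*(.*)")

def ephemeral_key_dir(parent=None):
    # mkdtemp creates a random-named 0700 directory atomically, so users who
    # share a bastion cannot race each other or pre-create the path.
    return tempfile.mkdtemp(prefix="bless-", dir=parent)

def is_private_dir(path):
    # Directory owned by us with no group/other permission bits.
    st = os.stat(path)
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
            and st.st_mode & 0o077 == 0)

def cert_path_for(key_path):
    # ssh loads <identity>-cert.pub beside the identity given to -i.
    return key_path + "-cert.pub"

def bless_client_argv(region, function_name, bastion_user, bastion_user_ip,
                      remote_username, bastion_source_ip, command, key_path):
    # Documented order; sign the ephemeral public key (never the CA's) and
    # write the cert where ssh will look for it.
    return ["./bless/bless_client/bless_client.py", region, function_name,
            bastion_user, bastion_user_ip, remote_username, bastion_source_ip,
            command, key_path + ".pub", cert_path_for(key_path)]

def ssh_argv(key_path, remote_username, target_ip):
    # -i takes the private key, not the certificate; log in as the principal.
    return ["ssh", "-i", key_path, remote_username + "@" + target_ip]

def parse_cert_listing(text):
    """Turn `ssh-keygen -L -f <cert>` output into a dict."""
    info = {"principals": [], "critical_options": {},
            "valid_from": None, "valid_to": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in _SECTIONS:                      # header of an indented block
            section = _SECTIONS[line]
            continue
        m = _FIELD.match(line)
        if m:                                      # single-line field
            section, (key, value) = None, m.groups()
            if key == "Valid":
                v = re.match(r"from (\S+) to (\S+)", value)
                if v:                              # "Valid: forever" stays None
                    info["valid_from"], info["valid_to"] = v.groups()
            elif key in ("Public key", "Signing CA"):
                info[key] = value.split()[-1]      # fingerprint only
            else:
                info[key] = value
        elif section == "principals":
            info["principals"].append(line)
        elif section == "critical_options":
            name, _, value = line.partition(" ")
            info["critical_options"][name] = value
    return info

def check_cert(info, remote_username, bastion_ip, now):
    """Reasons the target sshd would reject `ssh remote_username@target` from
    bastion_ip at `now` (ISO 8601 as ssh-keygen prints); [] means usable."""
    problems = []
    if remote_username not in info["principals"]:
        problems.append("principal mismatch: cert names %s, login user is %s"
                        % (info["principals"] or "nobody", remote_username))
    allowed = info["critical_options"].get("source-address")
    if allowed is not None:
        if not any(ipaddress.ip_address(bastion_ip) in
                   ipaddress.ip_network(c.strip(), strict=False)
                   for c in allowed.split(",")):
            problems.append("source-address %s excludes %s" % (allowed, bastion_ip))
    if info["valid_from"] and not info["valid_from"] <= now <= info["valid_to"]:
        problems.append("outside validity %s..%s" % (info["valid_from"], info["valid_to"]))
    if info.get("Public key") and info["Public key"] == info.get("Signing CA"):
        problems.append("signed key is the CA's own key; sign an ephemeral key instead")
    return problems
```

On a real bastion, feed `check_cert` the output of `ssh-keygen -L -f "$(cert_path_for key)"` plus the current time in the same `YYYY-MM-DDTHH:MM:SS` form before calling `ssh`; anything in the returned list is what `/var/log/secure` on the target will complain about. Run against the thread's own listing, the only finding for `ec2-user` from `10.2.13.42` inside the validity window is the self-signed CA key, which is exactly the mistake the last two replies diagnose.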

Nr18 commented on August 16, 2024

Great thanks!

