    Russell Lewis
    @russell-lewis
    ssh with a -v would help confirm the cert is being accepted and you just need to unlock the private key
    And of course I'd recommend you disable password auth if it isn't already.
    Nicholas J. Parks
    @nparks-kenzan
    Thanks, the keypair generated for use with the bless client did not have a password on it. Good'le enter twice at ssh-keygen prompt. I will check the password auth.
    Ben
    @benjwdev
    I've managed to get Bless working for accessing a server. Is it possible to use the AuthorizedPrincipalsFile setting alongside TrustedUserCAKeys in the sshd_config?
    I'm signing the cert with a principal, e.g. test, then want to allow a user to ssh to an instance as a user, e.g. ec2-user@ip-address; however, I want to block access if "test" isn't a principal in the cert.
    I've tried setting AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u, then creating a file "ec2-user" in the auth_principals directory which contains the allowed principals, e.g. test. However, every time I try to ssh as ec2-user@ip-address with test as a principal in the cert I get the error: Certificate does not contain an authorized principal. Any ideas?
    Ben
    @benjwdev
    (I'd rather not have to create a new user for each principal)
    Nicholas J. Parks
    @nparks-kenzan
    ...sigh parameters. @russell-lewis I stepped away all day came back and it was just a simple parameter thing. I do see Netflix/bless#11 . I guess I can be brave..fork...branch..PR
    jaymed
    @jaymed
    Can anyone out there help me understand how the '[KMS Auth]' kmsauth_key_id is different from the KMS key used by the Lambda function to decrypt the private key password?
    I'm using @crielly 's terraform scripts (https://github.com/crielly/bless) to create the Lambda/KMS and I'm finding that after the initial deployment, I have to update the bless_deploy.cfg with the generated KMS key info and re-publish the bless_lambda.zip and push it out again using terraform. I might not be understanding the 'KMS Auth' part correctly.
    Hugh Topping
    @hughtopping

    Hi @jaymed! The KMS Auth stuff is optional and isn't related to the KMS key used to decrypt the private key password.

    The Lyft team added it because rather than invoking the Bless lambda function from a bastion server, they wanted to be able to do it from engineers' laptops directly. KMS auth is used to prove that the user authenticated with AWS at a given time. There's some more details in the README here: https://github.com/lyft/python-blessclient

    jaymed
    @jaymed
    Thanks @hughtopping . The Lyft model is what we're going for. Now that I understand the use of the KMS keys, I think it would be best to create a separate KMS key that's used for the KMS auth part. I was previously using the same KMS key for both things.
    Hugh Topping
    @hughtopping
    @jaymed yes, I think that's definitely the right way to go about it
    merlin
    @IshaqSharief_twitter
    Hi all. I'm testing out the bless setup and going as per @crielly 's blog post. When I run blessclient.run --region WEST I get prompted for an MFA token. We don't use MFAs at our organization. Is there a way to bypass this, at least for this testing phase?
    Connor Rielly
    @crielly
    Not sure, but the right thing to do is use MFA at your organization!
    merlin
    @IshaqSharief_twitter
    Assuming I use Google Authenticator, I'm not sure how this ties in with the app. Usually I have to scan a barcode...
    Connor Rielly
    @crielly
    Every IAM user has the option to associate a virtual MFA device, which should give you a barcode and a long string; either can be used to set up an authenticator. I actually use Authy instead of Google, but whatever works.
    merlin
    @IshaqSharief_twitter
    I was able to set that up and ran into "Could not connect to BLESS in any configured region." Going through the config files to see what might be amiss. Any pointers?
    merlin
    @IshaqSharief_twitter
    I have the domain_regex configured as domain_regex: (.*\.amazonaws\.com|.*\.example\.net|\A10\.100(?:\.[0-9]{1,3}){2}\Z)$ which I am pretty sure is not right.
    Jason Myers
    @jasonamyers
    Good morning, is there a way to hand out granular access via bless?
    We have a few accounts and we'd like to give access to some accounts but not others for particular users.
    Jason Myers
    @jasonamyers
    I was gonna set up different bless lambdas in the different accounts to handle it.
    Hugh Topping
    @hughtopping

    @jasonamyers you may want to have a look at my PR as I had a similar requirement:
    Netflix/bless#62

    It lets you grant access to generate certs for specific accounts using IAM group membership.

    Jason Myers
    @jasonamyers
    thank you @hughtopping
    Jeremy Stott
    @stoggi
    Hello, I really like this project and am excited to try it out. I've noticed that generating the private key used for the CA is done with ssh-keygen, kind of out of scope of the project. I'd like to automate this process: generate and encrypt the private key in a lambda function using the python cryptography module (including seeding /dev/urandom from KMS like BLESS). That way I can rotate CA certificates quickly and easily. Since I'm already trusting AWS Lambda with the CA and key, it seems like the appropriate place to generate the private key too.
    1. Is this a good idea?
    2. Would anyone be interested in a PR that adds private key generation to BLESS?
    MUA
    @msuzoagu

    @crielly @russell-lewis hello! I am struggling to understand how BLESS works on the bastion and would appreciate some guidance.

    Thus far I've been able to deploy the BLESS Lambda function.

    Stuck at the actual authentication process though.

    So a user SSHs into the bastion.

    • What public key is the bastion presenting to BLESS lambda? The user's own public key? How does Bastion get access to that information/Where do I get this information?
    zues23
    @zues23
    @russell-lewis @crielly @here I have deployed BLESS and the client is able to run the lambda, but I am having this error in CloudWatch and I cannot seem to figure out why: No Region Specific And No Default Password Provided.: ValueError
    Traceback (most recent call last):
      File "/var/task/bless_lambda.py", line 58, in lambda_handler
        config_file=config_file)
      File "/var/task/bless/config/bless_config.py", line 100, in __init__
        raise ValueError("No Region Specific And No Default Password Provided.")
    ValueError: No Region Specific And No Default Password Provided.
    All the configuration is also according to the documentation. Can any of you help me out? Thanks.
    Russell Lewis
    @russell-lewis
    Assuming you aren't importing your own KMS key value, you need to encrypt your private key password individually in each AWS region you deploy.
    zues23
    @zues23

    @russell-lewis yes, I am using the same format. This is the config file:

        # This section and its options are optional
        [Bless Options]
        # Number of seconds +/- the issued time for the certificate to be valid
        certificate_validity_after_seconds = 120
        certificate_validity_before_seconds = 120
        # Minimum number of bits in the system entropy pool before requiring an additional seeding step
        entropy_minimum_bits = 2048
        # Number of bytes of random to fetch from KMS to seed /dev/urandom
        random_seed_bytes = 256
        # Set the logging level
        logging_level = DEBUG
        # Comma separated list of the SSH Certificate extensions to include. Not specifying this uses the ssh-keygen defaults:
        certificate_extensions = permit-X11-forwarding,permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc
        # Username validation options are described in bless_request.py:USERNAME_VALIDATION_OPTIONS
        # Configure how bastion_user names are validated.
        username_validation = useradd
        # Configure how remote_usernames names are validated.
        remote_usernames_validation = principal

        # These values are all required to be modified for deployment
        [Bless CA]
        eu-central-1_password = xxxx
        # Or you can set a default password. Region specific password have precedence over the default
        default_password = <KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
        # Specify the file name of your SSH CA's Private Key in PEM format.
        ca_private_key_file = bless-ca-

        [KMS Auth]
        # Enable kmsauth, to ensure the certificate's username matches the AWS user
        use_kmsauth = True
        # One or multiple KMS keys, setup for kmsauth (see github.com/lyft/python-kmsauth)
        kmsauth_key_id = xxxxxxxxx
        kmsauth_key_id = arn:aws:kms:eu-central-1:xxxx:key/da3636a5-4f23-4a45-b7b0-312ce7bb9fd7
        # If using kmsauth, you need to set the kmsauth service name. Users need to set the 'to'
        # context to this same service name when they create a kmsauth token.
        # This is done in the blessclient.cfg when using the Lyft blessclient
        kmsauth_serviceid = bless

    Russell Lewis
    @russell-lewis
    Take a look at: https://github.com/Netflix/bless/blob/master/bless/config/bless_config.py#L99 You could try setting default_password to your eu-central-1 one. Also you should take a look at what the lambda thinks its deployed region is: https://github.com/Netflix/bless/blob/master/bless/aws_lambda/bless_lambda.py#L54
    zues23
    @zues23
    @russell-lewis ok thanks for the information. I will take a look at it.
    Russell Lewis
    @russell-lewis
    And you should be able to actually test things out locally. Add a test like the following with your own config, and you can set regions as you'd like: https://github.com/Netflix/bless/blob/master/tests/config/test_bless_config.py#L34
    zues23
    @zues23
    @russell-lewis ok I will do so, I do appreciate your time.
    Russell Lewis
    @russell-lewis
    @msuzoagu So I briefly discussed it during my OSCON talk, but we have our own bastions in place that provide a few features you'll need on your own. Our bastion tooling is a bit too Netflix specific right now. The bastions AuthN developers. The bastion needs to prevent developers from accessing its AWS credentials. We have a daemon that developers make IPC calls to. That daemon is responsible for determining who the user is and whether they are authorized to make the SSH request; it then uses the AWS creds to call the BLESS lambda and returns the certificate to the developer.
    The sample bless client really is just an example of how your daemon could invoke the lambda. It does not provide an example of how you map a developer's ssh request into useful things like usernames and IP addresses, or how you do authZ on those requests.
    zues23
    @zues23
    @russell-lewis @here: Thanks, I got the lambda up and running and I am able to execute the lambda.
    When I run the client I get this error; there is a requirement for openssl_1.0.2 during certificate creation. Am I doing something wrong, or how can I fix it? Help needed:
    {u'stackTrace': [[u'/var/task/bless_lambda.py', 167, u'lambda_handler', u'ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)'], [u'/var/task/bless/ssh/certificate_authorities/ssh_certificate_authority_factory.py', 21, u'get_ssh_certificate_authority', u'return RSACertificateAuthority(private_key, password)'], [u'/var/task/bless/ssh/certificate_authorities/rsa_certificate_authority.py', 30, u'__init__', u'default_backend())'], [u'/var/task/cryptography/hazmat/backends/__init__.py', 15, u'default_backend', u'from cryptography.hazmat.backends.openssl.backend import backend'], [u'/var/task/cryptography/hazmat/backends/openssl/__init__.py', 7, u'<module>', u'from cryptography.hazmat.backends.openssl.backend import backend'], [u'/var/task/cryptography/hazmat/backends/openssl/backend.py', 49, u'<module>', u'from cryptography.hazmat.bindings.openssl import binding'], [u'/var/task/cryptography/hazmat/bindings/openssl/binding.py', 13, u'<module>', u'from cryptography.hazmat.bindings._openssl import ffi, lib']], u'errorMessage': u"/lib64/libcrypto.so.10: version `OPENSSL_1.0.2' not found (required by /var/task/cryptography/hazmat/bindings/_openssl.so)", u'errorType': u'ImportError'}
    Jeremy Stott
    @stoggi
    @zues23, how did you create the .zip file for the lambda? That error looks like you may be missing some dependencies. Did you follow the instructions at https://github.com/netflix/bless#deployment ?
    zues23
    @zues23
    @stoggi I followed the same thing. I actually can see the openssl there in the zip file, but I suspect it is not of the correct version. So I was wondering if it has to do with the Mac laptop I used or the Red Hat instance, because both resulted in the same error.
    zues23
    @zues23
    @stoggi got it signing certificates now. I recreated the zip on Amazon Linux and it worked. Thanks.
    zues23
    @zues23
    @nparks-kenzan @here I am getting this passphrase issue but I'm not sure what passphrase it meant; any idea if there is some parameter issue?
        debug1: Offering RSA-CERT public key: ./mktemp-cert.pub
        debug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 1876
        debug1: sign_and_send_pubkey: no separate private key for certificate "./mktemp-cert.pub"
        Enter passphrase for key './mktemp-cert.pub':
    Dhrumil Anandjiwala
    @da2709
    @russell-lewis Can you please help me with this error?
    '''ERROR: certificate signing error: ValueError("did not receive a certificate from lambda, received: {u'stackTrace': [[u'/var/task/bless_lambda.py', 164, u'lambda_handler', u'ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)'],
    ........
    [u'/var/task/cryptography/x509/extensions.py', 20, u'<module>', u'from cryptography.hazmat.primitives import constant_time, serialization'],
    [u'/var/task/cryptography/hazmat/primitives/constant_time.py', 9, u'<module>', u'from cryptography.hazmat.bindings._constant_time import lib']],
    u'errorMessage': u'/var/task/cryptography/hazmat/bindings/_constant_time.so: invalid ELF header', u'errorType': u'ImportError'}",)'''
    PastNullInfinity
    @PastNullInfinity

    I'm getting a weird error on BLESS v0.4.0:

    All tests go fine, file permissions, configuration files and all of that seems to be correct, but when I run the client I get this error:

    [ERROR] TypeError: __init__() got an unexpected keyword argument 'strict'
    Traceback (most recent call last):
      File "/var/task/bless_lambda.py", line 13, in lambda_handler
        return lambda_handler_user(*args, **kwargs)
      File "/var/task/bless/aws_lambda/bless_lambda_user.py", line 68, in lambda_handler_user
        schema = BlessUserSchema(strict=True)

    Does anyone have any clue on what it could be?

    Jeremy Stott
    @stoggi
    Looks like the strict keyword argument was removed in a newer version of the marshmallow dependency. How are you packaging the python zip file for your lambda? The version of marshmallow should be pinned to an older version.
    Jeremy Stott
    @stoggi

    Hmm, I just tried it on master and even though your virtual environment gets the correct (old?) version of marshmallow, make lambda-deps ends up fetching the latest one. This is because lambda_compile.sh just ends up running pip install -e . and installing the latest dependency here: https://github.com/Netflix/bless/blob/c03b8d1bf0a4addef43a5dead85820904fe35123/setup.py#L24

    To get things working, you could try requesting an older version of marshmallow in your setup.py file, like so: 'marshmallow<3',

    PastNullInfinity
    @PastNullInfinity
    Ok, I've rebuilt and redeployed the lambda with that change and now at least it seems to run fine, thanks! I'll open up an issue about it.