SSH Product Overview

Size: px

Start display at page:

Download "SSH Product Overview"

Alexis Robbins
5 years ago
Views:

1 SSH Product Overview

3 Where is SSH used? File Transfer & Remote Script Execution SSH (SCP or SFTP) Jupiter TLS SSH Customers Partners Employees Admins with Root Access Application Owners System Admins

4 Where is SSH used? File Transfer & Remote Script Execution SSH (SCP or SFTP) Simple rule of thumb: If it s not Windows or a Mainframe, SSH is Jupiter probably used to login into it. TLS SSH Customers Partners Employees Admins with Root Access Application Owners System Admins

5 SSH Basics User Access 1 Server Keys A A 1 21 User Keys User Keys Host Keys Server1 Host Keys Server2 Server1 Authorized Server Keys Keys A1 Alice Server1 2 A Server Keys Authorized Keys Alice Alice Server2

6 SSH Basics Server-to-Server Access A Client Keys C 1 Trusted Server1 Keys 12 User Keys Host Keys Server1 Server2 1 1 A A2 Server Keys Server Keys Authorized Keys Alice Authorized Keys Server2 Alice Server1 2 2 Authorized Server Keys Keys A2 Authorized Host Keys Keys A1 Server Keys User Keys Alice Server1 Alice Alice Server2

7 The State of SSH in Most Organizations No inventory No key rotation Weak keys Terminated employees still have access Potential backdoor keys Pivoting opportunities for attackers

8 SSH Discovery and Remediation Venafi Products can discover and report back to Venafi server crucial details about SSH keys. Discovery is a critical part of identifying the status of your SSH key environment across all of your systems.

9 SSH Discovery and Remediation Identifying orphaned public keys and resolving them quickly can help to avoid potentially serious vulnerabilities, particularly when an orphaned key is found in a root or administrative account on a server. Venafi Products allow us to add/remove SSH keys.

10 Agentless SSH TPP server(s) will SSH to target systems to perform scans and remediation Work performed at the time of User UI action Discussed in detail in it s own module

11 Agent Based SSH Requires installation of Agent software Supports wide range of OS types Can gather SSH Key Usage info Agents call home for work Discussed in detail in it s own module

12 Agent vs. Agentless Considerations Network traffic direction Agent: Key usage logging Agent: Better support for intermittent systems (e.g., user laptops) Agent: Support for Windows Agentless: More platform independent (e.g., mainframe, etc.) Agentless: Credential management for our own agentless access

13 Review 1. What are SSH Keys used for? 2. What is the purpose of authorized_keys file? 3. What is default expiration for an SSH key?

14 Agentless SSH

16 Agentless SSH Overview SSH discovery can find SSH keys on devices that do not have agents installed on them SSH Remediation can add and remove SSH keys TPP uses a remote SSH connection to connect to the systems or servers TPP will scan per configured work and create keysets in Aperture

17 Configuring Agentless SSH Create Credential Objects Create Device Objects Configure SSH Work Allow scheduled work to happen View Results in Aperture

18 Create Credential Objects Password (Aperture or WebAdmin) SSH Private Key (WebAdmin)

19 Create Device Objects Done in WebAdmin Supports sudo Set Temp Directory if using sudo

20 Device Objects Device Inventory See status of Devices Use filters Can be created using Network Discovery

21 View Device Objects Shows status info Test Connection

22 Edit Device Objects

23 Configure Agentless SSH Work Enable folders for Agentless

24 Configure Agentless SSH Work Add a Group Group Purpose = Agentless SSH

25 Configure Agentless SSH Work Hardcodes Membership Criteria

26 Configure Agentless SSH Work Work Types: SSH Discovery SSH Remediation Work explained in upcoming module

27 Run Agentless SSH Scan Runs per schedule Can be triggered on demand

28 Lab: Agentless SSH Lab coming up after next module

29 Review 1. What are benefits of Agentless SSH? 2. Can we mix and match Agent and Agentless SSH? 3. Can Agentless SSH typically be used with Windows Servers?

30 Configuring SSH Work

32 Configuring SSH Work Overview SSH work can apply to Agents and Agentless SSH Done on the Group under Groups & Work > Work Specify what to scan Specify where to scan Specify when to scan Enable Remediation

33 Enabling SSH Discovery Work Work items are created under Groups & Work Unique Name Type

34 SSH Discovery Work Settings Enable work item Scan interval is similar to Agent check-in time options are: Daily Weekly Monthly Hourly On Receipt Every 30 Minutes Randomization to not over load VMs

35 SSH Discovery Work Settings Default scan paths for SSH server information and keys

36 SSH Discovery Work Settings Specify folder where agent will look for: Host Keys User Keys Host Keys and User Keys Supports wildcards Specify where to not scan

37 SSH Discovery Work Settings Should the agent scan Network File System (NFS) mount points Minimize the impact of discovery

38 SSH Discovery Work Settings Select a file size threshold after which the agent should ignore files By setting this limit to 1mb, all keystore files larger than 1mb are ignored during SSH discovery.

39 SSH Discovery Work Settings Logging level detail Default is Info Written to System logs

40 SSH Remediation Work SSH Remediation > Remediate SSH Work = Yes

41 Enabling SSH Discovery Work Work items are created under Groups & Work Unique Name Type

42 Creating SSH Remediation Work

43 SSH Remediation Work How often Agents check for Remediation work Interval between Monthly and 1min Randomization Start time Agentless SSH performs work immediately

44 SSH Remediation Work Logging level detail Default is Info Agent Writes to: Syslog Event Logs

45 SSH Key Usage Work SSH Key Usage > SSH Key Usage Enabled = Yes

46 SSH Key Usage Work How often Agents Deliver SSH Key Usage data Interval between daily and 1min Randomization

47 SSH Key Usage Work Cache size on Agent side Agent logging for SSH Key Usage

48 SSH Key Usage Agent side Only Venafi Agent can gather SSH Key Usage! Steps required on Venafi Agent side:

49 Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH Configuring Agent SSH Work Lab Agent SSH configuration Enable Discovery and Remediation Configuring Agentless SSH Lab Agentless Based SSH configuration Enable Discovery and Remediation

50 Review 1. Where are SSH Discovery results placed? 2. How often will the Agents scan for SSH Keys? 3. How often will Agentless SSH scan run? 4. Where does the Agent log SSH discovery information?

51 SSH Policy Creating and Configuring

53 Working with SSH Key Policies Lock or suggest values* Settings inherited down the tree Agents represented in Policy structure Permission assignment Find policy violations *Unlike Certificate Policy, some locked values are just for reporting. For example multiple private key instances when locked to not allowed.

54 Configuring SSH Policy Done in Aperture Configuration > Policies Opens Policy tree view Click on folder icon to expand

55 SSH Policy - General

56 SSH Policy - General

57 SSH Policy - General

58 SSH Policy - General Let's you allow or deny user access to one or more remote IP addresses or host names Setting will be added to authorized_keys

59 SSH Policy - General Using forced commands, you can limit user accounts SSH access and usage Instead of the client's deciding which command will run, the Policy forces the command

60 SSH Policy - General Login options in authorized_keys for example: no-user-rc no-x11-forwarding no-agent-forwarding More found in documentation

61 SSH Policy Device Connection

62 Dashboard

63 Dashboard

64 SSH Keysets Inventory > SSH Keys

65 Orphan keys SSH Keys > Orphans Shows keysets where we don t know about the matching private or public key We can see that some one has root access to multiple systems

66 Keyset details

67 Keyset details

68 Devices Inventory > Devices View Device status, no need to check each keyset separately

69 Looking at a Device Overview SSH Client info SSH Host info Permissions

70 SSH Client Outgoing Access Shows client keyset instances on this host Show a warning when something is out of compliance

71 SSH Client Trusted Server Shows discovered known_hosts keys

72 SSH Server Authorized Clients Shows keys that grant access to the system

73 SSH Server Host Keysets Shows Host Keysets

74 SSH Server Configuration Shows SSHd Configuration info

75 Lab: SSH Policy Lab Configure Policies for SSH View SSH Key Discovery results

76 Review 1. What can we do through SSH Policy? 2. Can SSH Policy be configured through WebAdmin? 3. What is the difference between SSH Host and Client keyset?

77 SSH Remediation Responding to SSH Key Threats

79 SSH Remediation In order to prevent lateral attacks on your critical servers and related network resources, you must be able to find, identify, organize, and renew your SSH key assets. Remediation allows us to rotate existing keys and provision new ones.

80 Enable Remediation Configuration > Folders Only available through Policy (not on specific keyset)

81 Remediation - Workflow Approved on Key Instance in Aperture Define Approver through SSH Policy or specific Approver per Workflow object Stage Code Friendly Name Description SSH Key Provisioning Before the key is added on the device SSH Key Edit Before the key is edited on the device SSH Key Removal Before the key is removed from the device Venafi. All Rights Reserved. 81

82 Remediation Enabled Private Keys

83 Remediation Enabled Auth Keys

84 Working with Keysets Inventory > SSH Keys Create New Keyset

85 Creating New Keysets

86 Creating New Keysets

87 Adding Key Instances Adding a Public Key instance to a Keyset Adding a Private Key instance to a Keyset

88 Removing Key Instances Removing a key instance

89 Add Public Key instance

90 Making changes to Key instances Editing a Public key instance

91 Making changes to Key instances Make changes and click Save

92 Rotating Keys Start key rotation

93 Rotating Keys Host Key rotation will pause and go into a Reconfigure stage Chance to manually restart/reconfigure SSHd if needed

94 Changes To Keys Outside TPP Detect Remote Add: - Detect: Add to TPP - Remediate: Add to TPP Remote Delete: - Detect: Delete from TPP - Remediate: Restore on remote Remediate Remote Edit: - Detect: Edit in TPP - Remediate: Restore on remote

95 Resolving Common SSH Key Risks Resolving Orphans Track the status of Orphan Keys Resolving Shared Private Keys Weak Keys

96 Resolving Orphans Mapping to an External Key No corresponding private key instance Creates proxy of the private key Deleting Orphans Would allow administrator or root access to system Cannot discover or verify the owner of a key Use Mark As feature if not 100% sure

97 Tracking the status of orphans To keep track of the work we have done with each keyset, we can use the Mark As option Mark As lets us set the status of each keyset to either Reviewed As OK or Reviewed Needs Action Lets you identify which keysets have already been reviewed

98 Mark As Reviewed As OK Indicates that you have already resolved an orphan Reviewed Needs Action Unauthorized User Trust Rogue Suspect Owned by Former Employee Generates an event

99 Resolving Shared Private Keys Compliant shared keys No needed Non-compliant Remove non-compliant instances

100 Resolving Accessible Root Accounts Root accounts at the server level are typically to be avoided or kept to a minimum Remove Public Key instance from authorized_keys Add a User-access only public key

101 Weak Key Lenghts Small key length keys introduce risk Rotate keys to comply with policy, typically to RSA 2048 or DSA 1024 keys (suggested minimum sizes per algorithm)

102 Lab: SSH Remediation Lab Reviewing a keyset and mark as External key access Rotate a Private Key Remove a Key instance Provision a new Keyset to grant alice access from ServerA to ServerB

103 Review 1. Why would you create a new Keyset? 2. Can you set SSH keys to auto-renew? 3. Can keys be downloaded from Aperture? 4. Can you upload an SSH Private Key to Aperture?

Venafi Server Agent Agent Overview

Venafi Server Agent Agent Overview Venafi Server Agent Agent Intro Agent Architecture Agent Grouping Agent Prerequisites Agent Registration Process What is Venafi Agent? The Venafi Agent is a client/server