xingluw
commented
2 years ago Hi @chifu1234, this feature is already being considered for the roadmap, but I will leave this post open so that the community can show interest with their upvotes.
Closed chifu1234 closed 2 years ago
xingluw
commented
2 years ago Hi @chifu1234, this feature is already being considered for the roadmap, but I will leave this post open so that the community can show interest with their upvotes.
karras
commented
2 years ago @xingluw Is my understanding correct that a first iteration of this feature request was implemented in 0.10.0 with "Credential Injection"? Any plans to include this in the OSS version as this seems to be solely available in HCP Boundary at the moment or am I mistaken? :)
Thanks!
xingluw
commented
2 years ago Hi @karras, that is correct, it will only be available in HCP Boundary and there are no plans to implement this in OSS at this time.
sandstrom
commented
2 years ago I get that you want to make money to pay back all investors.
But pushing for HCP (hosted cloud) of an auth-tool doesn't make sense to me.
When you get hacked (will happen) or are down (will also happen) we'll have a big problem. I honestly don't see any benefit to HCP here.
Is there a paid offering where the injection feature is available?
We're a ~10 people company and pay for several "pro" versions of open-source products.
For "boundary pro" a fee per user and month would make sense for us.
It should still be OS and we'd manage/host it, but there would be a license requirement and telemetry could report number of users back to HashiCorp for billing.
Any plans for such a thing?
covetocove
commented
2 years ago @sandstrom first off thank you for the interest in Boundary and for giving feedback to drive the product's direction. _[Update] there is now a self-managed Enterprise offering of Boundary available that includes enterprise support and premium features such as credential injection, multi-hop sessions, and session recording. Learn more about Boundary Enterprise here._
Moving forward we will continue to invest in all editions of Boundary: Boundary OSS, HCP Boundary (Boundary's cloud service), and Boundary Enterprise. This includes:
Investing in HCP Boundary security and availability One of our top priorities for HCP Boundary is ensuring the managed surface is consumable even in secure environments. Self-managed workers already help limit access to customer environments and we are working on new features that will improve the security posture of accessing a highly secure private network. In addition, we will continue to improve the managed service with functions such as backup workflows, disaster recovery, and platform outage fallbacks. We will have some announcements in this vein at next week's HashiConf Global conference.
Continuing to build a compelling Boundary OSS offering We remain as committed to building a compelling and secure open source offering of Boundary. The use of single-use credentials instead of static, long-lived credentials, is one of the ways Boundary can help improve an organization’s security posture. Even without credential injection, the use of credential brokering with single-use credentials is a significant improvement in security posture vs other forms of credential management because the attack vector is so limited. We are continuing to improve the user experience for credential brokering to expand to a variety of dynamic credentials and these will be coming to open source Boundary as well as HCP Boundary.
sandstrom
commented
2 years ago Thanks for answering @PPacent!
For us to choose hosted Boundary, it would likely need to be engineered in such a way that even if you are hacked, the hacker wouldn't get access to our systems.
Not an impossible engineering challenge, but not a super-easy one either and would likely require us to spin up nodes that does the actual auth, signs them and passes them along to your hosted stuff. At which point there is little use in spreading out the service across components hosted both by you and by us.
For example, we do use hosted 1Password since it's E2E. But doing a zero-trust auth-service is going to be trickier 😄
We love hosted stuff in general, but I'd say that server access is probably one of very few things that we prefer to maintain our selves.
I looked around a bit more, and found this blog post of yours from about a year ago: https://www.hashicorp.com/blog/managing-ssh-access-at-scale-with-hashicorp-vault
Something like that, but with Boundary, would also work for us. In that case we could use brokered credentials, since they are short-lived.
I also found this open issue, which I think may be the blocker to unlocking the solution described in that blog post: https://github.com/hashicorp/boundary/issues/1768
simonfelding
commented
2 years ago You should really reconsider your stance on this issue. I'm sure there's lots of money to be made on support contracts like what oracle does.
I work in a large IT company (7000 employees or so) that currently has a somewhat unpleasant UX for the auth process. Boundary with credential injection would be really great, but there's just no chance of convincing anyone to do a transition to a cloud based service - it's on-prem or nothing.
JannikZed
commented
1 year ago For us, it was also a big shock now, that we invested a few days setting up Boundary OSS (as our customer is not allowing hosted services from US corps..), after evaluating everything with HCP and to realize now, that all needed features don't work. We would need to switch from SSH certs back to SSH passwords in order for boundary to be able to broker it .. an awful experience.
jory3
commented
1 year ago Same here: Only after setting up a test environment I found out, that "credential injection", something I considered as the core feature of boundary, doesn't work on premise. Currently, the OSS version of boundary is not much more than a password manager with team capabilities, combined with an SSH client - but much more complicated to setup, use and maintain.
covetocove
commented
1 year ago Hi all - @chifu1234, to your original request on this thread, Boundary now supports credential injection in HCP Boundary as well as Boundary Enterprise (customer-hosted version of Boundary). With credential injection, the user never sees the credential required to authenticate to the target. This provides a passwordless experience for the user, as the worker does both session establishment and authentication to the target on behalf of the user. We currently support credential injection for SSH credentials and plan to expand to other types of protocols in the future. You can learn more about credential injection here.
@jory3, @JannikZed, @simonfelding, @sandstrom - there is now self-managed edition of Boundary that supports credential injection. Boundary Enterprise is now available which includes all premium features of Boundary - including credential injection, multi-hop sessions, and session recording. You can learn more here.
simonfelding
commented
1 year ago That's nice, thank you for listening!
Sent from Outlook for Androidhttps://aka.ms/AAb9ysg
From: PPacent @.> Sent: Wednesday, August 2, 2023 4:47:59 PM To: hashicorp/boundary @.> Cc: simonfelding @.>; Mention @.> Subject: Re: [hashicorp/boundary] Feature: zerotrust with credentials (Issue #2119)
Hi all - @chifu1234https://github.com/chifu1234, to your original request on this thread, Boundary now supports credential injection in HCP Boundary as well as Boundary Enterprise (customer-hosted version of Boundary). With credential injection, the user never sees the credential required to authenticate to the target. This provides a passwordless experience for the user, as the worker does both session establishment and authentication to the target on behalf of the user. We currently support credential injection for SSH credentials and plan to expand to other types of protocols in the future. You can learn more about credential injection herehttps://developer.hashicorp.com/boundary/docs/concepts/credential-management#credential-injection-hcp-ent.
@jory3https://github.com/jory3, @JannikZedhttps://github.com/JannikZed, @simonfeldinghttps://github.com/simonfelding, @sandstromhttps://github.com/sandstrom - there is now self-managed edition of Boundary that supports credential injection. Boundary Enterprise is now available which includes all premium features of Boundary - including credential injection, multi-hop sessionshttps://www.hashicorp.com/blog/boundary-0-12-introduces-multi-hop-sessions-and-ssh-certificate-injection, and session recording. You can learn more herehttps://www.hashicorp.com/blog/boundary-0-13-introduces-ssh-session-recording-boundary-enterprise-and-more?ajs_aid=617143ca-c122-4daf-a7b1-5aa551a27a8a&product_intent=boundary.
— Reply to this email directly, view it on GitHubhttps://github.com/hashicorp/boundary/issues/2119#issuecomment-1662350785, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AKYOW75KXAHGQYCEQUQ2R2TXTJSB7ANCNFSM5XQWX4MA. You are receiving this because you were mentioned.Message ID: @.***>
Is your feature request related to a problem? Please describe. Today the user has full access(read) to the cred store & thus knows all credentials. This mechanism sometimes leaks some vulnerable information to the end-user & it reduces the user experience as they have to enter the credentials to the session.
Describe the solution you'd like Boundary acts as ssh or RDP proxy. The admin can set propriety to a credential that the end-user does not have read or write access to these credential. If a user tries to connect to a system with ssh/RDP, the boundary proxy (worker) performs the authentication and then proxies the session back to the end-user.
Describe alternatives you've considered