CA SIGNED ISSUES / BASTION

[ErmisCat]

Few complex ssh usage issues. 1.) signing an RSA cert with CA has problems, trying to sign the id_krypton.pub fails when it is sent to the app's private key, it's format is unknown / not supported. This would be a huge win to support CA.

2.) Using a bastion host proxying with different users/identityfile's for the bastion and ec2 instance. EG:

Host *.ec2.internal
    IdentitiesOnly yes
    Identityfile ~/.ssh/id_rsa
    User ec2-user
    ProxyCommand ssh bastion-sbox -W %h:%p

Host bastion-sbox
    IdentitiesOnly yes
    Hostname sandboxbastion.test
    User sandboxuser
    IdentityFile ~/.ssh/sandbox

part of the problem is the proxycommand here, it doesn't play nice with your required proxycommand to krssh for the krypton key on the phone. I will just leave this in your hands and let you guys figure out how to make this work, it probably requires krssh to be recoded to support multiple proxying requests, one to the phone, one to a bastion host server.

To make this even more complex, sandbox key for bastion-sbox is actually a BLESS-CA signed key (netflix bless) to reach the bastion host, and id_rsa (would preferably be your krypton key) agent forwarded through the bastion host to access the ec2 instance.

So, without krypton, all of this works just fine, I am trying to implement your product into my environment to reduce a vector.

• opt1

[kcking]

Thanks for bringing up these use cases! (I just edited the format of your comment slightly)

Signing openssh certs is not yet supported by Krypton. Out of curiosity, how are you using openssh certs in your environment? If there's enough interest we'll look into adding this in the future.

As for proxying through a bastion, we support this, you just need to wrap your ProxyCommand in krssh. Check out our docs on this here. The BLESS-ed key should work just fine (just make sure it's added to your agent). Setting it up in the way shown in our docs is also more secure because you are not doing any agent forwarding (more details in the docs).

Let us know if that helps!

[ErmisCat]

For the OpenSSH cert's, the user gets his RSA cert signed from the Bless CA, and then uses that to login to the ssh server. The server /etc/ssh/sshd_config has a copy of the CA's public key to check the incoming connection, but it does not have a copy of the RSA public key in ~/.ssh/authorized_keys.

Right now this is working with an ephemeral ssh key to hit the bastion host which is regenerated on every connection / CA Signing, then we proxy through it to the ec2 instances using a static RSA key. The Bastion hosts have nothing on them except a copy of the public CA key. I will look at wrapping our proxycommand with krssh to be able to use our Krypt key's for the tunneling, this would add an extra layer of wanted security.

Thanks.

[ErmisCat]

This way works better. I would rather have my ec2 instances accept the Krypt key in my phones enclave, and have an empty bastion host accept the signed keys. Thanks

[kcking]

Good to hear the bastion proxying is working well.

As for (1) in your first comment, were you trying to sign another SSH public key using your Krypton private key, or were you trying to have your Krypton public key signed by an OpenSSH CA i.e. BLESS? I was under the impression the second case already works.

[ErmisCat]

second case. I couldn't get that working.

[kcking]

I see, I think we can modify krd to fix this issue. Where are you storing the signed krypton pubkey, in ~/.ssh/id_krypton-cert.pub?

[ErmisCat]

yes.

[nzspambot]

@kcking is there any updates on this? Has started to affect me as we also use BLESS for internal access