by spydum 3689 days ago
You linked right to it... what do you mean? $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_username bastion_source_ip bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>

If successful, I imagine it signs the pub key "id_rsa-cert.pub" which you then can use to SSH as you please (until the cert expires).


That isn't the workflow described in the slides. They talk about signing in via SSO to generate the cert, so it looks like this client is just an example of what would be run at the back end of the web interface you sign into (with 2FA etc), to drop the cert. Look at that as a UI as well, it expects the bastion user to know their own IP to put into the command? Nope. That's a command to be run by something else.

But that just brings up more questions. Generally you want as little as possible running on the bastion; it really is just that choke point. So I presume the SSO front end is also not running on the bastion, but in another subnet, then pokes the key back out...somehow?

Author of the blog post here.

I wasn't at the talk, but had the same question.

BLESS, as released, appears to be intended to drop onto an AWS bastion host and recommends an AWS IAM role to authenticate the bastion to the Lambda function that acts as the CA. Like you mention, there are a lot of limitations to that, but it's still a neat demonstration of using ephemeral client certificates without having to spin up a bunch of infrastructure.

At ScaleFT we're building a solution on the same principles that offers some of what you're talking about out of the box:

  1. Authenticating users against a variety of SSO systems
  2. Treating bastions as nothing more than an untrusted TCP proxy

For me the critical takeaway though, is that whatever automation you're layering on top, client certificates make great ephemeral access tokens and they're increasingly catching on. It's just a matter of building the right automation, integrations, and tooling on the client to make the experience good.
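The thread turns on what the signed `id_rsa-cert.pub` actually grants and for how long. As an added illustration (not code from the thread, the blog post or BLESS itself), the block below parses the OpenSSH certificate wire format and checks the fields a defender cares about: validity window, principals and the `source-address` critical option. It assumes, as a labelled assumption about BLESS's output, that `remote_username` becomes the principal and `bastion_source_ip` the `source-address` option; the parser follows the documented `ssh-ed25519-cert-v01@openssh.com` layout. The constructed test certificate is unsigned, so signature verification (which `ssh-keygen -L` and `sshd` perform) is out of scope here.

```python
import base64
import struct

def _s(b):  # encode an SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

def _rs(buf, off):  # read one SSH string at offset; return (value, new_offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _strings(blob):  # split a concatenation of SSH strings into a list
    out, off = [], 0
    while off < len(blob):
        item, off = _rs(blob, off)
        out.append(item)
    return out

def parse_cert(line):
    """Parse an 'ssh-ed25519-cert-v01@openssh.com AAAA...' line into a dict.
    The CA signature is NOT verified here."""
    ctype, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    _, off = _rs(buf, 0)                          # key type repeated inside the blob
    _, off = _rs(buf, off)                        # nonce
    _, off = _rs(buf, off)                        # the public key that was signed
    serial, cert_type = struct.unpack(">QI", buf[off:off + 12]); off += 12
    key_id, off = _rs(buf, off)
    princ_blob, off = _rs(buf, off)
    valid_after, valid_before = struct.unpack(">QQ", buf[off:off + 16]); off += 16
    crit_blob, off = _rs(buf, off)
    crit = _strings(crit_blob)                    # (name, string-wrapped data) pairs
    options = {crit[i].decode(): _rs(crit[i + 1], 0)[0].decode() for i in range(0, len(crit), 2)}
    return {"type": ctype, "serial": serial, "user_cert": cert_type == 1, "key_id": key_id.decode(),
            "principals": [p.decode() for p in _strings(princ_blob)],
            "valid_after": valid_after, "valid_before": valid_before, "options": options}

def check_cert(cert, now, remote_user, bastion_ip, max_lifetime=3600):
    """Return a list of policy violations; an empty list means the cert passes."""
    problems = []
    if not cert["user_cert"]:
        problems.append("not a user certificate")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds policy")
    if remote_user not in cert["principals"]:
        problems.append("principal missing")
    if cert["options"].get("source-address") != bastion_ip:   # assumption: BLESS sets this
        problems.append("source-address mismatch")
    return problems

def build_cert(key_id, principals, valid_after, valid_before, options):
    """Constructed, UNSIGNED test certificate (zeroed key and signature) for exercising the parser."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x00" * 32)
            + struct.pack(">QI", 1, 1) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"".join(_s(k.encode()) + _s(_s(v.encode())) for k, v in options))
            + _s(b"") + _s(b"") + _s(b"") + _s(b""))  # extensions, reserved, CA key, signature
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Critical options in a real certificate must be in lexical order (`force-command` before `source-address`), which is how `build_cert` expects them to be passed.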