aws ssh 证书配置_在AWS Lambda中运行netflix bless ssh证书颁发机构

aws ssh 证书配置

发出短期用户证书以进行SSH访问 (Issue Short Lived User Certs for SSH Access)

I found the following video posted on my company’s intranet the other week and really enjoyed Russell Lewis’ talk on how Netflix are using SSH Certificates and the dangers of mismanaging your SSH keys.

我在前一周的公司内部网上发布了以下视频，并且非常喜欢Russell Lewis关于Netflix如何使用SSH证书以及不正确使用SSH密钥的危险的演讲。

演示地址

I’d never really had much exposure to SSH Certificates, aside from my own personal reading about at home about a year ago.

除了大约一年前我自己在家中的个人读物外，我从来没有真正接触过SSH证书。

As a cloud user at home and at work, in particular Amazon Web Services (AWS), I was intrigued about trying out Netflix’s BLESS tool in AWS Lambda, to issue users with temporary (short lived) CA signed SSH Certificates to authenticate SSH access to servers.

作为在家和工作中的云用户，尤其是亚马逊网络服务(AWS)的云用户，我对在AWS Lambda中试用Netflix的BLESS工具，向用户颁发临时的(短期的)CA签名的SSH证书来验证对SSH的访问权限很感兴趣。服务器。

I spent some time looking into BLESS and what it can do, and setup up a mock environment of my own in AWS to see what it’s all about; and thought I’d log my initial findings here in a small post for others to read.

我花了一些时间研究BLESS及其功能，并在AWS中建立了自己的模拟环境以了解其全部内容。 并认为我会将我的最初发现记录在一个小文章中，以供其他人阅读。

先决条件 (Prerequisites)

1. AWS Account
   AWS账户
2. KMS Key
   KMS密钥
3. Python Lambda Function
   Python Lambda函数

You will need an account in AWS account with suitable permissions to set this up. Netflix recommend you have a completely isolated AWS account with just BLESS running inside to keep it away from other concerns. As this is just a mock setup, I have used the same account for both BLESS and other services.

您将需要在AWS账户中拥有一个具有适当权限的账户来进行设置。 Netflix建议您使用一个完全隔离的AWS帐户，并且内部仅运行BLESS，以使其免受其他问题的影响。 由于这只是一个模拟设置，因此我为BLESS和其他服务使用了相同的帐户。

You will also need a KMS key in the AWS Region(s) you want to operate in. As KMS is regional, you’ll have to create one in each region you want to use BLESS in. It will be needed later to encrypt your CA Certificate Key Pair Passphrase. The BLESS config file bless_deploy.cfg caters for multiple regions by being about to declare a base64 encoded string for each region.

您还需要在要操作的AWS区域中使用一个KMS密钥。由于KMS是区域性的，因此您必须在要使用BLESS的每个区域中创建一个。以后需要使用该密钥来加密您的AWS区域。 CA证书密钥对密码短语。 BLESS配置文件bless_deploy.cfg通过声明每个区域的base64编码字符串来满足多个区域的需要。

$ export BLESS_REGION=eu-west-2$ aws kms create-alias \
            --region $BLESS_REGION \
            --alias-name alias/bless \
            --target-key-id \
$(aws kms create-key --region $BLESS_REGION | jq -r .KeyMetadata.KeyId)

You will also need to setup an AWS Lambda function, to upload our deployment artifact to, with permissions to access your KMS key. It will be python runtime and for this post’s example the handler will be bless_lambda_user.lambda_handler_user

您还需要设置一个AWS Lambda函数，以将我们的部署工件上传到其中，并具有访问KMS密钥的权限。 它将是python运行时，对于此示例，处理程序将为bless_lambda_user.lambda_handler_user

设置环境 (Setting up your Environment)

下载BLESS代码 (Download the BLESS Code)

The official repository lives at Netflix/bless on GitHub.

官方存储库位于GitHub上的Netflix / bless 。

However in my initial setup, I was hit with errors, and later found there was an open Pull Request to address a bug with the latest version of marshmallow ; The PR is still open at time of writing.

但是在我的初始设置中，我遇到了错误，后来发现有一个开放的Pull Request来解决最新版本的marshmallow的错误； 在撰写本文时，PR仍处于打开状态。

As a quick temporary step, I cloned the official repository and added NeolithEra’s repo as another git remote and checked out their branch to work on.

作为一个快速的临时步骤，我克隆了官方存储库，并将NeolithEra的存储库添加为另一个git remote，并检查了它们的分支以进行工作。

$ git clone git@github.com:Netflix/bless.git

$ git clone git@github.com:Netflix/bless.git

$ git remote add NeolithEra git@github.com:NeolithEra/bless.git
$ git fetch NeolithEra
$ git checkout NeolithEra/master

设置Python venv和下载依赖项 (Setup Python venv and Download Dependancies)

The repository includes a Makefile to help users get setup quickly in a few simple commands.

该存储库包含一个Makefile，可帮助用户通过一些简单的命令快速进行设置。

Start by creating and activating a virtual environment to work from:

首先创建并激活一个虚拟环境以进行以下工作：

$ python3 -m venv venv
$ source venv/bin/activate

pip install all the code dependencies:

pip安装所有代码依赖项：

$ make develop

Run the tests:

运行测试：

$ make test

Hopefully all the tests pass for you…

希望所有测试都能通过...

打包依赖关系 (Package up Dependancies)

AWS Lambda requires the runtime code and its dependancies to be uploaded together in a single artifact. Run the lambda-deps make command to save all your python dependancies in a local directory.

AWS Lambda要求将运行时代码及其相关性一起上传到单个工件中。 运行lambda-deps make命令，将所有python相关性保存在本地目录中。

$ make lambda-deps

$ make lambda-deps

Behind the scenes the Makefile is spinning up a Docker container of amazonlinux:2 and pip installing all the requirements into the aws_lambda_libs folder.

在幕后， Makefile旋转了一个amazonlinux:2的Docker容器， amazonlinux:2将所有要求安装到aws_lambda_libs文件夹中。

设置您的证书颁发机构(CA) (Setting up your Certificate Authority (CA))

生成CA证书密钥对 (Generate a CA Certificate Key Pair)

Use ssh-keygen to generate a new key pair for you, and be sure to add a strong passphrase to protect it with.

使用ssh-keygen为您生成一个新的密钥对，并确保添加强密码短语来保护它。

We’ll make use of KMS later to encrypt the passphrase and allow only our lambda function to decrypt it on the fly when required.

稍后，我们将使用KMS加密密码短语，并仅允许我们的lambda函数在需要时即时解密它。

$ ssh-keygen -t rsa -b 4096 -m PEM -f cas -C "SSH CA Key"

使用AWS KMS密钥加密您的CA密钥对密码 (Encrypt your CA Key Pair Passphrase with AWS KMS Keys)

Get the KMS keyID for your region and use the AWS Cli to encrypt you CA passphrase that will be later used in your BLESS config file.

获取您所在区域的KMS keyID，并使用AWS Cli加密您的CA密码，稍后将在您的BLESS配置文件中使用该密码。

It needs to be base64 encoded in the config file.

它需要在配置文件中以base64编码。

$ aws kms encrypt \
    --key-id $(aws kms describe-key --region eu-west-2 --key-id alias/bless | jq -r .KeyMetadata.KeyId) \
    --plaintext Password123 \
    --region eu-west-2 | jq -r .CiphertextBlob | base64

配置，打包和部署Lambda函数 (Configure, Package up & Deploy your Lambda Function)

Create a directory for your BLESS config and key that will be bundled in the Lambda artifact.

为您的BLESS配置和密钥创建一个目录，该目录将捆绑在Lambda工件中。

There’s a sample configuration that you can use and edit for your setup available in the git repository.

您可以在git信息库中使用一个示例配置并对其进行设置进行编辑。

Copy your config and private CA key into the configs directory.

将您的配置和私有CA密钥复制到configs目录中。

$ mkdir lambda_configs
$ cp bless/config/bless_deploy_example.cfg lambda_configs/bless_deploy.cfg 
$ cp cas lambda_configs/cas.priv

使用您的CA密码短语和文件名更新Bless CA部分 (Update the Bless CA section with your CA Passphrase and Filename)

$ vim lambda_configs/bless_deploy.cfg

$ vim lambda_configs/bless_deploy.cfg

The region in the variable below is the same one(s) used to encrypt your passphrase with KMS above. If you have encrypted the passphrase with multiple KMS keys in multiple regions, you’ll need to add a variable for each.

以下变量中的区域与上面的KMS用于加密密码短语的区域相同。 如果您已使用多个区域中的多个KMS密钥加密了密码，则需要为每个密码添加一个变量。

[Bless CA]
eu-wast-2_password = <base64 encoded encrypted passphrase>
ca_private_key_file = cas.priv

捆绑您的Lambda神器 (Bundle up your Lambda Artifact)

$ make publish

$ make publish

$ ls -l publish
total 32024
drwxr-xr-x  50 keirwhitlock  staff      1600 24 Dec 19:36 bless_lambda
-rw-r--r--   1 keirwhitlock  staff  16165660 24 Dec 19:36 bless_lambda.zip

上载到AWS Lambda (Upload to AWS Lambda)

Upload the resulting bless_lambda.zip to your AWS Lambda function.

将生成的bless_lambda.zip上传到您的AWS Lambda函数。

1. Open the AWS Lambda console.
   打开AWS Lambda控制台。
2. Choose Functions on the navigation pane, and then open your function.
   在导航窗格上选择“功能”，然后打开您的功能。
3. In the Function code section, expand the Code entry type drop-down list, and then choose Upload a .ZIP file.
   在“功能代码”部分中，展开“代码输入类型”下拉列表，然后选择“上载.ZIP文件”。
4. Choose Upload, and then select your .zip file.
   选择上载，然后选择您的.zip文件。
5. Choose Save.
   选择保存。

服务器端配置 (Server Side Configuration)

Launch an instance to test your BLESS signed certs from. Any linux OS should do. I used Amazon Linux 2 AMI purely because it was top in the list.

启动实例以测试您的BLESS签名证书。 任何Linux操作系统都应该这样做。 我纯粹使用Amazon Linux 2 AMI是因为它在列表中排名第一。

信任服务器上的CA密钥 (Trust the CA Key on the Server)

Now you need to setup your server(s) to trust your CA certificate and if you wish, restrict with users can log in.

现在，您需要将服务器设置为信任您的CA证书，并且如果需要，可以限制用户登录。

Add the following line to your sshd_config :

sshd_config下行添加到您的sshd_config ：

TrustedUserCAKeys /etc/ssh/cas.pub

TrustedUserCAKeys /etc/ssh/cas.pub

Then scp a copy your CA’s public key to the server to /etc/ssh.

然后scp一个您的CA的公钥复制到服务器/etc/ssh 。

Be sure to restrict it to root privileges & restart sshd when done.

确保将其限制为root权限，并在完成后重新启动sshd 。

$ systemctl restart sshd.service

$ systemctl restart sshd.service

限制哪些用户可以登录 (Restrict which users can log on)

I created an additional local user to test with other than the default ec2-user

我创建了一个额外的本地用户来与默认ec2-user以外的其他用户进行测试

On the server create a file in /etc/ssh with the names of all the users allowed to log in via this method

在服务器上，在/etc/ssh创建一个文件，其中包含允许通过此方法登录的所有用户的名称

$ echo keirtest > /etc/ssh/auth_principals

$ echo keirtest > /etc/ssh/auth_principals

.. and refer to it in the /etc/ssh/sshd_config with the AuthorizedPrincipalsFile parameter:

..并在/etc/ssh/sshd_config使用AuthorizedPrincipalsFile参数进行引用：

AuthorizedPrincipalsFile /etc/ssh/auth_principals

AuthorizedPrincipalsFile /etc/ssh/auth_principals

Once added, restart sshd

添加后，重新启动sshd

$ systemctl restart sshd.service

$ systemctl restart sshd.service

测试您的BLESS设置 (Testing your BLESS Setup)

The Netflix team have included a bless_client.py script to allow you to test your lambda function is working correctly and generate your signed certificate from your local SSH key.

Netflix团队提供了一个bless_client.py脚本，可让您测试lambda函数是否正常运行并从本地SSH密钥生成签名证书。

If you watched the video I included at the start, you’ll see that Netflix use a Bastion host for their users to first connect to, and then jump from there to their desired destination, using BLESS to issue a short lived cert at that point.

如果您观看了我一开始收录的视频，您会发现Netflix使用堡垒主机让用户首先连接到该主机，然后从那里跳转到所需的目的地，然后使用BLESS颁发短暂的证书。

As such the client script is expecting some details on where you are coming from and going to, so that BLESS can log this information in AWS CloudWatch logs for auditing purposes.

因此，客户端脚本希望获得有关您来自何处以及去向的详细信息，以便BLESS可以将此信息记录在AWS CloudWatch日志中以进行审核。

Get your local public ssh key signed by your BLESS lambda function:

获取由BLESS lambda函数签名的本地公共 ssh密钥：

$ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_usernames bastion_ips bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>

View your signed certificates details:

查看您签署的证书的详细信息：

$ ssh-keygen -L -f id_rsa-cert.pub

Now try and connect to your test instance via SSH, passing both your pub key and the signed pub key:

现在尝试通过SSH并通过您的发布密钥和签名的发布密钥来连接到您的测试实例：

$ ssh <REMOTE USERNAME>@<REMOTE IP> -i <output id_rsa-cert.pub> -i <id_rsa.pub to sign>

结论 (Conclusion)

I’ve only touched on what you can do with BLESS here in this post, but I’d encourage anyone interested in securing your systems in this manner to watch Russell’s YouTube video & give it a go.

在本文中，我仅谈到了BLESS的功能，但我鼓励有兴趣以这种方式保护系统的任何人观看Russell的YouTube 视频并尝试一下。

Next I’m going to explore some of the other abilities SSH Certificates & BLESS can give you. Such as:

接下来，我将探讨SSH证书和BLESS可以为您提供的其他功能。 如：

1. Create a bastion host to jump from and log the session details.
   创建一个堡垒主机以从中跳转并记录会话详细信息。
2. Setup host certificates; so you never get that unknown host warning on valid servers.
   设置主机证书； 因此您永远不会在有效服务器上收到未知主机警告。
3. Setup log auditing and alarms for improper SSH use.
   设置日志审核和警报，以防SSH使用不当。

进一步阅读 (Further Reading)

1. Creating SSH Certificates - Red Hat Docs
2. Netflix BLESS README.md
3. Blog by Mike Milone advocating the use of SSH Certificates

翻译自: https://medium.com/swlh/run-netflix-bless-ssh-certificate-authority-in-aws-lambda-f507a620e42

aws ssh 证书配置