SSH Product Overview - training.venafi.com

Transcript of SSH Product Overview (103 pages)

Page 1

SSH Product Overview

Page 2

Understanding SSH

SSH Discovery and Remediation

Agentless SSH

Agent Based SSH

SSH Product Overview

© 2018 Venafi. All Rights Reserved. 2

Page 3

Where is SSH used?

[Diagram. Labels: SSH, TLS; Customers; Partners; Employees; Admins with Root Access; Application Owners; System Admins; SSH (SCP or SFTP): File Transfer & Remote Script Execution; Jupiter]

Page 4

Where is SSH used?

[Same diagram as page 3]

Simple rule of thumb: If it’s not Windows or a Mainframe, SSH is probably used to log in to it.

Page 5

SSH Basics – User Access

[Diagram. Alice holds User Keys (A); Server1 and Server2 hold Host Keys and Server Keys (1 and 2); the Authorized Keys on Server1 and Server2 list Alice’s key A.]

Page 6

SSH Basics – Server-to-Server Access

[Diagram, extending page 5. Server1 additionally holds Client Keys (C) and Trusted Keys; Server2 holds Server Keys (2), User Keys (2) and Authorized Keys; Host Keys are shown for Server1 and Server2.]

Page 7

The State of SSH in Most Organizations

• No inventory

• No key rotation

• Weak keys

• Terminated employees still have access

• Potential backdoor keys

• Pivoting opportunities for attackers

Page 8

SSH Discovery and Remediation

Venafi products can discover crucial details about SSH keys and report them back to the Venafi server.

Discovery is a critical part of identifying the status of your SSH key environment across all of your systems.

Page 9

SSH Discovery and Remediation

Identifying orphaned public keys and resolving them quickly can help to avoid potentially serious vulnerabilities, particularly when an orphaned key is found in a root or administrative account on a server.

Venafi products allow us to add and remove SSH keys.

Page 10

Agentless SSH

• TPP server(s) will SSH to target systems to perform scans and remediation

• Work is performed at the time of the user’s UI action

• Discussed in detail in its own module

Page 11

Agent Based SSH

• Requires installation of Agent software

• Supports a wide range of OS types

• Can gather SSH Key Usage info

• Agents call home for work

• Discussed in detail in its own module

Page 12

Agent vs. Agentless Considerations

• Network traffic direction

• Agent: Key usage logging

• Agent: Better support for “intermittent” systems (e.g., user laptops)

• Agent: Support for Windows

• Agentless: More platform independent (e.g., mainframe, etc.)

• Agentless: Credential management for our own agentless access

Page 13

Review

1. What are SSH Keys used for?

2. What is the purpose of the authorized_keys file?

3. What is the default expiration for an SSH key?

Page 14

Agentless SSH

Page 15

Agentless SSH Overview

Configuring Agentless SSH Group

Agentless SSH

Page 16

Agentless SSH Overview

• SSH discovery can find SSH keys on devices that do not have agents installed on them

• SSH Remediation can add and remove SSH keys

• TPP uses a remote SSH connection to connect to the systems or servers

• TPP will scan per configured work and create keysets in Aperture

Page 17

Configuring Agentless SSH

• Create Credential Objects

• Create Device Objects

• Configure SSH Work

• Allow scheduled work to happen

• View Results in Aperture

Page 18

Create Credential Objects

• Password (Aperture or WebAdmin)

• SSH Private Key (WebAdmin)

Page 19

Create Device Objects

• Done in WebAdmin

• Supports sudo

• Set Temp Directory if using sudo

Page 20

Device Objects

• Device Inventory

• See status of Devices

• Use filters

• Can be created using Network Discovery

Page 21

View Device Objects

• Shows status info

• Test Connection

Page 22

Edit Device Objects

Page 23

Configure Agentless SSH Work

• Enable folders for Agentless

Page 24

Configure Agentless SSH Work

• Add a Group

• Group Purpose = Agentless SSH

Page 25

Configure Agentless SSH Work

• Hardcodes Membership Criteria

Page 26

Configure Agentless SSH Work

• Work Types:

  • SSH Discovery

  • SSH Remediation

• Work explained in upcoming module

Page 27

Run Agentless SSH Scan

• Runs per schedule

• Can be triggered on demand

Page 28

Lab: Agentless SSH

• Lab coming up after next module

Page 29

Review

1. What are the benefits of Agentless SSH?

2. Can we mix and match Agent and Agentless SSH?

3. Can Agentless SSH typically be used with Windows Servers?

Page 30

Configuring SSH Work

Page 31

Configuring SSH Work Overview

SSH Discovery Work Settings

SSH Discovery Work

SSH Remediation Work

Configuring SSH Work

Page 32

Configuring SSH Work Overview

• SSH work can apply to Agents and Agentless SSH

• Done on the Group under “Groups & Work” > Work

• Specify what to scan

• Specify where to scan

• Specify when to scan

• Enable Remediation

Page 33

Enabling SSH Discovery Work

• Work items are created under “Groups & Work”

• Unique Name

• Type

Page 34

SSH Discovery Work Settings

• Enable work item

• Scan interval is similar to Agent check-in time; the options are:

  • Daily

  • Weekly

  • Monthly

  • Hourly

  • On Receipt

  • Every 30 Minutes

• Randomization so as not to overload VMs

Page 35

SSH Discovery Work Settings

Default scan paths for SSH server information and keys

Page 36

SSH Discovery Work Settings

• Specify the folder where the agent will look for:

  • Host Keys

  • User Keys

  • Host Keys and User Keys

• Supports wildcards

• Specify where not to scan

Page 37

SSH Discovery Work Settings

• Whether the agent should scan Network File System (NFS) mount points

• Minimize the impact of discovery

Page 38

SSH Discovery Work Settings

• Select a file size threshold above which the agent should ignore files

• By setting this limit to 1 MB, all keystore files larger than 1 MB are ignored during SSH discovery.

Page 39

SSH Discovery Work Settings

• Logging level detail

• Default is Info

• Written to System logs

Page 40

SSH Remediation Work

• SSH Remediation > Remediate SSH Work = Yes

Page 41

Enabling SSH Discovery Work

• Work items are created under “Groups & Work”

• Unique Name

• Type

Page 42

Creating SSH Remediation Work

Page 43

SSH Remediation Work

• How often Agents check for Remediation work

• Interval between Monthly and 1 min

• Randomization

• Start time

• Agentless SSH performs work immediately

Page 44

SSH Remediation Work

• Logging level detail

• Default is Info

• Agent writes to:

  • Syslog

  • Event Logs

Page 45

SSH Key Usage Work

• SSH Key Usage > SSH Key Usage Enabled = Yes

Page 46

SSH Key Usage Work

• How often Agents deliver SSH Key Usage data

• Interval between daily and 1 min

• Randomization

Page 47

SSH Key Usage Work

• Cache size on Agent side

• Agent logging for SSH Key Usage

Page 48

SSH Key Usage – Agent side

• Only the Venafi Agent can gather SSH Key Usage!

• Steps required on the Venafi Agent side: https://support.venafi.com/hc/en-us/articles/215911487

Page 49

Lab: Configuring SSH Work

SSH labs can be done with Agentless or Agent Based SSH

• Configuring Agent SSH Work Lab

  • Agent SSH configuration

  • Enable Discovery and Remediation

• Configuring Agentless SSH Lab

  • Agentless Based SSH configuration

  • Enable Discovery and Remediation

Page 50

Review

1. Where are SSH Discovery results placed?

2. How often will the Agents scan for SSH Keys?

3. How often will the Agentless SSH scan run?

4. Where does the Agent log SSH discovery information?

Page 51

SSH Policy: Creating and Configuring

Page 52

Working with SSH Key Policies

Configuring SSH Policy

SSH Policy Settings

Viewing Devices

SSH Policy

Page 53

Working with SSH Key Policies

• Lock or suggest values*

• Settings inherited down the tree

• Agents represented in Policy structure

• Permission assignment

• Find policy violations

*Unlike Certificate Policy, some locked values are just for reporting; for example, “multiple private key instances” when locked to “not allowed”.

Page 54

Configuring SSH Policy

• Done in Aperture

• Configuration > Policies

• Opens Policy tree view

• Click on folder icon to expand

Page 55

SSH Policy - General

Page 56

SSH Policy - General

Page 57

SSH Policy - General

Page 58

SSH Policy - General

• Lets you allow or deny user access to one or more remote IP addresses or host names

• Setting will be added to authorized_keys

Page 59

SSH Policy - General

• Using forced commands, you can limit user accounts’ SSH access and usage. Instead of the client deciding which command will run, the Policy forces the command.

Page 60

SSH Policy - General

• Login options in authorized_keys, for example:

  • no-user-rc

  • no-X11-forwarding

  • no-agent-forwarding

• More found in documentation

Page 61

SSH Policy – Device Connection

Page 62

Dashboard

Page 63

Dashboard

Page 64

SSH Keysets

• Inventory > SSH Keys

Page 65

Orphan keys

• SSH Keys > Orphans

• Shows keysets where we don’t know about the matching private or public key

• We can see that someone has root access to multiple systems

Page 66

Keyset details

Page 67

Keyset details

Page 68

Devices

• Inventory > Devices

• View Device status, no need to check each keyset separately

Page 69

Looking at a Device

• Overview

• SSH Client info

• SSH Host info

• Permissions

Page 70

SSH Client – Outgoing Access

• Shows client keyset instances on this host

• Shows a warning when something is out of compliance

Page 71

SSH Client – Trusted Server

• Shows discovered known_hosts keys

Page 72

SSH Server – Authorized Clients

• Shows keys that grant access to the system

Page 73

SSH Server – Host Keysets

• Shows Host Keysets

Page 74

SSH Server – Configuration

• Shows SSHd Configuration info

Page 75

Lab: SSH Policy Lab

• Configure Policies for SSH

• View SSH Key Discovery results

Page 76

Review

1. What can we do through SSH Policy?

2. Can SSH Policy be configured through WebAdmin?

3. What is the difference between SSH Host and Client keysets?

Page 77

SSH Remediation

Responding to SSH Key Threats

Page 78

SSH Remediation Overview

Enabling SSH Remediation

Working With Keysets

Resolving Key Risks

SSH Remediation

Page 79

SSH Remediation

In order to prevent lateral attacks on your critical servers and related network resources, you must be able to find, identify, organize, and renew your SSH key assets.

Remediation allows us to rotate existing keys and provision new ones.

Page 80

Enable Remediation

• Configuration > Folders

• Only available through Policy (not on a specific keyset)

Page 81

Remediation - Workflow

Stage Code   Friendly Name          Description
10100        SSH Key Provisioning   Before the key is added on the device.
10200        SSH Key Edit           Before the key is edited on the device.
10900        SSH Key Removal        Before the key is removed from the device.

• Approved on Key Instance in Aperture

  • Define Approver through SSH Policy or a specific Approver per Workflow object

Page 82

Remediation Enabled – Private Keys

Page 83

Remediation Enabled – Auth Keys

Page 84

Working with Keysets

• Inventory > SSH Keys

• Create New Keyset

Page 85

Creating New Keysets

Page 86

Creating New Keysets

Page 87

Adding Key Instances

• Adding a Public Key instance to a Keyset

• Adding a Private Key instance to a Keyset

Page 88

Removing Key Instances

• Removing a key instance

Page 89

Add Public Key instance

Page 90

Making changes to Key instances

• Editing a Public key instance

Page 91

Making changes to Key instances

• Make changes and click Save

Page 92

Rotating Keys

• Start key rotation

Page 93

Rotating Keys

• Host Key rotation will pause and go into a “Reconfigure” stage

• Chance to manually restart/reconfigure SSHd if needed

Page 94

Changes To Keys Outside TPP

Change          Detect             Remediate
Remote Add:     Add to TPP         Add to TPP
Remote Delete:  Delete from TPP    Restore on remote
Remote Edit:    Edit in TPP        Restore on remote
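The Detect and Remediate actions above, worked through in code. This is an added example, not Venafi’s code and not a description of TPP internals beyond what the table states; it assumes TPP keeps the key lines it last provisioned for an account (RECORDED) and compares them with what discovery returns (DISCOVERED), identifying keys by fingerprint so that a changed options field counts as a remote edit rather than a new key. The key lines are constructed and carry no real key material.

```python
"""Reconcile authorized_keys changes made outside TPP (constructed example)."""
import base64
import hashlib
import re

KEY_RE = re.compile(r"(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+) (\S+)")


def fingerprint(line):
    """Identify a key line by the SHA-256 of its decoded blob, ignoring options and comment."""
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no key on line: " + line)
    digest = hashlib.sha256(base64.b64decode(m.group(2))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def reconcile(recorded, discovered, remediate=False):
    """Compare the instances TPP recorded for an account with the lines discovered on the
    device. Returns (actions, lines): actions as (action, fingerprint) pairs following the
    Detect/Remediate table, and the lines the file holds after the chosen mode."""
    rec = {fingerprint(l): l for l in recorded}
    found = {fingerprint(l): l for l in discovered}
    actions, final = [], dict(found)
    for fp, line in found.items():
        if fp not in rec:                       # remote add: imported in both modes
            actions.append(("Add to TPP", fp))
        elif line != rec[fp]:                   # remote edit (options or comment changed)
            if remediate:
                actions.append(("Restore on remote", fp))
                final[fp] = rec[fp]
            else:
                actions.append(("Edit in TPP", fp))
    for fp, line in rec.items():
        if fp not in found:                     # remote delete
            if remediate:
                actions.append(("Restore on remote", fp))
                final[fp] = line
            else:
                actions.append(("Delete from TPP", fp))
    return actions, list(final.values())


def _line(n, options=""):
    """Constructed key line; the blob is just an encoded marker, not a real key."""
    blob = base64.b64encode(f"constructed-key-{n}".encode()).decode()
    return f"{options}ssh-rsa {blob} key{n}@example"


RECORDED = [_line(1), _line(2, 'no-agent-forwarding,from="10.0.0.5" '), _line(3)]
DISCOVERED = [_line(1), _line(2, 'from="10.0.0.5" '), _line(4)]  # 2 edited, 3 deleted, 4 added

if __name__ == "__main__":
    for mode in (False, True):
        print("remediate" if mode else "detect", reconcile(RECORDED, DISCOVERED, mode)[0])
```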

Page 95

Resolving Common SSH Key Risks

• Resolving Orphans

• Track the status of Orphan Keys

• Resolving Shared Private Keys

• Weak Keys

Page 96

Resolving Orphans

▪ Mapping to an External Key

  • No corresponding private key instance

  • Creates a proxy of the private key

▪ Deleting Orphans

  • Would allow administrator or root access to the system

  • Cannot discover or verify the owner of a key

  • Use the Mark As feature if not 100% sure

Page 97

Tracking the status of orphans

• To keep track of the work we have done with each keyset, we can use the Mark As option

• Mark As lets us set the status of each keyset to either Reviewed As OK or Reviewed Needs Action

• Lets you identify which keysets have already been reviewed

Page 98

Mark As

• Reviewed As OK

  • Indicates that you have already resolved an orphan

• Reviewed Needs Action

  • Unauthorized User Trust

  • Rogue

  • Suspect

  • Owned by Former Employee

• Generates an event

Page 99

Resolving Shared Private Keys

• Compliant shared keys

  • No action needed

• Non-compliant

  • Remove non-compliant instances

Page 100

Resolving Accessible Root Accounts

• Root accounts at the server level are typically to be avoided or kept to a minimum

  • Remove the Public Key instance from authorized_keys

  • Add a User-access-only public key

Page 101

Weak Key Lengths

• Small key length keys introduce risk

  • Rotate keys to comply with policy, typically to RSA 2048 or DSA 1024 keys (suggested minimum sizes per algorithm)
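The authorized_keys login options (pages 58–60), the root-account guidance (page 100) and the minimum key sizes above, brought together in one added example that is not part of the deck and not Venafi’s code: a small auditor that parses an authorized_keys file, reads the key size out of each key blob, and reports violations of a hypothetical policy (a from= source restriction and the no-agent-forwarding and no-X11-forwarding options required; any key in root’s file flagged). The policy values and the sample file are constructed, and the key blobs contain made-up numbers rather than real keys.

```python
"""Audit an authorized_keys file against an SSH key policy (constructed example)."""
import base64
import struct

MIN_BITS = {"ssh-rsa": 2048, "ssh-dss": 1024}   # suggested minimum sizes per algorithm
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# Hypothetical locked policy values for a root account's authorized_keys.
POLICY = {"require_from": True, "forbid_root": True,
          "required_options": {"no-agent-forwarding", "no-X11-forwarding"}}

def _split_options(line):
    """Split off the options field: it ends at the first space outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""

def _split_csv(text):
    """Split options on commas outside double quotes, so from="a,b" stays whole."""
    out, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur]

def parse_line(line):
    """Return (options dict, key type, decoded blob, comment) for one authorized_keys line."""
    line, opts = line.strip(), {}
    if not line.startswith(KEY_TYPES):
        opt_text, line = _split_options(line)
        for name, _, value in (o.partition("=") for o in _split_csv(opt_text)):
            opts[name] = value.strip('"') if value else True
    parts = line.split(None, 2)
    return opts, parts[0], base64.b64decode(parts[1]), parts[2] if len(parts) > 2 else ""

def key_bits(ktype, blob):
    """Key size from the wire-format blob (uint32-length-prefixed fields)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if ktype == "ssh-rsa":                  # fields: type, e, n -> modulus size
        return int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":                  # fields: type, p, q, g, y -> prime size
        return int.from_bytes(fields[1], "big").bit_length()
    if ktype.startswith("ecdsa-sha2-"):     # fields: type, curve name, point
        return int(fields[1].decode()[-3:])
    return 256                              # ssh-ed25519

def audit(authorized_keys_text, account, policy=POLICY):
    """Return (key comment, finding) pairs for every policy violation in the file."""
    findings = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, ktype, blob, comment = parse_line(line)
        label, bits = comment or ktype, key_bits(ktype, blob)
        if bits < MIN_BITS.get(ktype, 0):
            findings.append((label, f"weak key: {ktype} {bits} bits < {MIN_BITS[ktype]}"))
        if policy["require_from"] and "from" not in opts:
            findings.append((label, "no from= source restriction"))
        for opt in sorted(policy["required_options"] - set(opts)):
            findings.append((label, f"missing login option {opt}"))
        if policy["forbid_root"] and account == "root":
            findings.append((label, "public key instance grants root access"))
    return findings

def build_blob(ktype, *fields):
    """Constructed sample blob (made-up numbers, not a real key) in sshd's wire format."""
    def mpint(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return b"\x00" + b if b[0] & 0x80 else b    # leading zero keeps it positive
    enc = [ktype.encode()] + [f if isinstance(f, bytes) else mpint(f) for f in fields]
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in enc)).decode()

SAMPLE = "\n".join([                            # constructed authorized_keys for root
    'from="10.0.0.0/8,*.corp.example",command="/usr/local/bin/backup",'
    "no-agent-forwarding,no-X11-forwarding ssh-rsa "
    + build_blob("ssh-rsa", 65537, (1 << 2047) | 1) + " backup@app1",
    "ssh-rsa " + build_blob("ssh-rsa", 65537, (1 << 1023) | 1) + " legacy@jump",
    "ssh-dss " + build_blob("ssh-dss", (1 << 1023) | 1, 3, 5, 7) + " old-dsa",
    "ssh-ed25519 " + build_blob("ssh-ed25519", b"\x01" * 32) + " alice@laptop",
])

if __name__ == "__main__":
    for label, finding in audit(SAMPLE, "root"):
        print(f"{label:14} {finding}")
```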

Page 102

Lab: SSH Remediation Lab

• Review a keyset and mark it as External key access

• Rotate a Private Key

• Remove a Key instance

• Provision a new Keyset to grant alice access from ServerA to ServerB

Page 103

Review

1. Why would you create a new Keyset?

2. Can you set SSH keys to auto-renew?

3. Can keys be downloaded from Aperture?

4. Can you upload an SSH Private Key to Aperture?