SweetOps #bastion for April, 2019

Discuss cloudposse/bastion

2019-04-02

Paul Calabro

07:43:00 PM

@Paul Calabro has joined the channel

Paul Calabro

07:43:44 PM

so erik, what are your thoughts on that?

Paul Calabro

07:44:20 PM

(from the other channel)

Erik Osterman (Cloud Posse)

08:01:49 PM

https://sweetops.slack.com/archives/CB3579ZM3/p1554233634025100

So I thought of somewhat interesting way that a bad actor could bypass 2FA and I’m curious if this of interest to anyone else.

Scenario:

A bad actor compromises a machine in an untrusted network and quietly imposes these SSH settings on a user (or maybe they’re already in place b/c the user put them there for a reason– e.g. Ansible):

Host *
  ControlMaster auto
  ControlPath ~/.ssh/control-sockets/%C
  ControlPersist yes
  ServerAliveCountMax 5
  ServerAliveInterval 60

…and then they wait for a user to connect to a host behind a bastion using 2FA. Once they do, the bad actor can then reuse that socket over and over again unbeknownst to the user to create sessions using that established connection. And then, course, pivot from there.

AFAIK, unless the bastion server modifies the MaxSessions value, the default number of sessions is 10.

What are your thoughts on this?

Erik Osterman (Cloud Posse)

08:03:17 PM

So this would be a problem if the person’s workstation were compromised, no?

Paul Calabro

08:03:30 PM

correct

Paul Calabro

08:03:57 PM

with those kinds of settings in place, 2FA is only prompted on the first attempt

Paul Calabro

08:05:52 PM

i was trying to think of an fun analogy and the best i could come up with is someone using a door wedge, haha

Erik Osterman (Cloud Posse)

08:10:19 PM

True it is like a door wedge

Erik Osterman (Cloud Posse)

08:10:36 PM

But the same thing exists with ssh agents

Erik Osterman (Cloud Posse)

08:10:40 PM

And sockets

Erik Osterman (Cloud Posse)

08:11:03 PM

I am not averse to adding support to optionally disabling these settings

Erik Osterman (Cloud Posse)

08:11:10 PM

Not sure what the default should be

Erik Osterman (Cloud Posse)

08:11:38 PM

Often times, if the bad actor has control of the workstation all bets are off

Paul Calabro

08:19:10 PM

yeah, those are all good points. i think the bastion is a little unique though in that you’re not just using your keys you’ve already added to the ssh agent. you’re also using push notification/sms/etc as that second factor…however, those gets bypass completely in this scenario.

Erik Osterman (Cloud Posse)

08:19:52 PM

Yea true

Erik Osterman (Cloud Posse)

08:20:17 PM

What if we had some SSH server config profiles? E.g. configs with an extension

Erik Osterman (Cloud Posse)

08:20:32 PM

When starting the container we install one of those config profiles

Paul Calabro

08:20:53 PM

yeah, i was thinking of that as well. i use configs in my docker compose file to mount files.

Erik Osterman (Cloud Posse)

08:20:54 PM

One profile could be the one you suggest and maybe we make that default

Paul Calabro

08:21:05 PM

that works

Erik Osterman (Cloud Posse)

08:21:25 PM

If you want to open a PR for that we will promptly review

Paul Calabro

08:21:32 PM

i came across this accidentally and just thought i’d share b/c it seems like an interesting way to misuse an ssh feature

Paul Calabro

08:21:41 PM

sweet! thanks!

Erik Osterman (Cloud Posse)

08:21:43 PM

Yea makes sense

Erik Osterman (Cloud Posse)

08:22:00 PM

It’s a very popular repo and #1 search result

Erik Osterman (Cloud Posse)

08:22:16 PM

So we should make it as locked down as possible

Paul Calabro

08:22:26 PM

yeah, i’m a fan of this project

Erik Osterman (Cloud Posse)

08:22:36 PM

Very cool!

Paul Calabro

08:22:38 PM

it’s good stuff!

Erik Osterman (Cloud Posse)

08:23:35 PM

If you have a chance to audit our scripts in that project, that would be appreciated as well

Paul Calabro

08:24:39 PM

yeah, i’d be happy to take a look

Bruce

10:59:23 PM

@Bruce has joined the channel

mahmoudamindolah

12:04:16 AM

@mahmoudamindolah has joined the channel

Vidhi Virmani

06:01:10 AM

@Vidhi Virmani has joined the channel

kskewes

06:28:42 AM

@kskewes has joined the channel

2019-04-03

rontron

06:46:46 PM

@rontron has joined the channel

2019-04-05

oscarsullivan_old

01:32:29 PM

@oscarsullivan_old has joined the channel

oscarsullivan_old

01:46:08 PM

Do you install Bastion on to every machine or just your one jump host that connects to your internal machines on private subnets?

xluffy

02:10:04 PM

bastion is a jump host

oscarsullivan_old

02:27:28 PM

Thanks that’s what I thoght

oscarsullivan_old

02:27:34 PM

here’s an updated readme PR @Erik Osterman (Cloud Posse) https://github.com/cloudposse/bastion/pull/43

Improve README by osulli · Pull Request #43 · cloudposse/bastion

What Improves readme with the following: Fixes missing backslash in example Makes assumptions easier to read Restructures into a much more readable format Makes shell examples easier to copy and p…

Erik Osterman (Cloud Posse)

03:15:44 PM

( I am out of town, will check on Monday! Thanks @oscarsullivan_old )

joshmyers

09:23:47 PM

@joshmyers has joined the channel

2019-04-10

mohamed.naseer

04:35:57 AM

@mohamed.naseer has joined the channel