#bastion (2019-04)
Discuss cloudposse/bastion
2019-04-02
@Paul Calabro has joined the channel
so erik, what are your thoughts on that?
(from the other channel)
So I thought of somewhat interesting way that a bad actor could bypass 2FA and I’m curious if this of interest to anyone else.
Scenario:
A bad actor compromises a machine in an untrusted network and quietly imposes these SSH settings on a user (or maybe they’re already in place b/c the user put them there for a reason– e.g. Ansible):
Host *
ControlMaster auto
ControlPath ~/.ssh/control-sockets/%C
ControlPersist yes
ServerAliveCountMax 5
ServerAliveInterval 60
…and then they wait for a user to connect to a host behind a bastion using 2FA. Once they do, the bad actor can then reuse that socket over and over again unbeknownst to the user to create sessions using that established connection. And then, course, pivot from there.
AFAIK, unless the bastion server modifies the MaxSessions
value, the default number of sessions is 10.
What are your thoughts on this?
So this would be a problem if the person’s workstation were compromised, no?
correct
with those kinds of settings in place, 2FA is only prompted on the first attempt
i was trying to think of an fun analogy and the best i could come up with is someone using a door wedge, haha
True it is like a door wedge
But the same thing exists with ssh agents
And sockets
I am not averse to adding support to optionally disabling these settings
Not sure what the default should be
Often times, if the bad actor has control of the workstation all bets are off
yeah, those are all good points. i think the bastion is a little unique though in that you’re not just using your keys you’ve already added to the ssh agent. you’re also using push notification/sms/etc as that second factor…however, those gets bypass completely in this scenario.
Yea true
What if we had some SSH server config profiles? E.g. configs with an extension
When starting the container we install one of those config profiles
yeah, i was thinking of that as well. i use configs in my docker compose file to mount files.
One profile could be the one you suggest and maybe we make that default
that works
If you want to open a PR for that we will promptly review
i came across this accidentally and just thought i’d share b/c it seems like an interesting way to misuse an ssh feature
sweet! thanks!
Yea makes sense
It’s a very popular repo and #1 search result
So we should make it as locked down as possible
yeah, i’m a fan of this project
Very cool!
it’s good stuff!
If you have a chance to audit our scripts in that project, that would be appreciated as well
@Bruce has joined the channel
@mahmoudamindolah has joined the channel
@Vidhi Virmani has joined the channel
@kskewes has joined the channel
2019-04-03
@rontron has joined the channel
2019-04-05
@oscarsullivan_old has joined the channel
Do you install Bastion on to every machine or just your one jump host that connects to your internal machines on private subnets?
bastion is a jump host
Thanks that’s what I thoght
here’s an updated readme PR @Erik Osterman (Cloud Posse) https://github.com/cloudposse/bastion/pull/43
What Improves readme with the following: Fixes missing backslash in example Makes assumptions easier to read Restructures into a much more readable format Makes shell examples easier to copy and p…
( I am out of town, will check on Monday! Thanks @oscarsullivan_old )
@joshmyers has joined the channel
2019-04-10
@mohamed.naseer has joined the channel