#bastion (2019-04)

https://github.com/cloudposse/bastion

Discuss cloudposse/bastion

2019-04-02

Paul Calabro
07:43:00 PM

@Paul Calabro has joined the channel

Paul Calabro

so erik, what are your thoughts on that?

Paul Calabro

(from the other channel)

Erik Osterman (Cloud Posse)

So I thought of a somewhat interesting way that a bad actor could bypass 2FA and I’m curious if this is of interest to anyone else.

Scenario:

A bad actor compromises a machine in an untrusted network and quietly imposes these SSH settings on a user (or maybe they’re already in place b/c the user put them there for a reason, e.g. Ansible):

Host *
  ControlMaster auto
  ControlPath ~/.ssh/control-sockets/%C
  ControlPersist yes
  ServerAliveCountMax 5
  ServerAliveInterval 60

…and then they wait for a user to connect to a host behind a bastion using 2FA. Once they do, the bad actor can then reuse that socket over and over again unbeknownst to the user to create sessions using that established connection. And then, of course, pivot from there.

AFAIK, unless the bastion server modifies the MaxSessions value, the default number of sessions is 10.

What are your thoughts on this?

Erik Osterman (Cloud Posse)

So this would be a problem if the person’s workstation were compromised, no?

Paul Calabro

correct

Paul Calabro

with those kinds of settings in place, 2FA is only prompted on the first attempt

Paul Calabro

i was trying to think of a fun analogy and the best i could come up with is someone using a door wedge, haha

Erik Osterman (Cloud Posse)

True it is like a door wedge

Erik Osterman (Cloud Posse)

But the same thing exists with ssh agents

Erik Osterman (Cloud Posse)

And sockets

Erik Osterman (Cloud Posse)

I am not averse to adding support for optionally disabling these settings

Erik Osterman (Cloud Posse)

Not sure what the default should be

Erik Osterman (Cloud Posse)

Oftentimes, if the bad actor has control of the workstation all bets are off

Paul Calabro

yeah, those are all good points. i think the bastion is a little unique though in that you’re not just using your keys you’ve already added to the ssh agent. you’re also using push notification/sms/etc as that second factor…however, those get bypassed completely in this scenario.

Erik Osterman (Cloud Posse)

Yea true

Erik Osterman (Cloud Posse)

What if we had some SSH server config profiles? E.g. configs with an extension

Erik Osterman (Cloud Posse)

When starting the container we install one of those config profiles

Paul Calabro

yeah, i was thinking of that as well. i use configs in my docker compose file to mount files.

Erik Osterman (Cloud Posse)

One profile could be the one you suggest and maybe we make that default

Paul Calabro

that works

Erik Osterman (Cloud Posse)

If you want to open a PR for that we will promptly review

Paul Calabro

i came across this accidentally and just thought i’d share b/c it seems like an interesting way to misuse an ssh feature

Paul Calabro

sweet! thanks!

Erik Osterman (Cloud Posse)

Yea makes sense

Erik Osterman (Cloud Posse)

It’s a very popular repo and #1 search result

Erik Osterman (Cloud Posse)

So we should make it as locked down as possible

Paul Calabro

yeah, i’m a fan of this project

Erik Osterman (Cloud Posse)

Very cool!

Paul Calabro

it’s good stuff!

Erik Osterman (Cloud Posse)

If you have a chance to audit our scripts in that project, that would be appreciated as well

Paul Calabro

yeah, i’d be happy to take a look

Bruce
10:59:23 PM

@Bruce has joined the channel

mahmoudamindolah
12:04:16 AM

@mahmoudamindolah has joined the channel

Vidhi Virmani
06:01:10 AM

@Vidhi Virmani has joined the channel

kskewes
06:28:42 AM

@kskewes has joined the channel

2019-04-03

rontron
06:46:46 PM

@rontron has joined the channel

2019-04-05

oscarsullivan_old
01:32:29 PM

@oscarsullivan_old has joined the channel

oscarsullivan_old

Do you install Bastion on to every machine or just your one jump host that connects to your internal machines on private subnets?

xluffy

bastion is a jump host

oscarsullivan_old

Thanks that’s what I thought

oscarsullivan_old

here’s an updated readme PR @Erik Osterman (Cloud Posse) https://github.com/cloudposse/bastion/pull/43

Improve README by osulli · Pull Request #43 · cloudposse/bastion

What Improves readme with the following: Fixes missing backslash in example Makes assumptions easier to read Restructures into a much more readable format Makes shell examples easier to copy and p…

Erik Osterman (Cloud Posse)

( I am out of town, will check on Monday! Thanks @oscarsullivan_old )

joshmyers
09:23:47 PM

@joshmyers has joined the channel

2019-04-10

mohamed.naseer
04:35:57 AM

@mohamed.naseer has joined the channel
