#security (2018-08)

Archive: https://archive.sweetops.com/security/

2018-08-28

justin.dynamicd
05:18:19 PM

@justin.dynamicd has joined the channel

Arkadiy
06:21:56 PM

@Arkadiy has joined the channel

2018-08-27

tolstikov
11:17:38 AM

@tolstikov has joined the channel

loweryr
03:12:37 PM

@loweryr has joined the channel

2018-08-23

Erik Osterman (Cloud Posse)


@adamstrawson says:
That did the trick, thanks. Next question, I’m afraid: I’m struggling to see how you get the github-authorized-keys container and the bastion container to work together. They’re both running and working independently, but the bastion container doesn’t seem to want to do anything with the keys (e.g. if I ssh to -p 1234, I get permission denied). github-authorized-keys has synced the users and keys to the host machine (I can ssh fine to the host machine with a synced user), but via the bastion container it doesn’t detect any keys. Can’t see in the docs how the two work together.

adamstrawson
10:55:36 PM

@adamstrawson has joined the channel

Erik Osterman (Cloud Posse)

so in the bastion container, are you bind-mounting /etc/passwd from the host machine?

Erik Osterman (Cloud Posse)

the other thing to check is that the github-authorized-keys command in the bastion container can talk to the host API

Erik Osterman (Cloud Posse)
cloudposse/bastion

bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support

Erik Osterman (Cloud Posse)

you might need to change API_URL

Erik Osterman (Cloud Posse)

since localhost in the container is not equal to localhost of the node

Erik Osterman (Cloud Posse)

(when we deployed this, we deployed the github-authorized-keys container and bastion container in the same Pod in kubernetes - which allows them to talk over localhost)

Andriy Knysh (Cloud Posse)
10:59:41 PM

@Andriy Knysh (Cloud Posse) has joined the channel

loren
12:45:22 AM

@loren has joined the channel

2018-08-22

melynda.hunter
04:18:02 AM

@melynda.hunter has joined the channel

2018-08-21

tarrall
01:46:17 AM

@tarrall has joined the channel

2018-08-15

Dylan
07:39:13 PM

@Dylan has joined the channel

2018-08-08

pericdaniel
03:06:32 PM

@pericdaniel has joined the channel

2018-08-05

jylee
04:29:28 PM

@jylee has joined the channel

2018-08-04

tamsky

https://apple.stackexchange.com/questions/48502/how-can-i-permanently-add-my-ssh-private-key-to-keychain-so-it-is-automatically

  • this OSX feature lets users pick a high entropy passphrase and have ssh-add -K store the phrases in Keychain.
  • this also means we can’t easily type the passphrase (when requested) when geodesic shell starts
How can I permanently add my SSH private key to Keychain so it is automatically available to ssh?

It seems that ssh-add -K ~/.ssh/id_rsa will load your key but will ask for the password each time you reboot. I am looking for a solution that would not require me to re-enter the key password bet…

tamsky

all this makes me think that my ssh-agent should live on a secure device that prompts me on each use

Erik Osterman (Cloud Posse)

yea, would be neat if the yubikeys could act as an SSH agent

Erik Osterman (Cloud Posse)

Also, if adding UseKeychain yes, recommend also adding IgnoreUnknown UseKeychain because the UseKeychain extension is not supported by alpine linux.

Erik Osterman (Cloud Posse)
cyberark/summon-aws-secrets

summon-aws-secrets - Summon provider for AWS Secrets Manager

Erik Osterman (Cloud Posse)
cyberark/summon

summon - CLI that provides on-demand secrets access for common DevOps tools

Erik Osterman (Cloud Posse)

it’s like chamber but for aws secrets manager.

Erik Osterman (Cloud Posse)

So, I had kind of written off secrets manager because of the ease of use of chamber.

Erik Osterman (Cloud Posse)

but the automatic key rotation feature using lambdas seems pretty sweet from a compliance POV

Erik Osterman (Cloud Posse)
Rotate Amazon RDS database credentials automatically with AWS Secrets Manager | Amazon Web Services

Recently, we launched AWS Secrets Manager, a service that makes it easier to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. You can configure Secrets Manager to rotate secrets automatically, which can help you meet your security and compliance needs. Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and […]

Erik Osterman (Cloud Posse)

@Jeremy (Cloud Posse)

Erik Osterman (Cloud Posse)

Heh, far from “turnkey”

Erik Osterman (Cloud Posse)
Secrets Manager Lambda Rotation Template: RDS MySQL Single User - AWS Secrets Manager

The following is the source code that’s initially placed into the Lambda rotation function when you choose the SecretsManagerRDSMySQLRotationSingleUser template option from the AWS Serverless Application Repository. This template is automatically used to create the function when you enable rotation by using the Secrets Manager console. (In the console, you specify that the secret is for an Amazon RDS MySQL database, and that you want to rotate the secret using the credentials that are stored in the same secret.)

Erik Osterman (Cloud Posse)

Who knew rotating a secret was that involved, but it makes sense looking over it.

tamsky


yea, would be neat if the yubikeys could act as an SSH agent
they can act as an SSH agent by acting as a GPG agent:

https://github.com/drduh/YubiKey-Guide

this too reads as very far from “turnkey” && has the same “how can I plumb my agent into docker” problems as the current ssh-agent

drduh/YubiKey-Guide

YubiKey-Guide - Guide to using YubiKey as a SmartCard for GPG and SSH

2018-08-03

Erik Osterman (Cloud Posse)

Then you pack your bags and prepare for rendition

2018-08-02

Erik Osterman (Cloud Posse)
05:30:58 PM
jamie

This is something that is huge, and is hard to understand

jamie

It is as specific and specialist as anything we do

jamie

So I hope this channel helps us pull together the resources that help keep us all on track for secure environments

Erik Osterman (Cloud Posse)

Yea, it’s a never ending endeavor

jamie

100

Erik Osterman (Cloud Posse)
Control government-backed attack alerts in G Suite

We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed a…

Erik Osterman (Cloud Posse)

Not a feature I was exactly asking for, but hey, why not!

Erik Osterman (Cloud Posse)

That’s an alert that would freak me out.

tamsky

if they already have a good signal detector, it’s pretty nice that they share

pmuller

ahahah, so you get an alert saying a government is attacking you (does it include the US gov? ;)) - then what? You go to the police?
