@justin.dynamicd has joined the channel
@Arkadiy has joined the channel
@tolstikov has joined the channel
@loweryr has joined the channel
That did the trick, thanks. Next question i’m afraid, I’m struggling to see how you get the github-authorized-keys container and the bastion container to work together. They’re both running and working independently, but the bastion container doesn’t seem to want to do anything with the keys (eg. if I ssh to
-p 1234, I get permission denied.) github-authorized-keys has synced the users and keys to the host machine (I can ssh fine to the host machine with a synced user), but via the bastion container it doesn’t detect any keys. Can’t see in the docs how the two work together
@adamstrawson has joined the channel
so in the bastion container, are you bind-mounting
/etc/passwd from the host machine?
the other thing to check is that the
github-authorized-keys command in the bastion container can talk to the host API
bastion - Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
you might need to change
localhost in the container is not equal to localhost of the node
(when we deployed this, we deployed the
github-authorized-keys container and
bastion container in the same
Pod in kubernetes - which allows them to talk over
@Andriy Knysh (Cloud Posse) has joined the channel
@loren has joined the channel
@melynda.hunter has joined the channel
@tarrall has joined the channel
@Dylan has joined the channel
@pericdaniel has joined the channel
@jylee has joined the channel
- this OSX feature lets users pick a high entropy passphrase and have
ssh-add -Kstore the phrases in Keychain.
- this also means we can’t easily type the passphrase (when requested) when geodesic shell starts
It seems that ssh-add -K ~/.ssh/id_rsa will load your key but will ask for the password each time you reboot. I am looking for a solution that would not require me to re-enter the key password bet…
all this makes me think that my ssh-agent should live on a secure device that prompts me on each use
yea, would be neat if the yubikeys could act as an SSH agent
Also, if adding
UseKeychain yes, recommend also adding
IgnoreUnknown UseKeychain because the
UseKeychain extension is not supported by alpine linux.
just found this: https://github.com/cyberark/summon-aws-secrets
summon-aws-secrets - Summon provider for AWS Secrets Manager
chamber but for aws secrets manager.
So, I had kind of written off secrets manager because of the ease of use of chamber.
but the automatic key rotation feature using lambdas seems pretty sweet from a compliance POV
Recently, we launched AWS Secrets Manager, a service that makes it easier to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. You can configure Secrets Manager to rotate secrets automatically, which can help you meet your security and compliance needs. Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and […]
@Jeremy (Cloud Posse)
Heh, far from “turnkey”
The following is the source code that’s initially placed into the Lambda rotation function when you choose the SecretsManagerRDSMySQLRotationSingleUser template option from the AWS Serverless Application Repository. This template is automatically used to create the function when you enable rotation by using the Secrets Manager console. (In the console, you specify that the secret is for an Amazon RDS MySQL database, and that you want to rotate the secret using the credentials that are stored in the same secret.)
Who know rotating a secret was that involved, but makes sense looking over it.
yea, would be neat if the yubikeys could act as an SSH agent they can act as an SSH agent by acting as a GPG agent:
this too reads as very far from “turnkey” && has the same “how can I plumb my agent into docker” problems as the current ssh-agent
YubiKey-Guide - Guide to using YubiKey as a SmartCard for GPG and SSH
Then you pack your bags and prepare for rendition
This is something that is huge, and is hard to understand
It is as specific and specialist as anything we do
So I hope this channel helps us pull together the resources that help keep us all on tract for secure environments
Yea, it’s a never ending endeavor
We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed a…
Not a feature I was exactly asking for, but hey, why not!
That’s an alert that would freak me out.
if they already have a good signal detector, it’s pretty nice that they share
ahahah, so you get an alert saying a government is attacking you (does it includes the us gov? ;)) - then what ? you go to the police ?