#security (2018-09)
Archive: https://archive.sweetops.com/security/
2018-09-02
![mbarrien avatar](https://secure.gravatar.com/avatar/a99207eb3777b2015dfd857f865b3376.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
@mbarrien has joined the channel
2018-09-07
![endofcake avatar](https://avatars.slack-edge.com/2018-10-10/452404548993_bd29a395d20767858367_72.png)
@endofcake has joined the channel
2018-09-11
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Surprised it’s not enabled by default
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Switch to the HTTPS alpine apk repositories #249
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea, it is. Surprised me too.
2018-09-12
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@justin.dynamicd have you used this? https://www.vaultproject.io/docs/secrets/ssh/
When using this type, the administrator registers a secret key with appropriate sudo privileges on the remote machines. For every authorized credential request, Vault creates a new SSH key pair and appends the newly-generated public key to the authorized_keys file for the configured username on the remote host. Vault uses a configurable install script to achieve this.
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
It’s been deprecated, so I ended up using SSHCA instead.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea sorry linked to wrong page
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
It’s cleaner too, because you’re not constantly shedding keys to the target servers; they just trust the vault CA and vault gives out short lived certs
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yea like with teleport and Netflix bless
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
How long have you been using it?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Was it easy to get up and running?
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
At that time we had Puppet pushing changes so adding the cert wasn’t too bad… Ansible would have been just as easy
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
That’s the hardest part: pushing the trusted public to all your machines
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Are you redeploying? Do you have some kind of cfg management? Etc.
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Security had a big requirement of no self-signed so I had to follow extra steps to make vault an issuing CA and not a root. But that’s a one time thing
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
No, our case is a bit different. Would be containers.
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Ssh into containers?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But I think we will stick with teleport approach
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Bastions are deployed as containers
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
In your case rebuild lol. But yeah, didn’t try it on containers (should work just fine)
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Does teleport track logins? That was the thing our security team liked. It logged every access request
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
“jking requested a cert for the next 1hour for target y”
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
this was just released, but may not help with containers, https://aws.amazon.com/blogs/aws/new-session-manager
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
but it does track and audit the logins and commands
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Just tried using that today… But our ssmagent is too old.
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Looks nice though
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That’s cool. Didn’t see the announcement.
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
In the containers I had (company actually moved off them) we tried to just parse logs and redeploy. Bastions were traditional hosts
![justin.dynamicd avatar](https://secure.gravatar.com/avatar/a0c4b7aa02ee2f167ca97da2bcb86c79.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Yeah, I think a ssmagent update is in the backlog. If it works like Azure then it will be nice to be able to disable ssh
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
New release enabling the ssm session manager, https://github.com/aws/amazon-ssm-agent/releases/tag/2.3.50.0
Agent to enable remote management of your Amazon EC2 instance configuration. - aws/amazon-ssm-agent
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Late to this… Looks interesting, I can’t think of use cases though. I gravitate more towards immutable infra these days so I can’t think of a reason I’d want to run a command on an ec2 instance, I’m prob not thinking hard enough!
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
i gravitate there also… but sometimes it takes a while to get the immutable bits all just right, and maybe the instrumentation isn’t perfected yet. can be pretty valuable to poke around to see what failed and maybe try a couple options at fixing, before patching upstream
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
yea, for triaging/RCA, it’s difficult to escape
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that said, teleport is still a better product IMO b/c it supports session logs
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
my understanding was that this also captured the session, stored in cloudwatch logs?
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
from the blog post:
Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.
https://aws.amazon.com/blogs/aws/new-session-manager
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
is a session log something different in teleport?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
No, that’s the same thing. i missed that. I thought it was slated as a later feature.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I wonder how it works if it is a raw log
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
E.g. replaying a vim transcript.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
With teleport, you get a YouTube style playback
![loren avatar](https://secure.gravatar.com/avatar/d1e25dcfbc68a0857a04dd78c9afe952.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
looks like a textual log, not a video, according to screenshots later in that blog… not sure how it would work with vim
2018-09-22
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
NOTE: This guide is geared towards a Kubernetes cluster running in AWS. You might have to tweak things to fit your needs.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Looks like an alternative to the bitly oauth2 proxy which is unmaintained
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
But this one seems pretty tightly coupled to google
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Single Sign-On Kubernetes operator for Dex identity provider - jenkins-x/sso-operator
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Hi, As everyone here can see, the project is almost abandoned. I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the com…
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Igor Rodionov the bitly oauth2 proxy Is officially abandoned by bitly and will be archived by the end of the month
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Upstream for this project (which has not worked in ages against anything close to a current implementation of ingress controllers) has been abandoned. See bitly/oauth2_proxy#628 (comment) My compan…
![Igor Rodionov avatar](https://secure.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
@Igor Rodionov has joined the channel
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Max Moon should probably consider replacing oauth2 proxy with CloudFlare access
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@Max Moon has joined the channel
2018-09-26
![Max Moon avatar](https://secure.gravatar.com/avatar/c5140df884cb23031870bc683b2e8315.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Custom & better AppArmor profile generator for Docker containers. - genuinetools/bane