Whilst Google's rockstar Staff Developer Advocates like to call kubectl "the new SSH" as they make light of procedural problem-solving skills applied to Kubernetes' decidedly declarative world, real-world cluster operations still require low-level access beneath the almighty kubelet.
In this talk we'll review legacy SSH patterns relative to the new ways teams manage, deploy, and troubleshoot their applications running on elastic infrastructure. Along the way, Kevin will demo Teleport (https://github.com/gravitational/teleport), an open source re-implementation of SSH using Google's golang crypto, and show how to cross the chasm from traditional SSH anti-patterns into fancy new orchestrated worlds with automatically expiring access certificates.
8. WHY CERTIFICATES?
• Ever?
• Lost a backup?
• Run untrusted Software?
• Rotated keys?
• Sent the private key instead of the public?
source: https://www.gagcartoons.com/cartoons/305/
9. • FreeBSD packaging servers hacked
• http://www.infosecisland.com/blogview/22766-FreeBSD-Servers-Hacked-Lessons-on-SSH-Public-Key-Authentication.html
• Malware & Hackers collect ssh keys
• https://www.ssh.com/malware/
• Active attacks using stolen SSH keys (2008)
• https://isc.sans.edu/forums/diary/Active+attacks+using+stolen+SSH+keys+UPDATED/4937/
• New Attacker Scanning for SSH Private Keys on Websites
• https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/
• CIA malware can steal SSH Credentials
• https://www.bleepingcomputer.com/news/security/cia-malware-can-steal-ssh-credentials-session-traffic/
10. • Large Database of Device Certificates, SSH keys published
• https://www.pindrop.com/blog/large-database-of-device-certificates-ssh-keys-published/
• Learning from the Expedia Heist
• https://medium.com/starting-up-security/learning-from-the-expedia-heist-6cf8a0069ce0
• New ‘MASK’ APT Campaign called most sophisticated yet
• https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148/
• Multi-billion dollar defence firm fails to protect private SSH keys
• https://www.appviewx.com/multi-billion-dollar-defense-firm-fails-protect-private-ssh-keys/
• The default OpenSSH key encryption is worse than plaintext
• https://latacora.singles/2018/08/03/the-default-openssh.html
11. TSH LS
• List all the servers in your infrastructure
• New servers join the cluster, old ones leave
• Labels
• Automatically update as infra changes
12. TSH SSH
• SSH to the Node
• Or the Label(s)
• Automatic Bastions
• Auditable
• and SCP
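The certificate model behind slides 8 to 12 can be tried with plain OpenSSH before adopting Teleport: a user CA signs a key for a few hours, and sshd trusts the CA instead of carrying per-user authorized_keys entries. This is an added example, not code from the talk or from Teleport; it assumes ssh-keygen is on PATH, and the CA name, key ID and principals are made up.

```shell
#!/bin/sh
# Added example: issue a short-lived OpenSSH user certificate, the primitive
# that "automatically expiring access certificates" builds on.
# Assumes ssh-keygen (OpenSSH 6.5+ for ed25519); all names are placeholders.
set -eu

# Create a user CA and a user key pair in $1 (no passphrases, demo only).
make_keys() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo user CA' -f "$dir/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'kevin laptop'  -f "$dir/id_ed25519"
}

# Sign $1/id_ed25519.pub with the CA in $1 for principal(s) $2, valid for $3
# (e.g. 8h). Writes $1/id_ed25519-cert.pub, which ssh picks up automatically.
issue_cert() {
    dir=$1 principals=$2 ttl=$3
    ssh-keygen -q -s "$dir/user_ca" -I 'kevin@laptop' -n "$principals" \
        -V "+$ttl" "$dir/id_ed25519.pub"
    printf '%s\n' "$dir/id_ed25519-cert.pub"
}

# Print one field ("Key ID", "Valid", "Type", ...) of a cert, as shown by
# ssh-keygen -L, so scripts can check what a cert grants and for how long.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# Principals are listed one per indented line after the "Principals:" header.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/ { p = 1; next }
        p && /^[[:space:]]*[A-Za-z]+.*:/ { exit }   # next header ends the list
        p { sub(/^[[:space:]]+/, ""); print }'
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_keys "$tmp"
    cert=$(issue_cert "$tmp" "ubuntu,deploy" 8h)
    echo "Type:       $(cert_field "$cert" Type)"
    echo "Validity:   $(cert_field "$cert" Valid)"
    echo "Principals: $(cert_principals "$cert" | tr '\n' ' ')"
    # Server side: sshd trusts every cert signed by the CA through
    #   TrustedUserCAKeys /etc/ssh/user_ca.pub
    # so nothing is installed per user and nothing is left behind at expiry.
fi
```

Run with `sh issue_cert.sh demo`; after the validity window the same key file is refused by sshd without anyone revoking anything.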