Authorization with BLESS? #89
Comments
|
Any given SSH certificate (and key pair) for us is not an issue, as we restrict the certs so that they are only accepted from one bastion to exactly one use on exactly one instance, for only a few minutes. If you have access to the IAM creds that can call BLESS, and you aren't using the kmsauth features, then whomever has access to the IAM Keys can issue any cert they want. There are a few tools you can use to build AuthZ around BLESS. However the whole AuthZ system is still build it yourself. The way we authorize SSH requests was recently talked about here: Lyft is using a rather different model, that relies on IAM users and groups for AuthZ: https://github.com/Netflix/bless/blob/master/bless/aws_lambda/bless_lambda.py#L156-L174 and https://github.com/lyft/python-blessclient |
Reading through the validity constraints docs for SSH certificates, it doesn't look like there's the ability to specify which hosts a SSH user certificate is able to be used with. How are you solving authorization issues (allowing a user access to some hosts, but not all in a larger environment) with BLESS, or are you?
It looks like this would mean the holder of a valid SSH certificate would have access to any host configured to trust that CA certificate (plus or minus networking) without the ability to make access decisions by the type of host. Is that accurate or am I grossly misunderstanding something?
Source: OpenSSH ssh-keygen options docs
The text was updated successfully, but these errors were encountered: