Refresh from upstream #40

Open. Wants to merge 91 commits into base: lyft_base.

91 commits
7271307
fixes #30 : add coveralls for test coverage reporting
Dec 22, 2016
ba6dc07
Make the 'extensions' included in the cert configurable
nielslaukens Feb 15, 2017
17e5336
Moving pinned packages out of setup.py and into requirements.txt.
russell-lewis Feb 24, 2017
bc6b3bf
Adding a few changes after syncing with lyft's BLESS fork.
russell-lewis Feb 24, 2017
9962238
Bumping version number to reflect the change in the BLESS request of …
russell-lewis Feb 24, 2017
a960865
Merge branch 'lyft_base' of github.com:lyft/bless into lyft-sync
russell-lewis Feb 24, 2017
5f264d5
Updating the "test_user" certificate test case.
russell-lewis Feb 24, 2017
d8befc1
Merge remote-tracking branch 'vrtdev/configurable-extensions' into ly…
russell-lewis Mar 1, 2017
79c3463
Updates after pulling in PR#33. Renamed extensions to certificate_ex…
russell-lewis Mar 1, 2017
0f68e42
Merge pull request #31 from mayn/ISSUE-30
russell-lewis Mar 1, 2017
19cf02f
Merge branch 'master' of github.com:Netflix/bless into lyft-sync
russell-lewis Mar 1, 2017
9f75ccf
Adding the coverage report to the travis build output.
russell-lewis Mar 1, 2017
909d955
Additional commit for BLESS v.0.2.0 which changes the format of BLESS…
russell-lewis Mar 1, 2017
bf9a364
Merge pull request #38 from russell-lewis/addressing-open-issues
russell-lewis Mar 7, 2017
4d2e674
Add support to compile dependencies in container
diasjorge Mar 9, 2017
c387868
Copy lib64 packages
Mar 9, 2017
07c9866
Update README.md
diasjorge Mar 9, 2017
fcde42a
Merge pull request #41 from diasjorge/patch-1
russell-lewis Mar 10, 2017
b4eadab
Merge pull request #40 from diasjorge/compilation
russell-lewis Mar 10, 2017
d8e879d
[HOTFIX] Fixes while merge testing
Mar 15, 2017
8df7f6d
Merge pull request #44 from lyft/hotfix-fixes-for-merge
russell-lewis Mar 15, 2017
24f4aba
Remove unused option 'kms_key_id'
benbridts Mar 17, 2017
63cbac9
Merge pull request #46 from ikben/unused-option
russell-lewis Mar 21, 2017
62fe7fc
Decouple configuration from deployment artifact (#45)
benbridts Mar 21, 2017
485663c
Removing an unneeded reference to kms_key_id. (#47)
russell-lewis Mar 21, 2017
21a417b
Add support for debian username validations
diasjorge Mar 14, 2017
b87bbab
Add support for relaxed username validations
diasjorge Mar 14, 2017
329e8dc
Load username_validation configuration value
diasjorge Mar 14, 2017
c050a48
Refactor username_validation configuration
diasjorge Mar 14, 2017
9f3c7c1
Set username_validation when calling lambda
diasjorge Mar 14, 2017
c58b328
Add support to disable username validation
diasjorge Mar 14, 2017
6f91bb6
Use schema context for username validation
diasjorge Mar 21, 2017
8e80230
Add test for username_validation environment value
diasjorge Mar 21, 2017
4340737
Enhancing PR#43 to include support for configurable remote_usernames …
russell-lewis Mar 22, 2017
32e4f4b
Fixing https://github.com/Netflix/bless/issues/48 and moving the expe…
russell-lewis Mar 22, 2017
95693c4
Replace non word characters in environment key
diasjorge Mar 22, 2017
e8af1ca
Merge pull request #51 from diasjorge/fix-invalid-environment-variable
russell-lewis Mar 22, 2017
1393a84
Revising the certificate key_id to keep consistency in the key[value] …
russell-lewis Mar 23, 2017
7c025fb
Merge pull request #52 from russell-lewis/update-keyid-and-logs
russell-lewis Mar 23, 2017
c543416
Thanks to @Stype:
russell-lewis Mar 29, 2017
4aef80c
Merge pull request #54 from russell-lewis/fix-issue-53
russell-lewis Mar 29, 2017
d8f6d1e
Fixing typos in readme.
russell-lewis Apr 5, 2017
a2cf52d
Merge pull request #56 from russell-lewis/fix-typo
russell-lewis Apr 5, 2017
6c122ba
Merge pull request #1 from russell-lewis/PR43_enhancements
diasjorge Apr 6, 2017
dc02dc7
Merge pull request #43 from diasjorge/username_validation_disabled
russell-lewis Apr 19, 2017
d5a1c1f
Fixing test key paths after merging https://github.com/Netflix/bless/…
russell-lewis Apr 19, 2017
7cd1515
base kmsauth token on bastion_user instead of remote_usernames
djcrabhat Apr 30, 2017
9ad57e0
enforce that bastion_user == remote_usernames by default. add config…
djcrabhat May 7, 2017
3b268a6
add tests for allowing remote_usernames to differ
djcrabhat May 7, 2017
5b452d1
eke out some test coverage
djcrabhat May 7, 2017
cadd803
make sure all requested remote_usernames are allowed to be used
djcrabhat May 7, 2017
f32b9a1
Updating the SSH Certificate comment when no public key comment is se…
russell-lewis Jun 8, 2017
d2bee45
Updating dependencies prior to release.
russell-lewis Jun 8, 2017
fd1d802
Allows username validation against IAM groups
hughtopping Jun 23, 2017
3f37e17
Compressed CA private key support
avoidik Nov 29, 2017
ed54668
Fixing https://github.com/Netflix/bless/issues/72 thanks @Immortalin …
russell-lewis Jul 13, 2018
cdde67a
Add support for loading ED25519 public keys
jnewbigin Jun 10, 2018
f1e2a30
Add certificate builder and test ED25519 signed by RSA
jnewbigin Jun 10, 2018
ba55021
Allowing BLESS lambda to accept ed25519 keys, completing https://gith…
russell-lewis Jul 14, 2018
cf26b72
Moving BLESS to python 3.6. (#75)
russell-lewis Jul 25, 2018
013dd15
Merge branch 'master' into master
russell-lewis Jul 25, 2018
cff5544
Merge pull request #62 from hughtopping/master
russell-lewis Jul 25, 2018
1e01e1d
bless_client.py: fix argv unpacking when using a kmsauth token (#63)
Preston4tw Jul 25, 2018
467eaa8
Add the FileSync flag to the zip command (#76)
kubrickfr Jul 25, 2018
5830630
Make lambda_configs dir optional for publish make target (#69)
acmcelwee Jul 25, 2018
87f9de4
Adding a blacklisted remote_usernames option. This would prevent par…
russell-lewis Jul 19, 2018
a9ad291
Refactored BLESS to cache KMS decrypt results for the ca private key …
russell-lewis Jul 25, 2018
b685728
Merge remote-tracking branch 'avoidik/feature-compressed-key'
russell-lewis Jul 26, 2018
dfbec61
Merge pull request #67 from avoidik/feature-compressed-key
russell-lewis Jul 26, 2018
0b97ba2
Move development to pipenv
pecigonzalo Jul 23, 2018
f82e2a9
Bumping to Release v.0.3.0
russell-lewis Jul 31, 2018
242a586
Add host cert issue handler
pecigonzalo Aug 3, 2018
ed85a7f
Add validations for hostnames and tests
pecigonzalo Aug 4, 2018
910f8f9
Add link to Amazon Linux repository
pkoch Apr 23, 2019
679fe9c
Merge pull request #88 from pkoch/patch-1
hosseinsh Apr 23, 2019
f04f83a
Remove the -it flag from lambda-deps docker build
asiragusa Oct 31, 2018
a7b454a
Fix boolean value check on KMSAUTH_SECTION options
paolodedios Feb 14, 2019
5d92a03
Updating code and dependencies to run as a Python 3.7 lambda with the…
russell-lewis May 20, 2019
7ca78b4
Resolving https://github.com/Netflix/bless/pull/80 .
russell-lewis May 20, 2019
cad1dbf
Typo on #133
kant Nov 3, 2018
68a45d1
Removing the Travis sudo tag.
russell-lewis May 20, 2019
9a310ca
Additional fixes after https://github.com/Netflix/bless/pull/85 . Tr…
russell-lewis May 20, 2019
36fc01b
Updating readme to indicate that only PEM private keys are supported.
russell-lewis May 20, 2019
d77ed00
Merge remote-tracking branch 'pecigonzalo/feature/split_host_provider…
russell-lewis May 21, 2019
3d8b0c9
Refactored https://github.com/Netflix/bless/pull/79 and split out use…
russell-lewis May 21, 2019
c03b8d1
Merge pull request #94 from russell-lewis/lambda-host-split
russell-lewis May 22, 2019
03666f8
Adding a sample client that can validate the BLESS host cert lambda.
russell-lewis May 22, 2019
a207d1b
Bumping to Release v.0.4.0
russell-lewis May 22, 2019
80f3c1b
Merge pull request #95 from russell-lewis/release-prep
russell-lewis May 22, 2019
8527924
Merge pull request #39 from lyft/refresh-netflix-code
Dec 10, 2019
5aedde7
Merge branch 'master' of github.com:lyft/bless into lyft_base
surbhishah Jan 20, 2020
5 changes: 5 additions & 0 deletions .coveragerc
@@ -0,0 +1,5 @@
[report]
include =
bless/*.py
omit =
bless/__about__.py
5 changes: 4 additions & 1 deletion .gitignore
@@ -2,8 +2,11 @@
*.pyc
*.cache/
.idea/
bless.egg-info/
BLESS.egg-info/
htmlcov/
libs/
publish/
venv/
aws_lambda_libs/
lambda_configs/
.pytest_cache/
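Review bot: replacing `bless.egg-info/` with `BLESS.egg-info/` drops the lowercase pattern, so on a case-sensitive filesystem a `bless.egg-info/` directory left behind by an older `pip install -e .` is no longer ignored; keep both spellings. Ignoring `lambda_configs/` and `publish/` is the right call, since per the README changes in this PR those directories hold the CA private key .pem, the deploy config and the packaged zip, none of which should ever be committed.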
12 changes: 8 additions & 4 deletions .travis.yml
@@ -1,20 +1,24 @@
sudo: false

language: python

addons:

matrix:
include:
- python: "2.7"
- python: "3.7"

install:
- pip install coveralls
- make develop

before_script:

script:
- make test
- make lint
- make coverage

after_success:
- coveralls
- coverage report

notifications:
email:
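Review bot: the `script` section is partly redundant: `make lint` is already run by `make test` (the Makefile hunk shows `test: lint`), and `make coverage` runs py.test a second time under coverage, so the suite executes twice per build; `make lint` followed by `make coverage` would give the same signal in less time. The empty `addons:` and `before_script:` keys are leftovers and can be dropped.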
18 changes: 14 additions & 4 deletions Makefile
@@ -5,6 +5,7 @@ test: lint

develop:
@echo "--> Installing dependencies"
pip install --upgrade pip setuptools
pip install -r requirements.txt
pip install "file://`pwd`#egg=bless[tests]"
@echo ""
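Review bot: `pip install -r requirements.txt` installs the pinned versions, but the next line `pip install "file://`pwd`#egg=bless[tests]"` resolves setup.py's install_requires again and will silently replace a pin if the two specifications disagree. Since this is the code that holds and uses the SSH CA key, consider making requirements.txt authoritative with hashes (`pip install --require-hashes -r requirements.txt`) and keeping setup.py's specifiers compatible with it, or note in the README which file wins.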
@@ -24,16 +25,25 @@ lint:
@echo ""

coverage:
coverage run --branch --source=bless -m py.test tests
@echo "--> Running Python tests with coverage"
coverage run --branch --source=bless -m py.test tests || exit 1
coverage html
@echo ""

publish:
rm -rf ./publish/bless_lambda/
mkdir -p ./publish/bless_lambda
cp -r ./bless ./publish/bless_lambda/
mv ./publish/bless_lambda/bless/aws_lambda/* ./publish/bless_lambda/
cp ./publish/bless_lambda/bless/aws_lambda/bless* ./publish/bless_lambda/
cp -r ./aws_lambda_libs/. ./publish/bless_lambda/
cp -r ./lambda_configs/. ./publish/bless_lambda/
cd ./publish/bless_lambda && zip -r ../bless_lambda.zip .
if [ -d ./lambda_configs/ ]; then cp -r ./lambda_configs/. ./publish/bless_lambda/; fi
cd ./publish/bless_lambda && zip -FSr ../bless_lambda.zip .

compile:
./lambda_compile.sh

lambda-deps:
@echo "--> Compiling lambda dependencies"
docker run --rm -v ${CURDIR}:/src -w /src amazonlinux:2 ./lambda_compile.sh

.PHONY: develop dev-docs clean test lint coverage publish
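Review bot: the `publish` target now copies `./lambda_configs/.` (which per the README holds the passphrase-protected CA private key and bless_deploy.cfg) into `./publish/bless_lambda/` and then into `bless_lambda.zip`, so the artifact is as sensitive as the key file; the recipe could tighten permissions on `./publish` (for example `chmod 700 ./publish` before the copy) and the README should say to handle the zip accordingly. Two smaller points: `|| exit 1` on the coverage line is redundant because make already aborts when a recipe command exits non-zero unless the line is prefixed with `-`; and `lambda-deps` runs `./lambda_compile.sh` as root inside `amazonlinux:2` with the repo bind-mounted at `/src`, so everything written to `./aws_lambda_libs` ends up root-owned on the host and a later unprivileged `rm -rf` or `make publish` can fail, which is worth a `chown` back to the invoking user at the end of the script.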
68 changes: 37 additions & 31 deletions README.md
@@ -1,11 +1,11 @@
![alt text](bless_logo.png "BLESS")
# BLESS - Bastion's Lambda Ephemeral SSH Service
[![Build Status](https://travis-ci.org/Netflix/bless.svg?branch=master)](https://travis-ci.org/Netflix/bless) [![Join the chat at https://gitter.im/Netflix/bless](https://badges.gitter.im/Netflix/bless.svg)](https://gitter.im/Netflix/bless?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
[![Build Status](https://travis-ci.org/Netflix/bless.svg?branch=master)](https://travis-ci.org/Netflix/bless) [![Test coverage](https://coveralls.io/repos/github/Netflix/bless/badge.svg?branch=master)](https://coveralls.io/github/Netflix/bless) [![Join the chat at https://gitter.im/Netflix/bless](https://badges.gitter.im/Netflix/bless.svg)](https://gitter.im/Netflix/bless?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![NetflixOSS Lifecycle](https://img.shields.io/osslifecycle/Netflix/bless.svg)]()

BLESS is an SSH Certificate Authority that runs as a AWS Lambda function and is used to sign ssh
BLESS is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH
public keys.

SSH Certificates are an excellent way to authorize users to access a particular ssh host,
SSH Certificates are an excellent way to authorize users to access a particular SSH host,
as they can be restricted for a single use case, and can be short lived. Instead of managing the
authorized_keys of a host, or controlling who has access to SSH Private Keys, hosts just
need to be configured to trust an SSH CA.
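Review bot: the new NetflixOSS Lifecycle badge is wrapped in a link with an empty target, `[![NetflixOSS Lifecycle](...)]()`, which renders as a link to the README itself; either point it at the lifecycle documentation or drop the link wrapper and keep the bare image.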
@@ -33,7 +33,7 @@ Cd to the bless repo:

Create a virtualenv if you haven't already:

$ virtualenv venv
$ python3.7 -m venv venv

Activate the venv:

@@ -52,38 +52,29 @@ Run the tests:
To deploy an AWS Lambda Function, you need to provide a .zip with the code and all dependencies.
The .zip must contain your lambda code and configurations at the top level of the .zip. The BLESS
Makefile includes a publish target to package up everything into a deploy-able .zip if they are in
the expected locations.
the expected locations. You will need to setup your own Python 3.7 lambda to deploy the .zip to.

Previously the AWS Lambda Handler needed to be set to `bless_lambda.lambda_handler`, and this would generate a user
cert. `bless_lambda.lambda_handler` still works for user certs. `bless_lambda_user.lambda_handler_user` is a handler
that can also be used to issue user certificates.

A new handler `bless_lambda_host.lambda_handler_host` has been created to allow for the creation of host SSH certs.

All three handlers exist in the published .zip.

### Compiling BLESS Lambda Dependencies
AWS Lambda has some limitations, and to deploy code as a Lambda Function, you need to package up
all of the dependencies. AWS Lambda only supports Python 2.7 and BLESS depends on
[Cryptography](https://cryptography.io/en/latest/), which must be compiled. You will need to
To deploy code as a Lambda Function, you need to package up all of the dependencies. You will need to
compile and include your dependencies before you can publish a working AWS Lambda.

- Deploy an [Amazon Linux AMI](http://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html)
- SSH onto that instance
- Copy BLESS' `setup.py` to the instance
- Copy BLESS' `bless/__about__.py` to the instance at `bless/__about__.py`
- Install BLESS' dependencies:
```
$ sudo yum install gcc libffi-devel openssl-devel
$ virtualenv venv
$ source venv/bin/activate
(venv) $ pip install --upgrade pip setuptools
(venv) $ pip install -e .
```
- From that instance, copy off the contents of:
```
$ cp -r venv/lib/python2.7/site-packages/. aws_lambda_libs
$ cp -r venv/lib64/python2.7/site-packages/. aws_lambda_libs
```
- put those files in: ./aws_lambda_libs/
BLESS uses a docker container running [Amazon Linux 2](https://hub.docker.com/_/amazonlinux) to package everything up:
- Execute ```make lambda-deps``` and this will run a container and save all the dependencies in ./aws_lambda_libs

### Protecting the CA Private Key
- Generate a password protected RSA Private Key:
- Generate a password protected RSA Private Key in the PEM format:
```
$ ssh-keygen -t rsa -b 4096 -f bless-ca- -C "SSH CA Key"
$ ssh-keygen -t rsa -b 4096 -m PEM -f bless-ca- -C "SSH CA Key"
```
- **Note:** OpenSSH Private Key format is not supported.
- Use KMS to encrypt your password. You will need a KMS key per region, and you will need to
encrypt your password for each region. You can use the AWS Console to paste in a simple lambda
function like this:
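Review bot: the `ssh-keygen -t rsa -b 4096 -m PEM -f bless-ca- -C "SSH CA Key"` line relies on the interactive passphrase prompt to make the key "password protected", and nothing says that an empty passphrase leaves the CA key in clear inside the published .zip; since the design described further down only KMS-encrypts the passphrase, the text should state that a strong, non-empty passphrase is mandatory. It would also help to say why `-m PEM` is there: from OpenSSH 7.8 onward ssh-keygen writes the newer OpenSSH private-key format by default, which the **Note** says BLESS cannot load, so `-m PEM` forces the supported format. Minor: `Execute ```make lambda-deps``` ...` uses a triple-backtick fence inline; a single-backtick span matches the rest of the file.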
@@ -108,13 +99,26 @@ def lambda_handler(event, context):
- Manage your Private Keys .pem files and passwords outside of this repo.
- Update your bless_deploy.cfg with your Private Key's filename and encrypted passwords.
- Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing a new Lambda .zip
- Set the permissions of ./lambda_configs/ca_key_name.pem to 444.

You can now provide your private key and/or encrypted private key password via the lambda environment or config file.
In the `[Bless CA]` section, you can set `ca_private_key` instead of the `ca_private_key_file` with a base64 encoded
version of your .pem (e.g. `cat key.pem | base64` ).

Because every config file option is supported in the environment, you can also just set `bless_ca_default_password`
and/or `bless_ca_ca_private_key`. Due to limits on AWS Lambda environment variables, you'll need to compress RSA 4096
private keys, which you can now do by setting `bless_ca_ca_private_key_compression`. For example, set
`bless_ca_ca_private_key_compression = bz2` and `bless_ca_ca_private_key` to the output of
`cat ca-key.pem | bzip2 | base64`.

### BLESS Config File
- Refer to the the [Example BLESS Config File](bless/config/bless_deploy_example.cfg) and its
included documentation.
- Manage your bless_deploy.cfg files outside of this repo.
- Provide your desired ./lambda_configs/bless_deploy.cfg prior to Publishing a new Lambda .zip
- The required [Bless CA] option values must be set for your environment.
- Every option can be changed in the environment. The environment variable name is constructed
as section_name_option_name (all lowercase, spaces replaced with underscores).

### Publish Lambda .zip
- Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing
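Review bot: the new paragraphs describe placing the base64 (optionally bz2-compressed) CA private key in the Lambda environment via `bless_ca_ca_private_key`, but do not say what protects it there. Lambda environment variables are returned to any principal allowed `lambda:GetFunctionConfiguration` and are visible in the console, so the doc should stress that the key must still be passphrase-protected (with the passphrase KMS-encrypted as described just above) and recommend enabling KMS encryption of the function's environment variables at rest. Minor: "Refer to the the [Example BLESS Config File]" has a doubled "the".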
@@ -145,8 +149,10 @@ random from kms (kms:GenerateRandom) and permissions for logging to CloudWatch L
## Using BLESS
After you have [deployed BLESS](#deployment) you can run the sample [BLESS Client](bless_client/bless_client.py)
from a system with access to the required [AWS Credentials](http://boto3.readthedocs.io/en/latest/guide/configuration.html).
This client is really just a proof of concept to validate that you have a functional lambda being called with valid
IAM credentials.

(venv) $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_username bastion_source_ip bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>
(venv) $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_usernames bastion_source_ip bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>


## Verifying Certificates
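Review bot: the positional argument is renamed to the plural `remote_usernames`, but the usage line never says how several names are delimited; add a concrete example, since this fork's lambda now checks each requested name (see the commit "make sure all requested remote_usernames are allowed to be used") and a caller guessing the wrong separator will simply be refused.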
@@ -155,11 +161,11 @@ You can inspect the contents of a certificate with ssh-keygen directly:
$ ssh-keygen -L -f your-cert.pub

## Enabling BLESS Certificates On Servers
Add the following line to /etc/ssh/sshd_config:
Add the following line to `/etc/ssh/sshd_config`:

TrustedUserCAKeys /etc/ssh/cas.pub

Add a new file, owned by and only writable by root, at /etc/ssh/cas.pub with the contents:
Add a new file, owned by and only writable by root, at `/etc/ssh/cas.pub` with the contents:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… #id_rsa.pub of an SSH CA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ… #id_rsa.pub of an offline SSH CA
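Review bot: every key listed in `/etc/ssh/cas.pub` is fully trusted by sshd to certify any user on the host, so the added "offline SSH CA" line widens what the server accepts; the text should say when such a second CA is wanted (for instance a break-glass CA kept off AWS) and that both `AAAAB3NzaC1yc2EAAAADAQ…` values are truncated placeholders to be replaced with the real CA public keys, not copied as shown. The file also has to be readable by sshd (root-owned, mode 0644) in addition to being writable only by root.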
4 changes: 1 addition & 3 deletions bless/__about__.py
@@ -1,5 +1,3 @@
from __future__ import absolute_import, division, print_function

__all__ = [
"__title__", "__summary__", "__uri__", "__version__", "__author__",
"__email__", "__license__", "__copyright__",
@@ -11,7 +9,7 @@
"sign SSH public keys.")
__uri__ = "https://github.com/Netflix/bless"

__version__ = "0.1.1"
__version__ = "0.4.0"

__author__ = "The BLESS developers"
__email__ = "[email protected]"