[openstack-dev] Supporting SSH host certificates

Giuseppe de Candia giuseppe.decandia at gmail.com
Fri Oct 6 18:49:43 UTC 2017

Hi Clint,

Isn't user-data by definition available via the Metadata API, which isn't
considered secure:

Or is there a way to specify that certain user-data should only be
available via config-drive (and not metadata api)?

Otherwise, the only difference I see compared to using Meta-data is that
the process you describe is driven by the user vs. automated.

Regarding the extra plumbing, I'm not trying to avoid it. I'm thinking to
eventually tie this all into Keystone. For example, a project should have
Host CA and User CA keys. Let's assume OpenStack manages these for now,
later we can consider OpenStack simply proxying signature requests and
vouching that a public key does actually belong to a specific instance (and
host-name) or Keystone user. So what I think should happen is when a
Project is enabled for SSHaaS support, any VM instance automatically gets
host certificate, authorized principal files based on Keystone roles for
the project, and users can call an API (or Dashboard form) to get a public
key signed (and assigned appropriate SSH principals).


On Fri, Oct 6, 2017 at 2:37 AM, Clint Byrum <clint at fewbar.com> wrote:

> A long time ago, a few Canonical employees (Scott Moser was one of them,
> forget who else was doing it, maybe Dave Walker and/or Dustin Kirkland)
> worked out a scheme for general usage that doesn't require extra plumbing:
>  * Client generates a small SSH host key locally and pushes it into
>    user data in a way which causes the image to boot and install this
>    key from user_data as the host SSH key.
>  * Client SSH's in with the strict requirement that the host key be the
>    one they just generated and pushed into the instance.
>  * Client now triggers new host key generation, and copies new public
>    key into client known_hosts.
> With this system you don't have to scrape console logs for SSH keys or
> build your system on hope.
> Excerpts from Giuseppe de Candia's message of 2017-09-29 14:21:06 -0500:
> > Hi Folks,
> >
> >
> >
> > My intent in this e-mail is to solicit advice for how to inject SSH host
> > certificates into VM instances, with minimal or no burden on users.
> >
> >
> >
> > Background (skip if you're already familiar with SSH certificates):
> without
> > host certificates, when clients ssh to a host for the first time (or
> after
> > the host has been re-installed), they have to hope that there's no man in
> > the middle and that the public key being presented actually belongs to
> the
> > host they're trying to reach. The host's public key is stored in the
> > client's known_hosts file. SSH host certicates eliminate the possibility
> of
> > Man-in-the-Middle attack: a Certificate Authority public key is
> distributed
> > to clients (and written to their known_hosts file with a special syntax
> and
> > options); the host public key is signed by the CA, generating an SSH
> > certificate that contains the hostname and validity period (among other
> > things). When negotiating the ssh connection, the host presents its SSH
> > host certificate and the client verifies that it was signed by the CA.
> >
> >
> >
> > How to support SSH host certificates in OpenStack?
> >
> >
> >
> > First, let's consider doing it by hand, instance by instance. The only
> > solution I can think of is to VNC to the instance, copy the public key to
> > my CA server, sign it, and then write the certificate back into the host
> > (again via VNC). I cannot ssh without risking a MITM attack. What about
> > using Nova user-data? User-data is exposed via the metadata service.
> > Metadata is queried via http (reply transmitted in the clear, susceptible
> > to snooping), and any compute node can query for any instance's
> > meta-data/user-data.
> >
> >
> >
> > At this point I have to admit I'm ignorant of details of cloud-init. I
> know
> > cloud-init allows specifying SSH private keys (both for users and for SSH
> > service). I have not yet studied how such information is securely
> injected
> > into an instance. I assume it should only be made available via
> ConfigDrive
> > rather than metadata-service (again, that service transmits in the
> clear).
> >
> >
> >
> > What about providing SSH host certificates as a service in OpenStack?
> Let's
> > keep out of scope issues around choosing and storing the CA keys, but the
> > CA key is per project. What design supports setting up the SSH host
> > certificate automatically for every VM instance?
> >
> >
> >
> > I have looked at Vendor Data and I don't see a way to use that, mainly
> > because 1) it doesn't take parameters, so you can't pass the public key
> > out; and 2) it's queried over http, not https.
> >
> >
> >
> > Just as a feasibility argument, one solution would be to modify Nova
> > compute instance boot code. Nova compute can securely query a CA service
> > asking for a triplet (private key, public key, SSH certificate) for the
> > specific hostname. It can then inject the triplet using ConfigDrive. I
> > believe this securely gets the private key into the instance.
> >
> >
> >
> > I cannot figure out how to get the equivalent functionality without
> > modifying Nova compute and the boot process. Every solution I can think
> of
> > risks either exposing the private key or vulnerability to a MITM attack
> > during the signing process.
> >
> >
> >
> > Your help is appreciated.
> >
> >
> >
> > --Pino
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171006/88c6f08e/attachment.html>

More information about the OpenStack-dev mailing list