Convert Figma logo to code with AI

Netflix logobless

Repository for BLESS, an SSH Certificate Authority that runs as a AWS Lambda function

2,736
224
2,736
17

Top Related Projects

31,597

A tool for secrets management, encryption as a service, and privileged access management

17,914

The easiest, and most secure way to access and protect all of your infrastructure.

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Plugin for sudo that requires another human to approve and monitor privileged sudo sessions

Quick Overview

BLESS (Bastion's Lambda Ephemeral SSH Service) is an SSH Certificate Authority (CA) that runs as an AWS Lambda function. It allows for short-lived SSH certificates to be issued to users, enhancing security by eliminating the need for long-lived SSH keys and providing better access control and auditing capabilities.

Pros

  • Improves security by using short-lived SSH certificates instead of long-lived SSH keys
  • Integrates well with AWS infrastructure, leveraging Lambda for serverless operation
  • Provides better access control and auditing capabilities
  • Reduces the operational overhead of managing SSH keys across multiple servers

Cons

  • Requires AWS infrastructure, which may not be suitable for all environments
  • Learning curve for teams not familiar with certificate-based SSH authentication
  • Dependency on external services (AWS Lambda, KMS) for core functionality
  • May require changes to existing SSH client configurations

Code Examples

  1. Generating an SSH certificate using BLESS:
from bless.request.bless_request import BlessRequest
from bless.config.bless_config import BlessConfig
from bless.ssh.certificate_authorities.ssh_certificate_authority_factory import SSHCertificateAuthorityFactory

bless_config = BlessConfig()
ca_private_key = bless_config.getPrivateKeyFile()
certificate_authority = SSHCertificateAuthorityFactory.getSSHCertificateAuthority(ca_private_key)

request = BlessRequest(
    bastion_user='user',
    remote_username='remote_user',
    public_key_to_sign='ssh-rsa AAAAB3NzaC1yc2E...',
    command='',
    ip_address='1.2.3.4'
)

cert = certificate_authority.sign(request)
print(cert)
  1. Configuring the BLESS Lambda function:
# serverless.yml
service: bless

provider:
  name: aws
  runtime: python3.8
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'us-west-2'}

functions:
  bless:
    handler: bless_lambda.lambda_handler
    events:
      - http:
          path: bless
          method: post
  1. Using a BLESS-generated certificate with SSH:
# Add the following to your ~/.ssh/config
Host bastion
    HostName bastion.example.com
    User ec2-user
    IdentityFile ~/.ssh/id_rsa
    CertificateFile ~/.ssh/id_rsa-cert.pub

# Connect using the certificate
ssh bastion

Getting Started

  1. Clone the BLESS repository:

    git clone https://github.com/Netflix/bless.git
    cd bless
    
  2. Install dependencies:

    pip install -r requirements.txt
    
  3. Configure AWS credentials and region:

    aws configure
    
  4. Deploy BLESS using Serverless Framework:

    serverless deploy
    
  5. Update your SSH client configuration to use BLESS-generated certificates.

Competitor Comparisons

31,597

A tool for secrets management, encryption as a service, and privileged access management

Pros of Vault

  • More comprehensive secret management solution, handling various types of secrets beyond SSH certificates
  • Offers a wider range of authentication methods and integrations with cloud providers
  • Provides a web UI for easier management and monitoring

Cons of Vault

  • More complex setup and configuration compared to BLESS
  • Requires additional infrastructure to run and maintain
  • May be overkill for organizations only needing SSH certificate management

Code Comparison

BLESS (Python):

def validate_ip(ip_address):
    try:
        ipaddress.ip_address(ip_address)
        return True
    except ValueError:
        return False

Vault (Go):

func validateIP(ipAddress string) bool {
    ip := net.ParseIP(ipAddress)
    return ip != nil
}

Both repositories provide IP validation functions, but Vault's implementation is more concise due to Go's standard library.

Key Differences

  • BLESS focuses specifically on SSH certificate management, while Vault offers a broader range of secret management capabilities
  • BLESS is designed to run as a Lambda function, whereas Vault requires dedicated infrastructure
  • Vault provides more extensive documentation and community support
  • BLESS is written in Python, while Vault is written in Go

Use Cases

  • Choose BLESS for lightweight SSH certificate management, especially in AWS environments
  • Opt for Vault when requiring a comprehensive secret management solution across multiple platforms and use cases
17,914

The easiest, and most secure way to access and protect all of your infrastructure.

Pros of Teleport

  • Offers a more comprehensive access solution, including SSH, Kubernetes, databases, and web applications
  • Provides a web-based UI for easier management and monitoring
  • Supports certificate-based authentication, eliminating the need for static SSH keys

Cons of Teleport

  • More complex setup and configuration compared to BLESS
  • Requires running additional infrastructure (Teleport cluster)
  • May have a steeper learning curve for users and administrators

Code Comparison

BLESS (Python):

def validate_ip(ip):
    try:
        socket.inet_aton(ip)
        return True
    except socket.error:
        return False

Teleport (Go):

func ValidateIP(ip string) bool {
    return net.ParseIP(ip) != nil
}

Both projects aim to enhance SSH security, but they take different approaches. BLESS focuses on short-lived SSH certificates, while Teleport provides a more comprehensive access management solution. BLESS is simpler to implement but offers fewer features, while Teleport provides a richer set of capabilities at the cost of increased complexity.

The code comparison shows a similar function for IP validation in both projects, with BLESS using Python and Teleport using Go. This reflects the different language choices and implementation styles of the two projects.

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Pros of certificates

  • More comprehensive certificate management solution, including a full PKI infrastructure
  • Supports multiple protocols (SSH, HTTPS, etc.) and certificate types
  • Actively maintained with regular updates and improvements

Cons of certificates

  • More complex setup and configuration compared to BLESS
  • Requires additional infrastructure components for full functionality
  • May have a steeper learning curve for users new to PKI concepts

Code comparison

BLESS (Python):

def validate_ip_in_cidr(ip_address, cidr):
    return ipaddress.ip_address(ip_address) in ipaddress.ip_network(cidr)

certificates (Go):

func ValidateIPInCIDR(ipAddress, cidr string) bool {
    ip := net.ParseIP(ipAddress)
    _, network, _ := net.ParseCIDR(cidr)
    return network.Contains(ip)
}

Both projects implement IP validation within CIDR ranges, but certificates uses Go's built-in networking functions, while BLESS relies on Python's ipaddress module.

Summary

certificates offers a more comprehensive certificate management solution with support for multiple protocols and certificate types. It's actively maintained but may require more setup and infrastructure. BLESS, on the other hand, is simpler to use but focuses primarily on SSH certificate management. The choice between the two depends on specific use cases and infrastructure requirements.

Plugin for sudo that requires another human to approve and monitor privileged sudo sessions

Pros of sudo_pair

  • Focuses on real-time pair programming for sudo commands, enhancing security through collaboration
  • Lightweight and easy to integrate into existing systems
  • Provides immediate oversight for privileged operations

Cons of sudo_pair

  • Limited to sudo command execution, while BLESS offers broader SSH key management
  • Requires two users to be available for privileged operations, which may not always be feasible
  • May introduce delays in urgent situations where immediate action is required

Code Comparison

sudo_pair example:

sudo pair vim /etc/sensitive_config

BLESS example:

client = bless_client.BlessClient(config_file, region)
cert = client.get_cert(public_key_to_sign, remote_username, bastion_user, bastion_user_ip, command)

Summary

sudo_pair is a focused tool for enhancing sudo command security through pair programming, while BLESS is a comprehensive SSH certificate authority. sudo_pair offers immediate oversight but is limited to sudo operations, whereas BLESS provides broader key management capabilities but with more complex implementation. The choice between them depends on specific security needs and operational requirements.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Archived

With the existence of more SSH certificate tools since the release of BLESS, and better SSH access management from AWS, we're moving BLESS to the archived OSS project state. This means we no longer plan to maintain the project, but will be keeping it public for others who may still use it.

alt text

BLESS - Bastion's Lambda Ephemeral SSH Service

Build Status Test coverage Join the chat at https://gitter.im/Netflix/bless NetflixOSS Lifecycle

BLESS is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys.

SSH Certificates are an excellent way to authorize users to access a particular SSH host, as they can be restricted for a single use case, and can be short lived. Instead of managing the authorized_keys of a host, or controlling who has access to SSH Private Keys, hosts just need to be configured to trust an SSH CA.

BLESS should be run as an AWS Lambda in an isolated AWS account. Because BLESS needs access to a private key which is trusted by your hosts, an isolated AWS account helps restrict who can access that private key, or modify the BLESS code you are running.

AWS Lambda functions can use an AWS IAM Policy to limit which IAM Roles can invoke the Lambda Function. If properly configured, you can restrict which IAM Roles can request SSH Certificates. For example, your SSH Bastion (aka SSH Jump Host) can run with the only IAM Role with access to invoke a BLESS Lambda Function configured with the SSH CA key trusted by the instances accessible to that SSH Bastion.

Getting Started

These instructions are to get BLESS up and running in your local development environment.

Installation Instructions

Clone the repo:

$ git clone git@github.com:Netflix/bless.git

Cd to the bless repo:

$ cd bless

Create a virtualenv if you haven't already:

$ python3.8 -m venv venv

Activate the venv:

$ source venv/bin/activate

Install package and test dependencies:

(venv) $ make develop

Run the tests:

(venv) $ make test

Deployment

To deploy an AWS Lambda Function, you need to provide a .zip with the code and all dependencies. The .zip must contain your lambda code and configurations at the top level of the .zip. The BLESS Makefile includes a publish target to package up everything into a deploy-able .zip if they are in the expected locations. You will need to setup your own Python 3.7 lambda to deploy the .zip to.

Previously the AWS Lambda Handler needed to be set to bless_lambda.lambda_handler, and this would generate a user cert. bless_lambda.lambda_handler still works for user certs. bless_lambda_user.lambda_handler_user is a handler that can also be used to issue user certificates.

A new handler bless_lambda_host.lambda_handler_host has been created to allow for the creation of host SSH certs.

All three handlers exist in the published .zip.

Compiling BLESS Lambda Dependencies

To deploy code as a Lambda Function, you need to package up all of the dependencies. You will need to compile and include your dependencies before you can publish a working AWS Lambda.

BLESS uses a docker container running Amazon Linux 2 to package everything up:

  • Execute make lambda-deps and this will run a container and save all the dependencies in ./aws_lambda_libs

Protecting the CA Private Key

  • Generate a password protected RSA Private Key in the PEM format:
$ ssh-keygen -t rsa -b 4096 -m PEM -f bless-ca- -C "SSH CA Key"
  • Note: OpenSSH Private Key format is not supported.
  • Use KMS to encrypt your password. You will need a KMS key per region, and you will need to encrypt your password for each region. You can use the AWS Console to paste in a simple lambda function like this:
import boto3
import base64
import os


def lambda_handler(event, context):
    region = os.environ['AWS_REGION']
    client = boto3.client('kms', region_name=region)
    response = client.encrypt(
    KeyId='alias/your_kms_key',
    Plaintext='Do not forget to delete the real plain text when done'
    )

    ciphertext = response['CiphertextBlob']
    return base64.b64encode(ciphertext)
  • Manage your Private Keys .pem files and passwords outside of this repo.
  • Update your bless_deploy.cfg with your Private Key's filename and encrypted passwords.
  • Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing a new Lambda .zip
  • Set the permissions of ./lambda_configs/ca_key_name.pem to 444.

You can now provide your private key and/or encrypted private key password via the lambda environment or config file. In the [Bless CA] section, you can set ca_private_key instead of the ca_private_key_file with a base64 encoded version of your .pem (e.g. cat key.pem | base64 ).

Because every config file option is supported in the environment, you can also just set bless_ca_default_password and/or bless_ca_ca_private_key. Due to limits on AWS Lambda environment variables, you'll need to compress RSA 4096 private keys, which you can now do by setting bless_ca_ca_private_key_compression. For example, set bless_ca_ca_private_key_compression = bz2 and bless_ca_ca_private_key to the output of cat ca-key.pem | bzip2 | base64.

BLESS Config File

  • Refer to the the Example BLESS Config File and its included documentation.
  • Manage your bless_deploy.cfg files outside of this repo.
  • Provide your desired ./lambda_configs/bless_deploy.cfg prior to Publishing a new Lambda .zip
  • The required [Bless CA] option values must be set for your environment.
  • Every option can be changed in the environment. The environment variable name is constructed as section_name_option_name (all lowercase, spaces replaced with underscores).

Publish Lambda .zip

  • Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing
  • Provide your desired BLESS Config File at ./lambda_configs/bless_deploy.cfg prior to Publishing
  • Provide the compiled dependencies at ./aws_lambda_libs
  • run:
(venv) $ make publish
  • deploy ./publish/bless_lambda.zip to AWS via the AWS Console, AWS SDK, or S3
  • remember to deploy it to all regions.

Lambda Requirements

You should deploy this function into its own AWS account to limit who has access to modify the code, configs, or IAM Policies. An isolated account also limits who has access to the KMS keys used to protect the SSH CA Key.

The BLESS Lambda function should run as its own IAM Role and will need access to an AWS KMS Key in each region where the function is deployed. The BLESS IAMRole will also need permissions to obtain random from kms (kms:GenerateRandom) and permissions for logging to CloudWatch Logs (logs:CreateLogGroup,logs:CreateLogStream,logs:PutLogEvents).

Using BLESS

After you have deployed BLESS you can run the sample BLESS Client from a system with access to the required AWS Credentials. This client is really just a proof of concept to validate that you have a functional lambda being called with valid IAM credentials.

(venv) $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_usernames bastion_source_ip bastion_command <id_rsa.pub to sign> <output id_rsa-cert.pub>

Verifying Certificates

You can inspect the contents of a certificate with ssh-keygen directly:

$ ssh-keygen -L -f your-cert.pub

Enabling BLESS Certificates On Servers

Add the following line to /etc/ssh/sshd_config:

TrustedUserCAKeys /etc/ssh/cas.pub

Add a new file, owned by and only writable by root, at /etc/ssh/cas.pub with the contents:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an SSH CA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA 2

To simplify SSH CA Key rotation you should provision multiple CA Keys, and leave them offline until you are ready to rotate them.

Additional information about the TrustedUserCAKeys file is here

Project resources