Reading through the validity constraints docs for SSH certificates, it doesn't look like there's the ability to specify which hosts a SSH user certificate is able to be used with. How are you solving authorization issues (allowing a user access to some hosts, but not all in a larger environment) with BLESS, or are you?
It looks like this would mean the holder of a valid SSH certificate would have access to any host configured to trust that CA certificate (plus or minus networking) without the ability to make access decisions by the type of host. Is that accurate or am I grossly misunderstanding something?
Any given SSH certificate (and key pair) for us is not an issue, as we restrict the certs so that they are only accepted from one bastion to exactly one use on exactly one instance, for only a few minutes.
If you have access to the IAM creds that can call BLESS, and you aren't using the kmsauth features, then whoever has access to the IAM keys can issue any cert they want.
There are a few tools you can use to build AuthZ around BLESS. However, the whole AuthZ system is still build-it-yourself:
- Who has access to call a particular lambda?
- What SSH CA key does that lambda have?
- Can you request a cert with a particular principal?
You can use SSH Cert principals in creative ways.
Certs can expire right after a connection is authenticated.
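To make the "principals in creative ways" and "expire right after authentication" points concrete, here is an added example that is not part of this issue thread or of the BLESS project. It models the decision sshd makes when a BLESS-style user certificate is presented to a host: at least one certificate principal must appear in that host's AuthorizedPrincipalsFile for the target account, the current time must lie inside the cert's validity window, and any critical option such as source-address must be satisfied. The `ssh-keygen -L` listing, the host policy table, and the `class:<host-class>` principal naming convention are all constructed for the illustration; sshd and BLESS do not define that convention.

```python
"""Added example (not BLESS code): per-host authorization of an SSH user cert
driven by principals, a short validity window and a source-address pin."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of `ssh-keygen -L -f id_ed25519-cert.pub` output for a
# cert carrying a user principal plus an illustrative host-class principal,
# a 5-minute validity and a source-address option pinning it to one bastion.
SAMPLE_CERT_LISTING = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_pubkey_fingerprint
        Signing CA: ED25519 SHA256:PLACEHOLDER_ca_fingerprint (using ssh-ed25519)
        Key ID: "alice@bastion-1"
        Serial: 42
        Valid: from 2024-05-01T12:00:00 to 2024-05-01T12:05:00
        Principals: 
                alice
                class:web-prod
        Critical Options: 
                source-address 10.0.1.5/32
        Extensions: 
                permit-pty
"""

# Constructed per-host policy: the lines each host would carry in its
# AuthorizedPrincipalsFile for the "alice" account. Only the web tier
# accepts the "class:web-prod" principal; the database tier does not.
HOST_POLICIES = {
    "web-prod-01": ["class:web-prod"],
    "db-prod-01": ["class:db-prod"],
}


def parse_cert_listing(text):
    """Parse the human-readable `ssh-keygen -L` listing into a dict."""
    cert = {"principals": [], "critical_options": {}, "extensions": [],
            "valid_from": None, "valid_to": None}
    section = None
    for raw in text.splitlines()[1:]:          # first line is the file name
        line = raw.strip()
        if not line:
            continue
        if raw.startswith(16 * " ") and section:   # entry nested under a list header
            if section == "critical_options":
                name, _, value = line.partition(" ")
                cert["critical_options"][name] = value
            else:
                cert[section].append(line)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("Principals", "Critical Options", "Extensions"):
            # ssh-keygen prints "(none)" when a list is empty
            section = None if value == "(none)" else key.lower().replace(" ", "_")
            continue
        section = None
        if key == "Valid" and value != "forever":
            m = re.match(r"from (\S+) to (\S+)", value)
            cert["valid_from"] = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
            cert["valid_to"] = datetime.fromisoformat(m.group(2)).replace(tzinfo=timezone.utc)
        elif key == "Key ID":
            cert["key_id"] = value.strip('"')
        elif key == "Serial":
            cert["serial"] = int(value)
    return cert


def host_authorizes(cert, authorized_principals, now, client_ip):
    """Model of sshd's decision for one host. Returns (allowed, reason)."""
    if cert["valid_from"] and not (cert["valid_from"] <= now <= cert["valid_to"]):
        return False, "certificate is outside its validity window"
    src = cert["critical_options"].get("source-address")
    if src:
        nets = [ipaddress.ip_network(n) for n in src.split(",")]
        if not any(ipaddress.ip_address(client_ip) in n for n in nets):
            return False, "client address not permitted by source-address"
    matched = [p for p in cert["principals"] if p in authorized_principals]
    if not matched:
        return False, "no certificate principal is authorized on this host"
    return True, "principal %r authorized" % matched[0]


def evaluate_for_hosts(cert, now, client_ip):
    """Run the decision against every host in HOST_POLICIES."""
    return {host: host_authorizes(cert, allowed, now, client_ip)
            for host, allowed in HOST_POLICIES.items()}


if __name__ == "__main__":
    cert = parse_cert_listing(SAMPLE_CERT_LISTING)
    inside = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)
    for host, (ok, why) in evaluate_for_hosts(cert, inside, "10.0.1.5").items():
        print("%-12s %s (%s)" % (host, "ALLOW" if ok else "DENY", why))
    late = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)
    print("after expiry:", host_authorizes(cert, HOST_POLICIES["web-prod-01"], late, "10.0.1.5"))
```

On a real host the equivalent of `HOST_POLICIES` is a file selected by `AuthorizedPrincipalsFile` in sshd_config (for example one file per account), so a cert whose principals name only the web tier is rejected by database hosts even though both trust the same CA; the short validity and source-address pin then bound how long and from where an issued cert is usable at all.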
Source: OpenSSH ssh-keygen options docs