How Uber, Facebook, and Netflix Do SSH

TL;DR

• A study shows there is a cybersecurity attack every 39 seconds.
• In a typical SSH protocol:
• the server trusts the client if the client’s public key is listed as authorized,
• and the client trusts the server’s public key on first use (TOFU).
• The trust on first use (TOFU) approach delegates the trust to the clients and leave them vulnerable to man-in-the-middle attacks.
• One solution to fix this is using SSH certificates and SSH certificate authorities (CA).
• Many companies take Zero-Trust approach.
• BeyondCorp is Google’s Zero-Trust model that does NOT use a VPN.
• Uber uses the Uber SSH Certificate Authority (USSHCA) along with a pam module for continued validity of a user.
• Facebook has implemented its own SSH servers to trust based on certificate authorities (CA).
• Certificates issued by CA includes all permissions and privileges for each user.
• Netflix uses Bastion’s Lambda Ephemeral SSH Service (BLESS) certificate authority.
• BLESS runs on AWS Lambda and uses AWS Key Management Service (KMS).
• Netflix’s SSH bastion uses SSO to authenticate users and issuing short-lived certificates.
• Teleport provides role-based access control using existing SSH protocol.

READ MORE

• How Uber, Facebook, and Netflix Do SSH
• Introducing the Uber SSH Certificate Authority
• Hackers Attack Every 39 Seconds