TL;DR

  • A study shows there is a cybersecurity attack every 39 seconds.
  • In a typical SSH deployment:
      • the server trusts the client if the client’s public key is listed as authorized,
      • and the client trusts the server’s public key on first use (TOFU).
  • The trust-on-first-use (TOFU) approach delegates trust decisions to the clients and leaves them vulnerable to man-in-the-middle attacks.
  • One solution to fix this is using SSH certificates and SSH certificate authorities (CA).
  • Many companies take a Zero-Trust approach.
  • BeyondCorp is Google’s Zero-Trust model that does NOT use a VPN.
  • Uber uses the Uber SSH Certificate Authority (USSHCA) along with a PAM module for continued validation of a user.
  • Facebook has implemented its own SSH servers to trust based on certificate authorities (CA).
  • Certificates issued by the CA include all permissions and privileges for each user.
  • Netflix uses Bastion’s Lambda Ephemeral SSH Service (BLESS) certificate authority.
  • BLESS runs on AWS Lambda and uses AWS Key Management Service (KMS).
  • Netflix’s SSH bastion uses SSO to authenticate users and issues short-lived certificates.
  • Teleport provides role-based access control using the existing SSH protocol.
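The CA-based alternative to TOFU from the bullets above, and the short-lived user certificates Uber and Netflix rely on, can be reproduced with nothing but `ssh-keygen`. This is an added example, not code from the original post or from any of the companies named; the hostnames, the user name `alice` and the validity windows are made up, and everything is written to a scratch directory.

```shell
#!/bin/sh
# Added example: build an SSH CA in a scratch directory, issue a host certificate
# and a one-hour user certificate, and trust the CA instead of individual host keys.
# All names (example.com, alice) are constructed for the demonstration.
set -eu

# Create the CA, sign a host key and a user key, and write a known_hosts line
# that trusts the CA for every host under *.example.com. Prints the directory.
issue_certs() {
    dir=$(mktemp -d)

    # 1. CA key pair. The private half is the whole trust anchor; in production it
    #    lives offline or behind a KMS (as BLESS does), never on a laptop.
    ssh-keygen -q -t ed25519 -N "" -C "example-ca" -f "$dir/ca"

    # 2. Host key, then a host certificate (-h). The principals (-n) are the names
    #    this host may present; the client verifies them against the CA signature.
    ssh-keygen -q -t ed25519 -N "" -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -s "$dir/ca" -I "bastion.example.com" -h \
        -n bastion.example.com -V +52w "$dir/ssh_host_ed25519_key.pub"

    # 3. User key, then a certificate valid for one hour and only for principal
    #    "alice". Expiry replaces the need to revoke or clean up authorized_keys.
    ssh-keygen -q -t ed25519 -N "" -f "$dir/alice_key"
    ssh-keygen -q -s "$dir/ca" -I "alice@example.com" -n alice -V +1h \
        "$dir/alice_key.pub"

    # 4. Client side: one @cert-authority line replaces per-host TOFU entries.
    printf '@cert-authority *.example.com %s\n' "$(cat "$dir/ca.pub")" \
        > "$dir/known_hosts"

    # Server side would reference the same material in sshd_config:
    #   HostCertificate   /etc/ssh/ssh_host_ed25519_key-cert.pub
    #   TrustedUserCAKeys /etc/ssh/ca.pub
    echo "$dir"
}

# Decode a certificate: type, principals, validity window and serial.
show_cert() {
    ssh-keygen -L -f "$1"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    d=$(issue_certs)
    show_cert "$d/alice_key-cert.pub"
    show_cert "$d/ssh_host_ed25519_key-cert.pub"
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

The `show_cert` output is what a server or client actually evaluates: a certificate presented outside its `Valid:` window or for a principal not listed is rejected without any key ever being added to `authorized_keys` or `known_hosts`.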
