Client Certificates at Netflix

May 20, 2016

by Russell Haering

Yesterday at OSCON, Russell Lewis, a senior software engineer at Netflix, gave a talk entitled "How Netflix Gives All Its Engineers SSH Access to Instances Running In Production". The talk introduced a system called BLESS, which issues short-term SSH client certificates based on AWS IAM roles. We’re excited to see Netflix join the growing ranks of companies opening up about how they use client certificates to control access to their infrastructure.


Modern authentication systems operate by having a user authenticate against a central service in exchange for a limited access token. Using that token the user can access various services for a limited period of time. After that they are required to re-authenticate. If you’ve ever logged into a corporate single sign-on (SSO) system, or even just a Gmail account, you’ve experienced this before.

By decoupling the authentication workflow from the underlying services, these systems offer a multitude of benefits. Only a single system needs to handle sensitive credentials, lowering the surface area for attack. Authentication policies can be easily extended or modified by changing a single configuration. And in some cases the centralized system can make more intelligent decisions based on additional factors such as the user’s location or behavior.

In contrast, most organizations still use relatively primitive authentication schemes to secure the SSH and RDP services that guard access to their most sensitive infrastructure. Many rely on static SSH keys, which are difficult to centrally manage and audit. Others use centralized systems like LDAP, which require users to enter passwords or MFA codes directly into the servers they are authenticating to - hardly a best practice even for a low-value target.

Client Certificates

Systems like ScaleFT and BLESS use client certificates to modernize infrastructure authentication. Instead of trusting widely distributed static credentials, or requiring users to enter sensitive credentials into untrusted servers, these systems operate as a Certificate Authority (CA), allowing users to authenticate against a central authority in exchange for short-lived infrastructure credentials.

Servers configured to trust certificates issued by ScaleFT or BLESS can cryptographically verify that a user is authenticated, without requiring sensitive information from the user or even needing to communicate with the CA.
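
As an added illustration of the flow described above (not code from ScaleFT, BLESS or the talk), the following shell functions use stock OpenSSH ssh-keygen to act as a small CA that signs a user key for a short validity window, and to check which CA signed a certificate. The file names, the key ID, the principal alice and the sshd_config path are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: SSH user certificates with stock OpenSSH tooling.
# File names, the key ID and the principal "alice" are constructed.

# Generate a CA key pair ($1/ca) and a user key pair ($1/alice).
make_keys() {
  ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$1/ca"
  ssh-keygen -q -t ed25519 -N '' -C 'alice-laptop' -f "$1/alice"
}

# CA side: once the user has authenticated to the central service (not
# shown), sign their public key. -I is the key ID that sshd logs, -n the
# login name the certificate is valid for, -V the validity window ($2).
# Writes $1/alice-cert.pub.
issue_cert() {
  ssh-keygen -q -s "$1/ca" -I 'alice@example.com' -n alice -V "$2" "$1/alice.pub"
}

# Print the SHA256 fingerprint of the CA that signed certificate $1.
cert_ca_fingerprint() {
  ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

# Print the validity window of certificate $1.
cert_validity() {
  ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Valid: //p'
}

# Succeed only if certificate $1 was signed by the CA public key $2.
signed_by() {
  [ "$(cert_ca_fingerprint "$1")" = "$(ssh-keygen -l -f "$2" | awk '{print $2}')" ]
}

# Server side: sshd performs the real check itself, offline, once it is
# told which CA to trust in sshd_config:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# The path is a placeholder; install the CA's public key (ca.pub) there.
```

Calling make_keys on a scratch directory and then issue_cert with a window such as +5m yields alice-cert.pub, which sshd stops accepting once the window closes.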

Legacy infrastructure authentication mechanisms pose a major risk to organizations, and client certificates are a critical part of any modern replacement. We’re excited to continue seeing the creative solutions that companies like Netflix are using to combat these risks, and we can’t wait to learn how other organizations are using client certificates.

For details on how Netflix authenticates engineers to their production infrastructure, check out the talk.

