Early Release. Raw & Unedited. Chapter 1.

What is an SSH bastion and how is this different from an SSH jump server or an SSH proxy? In this post, we’ll answer this question and will show you how to set it up using two popular open source projects. OpenSSH is the older and better known SSH server. It comes pre-installed by default with the vast majority of Linux distributions and is the easier option to get started with. Teleport is a much newer SSH server, its first production-quality release came out in 2016. Teleport has been optimized for elastic multi-cloud environments and supports other access protocols in addition to SSH.

The industry best practices for SSH security include using certificates, two-factor authentication, and SSH bastion hosts. Below, we practically explain how to implement these best practices in detail using working sample commands and configurations with OpenSSH users in mind.

This is the first of a series of blog posts on the most common failures we’ve encountered with Kubernetes across a variety of deployments. In this first part of this series, we will focus on networking. We will list the issue we have encountered, include easy ways to troubleshoot/discover it and offer some advice on how to avoid the failures and achieve more robust deployments. Finally, we will list some of the tools that we have found helpful when troubleshooting.

In April 2021, I discovered an attack vector that could allow a malicious Pull Request to a Github repository to gain access to our production environment. Open source companies like us, or anyone else who accepts external contributions, are especially vulnerable to this. https://goteleport.com/blog/hack-via-pull-request/

What is SAML 2.0? Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standard for authentication and authorizing between multiple parties. It’s one of the protocol that give users the single sign-on (SSO) experience for applications. The other adopted open standard is OAuth and OpenID. Of the two, SAML 2.0, released in 2005, remains the 800 pound gorilla in Enterprise SSO space. This post provides a detailed introduction on how SAML works

In this blog post we’ll cover how to set up an SSH jump server. We’ll cover two open source projects. A traditional SSH jump server using OpenSSH. The advantage of this method is that your servers already have OpenSSH pre-installed. A modern approach using Teleport, a newer open source alternative to OpenSSH. Both of these servers are easy to install and configure, are free and open-source, and are single-binary Linux daemons.

In this article, we will explore this same conundrum for our online identities in the form of the authentication layer, OIDC, built on the authorization protocol, OAuth.

What’s worse than an unsafe private key? An unsafe public key. The “secure” in secure shell comes from the combination of hashing, symmetric encryption, and asymmetric encryption. Together, SSH uses cryptographic primitives to safely connect clients and servers. In the 25 years since its founding, computing power and speeds in accordance with Moore’s Law have necessitated increasingly complicated low-level algorithms. This article will focus on asymmetric keygen algorithms. As of 2020, the most widely adopted algorithms are RSA, DSA, ECDSA, and EdDSA, but it is RSA and EdDSA that provide the best security and performance.

There is a growing discussion among network engineers, DevOps teams, and security professionals about the security benefits of bastions. Many assume that they are the “old way” of network access and have little relevance in the modern cloud native stack. These speculations are not irrelevant as in recent years, the corporate IT network perimeter as we knew it is diminishing, and the concept has been shifted to data, identity, and compute perimeter. Software-defined networking solutions have overtaken hardware firewall boxes, and the requirement of managing bare metal servers has shifted to container deployed or even serverless applications. Where do bastions fit in these scenarios? Do we even need one?

In this post, I’ll cover different tunneling features as supported by OpenSSH, which helps achieve security use cases such as remote web service access without exposing ports on the internet, accessing servers behind NAT, exposing local ports to the internet. OpenSSH is the most widely used open-source SSH server. It comes pre-installed by default with the vast majority of Linux distributions.