Uber Debuts SSH Key Authentication Module

Developers at Uber have unveiled a new module to help users enable the continuous re-authentication of SSH keys.

The company wrote the module to work alongside another tool it designed, an SSH certificate authority that keeps track of employees' SSH public keys. While the CA remains internal, Uber released the module, dubbed PAM_SSH, as open source on GitHub on Wednesday.

According to Peter Moody, a systems security engineer on Uber's Engineering team, the driving force behind the tool's creation was the management burden that comes with long-lived SSH keys.

SSH servers traditionally identify users by their public keys, using a combination of public-key cryptography and challenge-response authentication. Unlike SSL/TLS certificates, plain SSH keys carry no expiry date: a key stays valid until an administrator removes it from every authorized_keys file in which it appears.

Moody told Threatpost Wednesday that his team created the tool because an open source alternative didn’t exist.

“There weren’t any existing open source solutions that fit our needs, so we created our own CA. SSH certificates allow us to auto-expire keys, reduce maintenance costs, and eliminate host key-mismatch warnings,” Moody said.

Because SSH keys never expire on their own and invalidating them is cumbersome, what Uber's engineers mainly wanted was a way to expire credentials automatically. The company's SSH CA, the Uber SSH Certificate Authority, or USSHCA, issues SSH certificates to employees and controls how they may be used on a per-user, per-group basis. Paired with the module, the CA lets the company expire credentials automatically and also improves host authentication, which is what eliminates the host key-mismatch warnings Moody mentions.

“SSH certificates are great for authenticating a user at a single point in time, namely when they first access a given machine. After that point, however, even if a certificate expires, the login session will remain active,” Moody wrote Wednesday.

PAM_SSH, released under an MIT license, closes that gap: at later authentication points in a session it re-authenticates the user by checking that the user's SSH certificate is still valid.

To obtain a certificate, a user runs a client command that connects to the CA. The CA authenticates the user through a PAM conversation and receives the user's public key from their SSH agent. If that succeeds, the CA signs the key and returns an SSH certificate to the client along with its metadata, the "validity period, the user it's valid for, the options permitted, etc," according to Moody.

PAM, or Pluggable Authentication Modules, is the framework that lets programs such as login, sshd and sudo hand authentication off to a configurable stack of lower-level modules behind a single higher-level API.

The module is the latest in a long line of free and open source tools Uber’s engineering department has shared on GitHub.

In December, the company open sourced an auditing system, Chaperone, that monitors data stream latency and can alert developers when data loss or duplication may be happening. It also published code for Cherami, a message queue system made up of a handful of libraries that are also open source. Last month the company debuted an iOS framework, Ohana, for retrieving and formatting contact information.

The company hinted in December that it might eventually open source the code for its internal email intrusion detection system, designed to identify and thwart phishing campaigns.

The company is one of several technology giants, like contemporaries Facebook, Netflix, and Google, to share open source security software over the last several years.

Facebook released the code for its Capture the Flag platform last May and ported its SQL-powered detection tool, osquery, to Windows this past September. Google meanwhile debuted a pair of projects in December alone: OSS-Fuzz, aimed at continuously fuzzing open source software, and Project Wycheproof, a collection of tests that check cryptographic libraries for known weaknesses.

Discussion

  • anon:

    They haven't run into FreeIPA or what?
