Home Big Data Securing the CLI with OAuth2 Machine Authorization

Securing the CLI with OAuth2 Machine Authorization

0
Securing the CLI with OAuth2 Machine Authorization

[ad_1]

Most corporations have sturdy exterior safety, e.g. blocking all entry to manufacturing property utilizing a firewall, and requiring a VPN to get “inside” entry to manufacturing environments. Nevertheless, as soon as you might be linked to the VPN, the inner programs are often very poorly protected, and there’s little to no authentication and authorization for inner instruments and providers.

Two widespread threats to inner safety are compromised worker laptops and provide chain assaults. In these eventualities, the attacker operates behind the firewall, usually with unrestricted community entry.

Providers with an online ui may be secured utilizing an utility load balancer, e.g. an AWS ALB with OIDC, however how do you shield entry to command line interface (CLI) based mostly instruments? Requiring a username and password for each CLI invocation makes it painful to make use of and storing the credentials on the system leaves them vast open in case the pc they reside on is compromised.

The Command Line

Most inner instruments have a CLI to handle the providers which can be used throughout the firm and plenty of are poorly protected. What’s the easiest way to authorize CLIs? And how will you tie authorization into the corporate’s SSO?

One possibility is to deploy Hashicorp Vault, however that’s loads of setup and upkeep, so until you might have a group to function it, Vault may not be an excellent match.

An alternative choice is the OAuth2 gadget authorization grant (RFC8628), which is what this weblog publish will present you use.

The OAuth 2.0 gadget authorization grant is designed for Web-connected gadgets that both lack a browser to carry out a user-agent-based authorization or are enter constrained to the extent that requiring the consumer to enter textual content in an effort to authenticate in the course of the authorization circulation is impractical. It allows OAuth shoppers on such gadgets (like sensible TVs, media consoles, digital image frames, and printers) to acquire consumer authorization to entry protected sources by utilizing a consumer agent on a separate gadget.

Should you ever used the AWS CLI with Single SignOn, that is what it does.

OAuth2 Machine Circulate

The Machine Authorization Circulate comprises two completely different paths; one happens on the gadget requesting authorization (the CLI) and the opposite happens in a browser. The browser circulation path, whereby a tool code is certain to the session within the browser, happens as a parallel path half within the gadget circulation path.


device-5

Implementing the OAuth Machine Circulate

Now we’ll take a look at what the above sequence diagram seems like when it’s carried out.

The inner CLI device at Rockset is named rsctl and is written in go. Step one is to provoke the gadget circulation to get a JWT entry token.

$ rsctl login
Trying to mechanically open the SSO authorization web page in your default browser.
If the browser doesn't open otherwise you want to use a unique gadget to authorize this request, open the next URL:

https://rockset.auth0.com/activate?user_code=BBLF-JCWB

Then enter the code:
BBLF-JCWB

Efficiently logged in!

If you’re utilizing the CLI after logging in to a different laptop, e.g. ssh:ing to a Linux server, and you utilize macOS, you may configure iTerm to mechanically open the hyperlink utilizing a “Run command” set off.

The web page that the hyperlink takes you to seems like this:


Device Confirmation


After you have confirmed that the “consumer code” is appropriate (matches with what the CLI reveals), and also you click on “Verify”, it is going to take you thru the conventional OAuth2 login process (which in our case requires a username, password and {hardware} token).

As soon as the authentication is accomplished, you’ll be redirected and introduced with a dialog just like the one beneath, and you may shut the browser window.


Device Confirmation


The CLI has now obtained a jwt entry token which is legitimate for various hours and is used to authenticate through inner providers. The token may be cached on disk and reused between CLI invocations throughout its lifetime.

While you concern a brand new rsctl command, it is going to learn the cached Entry Token from disk, and use it to authenticate with the inner APIs.

Below the Hood

We’ve got carried out and open sourced a go module to carry out the gadget authorization circulation (github.com/rockset/device-authorization). It helps each Auth0 and Okta as OAuth suppliers.

Pattern Code

The next code is offered within the instance listing within the git repository.

Embedded content material: https://gist.github.com/pmenglund/5ed2708cdb88b6a6982258aed59a0899

We now have a JWT token, which can be utilized to authenticate REST calls by setting the Authorization header to Bearer: <jwt entry token>

Embedded content material: https://gist.github.com/pmenglund/b2ac7bb15ce25755a69573f5a063cb14

It’s now as much as the receiving finish to validate the bearer token, which may be executed utilizing an AWS ALB with OIDC authentication or a supplier particular API from the API server.

Offline Validation

An alternative choice for entry token validation is “offline validation”. In offline validation, the API server will get the general public key used to signal the JWT token from the supplier (and caches the general public key) and performs the validation within the API server, as a substitute of constructing a validation request to the supplier.

Residual Danger

One factor this doesn’t shield towards is an attacker with a foothold on the pc that executes the CLI. They’ll simply wait till the consumer has accomplished the authentication, and they’re going to then have the ability to act because the consumer throughout the entry token.

To mitigate this threat, you may require a one time password (OTP), e.g. a Yubikey, each time the consumer performs a privileged motion.

$ rsctl delete useful resource foobar
please enter yubikey OTP: ccccccvfbbcddjtuehgnfrbtublkuufbgeebklrubkhf
useful resource foobar deleted

Closing Ideas

On this weblog, now we have proven how we constructed and open-sourced a go module to safe the Command Line Interface (CLI) utilizing an OAuth2 gadget authorization circulation that helps each Auth0 and Okta SSO suppliers. You may add this go module to your inner instruments and scale back inner safety threats.



[ad_2]