Page MenuHomePhabricator
Create Task
Maniphest T6706

Allow SSH keys (and other Conduit tokens) to be restricted to specific IP ranges
Open, LowPublic
Actions

Description

In some cases, including cases in the Phacility cluster, we can meaningfully reduce the cost of private key disclosure by restricting keys and tokens to work only from specific source subnets.

For example, the signing key for intra-cluster requests as a cluster agent can be locked to the cluster subnet. An attacker would then need to both learn the private key and gain access to a host (which is generally a strictly higher barrier, as hosts necessarily have access to the key).

This isn't especially important, as it only serves to harden the cluster, but is probably also not very difficult.

This would look something like an option to restrict an SSH key to specific subnets (like 172.30.0.0/24) and then checks in Conduit request authentication and the SSH daemons that the request originates from an allowed IP in the range.

This can apply to Conduit tokens in the general case after T5955.

Revisions and Commits

rPHU libphutil
D11043rPHUbbc4b860710f Add IP range / CIDR utilities to libphutil
rP Phabricator
D11159rPfa7bb8ff7a50 Add `cluster.addresses` and require membership before accepting cluster…

Related Objects

Event Timeline

epriestley created this task.Dec 7 2014, 12:50 PM
epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Phacility.
epriestley moved this task from Backlog to Do After Launch on the Phacility board.
epriestley added a subscriber: epriestley.
epriestley mentioned this in T6240: Implement Conduit request signing for host-to-host calls.Dec 10 2014, 5:18 PM
epriestley mentioned this in D10985: Add Conduit Tokens to make authentication in Conduit somewhat more sane.Dec 12 2014, 9:41 PM
epriestley added a comment.Dec 13 2014, 6:26 PM

The cluster tokens (introduced in D10990; for context, see T5955 / T2783) should probably also be lockable to a defined range.

It may make sense to define some global cluster IP range, and then filter cluster tokens and trusted SSH keys to that range, regardless of any other restrictions applied (i.e., they must pass both cluster filtering and explicit filtering).

epriestley mentioned this in T6755: Allow more granular configuration of `security.allow-outbound-http`.Dec 15 2014, 6:00 PM
epriestley mentioned this in rP39f2bbaeea1b: Add Conduit Tokens to make authentication in Conduit somewhat more sane.Dec 15 2014, 7:14 PM
epriestley added a revision: D11043: Add IP range / CIDR utilities to libphutil.Dec 23 2014, 11:55 PM
epriestley added a commit: rPHUbbc4b860710f: Add IP range / CIDR utilities to libphutil.Dec 30 2014, 12:17 AM
epriestley added a revision: D11159: Add `cluster.addresses` and require membership before accepting cluster authentication tokens.Jan 2 2015, 9:13 PM
epriestley added a commit: rPfa7bb8ff7a50: Add `cluster.addresses` and require membership before accepting cluster….Jan 2 2015, 11:13 PM
juodumas added a subscriber: juodumas.Jan 23 2015, 6:59 PM
epriestley added a parent task: T7399: Fully separate live credentials from development repositories.Feb 27 2015, 3:44 PM
epriestley removed a parent task: T7399: Fully separate live credentials from development repositories.
eadler added a subscriber: eadler.Apr 28 2015, 3:54 AM
epriestley mentioned this in T6524: Support "request is from IP / subnet" policy rule.Aug 24 2016, 11:11 PM
20after4 added a subscriber: 20after4.Aug 30 2016, 6:13 PM
Herald added subscribers: cburroughs, andypuettmann, revi. · View Herald TranscriptAug 30 2016, 6:13 PM
epriestley mentioned this in Q489: What awful and unforetold security problems am I unleashing by allowing users to proxy arbitrary commands to drydock machines? (Answer 457).Sep 12 2016, 9:22 PM
tomekj2ee added a subscriber: tomekj2ee.Apr 10 2017, 9:34 PM
joshuaspence added a subscriber: joshuaspence.Jul 25 2017, 12:58 PM
Phabricator · Built by Phacility