From Zero to Zero-Trust: Lessons Learned Building a BeyondCorp SSH Proxy

Presented at ToorCon San Diego 19 (2017), Sept. 2, 2017, 11 a.m. (50 minutes)

The term “zero-trust” has become somewhat of a buzzword lately, but we haven’t seen many practical examples of how something like this is implemented. As fantastic as the BeyondCorp papers are, it can be a bit daunting to take concepts from it and build something real. The SSH protocol in particular was of interest to us given how many times we use it on a daily basis, but aside from some comments in the source code for the Chrome Secure Shell extension, there wasn’t much to go on. In this talk we’ll provide an in-depth look at how we built an SSH WebSockets proxy that natively supports the relay protocol built into the Chrome Secure Shell extension. We’ll also cover how we built a client proxy that supports the OpenSSH ProxyCommand directive, which allowed us to continue using standard SSH tooling on macOS, Windows, and *nix operating systems.

Presenters:

• James Barclay
  James Barclay is an R&D Engineer at Duo Labs, the security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant before that. He’s contributed to a handful of open-source projects, and has been called an Apple nerd once or twice.

Links:

• https://sandiego.toorcon.net/conference/#3
• https://infocon.org/cons/ToorCon/ToorCon 19 - 2017/James Barclay - From Zero to Zero-Trust.eng.srt (subtitles)
• https://infocon.org/cons/ToorCon/ToorCon 19 - 2017/James Barclay - From Zero to Zero - Trust.mp4
• https://www.youtube.com/watch?v=FSbOgwLERaA

Similar Presentations:

• BSidesSF 2017 / Better SSH management with ephemeral keys
• Kernelcon 2019 / HASSH it real good
• Still Hacking Anyway (SHA2017) / SSH - From Zero to Hero (Workshop): Impress your friends with your freshly acquired SSH knowledge