From Zero to Zero-Trust: Lessons Learned Building a BeyondCorp SSH Proxy

Presented at ToorCon San Diego 19 (2017), Sept. 2, 2017, 11 a.m. (50 minutes).

The term “zero-trust” has become somewhat of a buzzword lately, but we haven’t seen many practical examples of how something like this is implemented. As fantastic as the BeyondCorp papers are, it can be a bit daunting to take concepts from it and build something real. The SSH protocol in particular was of interest to us given how many times we use it on a daily basis, but aside from some comments in the source code for the Chrome Secure Shell extension, there wasn’t much to go on. In this talk we’ll provide an in-depth look at how we built an SSH WebSockets proxy that natively supports the relay protocol built into the Chrome Secure Shell extension. We’ll also cover how we built a client proxy that supports the OpenSSH ProxyCommand directive, which allowed us to continue using standard SSH tooling on macOS, Windows, and *nix operating systems.


Presenters:

  • James Barclay
    James Barclay is an R&D Engineer at Duo Labs, the security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant before that. He’s contributed to a handful of open-source projects, and has been called an Apple nerd once or twice.

Links:

Similar Presentations: