
Network Attack Defense: SSH PKI authentication on endpoint connections

Network Attack Defense protection for SSH uses a modified version of libssh to proxy client connections to the product, which then connects to the remote server. Client-product and product-remote server connections are only established at the transport layer.

Before accepting connections, the proxy initializes its server by loading the SSH host keys from /opt/bitdefender-security-tools/etc/ssh.

It tries ssh_host_rsa_key, then ssh_host_ed25519_key and finally ssh_host_ecdsa_key.

The first one found is used. If none is found, a completely new set of host keys is generated automatically and the RSA one is used.

The directory layout of /opt/bitdefender-security-tools/etc/ssh is a copy of the one found on VMware ESXi (5.0 and later). Additionally, for each user, an authorized_keys file can be configured in /opt/bitdefender-security-tools/etc/ssh/keys-$user alongside that user's private keys. This file holds the public keys the proxy accepts from the client, and it is required if the proxy manages to authenticate to the remote host using one of the user's private keys.

Check the following directory layout example:

# ls -lR etc/ssh/
etc/ssh/:
total 24
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:47 keys-root
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:50 keys-test
-rw-------. 1 root bitdefender  241 Oct  6 02:42 ssh_host_ecdsa_key
-rw-------. 1 root bitdefender  180 Oct  6 02:42 ssh_host_ecdsa_key.pub
-rw-------. 1 root bitdefender  395 Oct  6 02:42 ssh_host_ed25519_key
-rw-------. 1 root bitdefender  100 Oct  6 02:42 ssh_host_ed25519_key.pub
-rw-------. 1 root bitdefender 3272 Oct  6 02:42 ssh_host_rsa_key
-rw-------. 1 root bitdefender  744 Oct  6 02:42 ssh_host_rsa_key.pub

etc/ssh/keys-root:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:47 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 22  2021 id_rsa
-rw-------. 1 root bitdefender  400 Oct 22  2021 id_rsa.pub

etc/ssh/keys-test:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:50 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 11 15:50 id_rsa
-rw-------. 1 root bitdefender  400 Oct 11 15:50 id_rsa.pub

The authentication flow is as follows:

  • The proxy advertises the none authentication method to the client in order to capture the user name.

  • The proxy initializes the connection to the remote server.

  • The proxy loads all private keys found in /opt/bitdefender-security-tools/etc/ssh/keys-$user (if any) and tries them against the remote server.

  • If none of the user's private keys could be used to authenticate to the remote server, or if the public-key authentication of the client against the proxy's authorized_keys failed, the proxy enters MITM mode in order to give the client the chance to try password authentication directly.

Configuring authentication with SSH keys when Network Attack Defense is enabled

When Network Attack Defense and SSH/SCP traffic inspection are enabled, additional configuration is required for environments that use SSH key-based authentication (PKI).

Follow the procedure that applies to your use case.

Important

  • All commands in the following procedures must be executed on the endpoint where BEST is installed.

  • In the following procedures, the BEST installation directory is assumed to be /opt/bitdefender-security-tools.

Outgoing SSH connections

Use this procedure if the protected endpoint initiates SSH or SCP connections to remote servers:

  1. Create the /opt/bitdefender-security-tools/etc/ssh/keys-$user directory, where $user is the username used to authenticate to the remote server, if it does not already exist.

  2. Move the SSH key pair used to authenticate to the remote server into the previously created directory.

  3. Use ssh-keygen to generate a new SSH key pair for the user on the protected endpoint.

  4. Create the authorized_keys file in the same /opt/bitdefender-security-tools/etc/ssh/keys-$user directory, if it does not already exist.

  5. Append the public key (*.pub) previously generated to the authorized_keys file created earlier.

Consider the following setup:

  • The protected endpoint has a local user named local.

  • The remote server has a user named remote.

  • The connection is initiated from the protected endpoint:

    ssh remote@remote-server

To configure SSH key authentication:

  1. Create the directory /opt/bitdefender-security-tools/etc/ssh/keys-remote/ if it does not already exist.

  2. Move the SSH key pair used to authenticate to the remote server into the previously created directory.

  3. Generate a new SSH key-pair for the user local using ssh-keygen.

  4. Create the /opt/bitdefender-security-tools/etc/ssh/keys-remote/authorized_keys file if it does not already exist.

  5. Append the public key generated at step 3 to the previously created file.

Incoming SSH connections

Use this procedure if remote clients initiate SSH or SCP connections to the protected endpoint:

  1. Create the /opt/bitdefender-security-tools/etc/ssh/keys-$user directory, where $user is the account that remote clients use to authenticate to the protected endpoint, if it does not already exist.

  2. In the newly created directory, create the authorized_keys file.

  3. Copy the contents of the target user's existing authorized_keys file (typically located in ~/.ssh) into the previously created file.

  4. Generate a new SSH key pair for $user and store it in /opt/bitdefender-security-tools/etc/ssh/keys-$user.

  5. Append the public key generated at the previous step to the authorized_keys file on the protected endpoint, typically located in ~/.ssh.

    This allows the Network Attack Defense SSH proxy to authenticate to the local SSH service on behalf of the user.

Consider the following setup:

  • The protected endpoint has a local user named local.

  • A remote client connects to the protected endpoint using:

    ssh local@protected-endpoint

To configure SSH key authentication:

  1. Create the /opt/bitdefender-security-tools/etc/ssh/keys-local directory if it does not already exist.

  2. Create the /opt/bitdefender-security-tools/etc/ssh/keys-local/authorized_keys file if it does not already exist.

  3. Copy the contents of the existing ~/.ssh/authorized_keys file into the previously created file.

  4. Generate a new SSH key pair and store it in /opt/bitdefender-security-tools/etc/ssh/keys-local/.

    Example:

    ssh-keygen -t ed25519 -f /opt/bitdefender-security-tools/etc/ssh/keys-local/id_ed25519

  5. Append the public key previously generated to the ~/.ssh/authorized_keys file.