{"id":15028268,"url":"https://github.com/netflix/bless","last_synced_at":"2025-04-11T06:21:56.531Z","repository":{"id":8664024,"uuid":"59155443","full_name":"Netflix/bless","owner":"Netflix","description":"Repository for BLESS, an SSH Certificate Authority that runs as an AWS Lambda function","archived":false,"fork":false,"pushed_at":"2024-08-16T23:28:53.000Z","size":284,"stargazers_count":2743,"open_issues_count":17,"forks_count":224,"subscribers_count":417,"default_branch":"master","last_synced_at":"2025-04-03T07:08:23.975Z","etag":null,"topics":["aws","bastion","lambda","python","security","serverless","ssh","ssh-certificates"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Netflix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-18T22:19:30.000Z","updated_at":"2025-03-30T08:57:37.000Z","dependencies_parsed_at":"2024-10-25T09:23:43.895Z","dependency_job_id":"c71ebb44-68c3-4665-8d85-0cc0586a0d8e","html_url":"https://github.com/Netflix/bless","commit_stats":{"total_commits":96,"total_committers":27,"mean_commits":"3.5555555555555554","dds":0.53125,"last_synced_commit":"f3714d549d79c5e0a36b7467d8b7680ce9fe2e61"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Fbless","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Fbless/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Fbless/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Fbless/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Netflix","download_url":"https://codeload.github.com/Netflix/bless/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246952276,"owners_count":20859812,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","bastion","lambda","python","security","serverless","ssh","ssh-certificates"],"created_at":"2024-09-24T20:07:55.717Z","updated_at":"2025-04-03T07:08:32.989Z","avatar_url":"https://github.com/Netflix.png","language":"Python","readme":"# Archived\nWith the existence of more SSH certificate tools since the release of BLESS, and better SSH access management from AWS, we're moving BLESS to the archived OSS project state. This means we no longer plan to maintain the project, but will be keeping it public for others who may still use it.\n\n![alt text](bless_logo.png \"BLESS\")\n# BLESS - Bastion's Lambda Ephemeral SSH Service\n[![Build Status](https://travis-ci.org/Netflix/bless.svg?branch=master)](https://travis-ci.org/Netflix/bless) [![Test coverage](https://coveralls.io/repos/github/Netflix/bless/badge.svg?branch=master)](https://coveralls.io/github/Netflix/bless) [![Join the chat at https://gitter.im/Netflix/bless](https://badges.gitter.im/Netflix/bless.svg)](https://gitter.im/Netflix/bless?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge) [![NetflixOSS Lifecycle](https://img.shields.io/osslifecycle/Netflix/bless.svg)]()\n\nBLESS is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH\npublic keys.\n\nSSH Certificates are an excellent way to authorize users to access a particular SSH host,\nas they can be restricted for a single use case, and can be short lived.  Instead of managing the\nauthorized_keys of a host, or controlling who has access to SSH Private Keys, hosts just\nneed to be configured to trust an SSH CA.\n\nBLESS should be run as an AWS Lambda in an isolated AWS account.  Because BLESS needs access to a\nprivate key which is trusted by your hosts, an isolated AWS account helps restrict who can access\nthat private key, or modify the BLESS code you are running.\n\nAWS Lambda functions can use an AWS IAM Policy to limit which IAM Roles can invoke the Lambda\nFunction.  If properly configured, you can restrict which IAM Roles can request SSH Certificates.\nFor example, your SSH Bastion (aka SSH Jump Host) can run with the only IAM Role with access to\ninvoke a BLESS Lambda Function configured with the SSH CA key trusted by the instances accessible\nto that SSH Bastion.\n\n## Getting Started\nThese instructions are to get BLESS up and running in your local development environment.\n### Installation Instructions\nClone the repo:\n\n    $ git clone git@github.com:Netflix/bless.git\n\nChange directory into the bless repo:\n\n    $ cd bless\n\nCreate a virtualenv if you haven't already:\n\n    $ python3.8 -m venv venv\n\nActivate the venv:\n\n    $ source venv/bin/activate\n\nInstall package and test dependencies:\n\n    (venv) $ make develop\n\nRun the tests:\n\n    (venv) $ make test\n\n\n## Deployment\nTo deploy an AWS Lambda Function, you need to provide a .zip with the code and all dependencies.\nThe .zip must contain your lambda code and configurations at the top level of the .zip.  The BLESS\nMakefile includes a publish target to package up everything into a deployable .zip if they are in\nthe expected locations.  You will need to set up your own Python 3.7 lambda to deploy the .zip to.\n\nPreviously the AWS Lambda Handler needed to be set to `bless_lambda.lambda_handler`, and this would generate a user \ncert.  `bless_lambda.lambda_handler` still works for user certs.  `bless_lambda_user.lambda_handler_user` is a handler \nthat can also be used to issue user certificates.\n\nA new handler `bless_lambda_host.lambda_handler_host` has been created to allow for the creation of host SSH certs.\n\nAll three handlers exist in the published .zip.\n\n### Compiling BLESS Lambda Dependencies\nTo deploy code as a Lambda Function, you need to package up all of the dependencies.  You will need to\ncompile and include your dependencies before you can publish a working AWS Lambda.\n\nBLESS uses a docker container running [Amazon Linux 2](https://hub.docker.com/_/amazonlinux) to package everything up:\n- Execute ```make lambda-deps``` and this will run a container and save all the dependencies in ./aws_lambda_libs\n\n### Protecting the CA Private Key\n- Generate a password protected RSA Private Key in the PEM format:\n```\n$ ssh-keygen -t rsa -b 4096 -m PEM -f bless-ca- -C \"SSH CA Key\"\n```\n- **Note:** OpenSSH Private Key format is not supported.\n- Use KMS to encrypt your password.  You will need a KMS key per region, and you will need to\nencrypt your password for each region.  You can use the AWS Console to paste in a simple lambda\nfunction like this:\n```\nimport boto3\nimport base64\nimport os\n\n\ndef lambda_handler(event, context):\n    region = os.environ['AWS_REGION']\n    client = boto3.client('kms', region_name=region)\n    response = client.encrypt(\n        KeyId='alias/your_kms_key',\n        Plaintext='Do not forget to delete the real plain text when done'\n    )\n\n    ciphertext = response['CiphertextBlob']\n    # Return a str rather than bytes so the Lambda response is JSON-serializable\n    return base64.b64encode(ciphertext).decode('utf-8')\n```\n\n- Manage your Private Keys .pem files and passwords outside of this repo.\n- Update your bless_deploy.cfg with your Private Key's filename and encrypted passwords.\n- Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing a new Lambda .zip\n- Set the permissions of ./lambda_configs/ca_key_name.pem to 444.\n\nYou can now provide your private key and/or encrypted private key password via the lambda environment or config file.\nIn the `[Bless CA]` section, you can set `ca_private_key` instead of the `ca_private_key_file` with a base64 encoded\nversion of your .pem (e.g. `cat key.pem | base64` ).\n\nBecause every config file option is supported in the environment, you can also just set `bless_ca_default_password`\nand/or `bless_ca_ca_private_key`.  Due to limits on AWS Lambda environment variables, you'll need to compress RSA 4096\nprivate keys, which you can now do by setting `bless_ca_ca_private_key_compression`. For example, set \n`bless_ca_ca_private_key_compression = bz2` and `bless_ca_ca_private_key` to the output of \n`cat ca-key.pem | bzip2 | base64`.\n\n### BLESS Config File\n- Refer to the [Example BLESS Config File](bless/config/bless_deploy_example.cfg) and its\nincluded documentation.\n- Manage your bless_deploy.cfg files outside of this repo.\n- Provide your desired ./lambda_configs/bless_deploy.cfg prior to Publishing a new Lambda .zip\n- The required [Bless CA] option values must be set for your environment.\n- Every option can be changed in the environment. The environment variable name is constructed\nas section_name_option_name (all lowercase, spaces replaced with underscores).\n\n### Publish Lambda .zip\n- Provide your desired ./lambda_configs/ca_key_name.pem prior to Publishing\n- Provide your desired [BLESS Config File](bless/config/bless_deploy_example.cfg) at\n./lambda_configs/bless_deploy.cfg prior to Publishing\n- Provide the [compiled dependencies](#compiling-bless-lambda-dependencies) at ./aws_lambda_libs\n- run:\n```\n(venv) $ make publish\n```\n\n- deploy ./publish/bless_lambda.zip to AWS via the AWS Console,\n[AWS SDK](http://boto3.readthedocs.io/en/latest/reference/services/lambda.html), or\n[S3](https://aws.amazon.com/blogs/compute/new-deployment-options-for-aws-lambda/)\n- remember to deploy it to all regions.\n\n\n### Lambda Requirements\nYou should deploy this function into its own AWS account to limit who has access to modify the\ncode, configs, or IAM Policies.  An isolated account also limits who has access to the KMS keys\nused to protect the SSH CA Key.\n\nThe BLESS Lambda function should run as its own IAM Role and will need access to an AWS KMS Key in\neach region where the function is deployed.  The BLESS IAM Role will also need permission to obtain\nrandomness from KMS (kms:GenerateRandom) and permissions for logging to CloudWatch Logs\n(logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).\n\n## Using BLESS\nAfter you have [deployed BLESS](#deployment) you can run the sample [BLESS Client](bless_client/bless_client.py)\nfrom a system with access to the required [AWS Credentials](http://boto3.readthedocs.io/en/latest/guide/configuration.html).\nThis client is really just a proof of concept to validate that you have a functional lambda being called with valid\nIAM credentials.\n\n    (venv) $ ./bless_client.py region lambda_function_name bastion_user bastion_user_ip remote_usernames bastion_source_ip bastion_command \u003cid_rsa.pub to sign\u003e \u003coutput id_rsa-cert.pub\u003e\n\n\n## Verifying Certificates\nYou can inspect the contents of a certificate with ssh-keygen directly:\n\n    $ ssh-keygen -L -f your-cert.pub\n\n## Enabling BLESS Certificates On Servers\nAdd the following line to `/etc/ssh/sshd_config`:\n\n    TrustedUserCAKeys /etc/ssh/cas.pub\n\nAdd a new file, owned by and only writable by root, at `/etc/ssh/cas.pub` with the contents:\n\n    ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an SSH CA\n    ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA\n    ssh-rsa AAAAB3NzaC1yc2EAAAADAQ…  #id_rsa.pub of an offline SSH CA 2\n\nTo simplify SSH CA Key rotation you should provision multiple CA Keys, and leave them offline until\nyou are ready to rotate them.\n\nAdditional information about the TrustedUserCAKeys file is [here](https://www.freebsd.org/cgi/man.cgi?sshd_config(5))\n\n## Project resources\n- Source code \u003chttps://github.com/netflix/bless\u003e\n- Issue tracker \u003chttps://github.com/netflix/bless/issues\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetflix%2Fbless","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetflix%2Fbless","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetflix%2Fbless/lists"}