Skip to main content

Network Attack Defense: SSH PKI authentication on endpoint outbound connections

Network Attack Defense protection for SSH uses a modified version of libssh to proxy client connections to the product, which then connects to the remote server. Client-product and product-remote server connections are only established at the transport layer.

Before accepting connections, the proxy initializes its server by loading the SSH keys in /opt/bitdefender-security-tools/etc/ssh.

It tries ssh_host_rsa_key, ssh_host_ed25518_key and finally ssh_host_ecdsa_key.

The first one that is found will be used. However, if none is found, a completely new pair of keys is automatically generated and the RSA one is used.

The directory layout of /opt/bitdefender-security-tools/etc/ssh is a copy of the one found on VMware ESXi (5.0 and later). Additionally, for each user in /opt/bitdefender-security-tools/etc/ssh/keys-$user, besides the private keys, an authorized_keys file can be configured. This will be required if the proxy manages to authenticate to the remote host using one of the user private keys.

Check the following directory contents example:

# ls -lR etc/ssh/
etc/ssh/:
total 24
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:47 keys-root
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:50 keys-test
-rw-------. 1 root bitdefender  241 Oct  6 02:42 ssh_host_ecdsa_key
-rw-------. 1 root bitdefender  180 Oct  6 02:42 ssh_host_ecdsa_key.pub
-rw-------. 1 root bitdefender  395 Oct  6 02:42 ssh_host_ed25519_key
-rw-------. 1 root bitdefender  100 Oct  6 02:42 ssh_host_ed25519_key.pub
-rw-------. 1 root bitdefender 3272 Oct  6 02:42 ssh_host_rsa_key
-rw-------. 1 root bitdefender  744 Oct  6 02:42 ssh_host_rsa_key.pub

etc/ssh/keys-root:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:47 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 22  2021 id_rsa
-rw-------. 1 root bitdefender  400 Oct 22  2021 id_rsa.pub

etc/ssh/keys-test:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:50 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 11 15:50 id_rsa
-rw-------. 1 root bitdefender  400 Oct 11 15:50 id_rsa.pub

The authentication flow is as follows:

  • The proxy advertises the none authentication method to the client in order to capture the user name.

  • The proxy initializes the connection to the remote server.

  • The proxy loads all private keys found in /etc/ssh/keys-$user (if any).

  • If none of the user’s private keys could be used to authenticate to the remote server or if the PKI authentication with the client failed, the proxy enters MITM mode in order to give the client the chance to try password authentication directly.

Configuring authentication with SSH Keys when Network Attack Defense is enabled

When installing Bitdefender Endpoint Security Tools for Linux with Network Attack Defense and SSH/SCP protocol support enabled, the following steps will be needed if PKI is used:

  • Move all personal keys into /opt/bitdefender-security-tools/etc/ssh/keys-$user , where $user is the one with which you authenticate to the remote server (not necessarily your current user).

  • Generate a new personal key-pair using ssh-keygen and install the public key in /opt/bitdefender-security-tools/etc/ssh/keys-$user/authorized_keys.