Network Attack Defense: SSH PKI authentication on endpoint outbound connections
Network Attack Defense protection for SSH uses a modified version of libssh to proxy client connections to the product, which then connects to the remote server. Client-product and product-remote server connections are only established at the transport layer.
Before accepting connections, the proxy initializes its server by loading the SSH host keys in /opt/bitdefender-security-tools/etc/ssh. It tries ssh_host_rsa_key, then ssh_host_ed25519_key and finally ssh_host_ecdsa_key; the first one found is used. If none is found, a completely new set of host keys is generated automatically and the RSA one is used.
The directory layout of /opt/bitdefender-security-tools/etc/ssh is a copy of the one found on VMware ESXi (5.0 and later). Additionally, for each user, a directory /opt/bitdefender-security-tools/etc/ssh/keys-$user holds that user's private keys and, optionally, an authorized_keys file. The authorized_keys file is required when the proxy manages to authenticate to the remote host using one of the user's private keys, because the client must then authenticate to the proxy with a key listed in it.
Check the following directory contents example:

# ls -lR etc/ssh/
etc/ssh/:
total 24
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:47 keys-root
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:50 keys-test
-rw-------. 1 root bitdefender  241 Oct  6 02:42 ssh_host_ecdsa_key
-rw-------. 1 root bitdefender  180 Oct  6 02:42 ssh_host_ecdsa_key.pub
-rw-------. 1 root bitdefender  395 Oct  6 02:42 ssh_host_ed25519_key
-rw-------. 1 root bitdefender  100 Oct  6 02:42 ssh_host_ed25519_key.pub
-rw-------. 1 root bitdefender 3272 Oct  6 02:42 ssh_host_rsa_key
-rw-------. 1 root bitdefender  744 Oct  6 02:42 ssh_host_rsa_key.pub

etc/ssh/keys-root:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:47 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 22  2021 id_rsa
-rw-------. 1 root bitdefender  400 Oct 22  2021 id_rsa.pub

etc/ssh/keys-test:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:50 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 11 15:50 id_rsa
-rw-------. 1 root bitdefender  400 Oct 11 15:50 id_rsa.pub
The authentication flow is as follows:

1. The proxy advertises the none authentication method to the client in order to capture the user name.
2. The proxy initializes the connection to the remote server.
3. The proxy loads all private keys found in /etc/ssh/keys-$user (if any).
4. If none of the user's private keys could be used to authenticate to the remote server, or if the PKI authentication with the client failed, the proxy enters MITM mode in order to give the client the chance to try password authentication directly.
Configuring authentication with SSH Keys when Network Attack Defense is enabled
When installing Bitdefender Endpoint Security Tools for Linux with Network Attack Defense and SSH/SCP protocol support enabled, the following steps are needed if PKI is used:

1. Move all personal keys into /opt/bitdefender-security-tools/etc/ssh/keys-$user, where $user is the one with which you authenticate to the remote server (not necessarily your current user).
2. Generate a new personal key pair using ssh-keygen and install the public key in /opt/bitdefender-security-tools/etc/ssh/keys-$user/authorized_keys.
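The following POSIX shell script is an added example, not Bitdefender's own tooling: it reproduces the host-key lookup order described earlier, performs the two PKI setup steps above for a given user, and checks the resulting keys-$user directory. It assumes, beyond what the page states, that every file in keys-$user should carry the owner-only 0600 mode shown in the directory listing, and the function names and the SSH_ROOT variable are the example's own.

```shell
#!/bin/sh
# Added example, not Bitdefender's own tooling. Prepares and checks the
# per-user key directory read by the Network Attack Defense SSH proxy.
# Assumption (not stated on the page): the proxy expects the same owner-only
# (0600) mode that the directory listing above shows on every key file.
SSH_ROOT="${SSH_ROOT:-/opt/bitdefender-security-tools/etc/ssh}"

# nad_host_key ROOT: name the host key the proxy will load, in the lookup
# order described above (RSA, then Ed25519, then ECDSA); "generate" if none.
nad_host_key() {
    for k in ssh_host_rsa_key ssh_host_ed25519_key ssh_host_ecdsa_key; do
        [ -f "$1/$k" ] && { echo "$k"; return 0; }
    done
    echo "generate"; return 1
}

# nad_setup_user ROOT USER OLD_KEY NEW_KEY: step 1 moves the existing personal
# key pair (used towards the remote server) into keys-$USER; step 2 generates
# a fresh client key pair at NEW_KEY and installs its public half in
# keys-$USER/authorized_keys. Requires ssh-keygen.
nad_setup_user() {
    dir="$1/keys-$2"
    mkdir -p "$dir" && chmod 755 "$dir"
    mv "$3" "$dir/" || return 1
    [ -f "$3.pub" ] && mv "$3.pub" "$dir/"
    ssh-keygen -q -t ed25519 -N '' -C "nad-client-$2" -f "$4" || return 1
    cat "$4.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir"/*
}

# nad_check_user ROOT USER: keys-$USER must hold at least one private key and
# an authorized_keys file, and every file must be mode 0600. Prints "ok".
nad_check_user() {
    dir="$1/keys-$2"; found=0
    [ -f "$dir/authorized_keys" ] || { echo "missing $dir/authorized_keys"; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in authorized_keys|*.pub) ;; *) found=1 ;; esac
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = "600" ] || { echo "mode $mode on $f, expected 600"; return 1; }
    done
    [ "$found" = 1 ] || { echo "no private key in $dir"; return 1; }
    echo "ok"
}

# Usage: nad_host_key "$SSH_ROOT"; nad_check_user "$SSH_ROOT" root
```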