I began analysis for an article on how you can add a honeytrap to a GitHub repo. The concept behind a honeypot weak point is {that a} hacker will comply with by on it and make his/her presence recognized within the course of.Â
My plan was to position a GitHub private entry token in an Ansible vault protected by a weak password. Ought to an attacker crack the password and use the token to clone the personal repository, a webhook ought to have triggered and mailed a notification that the honeypot repo has been cloned and the password cracked.Â
Sadly, GitHub appears to not permit webhooks to be triggered after cloning, as is the case for a few of its higher-level actions. This set me pondering that platforms as standalone methods will not be designed with Dev(Sec)Ops integration in thoughts. DevOps engineers need to chew the bullet and at all times discover methods to safe pipelines end-to-end. I, subsequently, as a substitute determined to research how you can forestall code theft utilizing tokens or personal keys gained by nefarious means.Â
Prevention Is Higher Than Detection
It isn’t greatest observe to have secret materials on exhausting drives pondering that root-only entry is enough safety. Any system administrator or hacker that’s elevated to root can view the key within the open. They need to, fairly, be stored inside {Hardware} Safety Modules (HSMs) or a secret supervisor, on the very least. Moreover, tokens and personal keys ought to by no means be handed in as command line arguments since they may be written to a log file.Â
A option to remedy this downside is to utilize a super-secret grasp key to provoke proceedings and finalize utilizing short-lived lesser keys. That is just like the issue of sharing the primary key in utilized cryptography. As soon as the primary key has been agreed upon, successive transactions might be secured utilizing session keys. It goes past saying that the primary key must be saved in {Hardware} Safety Modules, and all operations in opposition to it need to occur inside an HSM.
I made a decision to check out one thing related when Ansible clones personal Git repositories. Though I’ll illustrate on the hand of GitHub, I’m fairly positive one thing related might be arrange for different Git platforms as properly.
First Key
GitHub private entry tokens can be utilized to carry out a variety of actions in your GitHub account and its repositories. It authenticates and authorizes from each the command line and the GitHub API. It clearly can function the primary key. Â
Private entry tokens are created by clicking your avatar within the prime proper and deciding on Settings:
A left nav panel ought to seem from the place you choose Developer settings:
The menu for private entry tokens will show the place you may create the token:
I created a basic token and gave it the next scopes/permissions: repo, admin:public_key, consumer, and admin:gpg_key. Take care to retailer the token in a good secret supervisor from the place it may be copied and pasted when the Ansible play asks for it when it begins. This secret supervisor ought to clear the copy buffer after just a few seconds to forestall assaults using consideration diversion.
vars_prompt:
- identify: github_token
immediate: "Enter your github private entry token?"
personal: true
Establishing the Session
GitHub deployment keys give entry to personal repositories. They are often created by an API name or from the repo’s prime menu by clicking on Settings:
With the non-public entry token as the primary key, a deployment key can end the operation because the session key. Particularly, Ansible authenticates itself utilizing the token, creates the deployment key, authorizes the clone, and deletes it instantly afterward.Â
The code from my previous post relied on including Git URLs that comprise the tokens to the Ansible vault. This has now been improved to make use of momentary keys as envisioned on this put up. An Ansible function supplied by Asif Mahmud has been amended for this as might be seen within the standard GitHub repo. The essential snippets are:
- identify: Add SSH public key to GitHub account
ansible.builtin.uri:
url: "https://api.{{ git_server_fqdn }}/repos/{{ github_account_id }}/{{ repo }}/keys"
validate_certs: sure
technique: POST
force_basic_auth: true
physique:
title: "{{ key_title }}"
key: "{{ key_content.stdout }}"
read_only: true
body_format: json
headers:
Settle for: utility/vnd.github+json
X-GitHub-Api-Model: 2022-11-28
Authorization: "Bearer {{ github_access_token }}"
status_code:
- 201
- 422
register: create_result
The GitHub API is used so as to add the deploy key to the personal repository. Notice the usage of the entry token typed in at first of play to authenticate and authorize the request.
- identify: Clone the repository
shell: |
GIT_SSH_COMMAND="ssh -i {{ key_path }} -v -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" {{ git_executable }} clone git@{{ git_server_fqdn }}:{{ github_account_id }}/{{ repo }}.git {{ clone_dest }}
- identify: Swap department
shell: "{{ git_executable }} checkout {{ department }}"
args:
chdir: "{{ clone_dest }}"
The repo is cloned, adopted by a swap to the required department.
- identify: Delete SSH public key
ansible.builtin.uri:
url: "https://api.{{ git_server_fqdn }}/repos/{{ github_account_id }}/{{ repo }}/keys/{{ create_result.json.id }}"
validate_certs: sure
technique: DELETE
force_basic_auth: true
headers:
Settle for: utility/vnd.github+json
X-GitHub-Api-Model: 2022-11-28
Authorization: "Bearer {{ github_access_token }}"
status_code:
- 204
Deletion of the deployment key occurs immediately after the clone and swap, once more by way of the API.
Conclusion
The brief lifetime of the deployment key enhances the safety of the DevOps pipeline tremendously. Solely the token must be stored secured always as is the case for any first key. Ideally, it’s best to combine Ansible with a suitable HSM platform.Â
I thank Asif Mahmud for utilizing their code for example the idea of utilizing momentary session keys when cloning personal Git repositories.
