Have you ever found the need to secure access to administrative traffic? This might be a system agent or a diagnostic endpoint for a service.
Recently I had the need to secure traffic for code examples I'm using in a book I am writing. I wanted to secure the traffic to a bunch of host machines without putting my readers (or myself) through the hassle of TLS mutual AAA or OAuth.
SSH To The Rescue
SSH seemed like the perfect solution to the problem and came with the side benefit of segmenting my serving traffic from admin traffic.
SSH is generally not exposed through a load balancer and should only be available through a VPN, from a bastion host or to services within a serving cluster. By leveraging SSH for admin traffic, I was simply consolidating administrative traffic on a port that is already set up for that purpose.
If SSH is exposed, then the box is no more at risk than it was with just the user account exposed.
To prevent any leaking locally, we can serve that traffic on a Unix domain socket. This can be set up to allow only a single user on the device to access that domain socket. External traffic reaches that domain socket over SSH and authenticates with secure keys as that local user. No internal exposure.
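The local half of this setup, as an added example that is not from the original post or the author's library: an HTTP admin endpoint bound to an owner-only Unix domain socket, plus a client that dials the socket path. The handler, the `/healthz` path and the socket location are assumptions made for illustration.

```python
import contextlib, http.client, os, socket, socketserver, stat, tempfile, threading
from http.server import BaseHTTPRequestHandler

class AdminHandler(BaseHTTPRequestHandler):  # hypothetical diagnostic endpoint
    def do_GET(self):
        ok = self.path == "/healthz"
        body = b"ok\n" if ok else b"not found\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # AF_UNIX peers have no address for the default logger

def serve_admin(sock_path):
    old = os.umask(0o177)  # socket file is created 0600 (owner only)
    try:
        server = socketserver.UnixStreamServer(sock_path, AdminHandler)
    finally:
        os.umask(old)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

class UnixHTTPConnection(http.client.HTTPConnection):  # dials a socket path
    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def admin_get(sock_path, path):
    with contextlib.closing(UnixHTTPConnection(sock_path)) as conn:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()

def demo():
    with tempfile.TemporaryDirectory(prefix="admin-") as run_dir:  # 0700 dir
        sock_path = os.path.join(run_dir, "admin.sock")
        server = serve_admin(sock_path)
        try:
            mode = stat.S_IMODE(os.stat(sock_path).st_mode)
            return (mode,) + admin_get(sock_path, "/healthz")
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

Linux enforces the 0600 mode on the socket file; the 0700 parent directory covers systems that ignore socket file permissions. A remote client can reach the socket with OpenSSH's own forwarding, for example `ssh -N -L 8080:/path/to/admin.sock user@node` (placeholder path and names).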
People trying out the exercises can simply set up a key on their bastion device that allows login to all their nodes and be ready to rock.
Time to Rock and Roll
Sound interesting and want to give it a try? I've packaged up a library that handles the SSH part of this:
Here are two examples for doing this with HTTP and gRPC:
HTTP Example
gRPC Example