Posted at: 2016-10-25 @ 07:59:08
Today I'm announcing the release of an authentication module for OpenVPN that uses DynamoDB as its credential store:
Check it out on github: https://github.com/adcreare/openvpn-dynamodb-authenticator
Installation is as simple as downloading the latest release of the gem file from https://github.com/adcreare/openvpn-dynamodb-authenticator/releases/latest and performing the install:
sudo gem install openvpn-dynamodb-authenticator-*.gem
This tool was designed specifically for AWS OpenVPN bastion hosts.
AWS best practices tell us that when we deploy a VPC we should also deploy a bastion host for remote administration and management of the instances inside our VPC.
Even if you have a Direct Connect or VPC-level VPN to your corporate datacenter or office, it is still recommended to have a bastion host for your AWS environment, for a few reasons.
The day you most need to access instances inside your VPC will be the day that the corporate datacenter is having problems.
Personally I also like to separate my administration traffic from my application-related traffic. Direct Connects and VPC VPN connections in my view are for that, not for administration.
Having all administration traffic running through a central host also provides a degree of auditing and control of that traffic. After all, we don't really need our bastion that much, because we shouldn't be making non-scripted manual changes to our instances, right? :)
One of the commonly suggested options is using SSH and port forwarding. Anyone who has ever used that is sure to know why it is painful and does not scale.
My preference is to use the open-source OpenVPN TLS/SSL VPN product to provide this access.
In addition to the standard private and public key pairs required, I also enforce usernames and passwords. I find users tend to expect this (even if they don't need it) and it also makes user management by the operations team simpler.
By default usernames and passwords are stored in the standard Linux password files, namely /etc/passwd for user details and /etc/shadow for the hashed passwords, and OpenVPN asks the system at logon whether the supplied credentials match.
The trouble with this is that managing these accounts is a pain and they are tied to the VPN server instance. This can cause issues if that instance fails or is terminated, or if I want highly available bastion hosts in an Auto Scaling group behind an Elastic Load Balancer. For that I need a shared credential store, and hence this module was born.
OpenVPN is configured to call this module at logon, and the module checks the supplied credentials against a DynamoDB table. The module supports the same hash format as /etc/shadow, for simple migration from an existing credential store.
I only support the newer ID 6 format for encrypted passwords used by glibc 2.7 and above, which is a SHA-512 hash combined with a random salt, as per the crypt(3) man page.
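As an added illustration (this is not the gem's own code), here is the logon check described above written in Ruby: a user record holding a shadow-style "$6$" string is looked up, crypt(3) is re-run with the stored salt, and the result is compared in constant time. It assumes an in-memory hash standing in for the DynamoDB table (the real table layout is not given here) and a system crypt(3) that supports the ID 6 method, i.e. glibc 2.7 or later.

```ruby
require 'securerandom'

# Constructed stand-in for the DynamoDB table: one item per VPN user, with the
# password stored in /etc/shadow "$6$<salt>$<hash>" form. The attribute names
# are hypothetical; only the hash format matches what the post describes.
CREDENTIAL_TABLE = {}

# Build a shadow-compatible SHA-512 crypt string for a new user. String#crypt
# calls the system crypt(3), so the ID 6 method must be available (glibc >= 2.7).
# Salt characters are drawn from the [a-zA-Z0-9] subset crypt(3) accepts.
def shadow_sha512(password, salt = SecureRandom.alphanumeric(16))
  password.crypt("$6$#{salt}$")
end

# Seed an item the way an operator would when migrating from /etc/shadow.
def add_user(username, password)
  CREDENTIAL_TABLE[username] = { 'username' => username,
                                 'password' => shadow_sha512(password) }
end

# Compare two strings without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check OpenVPN's auth hook would run at logon.
def authenticate(username, password)
  item = CREDENTIAL_TABLE[username]
  return false if item.nil?
  stored = item['password']
  # Only the ID 6 (SHA-512) format is accepted; MD5/DES entries are rejected.
  return false unless stored.start_with?('$6$')
  # Everything up to and including the last '$' is the setting string
  # ("$6$<salt>$", or "$6$rounds=N$<salt>$"), which crypt(3) needs verbatim.
  setting = stored[0, stored.rindex('$') + 1]
  candidate = password.crypt(setting)
  constant_time_equal?(candidate, stored)
end
```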
Check it out, and feel free to fork it and send pull requests with any changes!