Feature: zerotrust with credentials #2119
Comments
chifu1234
changed the title
|
Hi @chifu1234, this feature is already being considered for the roadmap, but I will leave this post open so that the community can show interest with their upvotes. |
|
@xingluw Is my understanding correct that a first iteration of this feature request was implemented in Thanks! |
|
Hi @karras, that is correct, it will only be available in HCP Boundary and there are no plans to implement this in OSS at this time. |
|
I get that you want to make money to pay back all investors. But pushing for HCP (hosted cloud) of an auth-tool doesn't make sense to me. When you get hacked (will happen) or are down (will also happen) we'll have a big problem. I honestly don't see any benefit to HCP here. Is there a paid offering where the injection feature is available? We're a ~10 people company and pay for several "pro" versions of open-source products. For "boundary pro" a fee per user and month would make sense for us. It should still be OS and we'd manage/host it, but there would be a license requirement and telemetry could report number of users back to HashiCorp for billing. Any plans for such a thing? |
|
@sandstrom first off thank you for the interest in Boundary and for giving feedback to drive the product's direction. [Update] there is now a self-managed Enterprise offering of Boundary available that includes enterprise support and premium features such as credential injection, multi-hop sessions, and session recording. Learn more about Boundary Enterprise here. Moving forward we will continue to invest in all editions of Boundary: Boundary OSS, HCP Boundary (Boundary's cloud service), and Boundary Enterprise. This includes: Investing in HCP Boundary security and availability Continuing to build a compelling Boundary OSS offering |
|
Thanks for answering @PPacent! For us to choose hosted Boundary, it would likely need to be engineered in such a way that even if you are hacked, the hacker wouldn't get access to our systems. Not an impossible engineering challenge, but not a super-easy one either and would likely require us to spin up nodes that does the actual auth, signs them and passes them along to your hosted stuff. At which point there is little use in spreading out the service across components hosted both by you and by us. For example, we do use hosted 1Password since it's E2E. But doing a zero-trust auth-service is going to be trickier 😄 We love hosted stuff in general, but I'd say that server access is probably one of very few things that we prefer to maintain our selves. I looked around a bit more, and found this blog post of yours from about a year ago: Something like that, but with Boundary, would also work for us. In that case we could use brokered credentials, since they are short-lived. I also found this open issue, which I think may be the blocker to unlocking the solution described in that blog post: #1768 |
|
You should really reconsider your stance on this issue. I'm sure there's lots of money to be made on support contracts like what oracle does. I work in a large IT company (7000 employees or so) that currently has a somewhat unpleasant UX for the auth process. Boundary with credential injection would be really great, but there's just no chance of convincing anyone to do a transition to a cloud based service - it's on-prem or nothing. |
|
For us, it was also a big shock now, that we invested a few days setting up Boundary OSS (as our customer is not allowing hosted services from US corps..), after evaluating everything with HCP and to realize now, that all needed features don't work. We would need to switch from SSH certs back to SSH passwords in order for boundary to be able to broker it .. an awful experience. |
|
Same here: Only after setting up a test environment I found out, that "credential injection", something I considered as the core feature of boundary, doesn't work on premise. Currently, the OSS version of boundary is not much more than a password manager with team capabilities, combined with an SSH client - but much more complicated to setup, use and maintain. |
|
Hi all - @chifu1234, to your original request on this thread, Boundary now supports credential injection in HCP Boundary as well as Boundary Enterprise (customer-hosted version of Boundary). With credential injection, the user never sees the credential required to authenticate to the target. This provides a passwordless experience for the user, as the worker does both session establishment and authentication to the target on behalf of the user. We currently support credential injection for SSH credentials and plan to expand to other types of protocols in the future. You can learn more about credential injection here. @jory3, @JannikZed, @simonfelding, @sandstrom - there is now self-managed edition of Boundary that supports credential injection. Boundary Enterprise is now available which includes all premium features of Boundary - including credential injection, multi-hop sessions, and session recording. You can learn more here. |
|
That's nice, thank you for listening!
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: PPacent ***@***.***>
Sent: Wednesday, August 2, 2023 4:47:59 PM
To: hashicorp/boundary ***@***.***>
Cc: simonfelding ***@***.***>; Mention ***@***.***>
Subject: Re: [hashicorp/boundary] Feature: zerotrust with credentials (Issue #2119)
Hi all - @chifu1234<https://github.com/chifu1234>, to your original request on this thread, Boundary now supports credential injection in HCP Boundary as well as Boundary Enterprise (customer-hosted version of Boundary). With credential injection, the user never sees the credential required to authenticate to the target. This provides a passwordless experience for the user, as the worker does both session establishment and authentication to the target on behalf of the user. We currently support credential injection for SSH credentials and plan to expand to other types of protocols in the future. You can learn more about credential injection here<https://developer.hashicorp.com/boundary/docs/concepts/credential-management#credential-injection-hcp-ent>.
@jory3<https://github.com/jory3>, @JannikZed<https://github.com/JannikZed>, @simonfelding<https://github.com/simonfelding>, @sandstrom<https://github.com/sandstrom> - there is now self-managed edition of Boundary that supports credential injection. Boundary Enterprise is now available which includes all premium features of Boundary - including credential injection, multi-hop sessions<https://www.hashicorp.com/blog/boundary-0-12-introduces-multi-hop-sessions-and-ssh-certificate-injection>, and session recording. You can learn more here<https://www.hashicorp.com/blog/boundary-0-13-introduces-ssh-session-recording-boundary-enterprise-and-more?ajs_aid=617143ca-c122-4daf-a7b1-5aa551a27a8a&product_intent=boundary>.
—
Reply to this email directly, view it on GitHub<#2119 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKYOW75KXAHGQYCEQUQ2R2TXTJSB7ANCNFSM5XQWX4MA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Is your feature request related to a problem? Please describe.
Today the user has full access(read) to the cred store & thus knows all credentials. This mechanism sometimes leaks some vulnerable information to the end-user & it reduces the user experience as they have to enter the credentials to the session.
Describe the solution you'd like
Boundary acts as ssh or RDP proxy. The admin can set propriety to a credential that the end-user does not have read or write access to these credential. If a user tries to connect to a system with ssh/RDP, the boundary proxy (worker) performs the authentication and then proxies the session back to the end-user.
Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: