Pritunl zero ssh - all users?

SERVER: domain
SSH_KEY: ~/.ssh/id_rsa.pub
OPEN: domain/ssh?ssh-token=REDACTED
CERTIFICATE: ~/.ssh/id_rsa-cert.pub
SSH_CONFIG: ~/.ssh/config
Successfully validated SSH key

ssh -i id_rsa.pub user@host.x.y

Any username works… user1, root, user2, etc…
How does the cert get bound to a single user, or is this a bug?

The SSH server will control access. There are multiple options available for matching in SSH configuration files. Below is an example in /etc/ssh/sshd_config of matching different principals, which are referred to as roles in Pritunl Zero, for users example1 and example2. The /etc/ssh/principals_example1 and /etc/ssh/principals_example2 files can then contain a list of Pritunl Zero roles that will permit access to that user if the Pritunl Zero user has a matching role. The Match all line will close out the previous Match statement. There are multiple Match parameters available, including Match host to create rules for specific client IP addresses.

Match user example1
    TrustedUserCAKeys /etc/ssh/trusted
    AuthorizedPrincipalsFile /etc/ssh/principals_example1
Match user example2
    TrustedUserCAKeys /etc/ssh/trusted
    AuthorizedPrincipalsFile /etc/ssh/principals_example2
Match all

If I have 200 users who may need access, and I want attribution to each of the users – I would need 200 user matches configured across each system? Basically assigning a named role for each?

The system is designed around role based access with groups of users being assigned different roles. Each user would need to be assigned a unique role to control access for individual users.
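To make the per-user mapping concrete, here is an added example (not code from the thread or from Pritunl) that generates the Match blocks and principals files from a mapping of Linux accounts to Pritunl Zero roles, and mirrors the principal check sshd applies. Role names and the sample mapping are constructed; the file paths follow the naming used in the reply above.

```python
# Added example (not from the Pritunl forum thread): build the per-user
# sshd_config Match blocks and the AuthorizedPrincipalsFile contents from a
# mapping of Linux accounts to the Pritunl Zero roles allowed to log in as them,
# then simulate sshd's principal check. Role names are constructed.
from typing import Dict, List

TRUSTED_CA = "/etc/ssh/trusted"  # TrustedUserCAKeys path used in the thread


def principals_path(user: str) -> str:
    """Per-user AuthorizedPrincipalsFile, following the thread's naming."""
    return f"/etc/ssh/principals_{user}"


def render_sshd_match_blocks(access: Dict[str, List[str]]) -> str:
    """One 'Match user' block per Linux account, closed by 'Match all'."""
    lines = []
    for user in sorted(access):
        lines.append(f"Match user {user}")
        lines.append(f"    TrustedUserCAKeys {TRUSTED_CA}")
        lines.append(f"    AuthorizedPrincipalsFile {principals_path(user)}")
    lines.append("Match all")
    return "\n".join(lines) + "\n"


def render_principals_files(access: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each principals file path to its contents (one role per line)."""
    return {principals_path(u): "\n".join(r) + "\n" for u, r in access.items()}


def sshd_allows(access: Dict[str, List[str]], target_user: str,
                cert_principals: List[str]) -> bool:
    """Model of sshd's decision under the config above: the certificate must
    carry at least one principal listed in the target account's principals
    file. Accounts without a Match block are treated as denied in this model
    (assumption: no global TrustedUserCAKeys outside the Match blocks)."""
    allowed = set(access.get(target_user, []))
    return bool(allowed & set(cert_principals))


# Constructed sample: Pritunl Zero roles appear as principals in the cert.
ACCESS = {
    "example1": ["role-example1", "admins"],
    "example2": ["role-example2"],
}

if __name__ == "__main__":
    print(render_sshd_match_blocks(ACCESS))
    for path, body in render_principals_files(ACCESS).items():
        print(f"# {path}\n{body}")
```

With one unique role per person, the same generator scales the mapping to as many accounts as needed, which is the per-user attribution the follow-up question asks about.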

Hi dskillin,

We’re evaluating Pritunl Zero and ran into the same issue. Figured out a workaround, but it requires a clunky sidecar with extraneous access to the database or patching Pritunl, and we’re not really fond of maintaining our own fork. Sadly that failure to differentiate users seems to be considered a feature, not a bug :slightly_frowning_face:

We like the system very much, hoping Zach will figure out a better way of dealing with the problem.

I’m not aware of any option with SSH to get each Pritunl Zero user to map to Linux users without adding client software on every server. Installing a client on every server just to get users mapped isn’t likely to have a lot of usage by users.