The SSH server will control access. There are multiple options available for matching in SSH configuration files. Below is example in /etc/ssh/sshd_config of matching different principals which are referred to as roles in Pritunl Zero for user example1 and example2. The /etc/ssh/principals_example1 and /etc/ssh/principals_example2 files can then contain a list of Pritunl Zero roles that will permit access to that user if the Pritunl Zero user has a matching role. The Match all line will close out the previous Match statement. There are multiple Match paremeters available including Match host to create rules for specific client IP addresses.
Match user example1
TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals_example1
Match user example2
TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals_example2
Match all
If I have 200 users who may need access, and I want attribution to each of the users – I would need 200 user matches configured across each system? Basically assigning a named role for each?
The system is designed around role based access with groups of users being assigned different roles. Each user would need to be assigned a unique role to control access for individual users.
We’re evaluating Pritunl Zero, run into same issue. Figured a workaround but it requires clunky sidecar with extraneous access to the database or patching pritunl and we’re not really fond of maintaining our own fork. Sadly that failure to differentiate users feels to be considered a feature not a bug
We like the system very much, hoping Zach will figure out a better way of dealing with the problem.
I’m not aware of any option with SSH to get each Pritunl Zero user to map to Linux users without adding client software on every server. Installing a client on every server just to get users mapped isn’t likely to have a lot of usage by users.