The SSH server will control access. There are multiple options available for matching in SSH configuration files. Below is an example in /etc/ssh/sshd_config of matching different principals, which are referred to as roles in Pritunl Zero, for users example1 and example2. The /etc/ssh/principals_example1 and /etc/ssh/principals_example2 files can then contain a list of Pritunl Zero roles that will permit access to that user if the Pritunl Zero user has a matching role. The Match all line will close out the previous Match statement. There are multiple Match parameters available, including Match host to create rules for specific client IP addresses.
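Match user example1
    AuthorizedPrincipalsFile /etc/ssh/principals_example1
Match user example2
    AuthorizedPrincipalsFile /etc/ssh/principals_example2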
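An added example, not part of the original post and not Pritunl Zero's code: a small Python model of how sshd resolves the configuration described above, assuming (as the post states) that Pritunl Zero roles arrive as certificate principals. The role names and file contents are constructed, and only `Match user` and `Match all` are handled.

```python
import fnmatch

# Constructed sample following the post's description; not taken from a real host.
SSHD_CONFIG = """\
Match user example1
    AuthorizedPrincipalsFile /etc/ssh/principals_example1
Match user example2
    AuthorizedPrincipalsFile /etc/ssh/principals_example2
Match all
"""
# Constructed principals files; the role names are assumptions.
PRINCIPALS_FILES = {
    "/etc/ssh/principals_example1": "# roles allowed as example1\nadmin\n",
    "/etc/ssh/principals_example2": "admin\nops\n",
}

def principals_file_for(config, user):
    """Return the AuthorizedPrincipalsFile in effect for `user`, or None."""
    found = {True: None, False: None}  # keyed by "was it set inside a Match block?"
    in_match, applies = False, True
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match, crit = True, args[0].lower()
            applies = crit == "all" or (crit == "user" and any(
                fnmatch.fnmatchcase(user, p) for p in args[1].split(",")))
        elif key == "authorizedprincipalsfile" and applies:
            found[in_match] = found[in_match] or args[0]  # first value wins
    return found[True] or found[False]  # a matching Match block overrides global

def allowed_principals(text):
    """Principal names in a principals file; last field, so key options are skipped."""
    lines = (l.strip() for l in text.splitlines())
    return {l.split()[-1] for l in lines if l and not l.startswith("#")}

def may_login(cert_principals, linux_user):
    path = principals_file_for(SSHD_CONFIG, linux_user)
    if path is None:  # sshd default: the login name must be a cert principal
        return linux_user in cert_principals
    if path not in PRINCIPALS_FILES:
        return False  # missing file: nothing can match
    return bool(set(cert_principals) & allowed_principals(PRINCIPALS_FILES[path]))

if __name__ == "__main__":
    for roles in (["admin"], ["ops"]):
        print(roles, [u for u in ("example1", "example2") if may_login(roles, u)])
```

Two certificates carrying the same role get the same answer from `may_login`, because the decision here depends only on the principals and the target Linux user.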
We’re evaluating Pritunl Zero and have run into the same issue. Figured out a workaround, but it requires a clunky sidecar with extraneous access to the database or patching pritunl, and we’re not really fond of maintaining our own fork. Sadly, that failure to differentiate users feels to be considered a feature, not a bug.
We like the system very much, hoping Zach will figure out a better way of dealing with the problem.
I’m not aware of any option with SSH to get each Pritunl Zero user to map to Linux users without adding client software on every server. Installing a client on every server just to get users mapped isn’t likely to have a lot of usage by users.