I don’t think there is any option to associate a Linux user with a specific Pritunl Zero user.
If you see my previous post: if we encode the username in the certificate, or find a way to validate the user ID with the pritunl-zero server, that would work, right?
I mean I thought of:
- giving the bastion read-only access to MongoDB to query for the user ID; I considered this a really bad idea
- developing a service real quick that would run alongside pritunl-zero, query the database and validate accounts; I consider this to defy the entire idea of SSH certificates
- patching pritunl-zero to encode the needed information in the certificate; I liked this idea the most
I’m now running on a patched version of pritunl-zero (encoding usr.Username instead of usr.Id, and on the bastion using a command that validates not only the principals but also matches the KeyID with the login username). It’s working pretty well.
Trouble is that I don’t really feel like maintaining my fork, and I’m hoping you could figure out an even better way to deal with the problem.
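As an added illustration of the bastion-side check the post describes (matching the certificate's KeyID against the login name in addition to the normal principal check), here is a small AuthorizedPrincipalsCommand script. It is example code written for this thread, not the poster's script and not part of pritunl-zero; the script path, the CA key path and the sshd_config lines in the comments are assumptions. It relies on sshd's documented %i (key ID) and %u (login user) tokens: sshd matches the certificate's principals against whatever the command prints, so printing nothing rejects the login.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/check-keyid.sh for the bastion (example, not from the post).
#
# Assumed sshd_config lines:
#   TrustedUserCAKeys /etc/ssh/pritunl_zero_ca.pub
#   AuthorizedPrincipalsCommand /usr/local/bin/check-keyid.sh %i %u
#   AuthorizedPrincipalsCommandUser nobody
#
# With the patched pritunl-zero the KeyID (%i) carries the Pritunl Zero username.
# A login is allowed only when that KeyID equals the requested Linux login (%u);
# the login name is then printed as the single acceptable principal, so the
# certificate must still list it in its principals to pass sshd's own check.

# check_keyid KEYID LOGIN
#   Prints LOGIN and returns 0 when KEYID equals LOGIN, otherwise prints nothing
#   and returns 1 (which sshd treats as a rejection).
check_keyid() {
  keyid="$1"
  login="$2"

  # Defensive: accept only a conservative login-name character set, so that an
  # unexpected value never reaches the principal list.
  case "$login" in
    ""|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac

  if [ "$keyid" = "$login" ]; then
    printf '%s\n' "$login"
    return 0
  fi
  return 1
}

# When invoked by sshd with two arguments, act as the command itself.
if [ "$#" -eq 2 ]; then
  if check_keyid "$1" "$2"; then
    exit 0
  fi
  exit 1
fi
```

The script deliberately fails closed: any mismatch, empty value or odd character yields no principals, so a certificate whose KeyID names one user cannot be used to log in as another even if the certificate's principal list were broader than intended.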