Pritunl-zero SSH bastion allows login as any user?

I don’t think there is any option to associate a Linux user with a specific Pritunl Zero user

If you see my previous post: if we encode the username in the certificate or find a way to validate the user ID with the pritunl-zero server, that would work, right?

I mean I thought of:

  • giving the bastion read-only access to MongoDB to query for the user ID; considered this a really bad idea
  • developing a service real quick that would run alongside pritunl-zero, query the database and validate accounts; consider this to defy the entire idea of SSH certificates
  • patching pritunl-zero to encode the needed information in the certificate; liked this idea the most

I’m now running a patched version of pritunl-zero (encoding usr.Username instead of usr.Id, and on the bastion using a command that validates not only the principals but also matches the KeyID against the login username). It’s working pretty well.

Trouble is that I don’t really feel like maintaining my fork, and I’m hoping you could figure out an even better way to deal with the problem.
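The bastion-side check the post describes (accept a certificate for a login only when its KeyID equals the login username and that username is among the certificate's principals) can be done in an `AuthorizedPrincipalsCommand`. The script below is an added example written for this thread; it is not the poster's patch nor pritunl-zero's code. It parses the OpenSSH `ssh-ed25519-cert-v01@openssh.com` wire format directly, so it runs offline; the sample certificate it builds is constructed and unsigned (sshd has already verified the CA signature against `TrustedUserCAKeys` before it consults this command, so the command only inspects identity fields). The script name `check_cert_keyid` and the `%u %k` argument order are assumptions for the sshd_config line given in the note.

```python
#!/usr/bin/env python3
"""AuthorizedPrincipalsCommand helper: print the login name as the only
allowed principal iff the certificate's KeyID equals the login name and
the login name is listed in the certificate's valid principals.
Example code for the thread above, not part of pritunl-zero."""
import base64
import struct
import sys

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH certificate type field: 1 = user, 2 = host


# --- minimal RFC 4251 wire helpers (string = uint32 length + bytes) ---
def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated SSH string")
        self.pos += n
        return s

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v


def parse_cert(blob: bytes) -> dict:
    """Decode the identity fields of an ed25519 OpenSSH user certificate."""
    r = _Reader(blob)
    if r.string().decode() != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate")
    r.string()                      # nonce
    r.string()                      # user public key
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    plist = r.string()              # principals: packed list of strings
    pr, principals = _Reader(plist), []
    while pr.pos < len(plist):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()   # critical options, extensions, reserved
    r.string(); r.string()               # CA key, signature (verified by sshd, not here)
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def authorized_principals(cert_b64: str, login_user: str) -> list:
    """Principals to allow for login_user: [login_user] or [] (deny)."""
    try:
        cert = parse_cert(base64.b64decode(cert_b64))
    except (ValueError, struct.error):
        return []
    if cert["type"] != USER_CERT:
        return []
    # The post's rule: KeyID must be the login name, AND the login name
    # must be a principal. Either check alone lets a valid cert issued to
    # one user open a session as another local account.
    if cert["key_id"] != login_user or login_user not in cert["principals"]:
        return []
    return [login_user]


def build_sample_cert(key_id: str, principals: list) -> str:
    """Constructed, unsigned certificate for offline testing only."""
    body = _put_string(CERT_TYPE.encode())
    body += _put_string(b"\x00" * 32)            # nonce (placeholder)
    body += _put_string(b"\x11" * 32)            # user key (placeholder)
    body += struct.pack(">Q", 42) + struct.pack(">I", USER_CERT)
    body += _put_string(key_id.encode())
    body += _put_string(b"".join(_put_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2 ** 64 - 1)   # valid after / before
    body += _put_string(b"") + _put_string(b"") + _put_string(b"")
    body += _put_string(b"\x22" * 32)            # CA key (placeholder)
    body += _put_string(b"\x33" * 64)            # signature (placeholder)
    return base64.b64encode(body).decode()


if __name__ == "__main__":
    # sshd invokes: check_cert_keyid %u %k   (login name, base64 cert body)
    user, cert = sys.argv[1], sys.argv[2]
    for p in authorized_principals(cert, user):
        print(p)
```

To wire it in, sshd_config would carry `TrustedUserCAKeys` pointing at the pritunl-zero CA public key, `AuthorizedPrincipalsCommand /usr/local/bin/check_cert_keyid %u %k` and an `AuthorizedPrincipalsCommandUser` such as `nobody`. Since the command prints nothing when the KeyID and login name differ, a certificate issued to one user cannot be used to open a session as another account, even if that account appears in the principals list; the same comparison would work unchanged against the poster's `usr.Username` KeyID.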