SSH certificates allow the certificate authority (the Pritunl Zero server) to sign a public SSH key (the user's key). Servers can then be configured to accept keys signed by that certificate authority. This allows Pritunl Zero users to access any server configured with the certificate authority without adding the user's SSH key to the
A new domain will need to be created for the user web console. Currently this web console is only used to allow users to approve SSH certificate requests. The DNS for the domain should point to a Pritunl Zero node or load balancer with port 443 open. Once done, activate the User option in the node settings and then set the User Domain. The certificate for the node must also be updated to cover the user domain.
An authority represents a certificate authority; users can have keys signed by multiple authorities and servers can be configured to accept multiple authorities. Create an authority and copy the Public Key to a new file /etc/ssh/trusted on the server that will be accepting SSH connections. The Download URL can be used to download the key. Next create the file /etc/ssh/principals and add the roles, separated by newlines, that will be permitted to access this server. The lines in the principals file must match user roles in Pritunl Zero. If a user has one of the roles listed in the principals file they will have access to the server. The first line of the principals file should be set to emergency to allow access from the emergency Pritunl Zero access server, which will be released in the future. Then add the lines below to /etc/ssh/sshd_config. Once done the sshd service may need to be restarted.

```
TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals
```

Example /etc/ssh/principals file:

```
emergency
example_role1
example_role2
example_role3
```
To use a bastion host with Pritunl Zero, first configure the server to allow SSH connections and configure the other hosts to allow SSH connections from the bastion host. Then set the Bastion Host value in the authority settings. Once done the Pritunl Zero SSH client will add a ProxyJump host to the SSH configuration for all connections to the Host Domain.
Host certificates can be configured by setting the Host Domain and adding a DNS entry for each server inside that domain. The servers can then run the Pritunl Zero SSH Host Client to automatically retrieve host certificates.
Below is an example script that can be used to automate the sshd configuration on a server. Replace EXAMPLE_ROLE with the Pritunl Zero roles, separated by newlines, that will be allowed to access the server. Any user that has one of these roles will have access to the server. Replace EXAMPLE_SSH_PUB_KEY with the text in the Public Key field in the authority settings in the Pritunl Zero admin console. Separate each public key with a newline.

```shell
# Remove any existing directives so the script can be re-run safely
sudo sed -i '/^TrustedUserCAKeys/d' /etc/ssh/sshd_config
sudo sed -i '/^AuthorizedPrincipalsFile/d' /etc/ssh/sshd_config
# Trust the Pritunl Zero authority and map certificate principals to roles
sudo tee -a /etc/ssh/sshd_config << EOF
TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals
EOF
# Roles permitted to access this server, one per line
sudo tee /etc/ssh/principals << EOF
emergency
EXAMPLE_ROLE_1
EXAMPLE_ROLE_2
EXAMPLE_ROLE_3
EOF
# Authority public keys from the Pritunl Zero admin console, one per line
sudo tee /etc/ssh/trusted << EOF
ssh-rsa EXAMPLE_SSH_PUB_KEY_1
ssh-rsa EXAMPLE_SSH_PUB_KEY_2
EOF
```
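As an added example that is not part of the Pritunl Zero documentation, the check below mirrors the matching sshd performs with AuthorizedPrincipalsFile: it extracts the principals from the output of ssh-keygen -L for a signed user key and reports whether any of them appears as a line in /etc/ssh/principals. The certificate listing, the principals file content and the path /tmp/id_rsa-cert.pub are constructed samples so the script runs offline; on a real server feed it the output of ssh-keygen -L -f on the user's certificate.

```shell
#!/bin/sh
# Added example (not Pritunl's own code): pre-flight check of certificate
# principals against an /etc/ssh/principals file, the same rule sshd applies.

# Constructed sample of `ssh-keygen -L` output for a user certificate whose
# principals are the Pritunl Zero roles granted to the user.
SAMPLE_CERT_LISTING='/tmp/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:EXAMPLEFINGERPRINT
        Signing CA: RSA SHA256:EXAMPLECAFINGERPRINT (using rsa-sha2-512)
        Key ID: "user@example.com"
        Serial: 0
        Valid: from 2024-01-01T12:00:00 to 2024-01-01T12:02:00
        Principals:
                example_role2
                example_role4
        Critical Options: (none)
        Extensions:
                permit-pty'

# Constructed /etc/ssh/principals content, one role per line.
SAMPLE_PRINCIPALS='emergency
example_role1
example_role2
example_role3'

# Print the principals listed in an `ssh-keygen -L` listing, one per line.
# The block starts after "Principals:" and ends at the next "Name:" header.
cert_principals() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Principals:/ { inblock = 1; next }
        inblock && /^[[:space:]]*[A-Za-z]+.*:/ { inblock = 0 }
        inblock { gsub(/^[[:space:]]+|[[:space:]]+$/, ""); if ($0 != "") print }'
}

# Return 0 if any certificate principal is an exact line of the principals
# file (argument 2), which is the condition sshd checks before granting access.
principal_allowed() {
    listing=$1
    principals=$2
    for p in $(cert_principals "$listing"); do
        printf '%s\n' "$principals" | grep -qx -- "$p" && return 0
    done
    return 1
}

if principal_allowed "$SAMPLE_CERT_LISTING" "$SAMPLE_PRINCIPALS"; then
    echo "access would be granted: a certificate principal matches a role line"
else
    echo "access would be denied: no certificate principal matches"
fi
```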
Two-factor SSH with Pritunl Zero can be configured by enabling Authority two-factor authentication in a policy and setting a 1-2 minute certificate expiration time. When authenticating, a web browser will open prompting the user to authenticate with the two-factor provider. Once authenticated the user will be able to connect to SSH servers for the next 1-2 minutes, until they are prompted again. The user can run the command pritunl-ssh alias to configure a bash alias for ssh that runs pritunl-ssh; ssh. This runs pritunl-ssh before every SSH command to renew the certificate if it has expired.