SSH Certificates

Configure SSH certificate authority

SSH certificates allow the certificate authority (the Pritunl Zero server) to sign a user's public SSH key. Servers can then be configured to accept keys signed by that certificate authority. This allows Pritunl Zero users to access any server configured with the certificate authority without adding each user's SSH key to authorized_keys.

Configure User Web Console

A new domain will need to be created for the user web console. Currently this web console is only used to allow users to approve SSH certificate requests. The DNS for the domain should point to a Pritunl Zero node or load balancer with port 443 open. Once done, activate the User option in the node settings, then set the User Domain. The certificate for the node must also be updated to cover the user domain.

Configure Authority

An authority represents a certificate authority. Users can have keys signed by multiple authorities, and servers can be configured to accept multiple authorities. Create an authority and copy its Public Key to a new file, /etc/ssh/trusted, on the server that will accept SSH connections; the Download URL can be used to download the key. Next create the file /etc/ssh/principals and add, one per line, the roles that will be permitted to access this server. The lines in the principals file must match user roles in Pritunl Zero: a user who has one of the listed roles will have access to the server. The first line of the principals file should be set to emergency to allow access from the emergency Pritunl Zero access server, which will be released in the future. Then add the lines below to /etc/ssh/sshd_config. Once done the sshd service may need to be restarted.

/etc/ssh/sshd_config:

TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals

/etc/ssh/trusted (the Public Key from the authority settings):

ssh-rsa EXAMPLE_SSH_PUB_KEY

/etc/ssh/principals:

emergency
example_role1
example_role2
example_role3

Bastion Host

To use a bastion host with Pritunl Zero, first configure the bastion server to allow SSH connections and configure the other hosts to allow SSH connections from the bastion host. Then set the Bastion Host value in the authority settings. Once done, the Pritunl Zero SSH client will add a ProxyJump host to the SSH configuration for all connections to the Host Domain.

Host Certificates

Host certificates can be configured by setting the Host Domain and adding a DNS entry for each server inside that domain. The servers can then run the Pritunl Zero SSH Host Client to automatically retrieve host certificates.

Deploy Script

Below is an example script that can be used to automate the sshd configuration on a server. Replace EXAMPLE_ROLE with the Pritunl Zero roles, separated by newlines, that will be allowed to access the server; any user that has one of these roles will have access to the server. Replace EXAMPLE_SSH_PUB_KEY with the text in the Public Key field in the authority settings in the Pritunl Zero admin console, separating each public key with a newline.

sudo sed -i '/^TrustedUserCAKeys/d' /etc/ssh/sshd_config
sudo sed -i '/^AuthorizedPrincipalsFile/d' /etc/ssh/sshd_config
sudo tee -a /etc/ssh/sshd_config << EOF

TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals
EOF
sudo tee /etc/ssh/principals << EOF
emergency
EXAMPLE_ROLE_1
EXAMPLE_ROLE_2
EXAMPLE_ROLE_3
EOF
sudo tee /etc/ssh/trusted << EOF
ssh-rsa EXAMPLE_SSH_PUB_KEY_1
ssh-rsa EXAMPLE_SSH_PUB_KEY_2
EOF
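An added audit script, not part of Pritunl Zero or its documentation, that checks the three files the deploy script above writes: each sshd_config directive appears exactly once with the expected path, every line of the trusted file is a well-formed CA public key, and the principals file starts with emergency, has no blank or duplicate lines, and is not writable by others. The function names are assumptions, and the sample files and key blob are constructed for the example.

```shell
# Added audit helper (not Pritunl Zero's code). Paths are parameters so it runs
# on constructed samples; on a real host: audit_pritunl_sshd /etc/ssh/sshd_config /etc/ssh/trusted /etc/ssh/principals

# A directive must appear exactly once with the expected value. sshd honours the
# first occurrence, so a stale duplicate left by an earlier run silently wins;
# the sed -i deletes in the deploy script exist to prevent exactly that.
check_directive() {  # $1 sshd_config, $2 directive, $3 expected value
    n=$(grep -c "^$2[[:space:]]" "$1" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: $2 appears $n times in $1" >&2; return 1; }
    grep -q "^$2[[:space:]][[:space:]]*$3\$" "$1" || { echo "FAIL: $2 is not $3" >&2; return 1; }
}

# Every trusted line must be a complete CA public key (type, space, base64 blob,
# optional comment). A truncated paste means no certificate will ever verify.
check_trusted() {
    [ -s "$1" ] || { echo "FAIL: $1 is empty" >&2; return 1; }
    if grep -Evq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"; then
        echo "FAIL: $1 contains a malformed key line" >&2; return 1
    fi
}

# Principals file: first line emergency (as the docs require), no blank lines,
# no duplicates, and not writable by others: anyone who can append a role here
# can grant that role SSH access to this host.
check_principals() {
    [ "$(head -n 1 "$1")" = emergency ] || { echo "FAIL: first principal must be emergency" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$1"; then echo "FAIL: $1 has a blank line" >&2; return 1; fi
    dups=$(sort "$1" | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate principals: $dups" >&2; return 1; }
    [ -z "$(find "$1" -perm -o=w)" ] || { echo "FAIL: $1 is world-writable" >&2; return 1; }
}

audit_pritunl_sshd() {  # $1 sshd_config, $2 trusted, $3 principals; returns 0 when all pass
    rc=0
    check_directive "$1" TrustedUserCAKeys "$2" || rc=1
    check_directive "$1" AuthorizedPrincipalsFile "$3" || rc=1
    check_trusted "$2" || rc=1
    check_principals "$3" || rc=1
    return $rc
}

# Constructed sample mirroring the deploy script's output; the key blob is made
# up for the test, not a real authority key. Lets the audit run offline.
make_sample() {  # $1 existing empty directory
    printf 'Port 22\n\nTrustedUserCAKeys %s/trusted\nAuthorizedPrincipalsFile %s/principals\n' "$1" "$1" > "$1/sshd_config"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY\n' > "$1/trusted"
    printf 'emergency\nexample_role1\nexample_role2\n' > "$1/principals"
    chmod 644 "$1/sshd_config" "$1/trusted" "$1/principals"
}
```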

Two-Factor SSH Authentication

Two-factor SSH with Pritunl Zero can be configured by enabling Authority two-factor authentication in a policy and setting a 1-2 minute certificate expiration time. When authenticating, a web browser will open prompting the user to authenticate with the two-factor provider. Once authenticated the user will be able to connect to SSH servers for the next 1-2 minutes until they are prompted again. The user can run the command pritunl-ssh alias to configure a bash alias for ssh that runs pritunl-ssh; ssh. This will run pritunl-ssh before every SSH command to renew the certificate if it has expired.