Certificate Authentication for OpenSSH Connections
To enable certificate authentication for OpenSSH connections, run the PrivX host-deployment script on the target host.
The host-deployment script is a Python script that configures the OpenSSH server on the target host to accept certificates issued by PrivX. The script also sets up allowed principals for target users.
To obtain and run the host-deployment script:
- Create a host-deployment script. To do this, access the PrivX GUI as superuser, then go to the Settings→Deployment→Deploy and Configure SSH Target Hosts page. Select Configure using a deployment script, provide a name for the script, then click Add Script. Download the deploy.py script when prompted to.
- Upload the host-deployment script to the target host. You may do this via the PrivX GUI by connecting to the target host (similarly as in Connecting to Hosts), and then by navigating to the File Transfers tab.
- Execute the host-deployment script as root on the target host. In the command, use --principals to specify the target accounts and the roles that are allowed to access them. Also add the --standalone option if your target host is not hosted by a supported cloud provider.
  For example, to allow both the target accounts root and johndoe to be accessed by members of Example Role and privx-admin (replace /path/to/deploy.py with the path of the host-deployment script; note that role names containing spaces need to be quoted):
  # python /path/to/deploy.py --standalone --principals \
      root="Example Role",privx-admin:johndoe="Example Role",privx-admin
SSH connections to the target accounts from the specified roles are now authorized using certificates, without prompting users for passwords.
You may also verify that certificate authorization is used by checking the OpenSSH server logs on the target host. Upon successful certificate authorization there should be a log message like the following:
Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT \
ID [email protected]:53188 serial 4920619392583124720 (serial 4920619392583124720) \
CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8
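The two checks described above, an sshd configuration that trusts the PrivX CA and an auth log that shows certificate-based logins, can be automated. The following is an added example written for this page; it is not PrivX's deploy.py nor part of OpenSSH. It assumes the deployment relies on the standard OpenSSH directives TrustedUserCAKeys and AuthorizedPrincipalsFile (the page does not name what the script writes), reads `sshd -T` style output and auth-log lines that you pass in as text, and classifies each accepted login as certificate-based (signed by the expected CA), certificate-based but signed by an unknown CA, plain authorized_keys, or password. The sample config excerpts and log lines are constructed; the key ID in the first log line is a placeholder, while the CA fingerprint is the one shown in the page's sample log message.

```python
"""Verify the outcome of a PrivX-style deployment on an OpenSSH host.

Added example (not PrivX's deploy.py or OpenSSH code). Directive names are the
standard OpenSSH ones; the assumption that deploy.py sets them is not
confirmed by the page. Sample config and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# OpenSSH directives needed for CA-issued user certificates (assumption: this
# is what the deployment script configures; the page does not name them).
REQUIRED_DIRECTIVES = ("trustedusercakeys", "authorizedprincipalsfile")

# CA key fingerprint as it appears in the page's sample log line.
EXPECTED_CA_FP = "98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8"

# Tolerant pattern for sshd "Accepted ..." lines, with optional certificate
# details (key type, key ID, serial, signing CA) after the "ssh2:" marker.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+)"
    r"(?: ID (?P<keyid>\S+))?"
    r"(?:.*?\(serial (?P<serial>\d+)\))?"
    r"(?:.*? CA (?P<catype>\S+) (?P<cafp>\S+))?)?"
)


@dataclass
class Login:
    user: str
    ip: str
    method: str
    keytype: Optional[str]
    keyid: Optional[str]
    serial: Optional[str]
    cafp: Optional[str]


def missing_cert_directives(sshd_t_output: str) -> list:
    """Return required directives that are absent or set to 'none' in `sshd -T` output."""
    present = set()
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[1].strip().lower() != "none":
            present.add(parts[0].lower())
    return [d for d in REQUIRED_DIRECTIVES if d not in present]


def parse_accepted(line: str) -> Optional[Login]:
    """Parse an sshd 'Accepted ...' line; return None if the line is not one."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    return Login(m["user"], m["ip"], m["method"], m["keytype"],
                 m["keyid"], m["serial"], m["cafp"])


def classify(login: Login, trusted_ca_fps) -> str:
    """Label how the login was authorized."""
    if login.method == "publickey" and login.keytype and login.keytype.endswith("-CERT"):
        return "cert" if login.cafp in trusted_ca_fps else "cert-untrusted-ca"
    if login.method == "publickey":
        return "plain-key"   # authorized_keys entry, not a PrivX certificate
    return login.method      # e.g. "password", which the deployment should make unnecessary


def audit(log_text: str, trusted_ca_fps) -> list:
    """Return (user, ip, verdict) for every accepted login in the log text."""
    out = []
    for line in log_text.splitlines():
        login = parse_accepted(line)
        if login:
            out.append((login.user, login.ip, classify(login, trusted_ca_fps)))
    return out


# Constructed `sshd -T` excerpt for a correctly deployed host.
GOOD_SSHD_T = """\
pubkeyauthentication yes
trustedusercakeys /etc/ssh/privx_ca.pub
authorizedprincipalsfile /etc/ssh/auth_principals/%u
"""

# Constructed excerpt from a host where the deployment did not take effect.
BAD_SSHD_T = """\
pubkeyauthentication yes
trustedusercakeys none
authorizedprincipalsfile none
"""

# Constructed auth-log lines. The first mirrors the page's sample message with a
# placeholder key ID; the second is signed by an unknown CA.
SAMPLE_LOG = f"""\
Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT ID placeholder-cert-id:53188 serial 4920619392583124720 (serial 4920619392583124720) CA RSA {EXPECTED_CA_FP}
Accepted publickey for johndoe from 192.0.2.27 port 50931 ssh2: RSA-CERT ID placeholder-cert-id:53189 (serial 77) CA RSA 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
Accepted password for johndoe from 192.0.2.28 port 50932 ssh2
Accepted publickey for johndoe from 192.0.2.29 port 50933 ssh2: ED25519 SHA256:placeholderfingerprint
Failed password for invalid user admin from 192.0.2.30 port 50934 ssh2
"""

if __name__ == "__main__":
    print("missing directives:", missing_cert_directives(BAD_SSHD_T))
    for row in audit(SAMPLE_LOG, {EXPECTED_CA_FP}):
        print(*row)
```

On a real host you would feed `missing_cert_directives` the output of `sshd -T` and `audit` the sshd entries from the auth log; any verdict other than "cert" for a target account covered by --principals indicates that the deployment did not take effect for that account or that a certificate from an unexpected CA was accepted.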