Support for SSH certificates has been added to Pritunl Zero. This allows users to access SSH servers with the Pritunl Zero Client.
Simple Server Configuration
Server configuration only requires modifying the sshd configuration. This can be automated with a deploy script or configuration management system. No server agent is required.
# Drop any existing copies of the two directives so the appended ones are the only ones sshd sees
sudo sed -i '/TrustedUserCAKeys/d' /etc/ssh/sshd_config
sudo sed -i '/AuthorizedPrincipalsFile/d' /etc/ssh/sshd_config
# Trust certificates signed by the CA keys in /etc/ssh/trusted and require a principal from /etc/ssh/principals
# (sshd_config is read at daemon start, so reload sshd after this change; the two files are read at login time)
sudo tee -a /etc/ssh/sshd_config << EOF
TrustedUserCAKeys /etc/ssh/trusted
AuthorizedPrincipalsFile /etc/ssh/principals
EOF
# Principals this server accepts, one per line; a certificate must carry at least one of them
sudo tee /etc/ssh/principals << EOF
emergency
EXAMPLE_ROLE_1
EXAMPLE_ROLE_2
EXAMPLE_ROLE_3
EOF
# Public keys of the Pritunl Zero certificate authorities, one per line in authorized_keys format
sudo tee /etc/ssh/trusted << EOF
ssh-rsa EXAMPLE_SSH_PUB_KEY_1
ssh-rsa EXAMPLE_SSH_PUB_KEY_2
EOF
Pritunl Zero Client
The Pritunl Zero Client is a small Python script that is packaged for macOS and Linux. The client automates retrieving an SSH certificate from the Pritunl Zero server. For more complex use cases a custom client can be developed. Users only need to enter the Pritunl Zero hostname to configure the client. Once configured, the pritunl-ssh command can be run to retrieve a new certificate. After getting the certificate the user has access to the servers until the certificate expires. By default the certificate expires after 10 hours.
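Added example, not Pritunl's code: a Python script that parses an OpenSSH user certificate and applies the same checks the server configuration above makes sshd perform (issuing CA listed in /etc/ssh/trusted, a principal listed in /etc/ssh/principals, and the validity window), so an administrator can audit which certificates a server would accept. The CA signature is not verified here; the sample certificate, CA key, key id alice@example and role names are constructed.

```python
import base64
import struct

ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"
PK_FIELDS = {ED25519_CERT: 1, b"ssh-rsa-cert-v01@openssh.com": 2}  # user-key fields after the nonce

def rd(buf, pos):  # read one SSH wire "string": uint32 length + bytes
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def wr(b):  # pack one SSH wire "string"
    return struct.pack(">I", len(b)) + b

def parse_cert(cert_line):
    """Parse the fields sshd consults from an OpenSSH certificate line (id_*-cert.pub)."""
    buf = base64.b64decode(cert_line.split()[1])
    ctype, pos = rd(buf, 0)
    for _ in range(1 + PK_FIELDS[ctype]):  # skip the nonce and the certified user key
        _, pos = rd(buf, pos)
    _serial, kind = struct.unpack(">QI", buf[pos:pos + 12]); pos += 12
    key_id, pos = rd(buf, pos)
    blob, pos = rd(buf, pos)  # valid principals: a packed list of strings
    principals, p = [], 0
    while p < len(blob):
        name, p = rd(blob, p)
        principals.append(name.decode())
    after, before = struct.unpack(">QQ", buf[pos:pos + 16]); pos += 16
    for _ in range(4):  # critical options, extensions, reserved, then the CA signing key
        sig_key, pos = rd(buf, pos)
    return {"user": kind == 1, "key_id": key_id.decode(), "principals": principals,
            "after": after, "before": before, "ca": base64.b64encode(sig_key).decode()}

def check_access(cert, trusted_text, principals_text, now):
    # Mirrors sshd's TrustedUserCAKeys and AuthorizedPrincipalsFile checks; signature not verified.
    cas = {l.split()[1] for l in trusted_text.splitlines() if l.strip()}
    allowed = {l.strip() for l in principals_text.splitlines() if l.strip()}
    if not cert["user"] or cert["ca"] not in cas:
        return False, "not a user certificate issued by a CA listed in /etc/ssh/trusted"
    if not cert["after"] <= now < cert["before"]:
        return False, "outside validity window"
    matched = sorted(set(cert["principals"]) & allowed)
    if not matched:
        return False, "no principal listed in /etc/ssh/principals"
    return True, "granted via principal(s): " + ", ".join(matched)

SAMPLE_CA = base64.b64encode(wr(b"ssh-ed25519") + wr(b"\x07" * 32)).decode()  # constructed CA key
def build_sample_cert(principals, after, before, ca_b64=SAMPLE_CA):  # constructed, unsigned sample
    body = wr(ED25519_CERT) + wr(b"\0" * 32) + wr(b"\1" * 32) + struct.pack(">QI", 1, 1)
    body += wr(b"alice@example") + wr(b"".join(wr(p.encode()) for p in principals))
    body += struct.pack(">QQ", after, before) + wr(b"") * 3 + wr(base64.b64decode(ca_b64)) + wr(b"")
    return ED25519_CERT.decode() + " " + base64.b64encode(body).decode()
```

On a real host, feed parse_cert the contents of the client's id_*-cert.pub and check_access the text of /etc/ssh/trusted and /etc/ssh/principals; a real certificate from ssh-keygen or Pritunl Zero parses the same way because the signature field after the CA key is simply left unread.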
Documentation
More information can be found in the documentation.