SSH Server

Configuration

To log in with SSH certificates and principals, every SSH server must be configured to trust the Vault SSH CA and to know which principals may log in as which local account.

How to generate the CA public key file /etc/ssh/ca.pem is described here.

Linux server

Warning

OpenSSH Server must be installed on the server.

Edit /etc/ssh/sshd_config and set the following parameters:

...
# Root may log in, but only with a certificate, since password authentication is
# disabled below. PermitRootLogin prohibit-password is an equivalent, more explicit choice.
PermitRootLogin yes

# Public key of the Vault SSH CA: certificates signed by it are trusted
TrustedUserCAKeys /etc/ssh/ca.pem

# Per-user list of certificate principals allowed to log in as that user
# (%u expands to the local account name being logged into)
AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u

# Ignore plain authorized_keys files: only CA-signed certificates are accepted
# (AuthorizedKeysFile none is equivalent)
AuthorizedKeysFile /dev/null

# Disable password authentication
PasswordAuthentication no
...

Principals

Create the /etc/ssh/authorized_principals directory:

mkdir /etc/ssh/authorized_principals/

Then create /etc/ssh/authorized_principals/root, the list for the root user, with one principal name per line:

hackers
superheros

Users whose certificate carries the hackers or superheros principal can then log in as root over SSH. Every other local account gets its own file under the same directory, named after the account; an account with no file accepts no certificate at all. Keep the directory and the files owned by root and writable by root only, since sshd's StrictModes check applies to them.

Restart

Warning

Before restarting, make sure you can still reach the server over a console in case the new configuration locks you out, and check the file for syntax errors with sshd -t.

systemctl restart sshd.service

Windows

Warning

OpenSSH Server must be installed on the server. On Windows Server 2019 it ships as an optional feature: enable it and start the sshd service.

Edit C:\ProgramData\ssh\sshd_config and set the following parameters:

...
# Write sshd logs to __PROGRAMDATA__/ssh/logs instead of the Windows Event Log
SyslogFacility LOCAL0

# Public key of the Vault SSH CA: certificates signed by it are trusted
TrustedUserCAKeys __PROGRAMDATA__/ssh/trusted-vault-ca-keys.pub

# Single list of certificate principals allowed to log in (shared by all local accounts)
AuthorizedPrincipalsFile __PROGRAMDATA__/ssh/authorized_principals

# Ignore plain authorized_keys files: only CA-signed certificates are accepted
AuthorizedKeysFile none

# Disable password authentication
PasswordAuthentication no

# Not mandatory, but needed for members of the Administrators group: the default
# Match block sends them to administrators_authorized_keys, which is replaced here
Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
        AuthorizedPrincipalsFile __PROGRAMDATA__/ssh/authorized_principals
...

Principals

Create the file C:\ProgramData\ssh\authorized_principals and restrict its ACL so that only the SYSTEM account (which the sshd service runs as) has read access; it must not be writable by ordinary users.

List in it, one per line, every principal whose holders should be able to connect to the server:

hackers
superheros

Each principal name goes on its own line: sshd reads a line with internal whitespace as key options followed by a single principal, so hackers, superheros on one line would not grant the hackers principal. Users whose certificate carries the hackers or superheros principal can then log in over SSH. Because this path contains no %u token, the same list applies to every local account: any holder of a listed principal can log in as any user on the server, administrators included.
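How sshd applies the principals files from the Linux and Windows sections above, as an added Python example that is not part of this page, of Vault or of OpenSSH: it parses the principal list out of an OpenSSH user certificate (the *-cert.pub file Vault returns), reads an authorized_principals file the way sshd does, and decides whether the login is allowed. The certificate it feeds itself is constructed in the script with dummy key material and a zero signature, so it needs no CA and would fail a real sshd's signature check; key options in the principals file are kept opaque rather than enforced.

```python
import base64
import struct
import time

SSH_CERT_TYPE_USER = 1
# Public-key fields that follow the nonce, per certificate type (OpenSSH PROTOCOL.certkeys).
PUBKEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def _pack(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _unpack(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_certificate(line):
    """Parse one line of an OpenSSH certificate file and return its identity fields."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in PUBKEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate")
    blob = base64.b64decode(parts[1])
    ctype, off = _unpack(blob, 0)
    if ctype.decode() != parts[0]:
        raise ValueError("type prefix does not match certificate blob")
    _nonce, off = _unpack(blob, off)
    for _ in range(PUBKEY_FIELDS[parts[0]]):   # skip the certified public key
        _, off = _unpack(blob, off)
    serial, kind = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _unpack(blob, off)
    plist, off = _unpack(blob, off)             # "valid principals": nested strings
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _unpack(plist, p)
        principals.append(name.decode())
    return {"serial": serial, "is_user_cert": kind == SSH_CERT_TYPE_USER,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def read_authorized_principals(text):
    """Read an AuthorizedPrincipalsFile as sshd does: '#' comments and blank lines are
    ignored; when a line has internal whitespace, the LAST token is the principal and
    everything before it is key options (kept opaque here; sshd parses and enforces them)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            *options, principal = line.rsplit(None, 1)
            entries.append((options[0] if options else "", principal))
    return entries


def principal_allowed(cert, authorized_text, now=None):
    """sshd's decision: a user certificate, inside its validity window, carrying at least
    one principal that appears in the target account's authorized_principals file."""
    now = int(time.time()) if now is None else now
    if not cert["is_user_cert"]:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "certificate outside its validity window"
    allowed = {p for _, p in read_authorized_principals(authorized_text)}
    hits = [p for p in cert["principals"] if p in allowed]
    return (True, "matched principal " + hits[0]) if hits else (False, "no principal matched")


def build_sample_certificate(principals, key_id, valid_for=3600):
    """Constructed sample: a structurally valid ed25519 user certificate with dummy key
    material and a zero signature. It would fail sshd's signature check; it only gives
    parse_certificate realistic input without needing the Vault CA."""
    now = int(time.time())
    body = (_pack(b"ssh-ed25519-cert-v01@openssh.com") + _pack(b"\x00" * 32)  # type, nonce
            + _pack(b"\x11" * 32)                                               # dummy pk
            + struct.pack(">QI", 42, SSH_CERT_TYPE_USER) + _pack(key_id.encode())
            + _pack(b"".join(_pack(p.encode()) for p in principals))
            + struct.pack(">QQ", now - 60, now + valid_for)
            + _pack(b"") + _pack(b"") + _pack(b"")                 # critical options, extensions, reserved
            + _pack(_pack(b"ssh-ed25519") + _pack(b"\x22" * 32))   # CA public key
            + _pack(b"\x00" * 64))                                  # signature
    return "ssh-ed25519-cert-v01@openssh.com %s %s" % (base64.b64encode(body).decode(), key_id)


if __name__ == "__main__":
    cert = parse_certificate(build_sample_certificate(["hackers"], "vault-alice"))
    print(cert["key_id"], cert["principals"])
    print(principal_allowed(cert, "hackers\nsuperheros\n"))   # one name per line: allowed
    print(principal_allowed(cert, "hackers, superheros\n"))   # comma form: 'hackers' is read as options
```

Point parse_certificate at a real Vault-issued *-cert.pub to see which principals it carries; the last call shows why the names must be on separate lines: on the comma-separated line only superheros is a principal, and a real sshd would additionally reject the line because "hackers," is not a valid key option.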

Restart

Warning

Before restarting, make sure you can still reach the server over a console or an RDP session in case the new configuration locks you out.

Restart the service from the Services application, or from an elevated cmd.exe (the built-in OpenSSH service is named sshd):

net stop sshd && net start sshd