Metatron cert
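# Request a Metatron-signed SSH certificate for the local key pair and install it
# next to the private key; ssh picks up <key>-cert.pub automatically. Set SSH_KEY
# to certify a key other than ~/.ssh/id_rsa.
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_rsa}"
# Export the public half in PKCS#8 and collapse it to one line (armour lines
# stripped) so it can travel as a single form field.
PUBLIC_KEY=$(ssh-keygen -e -f "$SSH_KEY" -m pkcs8 | grep -v '^-' | tr -d '\n')
if [[ -z "$PUBLIC_KEY" ]]; then
  echo "could not export a public key from $SSH_KEY" >&2
else
  # Percent-encode for the x-www-form-urlencoded body (base64 carries + / =).
  # jq is required for the response anyway; this drops the Python 2-only
  # urllib.quote one-liner, which fails on Python 3.
  ENC_PUBLIC_KEY=$(jq -rn --arg k "$PUBLIC_KEY" '$k|@uri')
  # Stage the certificate in a temp file so a failed request cannot replace a
  # working certificate with an empty one; jq -e exits non-zero when
  # .certificate is missing or null, which also catches error bodies.
  CERT_TMP=$(mktemp "${SSH_KEY}-cert.pub.XXXXXX")
  if metatron curl -X POST -d "publicKey=$ENC_PUBLIC_KEY" -a mtrefresh \
      https://100.66.9.91:7004/REST/sshCredentials | jq -er .certificate > "$CERT_TMP"; then
    mv -- "$CERT_TMP" "${SSH_KEY}-cert.pub"
    chmod 644 "${SSH_KEY}-cert.pub"   # mktemp creates 0600; a certificate is public data
  else
    rm -f -- "$CERT_TMP"
    echo "certificate request failed; ${SSH_KEY}-cert.pub left unchanged" >&2
  fi
fi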
Check the cert with:
# Print the certificate's contents (key ID, principals, validity window, CA) so
# the issued cert can be inspected before it is used.
ssh-keygen -L -f "$HOME/.ssh/id_rsa-cert.pub"
Try using the cert with:
# Log in with the freshly issued certificate; ssh offers id_rsa-cert.pub
# alongside id_rsa without further configuration.
ssh -- 100.72.18.128
Configure the bastion
Create the authorized-principals script that authorizes each user.
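# Install the AuthorizedPrincipalsCommand helper that sshd runs (as nobody, per
# the sshd_config directives added below) to list the principals a login name
# may present in a Metatron certificate. sshd passes the target login as $1 (%u).
PRINCIPALS_CMD=/etc/ssh/derive_authorized_principals
# Quoted delimiter: $1 and $BASTION_ACCOUNT must be written literally and expand
# when sshd runs the script, not in this shell at install time (an unquoted
# heredoc would bake the installer's $USER and an empty account into the file).
cat <<'EOF' > "$PRINCIPALS_CMD"
#!/bin/bash
# Print "<login>:<bastion account>" as the only principal accepted for <login>.
# Any failure exits non-zero with no output, so sshd rejects the certificate.
set -euo pipefail
[[ $# -eq 1 && -n "${1:-}" ]] || exit 1
login_user="$1"
source /etc/profile.d/netflix_environment.sh
: "${BASTION_ACCOUNT:?BASTION_ACCOUNT not set by netflix_environment.sh}"
printf '%s:%s\n' "$login_user" "$BASTION_ACCOUNT"
EOF
# sshd only runs the command if it is root-owned, absolute and not writable by
# group or others.
chown root:root "$PRINCIPALS_CMD"
chmod 755 "$PRINCIPALS_CMD"
# NOTE: the helper runs as AuthorizedPrincipalsCommandUser (nobody); confirm
# /etc/profile.d/netflix_environment.sh is readable by that account.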
Modify the sshd config to add the new certificate authority and the authorized-principals command.
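# Enable Metatron-signed user certificates in sshd. The directives are appended
# only once: sshd honours the first occurrence of a keyword, so a duplicate
# appended later would be silently ignored and the setup would look done.
SSHD_CONFIG=/etc/ssh/sshd_config
if grep -qi '^[[:space:]]*TrustedUserCAKeys' "$SSHD_CONFIG"; then
  echo "TrustedUserCAKeys already present in $SSHD_CONFIG; not appending" >&2
else
  [[ -r /etc/ssh/metatron-ssh-ca ]] || echo "warning: /etc/ssh/metatron-ssh-ca is missing; certificate logins will fail" >&2
  # Anything appended after a Match line belongs to that Match block and would
  # not apply globally.
  grep -qi '^[[:space:]]*Match' "$SSHD_CONFIG" && echo "warning: $SSHD_CONFIG contains a Match block; appended directives will be scoped to it" >&2
  cat <<'EOF' >> "$SSHD_CONFIG"
# Metatron SSH certs support
TrustedUserCAKeys = /etc/ssh/metatron-ssh-ca
AuthorizedPrincipalsCommand = /etc/ssh/derive_authorized_principals %u
AuthorizedPrincipalsCommandUser = nobody
EOF
  # Syntax-check before any reload so a bad config cannot lock out remote access.
  sshd -t
fi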