Metatron SSH certificate

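# Fetch a Metatron-signed SSH certificate for the local RSA key and install it
# as ~/.ssh/id_rsa-cert.pub. Requires: ssh-keygen, jq, metatron.
# The endpoint is parameterised; the default is the value originally used here.
METATRON_SSH_CREDS_URL=${METATRON_SSH_CREDS_URL:-https://100.66.9.91:7004/REST/sshCredentials}

# PKCS#8 PEM body of the public key: armour lines dropped, joined on one line.
# (ssh-keygen -e also accepts ~/.ssh/id_rsa.pub, which avoids reading — and
# being prompted for the passphrase of — the private key.)
PUBLIC_KEY=$(ssh-keygen -e -m pkcs8 -f ~/.ssh/id_rsa | grep -v '^-' | tr -d '\n')

# Percent-encode the key for the form body with jq (already required below)
# rather than the python2-only `print urllib.quote(...)` one-liner.
ENC_PUBLIC_KEY=$(jq -rn --arg k "$PUBLIC_KEY" '$k | @uri')

# Write to a temp file and only replace the existing cert on success, so a
# failed request cannot leave an empty cert file behind. `jq -e` turns a
# missing/null .certificate into a non-zero exit instead of the text "null".
cert_tmp=$(mktemp "$HOME/.ssh/id_rsa-cert.pub.XXXXXX") || printf 'mktemp failed\n' >&2
if metatron curl -X POST -d "publicKey=$ENC_PUBLIC_KEY" -a mtrefresh "$METATRON_SSH_CREDS_URL" \
    | jq -er .certificate > "$cert_tmp"; then
  mv -- "$cert_tmp" ~/.ssh/id_rsa-cert.pub
else
  printf 'certificate request failed; existing cert left untouched\n' >&2
  rm -f -- "$cert_tmp"
fi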

Check the cert with:

# Print the certificate's contents (key ID, principals, validity window,
# extensions) so the issued cert can be inspected before use.
ssh-keygen -Lf "$HOME/.ssh/id_rsa-cert.pub"

Try using the cert with:

# Plain login attempt; ssh picks up id_rsa-cert.pub next to id_rsa automatically.
ssh -- 100.72.18.128

Configure the bastion

Create the AuthorizedPrincipalsCommand script that derives the authorized principals for each user.

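# Install the AuthorizedPrincipalsCommand helper that sshd runs as
# "derive_authorized_principals %u". The here-doc delimiter is quoted so that
# $1 and $BASTION_ACCOUNT are written literally and expanded by the script at
# login time; with an unquoted <<EOF the *installing* shell expands them, and
# the file ends up with a fixed "USER=" and a fixed principal for every login.
cat <<'EOF' > /etc/ssh/derive_authorized_principals
#!/bin/bash
# Print the principal(s) a user may authenticate as, one per line.
# Argument: $1 - login name (sshd passes %u).
set -eu

user="$1"

source /etc/profile.d/netflix_environment.sh
# Fail closed: never emit a "<user>:" principal with an empty account suffix.
: "${BASTION_ACCOUNT:?BASTION_ACCOUNT not set}"
printf '%s:%s\n' "$user" "$BASTION_ACCOUNT"
EOF

# Must be executable by AuthorizedPrincipalsCommandUser (nobody); 755 is enough.
chmod 755 /etc/ssh/derive_authorized_principals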

Modify sshd_config to add the new certificate authority and the AuthorizedPrincipalsCommand settings

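# Register the Metatron CA and the principals hook in sshd_config.
# sshd keeps the first value it sees for a keyword, and any line after a
# "Match" block belongs to that block, so blindly appending can either be
# shadowed or apply only to a subset of users; warn when either is present.
if grep -Eqi '^[[:space:]]*(TrustedUserCAKeys|AuthorizedPrincipalsCommand|Match)' /etc/ssh/sshd_config; then
  printf 'warning: sshd_config already has TrustedUserCAKeys/AuthorizedPrincipals* or a Match block; check placement\n' >&2
fi
# The CA public key must exist, or sshd will reject the config / all certs.
[[ -r /etc/ssh/metatron-ssh-ca ]] || printf 'warning: /etc/ssh/metatron-ssh-ca (CA public key) not found\n' >&2

cat <<'EOF' >> /etc/ssh/sshd_config

# Metatron SSH certs support
TrustedUserCAKeys = /etc/ssh/metatron-ssh-ca
AuthorizedPrincipalsCommand = /etc/ssh/derive_authorized_principals %u
AuthorizedPrincipalsCommandUser = nobody
EOF

# Validate before reloading: a broken sshd_config can lock everyone out.
sshd -t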