slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security


Support access using SSH certificates + groups

ieugen opened this issue · comments

What version of nebula are you using? (nebula -version)

1.8.2

What operating system are you using?

N/A

Describe the Bug

Users can be allowed to access the nebula SSH interface by having nebula trust certificates issued by an SSH certificate authority.

This feature should be accompanied by a set of options to trust a specific user name or users from a specific group - specified in the certificate.

One advantage of using an SSH CA is that you can also sign the host key by the CA and thus avoid the dangers of trusting the host key on first connect.

A configuration could look like this:

sshd:
  enabled: true
  listen: 127.0.0.1:2222
  host_key: /etc/ssh/ssh_host_ed25519_key
  certificate_authorities:
    - allow_groups:
        - sysadmins
        - team-dev1
      keys:
        - /etc/ssh/user_ca_key.pub

Some examples on how to set up an SSH CA

This issue is somewhat related to #1051.

Logs from affected hosts

N/A

Config files from affected hosts

N/A
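The check the proposed `certificate_authorities` / `allow_groups` block asks for is the one an SSH server performs on a user certificate: confirm the certificate was signed by a trusted CA key, confirm the clock is inside its validity window, and then match the principals embedded in the certificate (what `ssh-keygen -n` puts there) against the configured groups. The following is an added example and not nebula's code; it implements the OpenSSH ed25519 certificate wire format with only the Go standard library so it runs offline, where a real implementation (nebula's sshd package is built on `golang.org/x/crypto/ssh`) would use that library's certificate parsing instead. The names `TrustedCA`, `Authorize`, `SignUserCert` and `ParseUserCert` are this example's own; `SignUserCert` stands in for `ssh-keygen -s` purely to build a test certificate, and the keys, key id and principals in `main` are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire-format names from OpenSSH's PROTOCOL.certkeys; user certificates carry type 1.
const certAlgo, keyAlgo, userCertType = "ssh-ed25519-cert-v01@openssh.com", "ssh-ed25519", 1

// wire encodes SSH wire values: string/[]byte as a length-prefixed "string", uint32/uint64 big-endian.
func wire(vals ...any) []byte {
	var b bytes.Buffer
	for _, v := range vals {
		switch x := v.(type) {
		case string:
			b.Write(wire([]byte(x)))
		case []byte:
			binary.Write(&b, binary.BigEndian, uint32(len(x)))
			b.Write(x)
		default:
			binary.Write(&b, binary.BigEndian, x) // uint32 / uint64 only
		}
	}
	return b.Bytes()
}

// SignUserCert builds and signs a minimal ed25519 user certificate, playing the role of
// `ssh-keygen -s ca_key -I key_id -n principals` (serial 0, no options or extensions).
func SignUserCert(ca ed25519.PrivateKey, user ed25519.PublicKey, keyID string,
	principals []string, validAfter, validBefore uint64) []byte {
	nonce, ps := make([]byte, 32), []any{}
	rand.Read(nonce)
	for _, p := range principals {
		ps = append(ps, p) // the principals field is itself a packed list of strings
	}
	body := wire(certAlgo, nonce, []byte(user), uint64(0), uint32(userCertType), keyID,
		wire(ps...), validAfter, validBefore, []byte{}, []byte{}, []byte{},
		wire(keyAlgo, []byte(ca.Public().(ed25519.PublicKey)))) // last field: signature key
	return append(body, wire(wire(keyAlgo, ed25519.Sign(ca, body)))...) // signature covers all of body
}

// rd is a bounds-checked reader with a sticky error: a truncated or hostile blob can never
// index out of range, and every read after the first failure yields zero bytes.
type rd struct {
	b   []byte
	err error
}

func (r *rd) take(n int) (v []byte) {
	if r.err == nil && (n < 0 || len(r.b) < n) {
		r.err = errors.New("truncated certificate")
	}
	if r.err != nil {
		return make([]byte, 8) // zero filler keeps the callers branch-free
	}
	v, r.b = r.b[:n], r.b[n:]
	return v
}
func (r *rd) u32() uint32 { return binary.BigEndian.Uint32(r.take(4)) }
func (r *rd) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }
func (r *rd) str() []byte { return r.take(int(r.u32())) }

// Cert holds what an authorization decision needs; signed is every byte before the
// signature field, i.e. exactly what the CA signed.
type Cert struct {
	Principals              []string
	ValidAfter, ValidBefore uint64
	CAKey                   ed25519.PublicKey
	signed, sig             []byte
}

// ParseUserCert decodes an ed25519 user certificate without verifying it; Authorize
// checks the signature once the CA key has been matched against policy.
func ParseUserCert(blob []byte) (*Cert, error) {
	r, c := &rd{b: blob}, &Cert{}
	ok := string(r.str()) == certAlgo
	r.str(); r.str(); r.u64()                   // nonce, user public key, serial
	ok = r.u32() == userCertType && ok          // certificate type
	r.str()                                     // key id (informational only)
	for p := (&rd{b: r.str()}); len(p.b) > 0; { // principals: packed list of strings
		if c.Principals = append(c.Principals, string(p.str())); p.err != nil {
			return nil, p.err
		}
	}
	c.ValidAfter, c.ValidBefore = r.u64(), r.u64()
	r.str(); r.str(); r.str()                   // critical options, extensions, reserved
	caKey := &rd{b: r.str()}
	ok = string(caKey.str()) == keyAlgo && ok
	c.CAKey = ed25519.PublicKey(caKey.str())
	c.signed = blob[:len(blob)-len(r.b)]        // the CA signed every byte up to here
	sig := &rd{b: r.str()}
	ok = string(sig.str()) == keyAlgo && ok
	c.sig = sig.str()
	if !ok || r.err != nil || len(r.b) != 0 || len(c.CAKey) != ed25519.PublicKeySize {
		return nil, errors.New("malformed or unsupported certificate")
	}
	return c, nil
}

// TrustedCA mirrors one entry of the proposed certificate_authorities list.
type TrustedCA struct {
	Keys        []ed25519.PublicKey // parsed contents of the listed *_ca_key.pub files
	AllowGroups []string
}

// Authorize accepts a certificate only if a trusted CA key signed it, now lies inside its
// validity window, and one of its principals appears in that CA's allow_groups; it returns
// the matching group. A certificate with no principals is rejected here, although OpenSSH
// itself would accept such a certificate for any user.
func Authorize(cert []byte, cas []TrustedCA, now time.Time) (string, error) {
	c, err := ParseUserCert(cert)
	if err != nil {
		return "", err
	}
	if t := uint64(now.Unix()); t < c.ValidAfter || t >= c.ValidBefore {
		return "", errors.New("certificate outside its validity window")
	}
	for _, ca := range cas {
		for _, k := range ca.Keys {
			if !k.Equal(c.CAKey) {
				continue
			}
			if !ed25519.Verify(k, c.signed, c.sig) {
				return "", errors.New("CA signature does not verify")
			}
			for _, g := range ca.AllowGroups {
				for _, p := range c.Principals {
					if g == p {
						return g, nil
					}
				}
			}
			return "", fmt.Errorf("none of %v is in allow_groups", c.Principals)
		}
	}
	return "", errors.New("certificate not signed by a trusted CA")
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	userPub, _, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	cert := SignUserCert(caPriv, userPub, "alice@example", []string{"alice", "sysadmins"},
		uint64(now.Add(-time.Minute).Unix()), uint64(now.Add(time.Hour).Unix()))
	cas := []TrustedCA{{Keys: []ed25519.PublicKey{caPub}, AllowGroups: []string{"sysadmins", "team-dev1"}}}
	fmt.Println(Authorize(cert, cas, now)) // sysadmins <nil>
}
```

Two design points matter for the proposed feature. The signature is checked only after the certificate's embedded CA key has been matched against a configured key, so an attacker-supplied certificate never picks which key verifies it, and the group decision is made on the principals the CA signed rather than on anything the client sends. The empty-principals case is the one to decide deliberately: `ssh-keygen` issues such certificates when `-n` is omitted and OpenSSH treats them as valid for every user, so an `allow_groups` implementation that forgets this would grant access to whoever holds any CA-signed key.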