mirror of https://gitlab.com/curben/blog
post(ssh-cert): matching email to different user
This commit is contained in:
parent
26228eba94
commit
72b5cdcc67
|
@ -106,7 +106,7 @@ Install `openssh-server`.
|
||||||
|
|
||||||
`sudo -e /etc/ssh/sshd_config.d/cf.conf`
|
`sudo -e /etc/ssh/sshd_config.d/cf.conf`
|
||||||
|
|
||||||
```
|
```plain /etc/ssh/sshd_config.d/cf.conf
|
||||||
TrustedUserCAKeys /etc/ssh/ca.pub
|
TrustedUserCAKeys /etc/ssh/ca.pub
|
||||||
ListenAddress 127.0.0.1
|
ListenAddress 127.0.0.1
|
||||||
ListenAddress ::1
|
ListenAddress ::1
|
||||||
|
@ -125,6 +125,24 @@ The easiest setup is one where a Unix username matches the email that you config
|
||||||
|
|
||||||
Set a random password and leave everything else blank.
|
Set a random password and leave everything else blank.
|
||||||
|
|
||||||
|
### Matching email to different username
|
||||||
|
|
||||||
|
To match **loremipsum**@youremail.com to **lipsum** user:
|
||||||
|
|
||||||
|
```plain /etc/ssh/sshd_config.d/cf.conf
|
||||||
|
Match user lipsum
|
||||||
|
AuthorizedPrincipalsCommand /bin/echo 'loremipsum'
|
||||||
|
AuthorizedPrincipalsCommandUser nobody
|
||||||
|
```
|
||||||
|
|
||||||
|
**loremipsum+somealias**@youremail.com also works.
|
||||||
|
|
||||||
|
```plain /etc/ssh/sshd_config.d/cf.conf
|
||||||
|
Match user lipsum
|
||||||
|
AuthorizedPrincipalsCommand /bin/echo 'loremipsum+somealias'
|
||||||
|
AuthorizedPrincipalsCommandUser nobody
|
||||||
|
```
|
||||||
|
|
||||||
## Initiate SSH connection
|
## Initiate SSH connection
|
||||||
|
|
||||||
Install `cloudflared` on the host that you're going to SSH from.
|
Install `cloudflared` on the host that you're going to SSH from.
|
||||||
|
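Review bot: the two `Match user lipsum` blocks in this hunk are presented as alternatives but the text does not say so; a reader who appends the `+somealias` block below the first one in the same cf.conf gets two blocks that both match, and sshd keeps the first value it obtains for `AuthorizedPrincipalsCommand`, so the alias line would be silently ignored. Say "replace the block with" (or fold both into one block with a remark that the echoed principal is the local part of the email, `+alias` included) and keep the `Match` block at the end of the file, since everything after a `Match` line applies only to that user until the next `Match` or end of file.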
@ -133,7 +151,7 @@ Install `cloudflared` on the host that you're going to SSH from.
|
||||||
|
|
||||||
Example output:
|
Example output:
|
||||||
|
|
||||||
```
|
```plain ~/.ssh/config
|
||||||
Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
|
Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
|
||||||
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
|
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
|
||||||
IdentityFile ~/.cloudflared/%h-cf_key
|
IdentityFile ~/.cloudflared/%h-cf_key
|
||||||
|
@ -142,7 +160,7 @@ Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --ho
|
||||||
|
|
||||||
or
|
or
|
||||||
|
|
||||||
```
|
```plain ~/.ssh/config
|
||||||
Host test.example.com
|
Host test.example.com
|
||||||
ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.example.com >&2 <&1'
|
ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.example.com >&2 <&1'
|
||||||
|
|
||||||
|
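Review bot: the unchanged `ProxyCommand bash -c '...; ssh -tt %r@cfpipe-test.example.com ...'` line expands `%r` to the login name given to ssh, which after the new mapping section is the Unix user (`lipsum`), not the email local part (`loremipsum`); a one-line reminder next to this block that the reader connects as `lipsum@test.example.com` while the certificate principal stays `loremipsum` would tie the two sections together.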
@ -150,7 +168,7 @@ Host cfpipe-test.example.com
|
||||||
HostName test.example.com
|
HostName test.example.com
|
||||||
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
|
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
|
||||||
IdentityFile ~/.cloudflared/test.example.com-cf_key
|
IdentityFile ~/.cloudflared/test.example.com-cf_key
|
||||||
CertificateFile ~/.cloudflared/test.example.com-cf_key-cert.pup
|
CertificateFile ~/.cloudflared/test.example.com-cf_key-cert.pub
|
||||||
```
|
```
|
||||||
|
|
||||||
Save the output to `$HOME/.ssh/config`.
|
Save the output to `$HOME/.ssh/config`.
|
||||||
|
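Review bot: the `CertificateFile ~/.cloudflared/test.example.com-cf_key-cert.pup` -> `.pub` change is a real bug fix, not a fence-label edit, and the commit message "matching email to different user" does not mention it; with the old path ssh finds no certificate at that location, offers only the bare key, and the server that trusts `TrustedUserCAKeys` rejects the login. Worth a line in the commit message so the fix is findable later.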
@ -174,3 +192,7 @@ As a bonus, head to test.yourdomain.com (see [Add an application](#Add-an-applic
|
||||||
Head to **Settings** -> **Account** to monitor how many users you have, each email address you configured to receive one-time PIN is counted as one user.
|
Head to **Settings** -> **Account** to monitor how many users you have, each email address you configured to receive one-time PIN is counted as one user.
|
||||||
|
|
||||||
To delete user(s), head to **Users**, tick the relevant users, **Update status** and then **Remove**. The seat usage column should show _Inactive_.
|
To delete user(s), head to **Users**, tick the relevant users, **Update status** and then **Remove**. The seat usage column should show _Inactive_.
|
||||||
|
|
||||||
|
## Inspect user certificate
|
||||||
|
|
||||||
|
`ssh-keygen -L -f ~/.cloudflared/test.example.com-cf_key-cert.pub`
|
||||||
|
|
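Review bot: the new "Inspect user certificate" section gives the `ssh-keygen -L -f` command but not what to look for in its output; point the reader at the `Principals:` field (the value that must equal the Unix username, or the string echoed by `AuthorizedPrincipalsCommand` in the mapping section) and the `Valid:` window, since those are the two fields that explain a rejected login.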