💻 Accessing Your Remote Host
The following guide covers how to access your remote host using OpenPubkey SSH.
OpenPubkey SSH (OPK SSH) is fully compatible with existing workflows for accessing a remote host with SSH. To access your host through OPK SSH, you first log in with the ZLI and then ssh from your local terminal as you normally would.
If you have not installed the ZLI on your local machine yet, instructions are below.
1. Log in using the ZLI from your local terminal: `zli login --opk`.
2. Assuming the remote host you would like to access is already configured and tested, make sure you have removed the traditional SSH keys that granted access to the host before the OPK SSH setup. If you have not, see Remove Your SSH Keys.
3. SSH to your host with `ssh` from your local terminal, for example `ssh ec2-user@my-aws-host`.

If the OPK SSH validator script on the remote host needs to prompt for your sudo password, add the `-t` option so ssh allocates a pseudo-terminal for the prompt: `ssh -t ec2-user@my-aws-host`.
Depending on which OS you are running the ZLI on, the first time you execute `zli login --opk` you may see a notification asking whether to permit `opk_ssh_login` to accept incoming network connections. To use OPK SSH, you must click "Accept."
What Does The Login Command Do?
The `zli login --opk` command does the following:
1. It redirects you to a Google login page in a browser window, where you authenticate as you normally do with Google (username and password).
2. Once you are logged in, your Google ID token is used to create a PK Token.
3. The PK Token is then used to generate an SSH certificate. The ZLI saves this certificate alongside a default key in your SSH directory (`~/.ssh`); the certificate is presented in place of a traditional SSH key to grant access to the remote host.
The SSH certificate generated by OPK SSH is only valid until your `id_token` expires. That lifetime is controlled by your OP (Google in this case) and is typically limited to 1 hour. When your `id_token` expires, OPK SSH uses your refresh token to obtain a new `id_token` and generate a new SSH certificate. Re-authentication is required only when your refresh token expires.