🚦Managing Personal & Collaborative Access

The following guide covers how to manage access to your remote host(s) with OpenPubkey SSH.

Grant SSH Access Through OpenPubkey SSH

The following action must be taken by a user who has privileged access to the remote host (i.e., can perform actions with sudo).

To Grant Access to Yourself

When setting up your remote host with OpenPubkey SSH (OPK SSH), you granted yourself access to your remote host using the zli configure opk <Gmail or G Suite email> <Linux user>@<hostname> command. This enables you to access your remote host using OPK SSH. No other action is required!

See Test Your Access to ensure permissions are set up as intended.

To Grant Collaborative Access to Others

OpenPubkey SSH supports collaborative access for any Gmail or G Suite user. This allows you to share access with friends and colleagues at different organizations.

To allow other Gmail or G Suite users to have access to your remote host, take the following actions:

  1. As the privileged user, SSH onto the remote host to which you wish to grant access.

  2. Execute the command below, which grants the given Gmail or G Suite email access to the remote host as <Linux user>.

    sudo /etc/opk/opk-ssh add <Gmail or G Suite email> <Linux user>

Configured users are now able to log in to the ZLI and then SSH to the remote host.

See Test Your Access to ensure permissions are set up as intended.

Let Others Grant Collaborative Access For Themselves

OpenPubkey SSH's collaborative access enables users without sudo privileges to grant themselves access to a remote host via OPK SSH.

To do this, users must:

  1. SSH onto the remote host as the non-privileged Linux user they wish to access it as through OPK SSH.

  2. Execute the command below, which grants your Gmail or G Suite email access to the remote host as <Linux user>. Because you are a non-privileged user, <Linux user> must be the Linux user you are presently accessing the remote host as; an entry for any other email or role will not be written to policy.

    ~/.opk/opk-ssh add <your Gmail or G Suite email> <Linux user you are presently accessing the host as>

    This may look like ~/.opk/opk-ssh add alice@acme.co read-only.

See Test Your Access to ensure permissions are set up as intended.

Test Your Access

What Does Policy Look Like?

Policy is defined in a YAML file that specifies which Linux user(s) (referred to in policy as "principals") a given Gmail or G Suite email may use to access a particular remote host.

For example, the policy below allows two individuals, alice@acme.co and bob@co.acme, access to a remote host.

In alice@acme.co's case, she is able to access the host as the privileged root user or the non-privileged luffy user. In bob@co.acme's case, he has access to the host as a single non-privileged user, luffy.

users:
    - email: alice@acme.co
      principals:
        - root
        - luffy
    - email: bob@co.acme
      principals:
        - luffy
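The policy semantics above, together with the self-grant rule for non-privileged users from the previous section, as an added example (not code from the OPK SSH project): a small Python model that parses this page's policy subset with no external libraries, answers "may this email log in as this Linux user?", and refuses a self-grant for any Linux user other than the one currently logged in. The function names, the sample policy and the refusal behaviour are assumptions made for illustration.

```python
# Added example (not OPK SSH's own code): a model of the policy file
# described above. It parses only the "users:/- email:/principals:" YAML
# subset shown on this page, answers "may this email log in as this Linux
# user?", and models the self-grant rule for non-privileged users (only
# the user you are currently logged in as may be added). Names and
# behaviour are assumptions for illustration.

# Constructed sample: the two-user policy from the text.
SAMPLE_POLICY = """\
users:
    - email: alice@acme.co
      principals:
        - root
        - luffy
    - email: bob@co.acme
      principals:
        - luffy
"""

def parse_policy(text):
    """Parse the two-level policy subset into {email: set(principals)}."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- email:"):
            current = line.split(":", 1)[1].strip()
            users.setdefault(current, set())
        elif line.startswith("- ") and current is not None:
            users[current].add(line[2:].strip())
        # "users:" and "principals:" are structural lines; nothing to record
    return users

def is_allowed(policy, email, principal):
    """True if the policy grants `email` login as Linux user `principal`."""
    return principal in policy.get(email, set())

def self_grant(policy, email, principal, current_user):
    """Model of `~/.opk/opk-ssh add` run by a non-privileged user: only a
    grant for the Linux user currently logged in is written to policy.
    Returns True if the entry was added, False if it was refused."""
    if principal != current_user:
        return False
    policy.setdefault(email, set()).add(principal)
    return True
```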

Product feedback? Send us a note at product@bastionzero.com.