About the SSH authorization resource
The SSH authorization resource provides a range of options for controlling users' SSH capabilities.
You can create, read, update, and delete this object using the api command of
An example follows.
```shell
apoctl api create sshauthorizationpolicy
```
Refer to the apoctl reference for more information about the
An example object follows.
```yaml
name: allow-ssh-access
description: description
namespace: /acme/team-a/linux-hosts
propagate: true
subject:
  - - "@ssh:usr:auth:email@example.com"
    - "@auth:realm=oidc"
  - - "@ssh:usr:auth:firstname.lastname@example.org"
    - "@auth:realm=oidc"
object:
  - - "$identity=enforcer"
extensions:
  - permit-pty
  - permit-X11-forwarding
authorizedSubnets:
  - 192.168.0.0/16
forceCommand: /bin/ps -ef
principals:
  - extra-principal
validity: 2h45m
```
A discussion of each key follows.
| Key | Description |
|---|---|
| name | The name of the SSH authorization. Aporeto requires this string, but it does not have to be unique. |
| description | A description of the SSH authorization. |
| namespace | The namespace of the remote hosts that this SSH authorization allows access to. |
| propagate | This is a boolean value: |
| subject | Aporeto tag(s) that identify the user that should be allowed to access the remote host. Use the following tag syntax: |
| object | Aporeto tag(s) that identify the enforcer(s) on the remote host(s). |
| extensions | Accepts the following values. |
| authorizedSubnets | Restricts the user to making SSH logins from a specific subnet, expressed as CIDR(s). |
| forceCommand | Specifies a single command that the user can issue on the remote host. This can be useful for the cases listed below the table. |
| principals | Allows you to specify one or more values that should appear under |
| validity | Specifies how long the certificate should remain valid, in Golang duration syntax. Defaults to one hour. |

The forceCommand key can be useful for:
■ Issuing single-purpose certificates.
■ Ensuring that users stay in their home directories (
■ Restricting users to a bash shell (
Refer to the FreeBSD documentation for more information.
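As an added example (not part of the Aporeto documentation or of apoctl), the following Python script reviews an sshauthorizationpolicy object, already loaded from YAML into a dict, for settings a reviewer would want to tighten: it parses the Go-syntax validity, validates each authorizedSubnets CIDR, and flags permit-X11-forwarding and a missing forceCommand. The sample policy and the eight-hour validity ceiling are assumptions.

```python
import ipaddress
import re
from datetime import timedelta

# Constructed sample policy (assumption): the page's object after loading the YAML
# into a dict, so no YAML library is needed.
POLICY = {
    "name": "allow-ssh-access",
    "namespace": "/acme/team-a/linux-hosts",
    "subject": [["@ssh:usr:auth:email@example.com", "@auth:realm=oidc"]],
    "object": [["$identity=enforcer"]],
    "extensions": ["permit-pty", "permit-X11-forwarding"],
    "authorizedSubnets": ["192.168.0.0/16"],
    "forceCommand": "/bin/ps -ef",
    "validity": "2h45m",
}

# Go duration syntax: number+unit pairs such as "2h45m" or "1.5h".
_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_GO_PAIR = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

def parse_go_duration(text):
    """Parse a Go duration string into a timedelta, rejecting anything else."""
    pairs = _GO_PAIR.findall(text)
    if not pairs or "".join(n + u for n, u in pairs) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _GO_UNITS[u] for n, u in pairs))

def lint_policy(policy, max_validity=timedelta(hours=8)):
    """Return findings for settings that widen what the issued certificate allows.
    max_validity is an assumed local ceiling, not an Aporeto default."""
    findings = []
    validity = parse_go_duration(policy.get("validity", "1h"))  # page: default is 1h
    if validity > max_validity:
        findings.append(f"validity {policy['validity']} exceeds {max_validity}")
    subnets = policy.get("authorizedSubnets", [])
    if not subnets:
        findings.append("no authorizedSubnets: logins accepted from any source address")
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # raises on a malformed CIDR
        if net.prefixlen == 0:
            findings.append(f"authorizedSubnets {cidr} admits every address")
    if "permit-X11-forwarding" in policy.get("extensions", []):
        findings.append("permit-X11-forwarding enables X11 forwarding; drop unless required")
    if not policy.get("forceCommand"):
        findings.append("no forceCommand: the user may run any command on the host")
    return findings
```

Running lint_policy(POLICY) on the sample reports only the X11 forwarding extension; the other checks pass because the policy already pins a subnet, a command, and a short validity.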