ProficientNowTechRFCs
Platform RFCs/RFC-PAM-0001: Privileged Access Management Architecture

6. SSH Access

RFC-PAM-0001                                                    Section 6
Category: Standards Track                                     SSH Access

6. SSH Access

← Previous: Identity Integration | Index | Next: Database Access →

6.1 Certificate-Based Authentication

6.1.1 Overview

SSH access uses certificate-based authentication instead of traditional SSH keys. Users receive short-lived certificates signed by the Vault SSH CA, eliminating:

  • Long-lived SSH keys that persist indefinitely
  • Manual key distribution and revocation
  • Authorized_keys file management across hosts

6.1.2 Certificate vs Key Authentication

AspectSSH KeysSSH Certificates
LifetimeIndefinite until revokedTime-limited (TTL)
RevocationRemove from each hostAutomatic at expiry
DistributionCopy to authorized_keysPresent at connection time
AuditKey fingerprint in logsCertificate with identity claims
AuthorityDecentralized per hostCentralized CA (Vault)

6.1.3 Certificate Properties

SSH certificates issued through this architecture contain:

PropertyDescriptionExample
TypeUser certificateuser
Key IDUnique certificate identifieruser-jane.doe-abc123
Valid PrincipalsUnix usernames permittedubuntu, ec2-user
Valid AfterCertificate start time2026-02-10T10:00:00Z
Valid BeforeCertificate expiry time2026-02-10T14:00:00Z
ExtensionsSSH features permittedpermit-pty, permit-agent-forwarding

6.2 Vault SSH CA Integration

6.2.1 SSH Secrets Engine

Vault's SSH secrets engine acts as the Certificate Authority:

6.2.2 CA Key Management

ComponentLocationAccess
CA Private KeyVault (never exported)Signing operations only
CA Public KeyDistributed to hostsPublic (TrustedUserCAKeys)

The CA private key MUST NOT be exported from Vault. All signing operations occur within Vault.

6.2.3 Signing Roles

Vault defines signing roles with specific parameters:

RoleTTLMax TTLAllowed PrincipalsExtensions
developer1h4hubuntu, ec2-userpermit-pty
operator4h8hubuntu, ec2-user, rootpermit-pty, permit-port-forwarding
emergency30m1hrootpermit-pty

6.2.4 Teleport-Vault Integration

Teleport authenticates to Vault using Kubernetes auth:

6.3 Host Enrollment

6.3.1 Enrollment Process

Hosts are enrolled in Teleport through agent deployment:

6.3.2 Agent Configuration

The SSH agent is configured with:

ParameterDescription
auth_serverTeleport Auth Service address
join_tokenOne-time token from Vault (via ESO)
ssh_service.enabledtrue
ssh_service.labelsHost labels for RBAC

6.3.3 Host Labels

Hosts are labeled for RBAC targeting:

LabelExample ValuesPurpose
envproduction, staging, developmentEnvironment-based access
teamplatform, application, dataTeam ownership
roleweb, database, workerServer function
regionus-east-1, eu-west-1Geographic location

6.3.4 SSHD Configuration

Managed hosts configure sshd to trust only the Vault CA:

SettingValuePurpose
TrustedUserCAKeys/etc/ssh/trusted-user-ca-keys.pemVault CA public key
AuthorizedPrincipalsFile/etc/ssh/auth_principals/%uPrincipal mapping
PasswordAuthenticationnoDisable password auth
ChallengeResponseAuthenticationnoDisable challenge-response

Direct key authentication via authorized_keys is either disabled or restricted to emergency access only.

6.4 User Certificate Flow

6.4.1 Complete Flow

6.4.2 RBAC Evaluation

Before issuing a certificate, Teleport evaluates:

CheckDescription
User rolesWhat roles does the user have?
Role permissionsWhat hosts can these roles access?
Host labelsDoes the target host match allowed labels?
Principal mappingWhat Unix users can this user become?

6.4.3 Example RBAC

A user with role developer:

Role: developer
  Allow:
    - Node labels: env=development OR env=staging
    - Logins: ubuntu, ec2-user
  Deny:
    - Node labels: env=production

This user can SSH to development/staging hosts as ubuntu or ec2-user, but cannot access production.

6.5 Principal Mapping

6.5.1 Unix User Mapping

Certificates include principals—the Unix usernames the certificate holder can assume:

Teleport RoleAllowed PrincipalsRationale
developerubuntu, ec2-userStandard non-root access
operatorubuntu, ec2-user, rootAdministrative access
emergencyrootBreak-glass only

6.5.2 Principal Validation

Hosts validate principals through AuthorizedPrincipalsFile:

/etc/ssh/auth_principals/ubuntu:
  ubuntu
  developers

/etc/ssh/auth_principals/root:
  root
  emergency

A certificate with principal ubuntu can log in as user ubuntu if ubuntu is listed in that user's principals file.

6.5.3 Principal Hierarchy

6.6 Session Recording

6.6.1 Recording Scope

All SSH sessions are recorded:

ContentCaptured
Terminal inputAll keystrokes
Terminal outputAll screen output
Session metadataUser, host, start/end time
Window size changesTerminal resize events

6.6.2 Recording Storage

Recordings are stored per RFC-SECOPS-0001 patterns:

AspectConfiguration
Storage backendS3-compatible or filesystem
EncryptionEncrypted at rest
RetentionPer compliance policy (default: 1 year)
ImmutabilityWrite-once storage

6.6.3 Session Playback

Recordings can be played back through:

  • Teleport Web UI
  • tsh play command
  • Audit API for programmatic access

Document Navigation

PreviousIndexNext
← 5. Identity IntegrationTable of Contents7. Database Access →

End of Section 6

Next

5. Identity Integration

Next

7. Database Access

On this page