remove add ca step

miloschwartz
2026-02-17 22:36:24 -08:00
parent 5e929eab75
commit 45790fae70


@@ -58,6 +58,10 @@ You can enable SSH in two ways:
| SSH into the **same server** that runs Newt | **Option 1**: Run Newt with auth-daemon support (built-in). | | SSH into the **same server** that runs Newt | **Option 1**: Run Newt with auth-daemon support (built-in). |
| SSH into **other servers** on the same network as Newt | **Option 2**: Run Newt on one host (e.g. bastion) and run the auth daemon on each server you want to SSH into. | | SSH into **other servers** on the same network as Newt | **Option 2**: Run Newt on one host (e.g. bastion) and run the auth daemon on each server you want to SSH into. |
<Note>
A single Newt instance cannot run as the auth daemon for its own host **and** use external auth daemons. You must choose one mode: either Option 1 (built-in auth daemon on this host) or Option 2 (external auth daemons on other hosts).
</Note>
Both options require the SSH server on each target host to be configured to trust the Pangolin CA and to use the auth daemon for principals (see [Configure the SSH server](#configure-the-ssh-server-on-the-host) below). You also need a **private resource** on the site for each host you want to SSH into (see below). Both options require the SSH server on each target host to be configured to trust the Pangolin CA and to use the auth daemon for principals (see [Configure the SSH server](#configure-the-ssh-server-on-the-host) below). You also need a **private resource** on the site for each host you want to SSH into (see below).
## Create a private resource (required) ## Create a private resource (required)
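Review bot: The added Note tells the operator to pick one mode but never says how the mode is selected. Step 1 of Option 2 in this same change now starts Newt with only `--ad-pre-shared-key` (the `--auth-daemon` flag is dropped from that command), so if passing `--ad-pre-shared-key` is what switches Newt to external auth daemons and omitting it keeps the built-in daemon, state that here, e.g. "Newt runs the built-in auth daemon unless started with `--ad-pre-shared-key`, which switches it to external auth daemons on other hosts." Without that sentence a reader who passes both flags has no documented way to know which one wins, and the Note reads as a restriction without a knob.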
@@ -148,29 +152,60 @@ flowchart LR
### Prerequisites ### Prerequisites
- **Newt** running on one host (the “site” / bastion) with auth-daemon support and a preshared key for external auth daemons. - **Newt** running on one host (the “site” / bastion) with auth-daemon support and a pre-shared key for external auth daemons.
- **Pangolin CLI** installed on each server where you will run the auth daemon. See [Install Clients — Quick Install (Recommended)](/manage/clients/install-client#quick-install-recommended). - **Pangolin CLI** installed on each server where you will run the auth daemon. See [Install Clients — Quick Install (Recommended)](/manage/clients/install-client#quick-install-recommended).
### Step 1: On the server running Newt ### Step 1: On the server running Newt
Start Newt with auth-daemon enabled and a **preshared key** so external auth daemons can authenticate to it: Start Newt with a **pre-shared key** so external auth daemons can authenticate to it:
```bash ```bash
sudo newt --id <id> --secret <secret> --endpoint <endpoint> --auth-daemon --ad-preshared-key <preshared-key> sudo newt --id <id> --secret <secret> --endpoint <endpoint> --ad-pre-shared-key <pre-shared-key>
``` ```
<Note> <Note>
Choose a strong, random value for `<preshared-key>` and use the same value when starting the auth daemon on each target server. Choose a strong, random value for `<pre-shared-key>` and use the same value when starting the auth daemon on each target server.
</Note> </Note>
### Step 2: On each server you want to SSH into ### Step 2: On each server you want to SSH into
On every host that should accept Pangolin SSH (and is not running Newt), run the auth daemon with the same preshared key: On every host that should accept Pangolin SSH (and is not running Newt), run the auth daemon with the same pre-shared key:
```bash ```bash
sudo pangolin auth-daemon --pre-shared-key <preshared-key> sudo pangolin auth-daemon --pre-shared-key <pre-shared-key>
``` ```
#### Run as a systemd service
Create a systemd unit so the auth daemon runs on boot:
```ini title="/etc/systemd/system/pangolin-auth-daemon.service"
[Unit]
Description=Pangolin SSH auth daemon
After=network.target
[Service]
ExecStart=/usr/local/bin/pangolin auth-daemon --pre-shared-key <pre-shared-key>
Restart=always
User=root
[Install]
WantedBy=multi-user.target
```
Replace `<pre-shared-key>` with the same value used on Newt. Then:
```bash
sudo systemctl daemon-reload
sudo systemctl enable pangolin-auth-daemon
sudo systemctl start pangolin-auth-daemon
sudo systemctl status pangolin-auth-daemon
```
<Warning>
Ensure the Pangolin CLI binary is at `/usr/local/bin/pangolin` (or update `ExecStart` to its path) before creating the service.
</Warning>
### Step 3: Configure the SSH server on each target host ### Step 3: Configure the SSH server on each target host
On each of these hosts, configure the SSH server as in [Configure the SSH server on the host](#configure-the-ssh-server-on-the-host). Use the `pangolin auth-daemon principals` command in `AuthorizedPrincipalsCommand` (see that section for the exact line). On each of these hosts, configure the SSH server as in [Configure the SSH server on the host](#configure-the-ssh-server-on-the-host). Use the `pangolin auth-daemon principals` command in `AuthorizedPrincipalsCommand` (see that section for the exact line).
@@ -188,11 +223,7 @@ These ports do not need to be exposed to the public internet. They only need to
For both Option 1 and Option 2, the hosts SSH server must trust the Pangolin CA and use the auth daemon to resolve principals. Do the following on **every** host that will accept Pangolin SSH (the host running Newt in Option 1, or each host running the external auth daemon in Option 2). For both Option 1 and Option 2, the hosts SSH server must trust the Pangolin CA and use the auth daemon to resolve principals. Do the following on **every** host that will accept Pangolin SSH (the host running Newt in Option 1, or each host running the external auth daemon in Option 2).
### 1. Add the CA public key ### 1. Update `sshd_config`
Place your organizations CA public key on the server (e.g. at `/etc/ssh/ca.pem`). You can obtain this from the Pangolin dashboard or your administrator.
### 2. Update `sshd_config`
Add or adjust these lines in `/etc/ssh/sshd_config`: Add or adjust these lines in `/etc/ssh/sshd_config`:
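Review bot: Deleting the "Add the CA public key" section leaves the requirement stated two lines above it ("the hosts SSH server must trust the Pangolin CA") with no instruction for satisfying it: the reader no longer learns where the CA public key comes from or where to place it, yet trusting a user CA in OpenSSH requires pointing sshd at a key file on disk. If the auth daemon now installs or serves the CA key itself, replace the removed section with a sentence saying so and naming the path it writes; if the step moved to another page, link to it here. While touching this paragraph, "the hosts SSH server" should read "the host's SSH server".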
@@ -215,7 +246,7 @@ AuthorizedPrincipalsCommand /usr/local/bin/pangolin auth-daemon principals --use
AuthorizedPrincipalsCommandUser root AuthorizedPrincipalsCommandUser root
``` ```
### 3. Restart the SSH server ### 2. Restart the SSH server
```bash ```bash
sudo systemctl restart ssh sudo systemctl restart ssh
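Review bot: `sudo systemctl restart ssh` is the Debian/Ubuntu unit name; on RHEL, Fedora and Arch the unit is `sshd`, so either show both or say "restart the SSH service (unit name varies by distribution)". More importantly, restarting sshd with a bad `AuthorizedPrincipalsCommand` or `AuthorizedPrincipalsCommandUser` line locks the operator out of a remote host, so add `sudo sshd -t` before the restart and advise keeping the current session open until a fresh login through Pangolin succeeds.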