hyakuhei / Heimdall

A UI for granting access to isolated environments using dynamically generated jump-containers

Add certificate generation into Heimdall interface or config #14

Open hyakuhei opened 6 years ago

hyakuhei commented 6 years ago

This will be injected into new Bastions so that the certificate a user is provided with (by Heimdall / some other system connected to Heimdall, i.e. Vault) can be verified by the Bastion.

This certificate is expected to be used to log into both the bastion and production endpoints (i.e. the CA is recognised by both).

The expectation is that the user's private key never leaves their host machine. Onward authentication to production machines is achieved by SSH-Agent.
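The flow this issue describes is the standard OpenSSH user-CA model: the CA public key is installed on the bastion via `TrustedUserCAKeys`, the user's private key stays on their machine, and only the public half is sent to be signed. The script below is an added illustration of that model, not Heimdall's own code; the `heimdall_ca` and `alice` file names, the key ID, the principals and the one-hour validity are made up for the demo, and it assumes `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example (not Heimdall's code): the OpenSSH user-CA flow from the issue.
# Assumes ssh-keygen is installed. All file names and identities below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Heimdall (or Vault behind it) holds the CA private key.
#    Only the CA *public* key is shipped to bastions, as a TrustedUserCAKeys line.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'heimdall-user-ca' -f "$WORK/heimdall_ca" </dev/null
    # Fragment to drop into the bastion's sshd_config (path is an assumption).
    printf 'TrustedUserCAKeys /etc/ssh/heimdall_ca.pub\n' > "$WORK/sshd_heimdall.conf"
}

# 2. The user generates a keypair on their own host; the private key never leaves it.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice" </dev/null
}

# 3. Heimdall signs only the public key, with explicit principals and a short lifetime.
#    Output is $WORK/alice-cert.pub; the user presents it via ssh-agent to bastion and prod.
sign_user_key() {
    ssh-keygen -q -s "$WORK/heimdall_ca" -I 'alice-session-42' \
        -n 'alice,bastion-user' -V '+1h' "$WORK/alice.pub"
}

# What the bastion effectively checks: is the cert signed by the CA public key in $1?
# Compares the CA fingerprint against the "Signing CA:" line of the certificate.
cert_signed_by() {
    ca_fp=$(ssh-keygen -l -f "$1" | awk '{print $2}')
    ssh-keygen -L -f "$WORK/alice-cert.pub" | grep 'Signing CA:' | grep -qF -- "$ca_fp"
}

# Does the certificate carry principal $1? (sshd matches these against the login name
# or an AuthorizedPrincipalsFile.)
cert_has_principal() {
    ssh-keygen -L -f "$WORK/alice-cert.pub" | grep -qE "^[[:space:]]+$1\$"
}

# Run the whole flow and print the certificate when HEIMDALL_DEMO=1.
if [ "${HEIMDALL_DEMO:-0}" = 1 ]; then
    make_ca; make_user_key; sign_user_key
    ssh-keygen -L -f "$WORK/alice-cert.pub"
fi
```

`HEIMDALL_DEMO=1 sh ca-flow.sh` walks through all three steps and dumps the resulting certificate; note that a certificate signed by a different CA, or one whose principals do not match the login name, fails the same checks sshd applies, which is the property that lets one CA be trusted by both the bastion and the production hosts.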

hyakuhei commented 6 years ago

If this doesn't work, an alternative is to have Heimdall provision an access keypair (private key, certificate) onto Bastions when they're created. Earlier versions of Fulcrum did this already, the access to production would look something like this:

```
         [SSO+2FA+ClientCert]             [SSO + Heimdall_Cert]
Client ---------------------> Bastion ---------------------> Prod Server
```