even allows requesting SSH access to EC2 instances.
How to use
SSH access granting flow
This section explains how :ref:`piu`, :ref:`even`, :ref:`odd` and the IAM services (OAuth2 provider, Team Service and User Service) interact during the process of granting SSH access to a single odd SSH bastion host.
- user "jdoe" gets an OAuth2 access token from Token Service (done by :ref:`piu`)
- user "jdoe" requests access to a specific :ref:`odd` SSH bastion host "odd.myteam.example.org" (HTTP POST to /access-requests, done by :ref:`piu`)
- even authenticates the user by retrieving the "uid" ("jdoe") from the OAuth2 tokeninfo endpoint
- even authorizes the user "jdoe" by checking the team membership (member of "myteam") and comparing the requested hostname ("odd.myteam.example.org") to the configured hostname template
- even executes the SSH forced command "grant-ssh-access jdoe" on the odd host
- the odd host downloads the user's public SSH key from even (GET /public-keys/jdoe/sshkey.pub)
- even retrieves the user's public SSH key from the configured user service (simple HTTP endpoint to get public SSH key by username)
- the forced command on odd adds the user "jdoe" to the system and writes the
- the user "jdoe" finally logs into the odd host using their personal SSH key
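The authentication and authorization steps of the flow above, sketched as an added example (this is not even's own code). The ``{team}`` placeholder syntax, the uid/team format, the sample tokens and all function names are assumptions made for illustration.

```python
import re

# Constructed sample data standing in for the tokeninfo and Team Service answers.
TOKENINFO = {"tok-jdoe": {"uid": "jdoe"}, "tok-eve": {"uid": "eve"}}
TEAM_MEMBERS = {"myteam": {"jdoe"}, "otherteam": {"eve"}}

# Assumed template syntax: "{team}" is the only placeholder, the rest is literal.
HOSTNAME_TEMPLATE = "odd.{team}.example.org"
# Assumed format for uids and team ids (lowercase, no shell metacharacters).
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,31}")


class AccessDenied(Exception):
    """Raised when a request fails authentication or authorization."""


def teams_of(uid):
    """Teams the user belongs to, skipping ids that fail the format check."""
    return {t for t, members in TEAM_MEMBERS.items()
            if uid in members and NAME_RE.fullmatch(t)}


def authorize(token, hostname):
    """Return (canonical_host, forced_command_argv) for an allowed request."""
    info = TOKENINFO.get(token)
    if info is None:
        raise AccessDenied("invalid token")
    uid = info["uid"]  # identity comes from tokeninfo, not from the request body
    if not NAME_RE.fullmatch(uid):
        raise AccessDenied("uid not safe to pass to the forced command")
    host = hostname.lower().rstrip(".")
    # Exact comparison against the filled-in template: a prefix or substring
    # match would also accept "odd.myteam.example.org.other.test".
    allowed = {HOSTNAME_TEMPLATE.format(team=t) for t in teams_of(uid)}
    if host not in allowed:
        raise AccessDenied("hostname not allowed for user's teams")
    # The uid has passed the format check before it reaches the forced command.
    return host, ["grant-ssh-access", uid]


def decision(token, hostname):
    """authorize() wrapped to return the denial reason as a string."""
    try:
        return authorize(token, hostname)
    except AccessDenied as exc:
        return str(exc)
```
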
See the :ref:`STUPS Installation Guide section on even <even-deploy>` for details about deploying the "even" SSH access granting service into your AWS account.