Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
38 lines (26 sloc) 1.73 KB


even allows requesting SSH access to EC2 instances.

How to use

See the section :ref:`ssh-access` on how to get SSH access to EC2 instances using the :ref:`piu` command line tool.

SSH access granting flow

This section explains how :ref:`piu`, :ref:`even`, :ref:`odd` and the IAM services (OAuth2 provider, Team Service and User Service) interact during the process of granting SSH access to a single odd SSH bastion host.

SSH access granting flow

  1. user "jdoe" gets OAuth2 access token from Token Service (done by :ref:`piu`)
  2. user "jdoe" requests access to a specific :ref:`odd` SSH bastion host "" (HTTP POST to /access-requests, done by :ref:`piu`)
  3. even authenticates the user by retrieving the "uid" ("jdoe") from the OAuth2 tokeninfo endpoint
  4. even authorizes the user "jdoe" by checking the team membership (member of "myteam") and comparing the requested hostname (" to the configured hostname template
  5. even executes the SSH forced command "grant-ssh-access jdoe" on the odd host
  6. the odd host downloads the user's public SSH key from even (GET /public-keys/jdoe/
  7. even retrieves the user's public SSH key from the configured user service (simple HTTP endpoint to get public SSH key by username)
  8. the forced command on odd adds the user "jdoe" to the system and writes the authorized_keys file
  9. the user "jdoe" finally logs into the odd host using their personal SSH key


See the :ref:`STUPS Installation Guide section on even <even-deploy>` for details about deploying the "even" SSH access granting service into your AWS account.