Modify the PIV policy for the ingress keys of an account
--osh accountPIV --account ACCOUNT --policy <default|enforce|never|grace --ttl SECONDS|DURATION>
- --account ACCOUNT
Bastion account to work on
- --policy POLICY
Changes the PIV policy of account. See below for a description of available policies.
- --ttl SECONDS|DURATION
For the grace policy only: amount of time after which the account automatically reverts
to its previous policy (a number of seconds, or a duration string such as "4d12h15m").
Possible POLICY values:
- default
No specific policy is defined for this account; the bastion-wide default applies (see the ingressRequirePIV global option).
- enforce
Only verified PIV keys can be added as ingress SSH keys for this account. Note that setting the policy to enforce also immediately disables any non-PIV keys among the account's ingress keys. If no valid PIV key is found, this in effect disables all the keys of said account, preventing connection, so check that the account already has at least one verified PIV key before enforcing. The disabled keys are still kept, so that setting the policy back to never does restore the non-PIV keys.
- never
Regardless of the global configuration of the bastion (see the ingressRequirePIV global option), this account will never be required to use only PIV keys. This can be needed for a non-human account if PIV is enabled bastion-wide.
- grace
Enables temporary deactivation of PIV enforcement on this account. This is only meaningful when the policy is already set to enforce for this account, or if the global ingressRequirePIV option is set to true. This policy requires the --ttl option, which specifies how long the policy is relaxed for this account before it automatically goes back to its previous policy. This can be useful when people forget their PIV-enabled hardware token and you don't want to send them back home.
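The following wrapper is an added example, not part of The Bastion's own code or of this page. It validates a --ttl value before a grace request is sent, by converting a duration string such as "4d12h15m" to seconds, and it refuses a grace policy without a TTL. Only "4d12h15m" is shown on the page, so the accepted unit set (d, h, m, s) and the rule that non-grace policies take no --ttl are this script's own assumptions; the function names (duration_to_seconds, accountpiv_cmd) and the account names used below are hypothetical.

```shell
#!/bin/sh
# duration_to_seconds DURATION
# Accepts either a bare number of seconds ("3600") or a duration string of
# integer+unit groups ("4d12h15m"). Units d/h/m/s are assumed; the page only
# shows the "4d12h15m" form. Prints the total in seconds, returns 1 on error.
duration_to_seconds() {
    dur=$1
    total=0
    case "$dur" in
        '') return 1 ;;                 # empty TTL
        *[!0-9dhms]*) return 1 ;;       # any character outside digits/units
    esac
    case "$dur" in
        *[dhms]*) ;;                    # has units: parse below
        *) printf '%s\n' "$dur"; return 0 ;;   # plain seconds
    esac
    rest=$dur
    while [ -n "$rest" ]; do
        num=${rest%%[dhms]*}            # digits before the next unit letter
        unit_and_rest=${rest#"$num"}
        unit=${unit_and_rest%"${unit_and_rest#?}"}   # first character
        rest=${unit_and_rest#?}
        case "$num" in
            ''|*[!0-9]*) return 1 ;;    # missing or malformed number
        esac
        case "$unit" in
            d) total=$((total + num * 86400)) ;;
            h) total=$((total + num * 3600)) ;;
            m) total=$((total + num * 60)) ;;
            s) total=$((total + num)) ;;
            *) return 1 ;;              # trailing digits without a unit
        esac
    done
    printf '%s\n' "$total"
}

# accountpiv_cmd ACCOUNT POLICY [TTL]
# Prints the --osh accountPIV argument list for the given policy, or returns 1
# if the combination is invalid. Assumption of this script: grace requires a
# TTL and the other policies reject one, mirroring the usage line on the page.
accountpiv_cmd() {
    account=$1
    policy=$2
    ttl=$3
    [ -n "$account" ] || { echo "accountpiv_cmd: account is required" >&2; return 1; }
    case "$policy" in
        default|enforce|never)
            [ -z "$ttl" ] || { echo "accountpiv_cmd: --ttl only applies to grace" >&2; return 1; }
            printf '%s\n' "--osh accountPIV --account $account --policy $policy"
            ;;
        grace)
            secs=$(duration_to_seconds "$ttl") \
                || { echo "accountpiv_cmd: grace needs a valid --ttl" >&2; return 1; }
            printf '%s\n' "--osh accountPIV --account $account --policy grace --ttl $secs"
            ;;
        *)
            echo "accountpiv_cmd: unknown policy '$policy'" >&2
            return 1
            ;;
    esac
}

# Hypothetical accounts: relax PIV for alice until the end of the week,
# and mark a service account as never requiring PIV.
accountpiv_cmd alice grace 4d12h15m
accountpiv_cmd svc-backup never
```

The printed argument list is what you would pass to the bastion (typically after `ssh <bastion> -t --`, which is assumed here and not shown on this page). Because the TTL is normalised to seconds before the call, a typo in the duration string is caught locally instead of leaving the account in an unintended state.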