We're currently discussing how to restrict access to bastion machines in production (not on the Phabricator tier, but the production system of our product). We want to be able to provide access to bastion machines based on assigning users in Phabricator to projects / tags. Ideally we want to be able to write a script on all of the bastion machines that updates the /root/.ssh/authorized_keys file on a regular basis and synchronises the public keys of users in Phabricator with that file (or alternatively, use the authorized keys command like Phabricator itself does).
Right now Phabricator provides an SSH public key store in the form of SSH keys associated with a user's account. This is almost what we need, but we can't designate some keys as "Git access for Phabricator" and other keys as "Production bastion keys". Obviously we don't want to be in a scenario where a user is using the same SSH key to access Git as they are to access bastion machines in production.
Alternatively we could use Passphrase, but there's no API for automatically creating passphrase entries, and the creation process would be clunky for a user to do manually - not only do they need to create / generate the key in Passphrase, but they also need to set the policies so the bastion machines can view the public components of the keys, and then they'd probably have to do some additional thing to put their username in the description field or something? So that the bastion machines know who is being authorized? Although this is possible, I think it'd be far easier for everyone if we could just use the current SSH public key store for users.
Ultimately our goal is to not only restrict who has access to the bastion machines, but also insert a command= option so that we can explicitly log the username of the person connecting into the system audit logs.