server {
  use_tls = true  # Optional. If this is set then `tls_key` and `tls_cert` must be set
  tls_key = "server.key"  # Path to TLS key
  tls_cert = "server.crt"  # Path to TLS certificate
  port = 443  # Port to listen on
  cookie_secret = "supersecret"  # Authentication key for the client cookie
}

auth {
  provider = "google"  # Oauth provider to use
  oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com"  # Oauth client ID
  oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy"  # Oauth client secret
  oauth_callback_url = "https://sshca.example.com/auth/callback"  # Oauth callback url
  provider_opts {
    domain = "example.com"  # Oauth-provider specific options
  }
}

ssh {
  signing_key = "signing_key"  # Path to the CA signing secret key
  additional_principals = ["ec2-user", "ubuntu"]  # Additional principals to allow
  max_age = "720h"  # Maximum lifetime of a ssh certificate
  permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"]  #  Permissions associated with a certificate.
}