
inner workings when opening a ssh session for a user

Open ffabreti opened this issue 6 years ago • 0 comments

This is not a bug. I can't find any public place suitable for asking this, so...

I have set forceUserKeyGeneration=false so I can use previously generated keys.

Could anybody elaborate on these two log lines at my destination "system" when a user opens an ssh session through Bastillion:

```
Jan  2 17:26:41 hm_app_02 sshd[6531]: Accepted publickey for sys-user1 from system1 port 47167 ssh2: RSA b6:3b:fd:89:40:b9:02:7b:31:6e:12:20:75:0d:35:70
Jan  2 17:26:41 hm_app_02 sshd[6531]: pam_unix(sshd:session): session opened for user sys-user1 by (uid=0)
```

I suppose what happens is:

  1. admin configures system1 to use sys-user1 public key (admin needs to insert sys-user1 passwd)
  2. admin adds http-user and sets its passwd
  3. admin sets profile connecting http-user to system1
  4. admin sets sys-user1 public key to be used by profile
  5. http-user logs into Bastillion (via HTTPS)
  6. http-user chooses to connect to system1
  7. App connects to system1 using bastillion@global_key (fingerprint ...0d:35:70)
  8. App retrieves sys-user1 private key and starts an ssh session using sys-user1 key
  9. Session is proxied through HTTPS to http-user

What really intrigues me are steps 7 and 8, because when there are no ssh keys for sys-user1 when admin configures system1, it doesn't work (App asks http-user for passwd). But if there are ssh keys for sys-user1, everything works even if I delete the private key for sys-user1 (at ~/.ssh/id_rsa).

Maybe the App just opens an ssh session with Bastillion's keys and does a su to sys-user1? I mean, instead of 7 and 8.

What exactly is the flow here? Thanks.

ffabreti avatar Jan 02 '19 20:01 ffabreti
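An added example, not part of the original issue or of Bastillion's own code, that answers the question behind steps 7 and 8 from the target host's side: which entry in sys-user1's authorized_keys actually produced the "Accepted publickey" line. It computes the colon-separated MD5 fingerprint that older sshd versions log (the `b6:3b:...` form above) for each key and matches it against the log line; the authorized_keys entries and the log line are constructed for the demo, not real keys.

```python
import base64
import hashlib
import re
import struct

# sshd line shape from the issue: "Accepted publickey for USER from HOST port N ssh2: TYPE xx:xx:..."
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<host>\S+) port \d+ ssh2: "
    r"(?P<type>\w+) (?P<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})"
)


def md5_fingerprint(authorized_keys_line):
    """MD5 fingerprint of one authorized_keys entry, in the colon form older sshd logs."""
    key_type, b64 = authorized_keys_line.split()[:2]
    blob = base64.b64decode(b64)  # the wire-format public key, exactly what sshd hashes
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def find_key_for_login(log_line, authorized_keys):
    """Return which authorized_keys entry matches an 'Accepted publickey' line, or None."""
    m = ACCEPTED_RE.search(log_line)
    if not m:
        return None  # not a publickey acceptance (e.g. the pam_unix session line)
    for line in authorized_keys:
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or line.startswith("#"):
            continue
        if md5_fingerprint(line) == m["fp"]:
            comment = parts[2] if len(parts) > 2 else ""
            return {"user": m["user"], "host": m["host"], "type": m["type"],
                    "fp": m["fp"], "comment": comment}
    return None


def _constructed_rsa_key(comment, modulus_bytes):
    """Syntactically valid ssh-rsa authorized_keys line for the demo (constructed, not a real key)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + modulus_bytes)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed authorized_keys for sys-user1 on system1: the bastion's global key and the user's own key.
AUTHORIZED_KEYS = [
    _constructed_rsa_key("bastillion@global_key", b"\xb6" * 32),
    _constructed_rsa_key("sys-user1@laptop", b"\x3b" * 32),
]


def demo_log_line():
    """Constructed sshd line carrying the fingerprint of the first sample key."""
    fp = md5_fingerprint(AUTHORIZED_KEYS[0])
    return ("Jan  2 17:26:41 hm_app_02 sshd[6531]: Accepted publickey for sys-user1 "
            "from system1 port 47167 ssh2: RSA " + fp)
```

Run against the real host's ~/.ssh/authorized_keys and auth log, the comment of the matching entry tells you whether the bastion's global key or a user key was used; newer sshd versions log a `SHA256:` fingerprint instead, which needs a SHA-256 digest in base64.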