# SSH (Certificate Auth) ## Overview This guide describes how to set up the SSH (Certificate Auth) resource type in StrongDM. Using SSH (Certificate Auth) enables StrongDM to manage secure, just-in-time access to your SSH servers without distributing static credentials. Each connection request triggers StrongDM to issue a short-lived SSH certificate signed by your organization’s CA. Your hosts trust this CA, allowing access only while the certificate is valid. Some of the benefits of using certificate authentication include the following: * Eliminates long-lived SSH keys * Enables centralized access control and revocation * Simplifies onboarding and offboarding * Provides detailed session auditing ## Authentication StrongDM acts as an SSH certificate authority (CA). When a user initiates a session, the following happens: * The StrongDM node (gateway, relay, or proxy worker) requests a short-lived SSH certificate from the CA. * The CA signs the certificate, embedding the user’s identity and allowed principals. * The node uses this certificate to authenticate to the target host. * The host verifies the signature using the trusted CA public key. Each connection is ephemeral, traceable, and scoped to the authenticated StrongDM user. ## Prerequisites Before configuring a host for certificate authentication, ensure the following requirements are met: * You have Admin privileges in StrongDM. * A StrongDM node can reach the target SSH host over TCP port `22` (or custom port). * The host runs a version of OpenSSH that supports `TrustedUserCAKeys` (OpenSSH 7.2+ recommended). * Network firewalls allow SSH connections from your StrongDM node. * (Optional but recommended) NTP or clock synchronization is enabled on all hosts, as certificate authentication depends on accurate system time. {% hint style="info" %} To verify that the server you are attempting to add is accessible from your StrongDM node, go to the gateway or relay server and from a command prompt, type `ping `. If your gateway or relay can connect to this hostname, you can continue. \ For more information see [gateways-and-relays](https://docs.strongdm.com/admin/networking/gateways-and-relays "mention"). {% endhint %} ## Review StrongDM CA Public Key Each StrongDM organization has a unique SSH Certificate Authority (CA). Hosts must trust this CA’s public key to validate StrongDM-issued certificates. You can use either: * The StrongDM-managed CA (default) called Strong CA * A third-party CA if your organization is on the Enterprise plan The Strong CA is a cryptographic key pair in charge of issuing and validating certificates for every SSH session. You need to add the SSH CA public key as a trusted source on any hosts you want to access with this option. StrongDM CA certificates for SSH have a lifespan of three years. Organizations that have the Enterprise plan enabled may use an SSH CA issued by a third-party issuer (for example, HashiCorp). Third-party CAs are managed in the same way as the Strong CA. All SSH CAs available to your organization are listed on the Admin UI's **Settings** > **Secrets Management** within the **Certificate Authorities** tab. Selecting a CA opens that CA's settings, which shows all certificates issued by the CA. Each certificate is identified by a unique fingerprint and the time and date when it was created. Multiple certificates can exist, but only one can be active at a time. An active certificate is the one configured to authenticate to the resource. The active certificate is highlighted and shown in blue, whereas inactive certificates are shown in gray. {% hint style="warning" %} Only one active SSH CA is permitted per organization. If the CA is rotated, all SSH sessions using the last active CA are terminated. Please rotate with caution. Certificate rotation may be done in the Admin UI only from **Settings** > **Secrets Management** within the **Certificate Authorities** tab. For more information, please see [Certificate Authorities](https://docs.strongdm.com/admin/access/certificate-authorities). If you rotate or replace your CA, remember to update all host configurations accordingly. {% endhint %} ### How to view and copy the SSH CA public key To retrieve your organization’s SSH CA public key, follow these steps. 1. In the StrongDM Admin UI, navigate to **Settings > Secrets Management > Certificate Authorities**. 2. From the SSH CA's **Settings** tab, select one of the certificates shown, or create a new certificate. 3. From the **SSH Certificate** dialog that displays, use the **Copy** button to copy the SSH CA public key to your clipboard. 4. Save it locally as `/etc/ssh/sdm_ca.pub` on each target host. > 💡 **Tip:** Ensure you copy the entire key, including the `ssh-rsa` or `ssh-ed25519` prefix, without extra spaces or line breaks. If you later rotate your CA, repeat these steps and replace the old key on each host. ## Add the StrongDM CA to Your Host To configure a host to trust the StrongDM CA, follow these steps. 1. Copy the CA public key to the host and save it: ```bash sudo tee /etc/ssh/sdm_ca.pub <<'EOF' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEexampleStrongDMCAKey== strongdm-ca EOF sudo chmod 600 /etc/ssh/sdm_ca.pub ``` 2. With your editor of choice, open your SSH daemon configuration for editing. For example: ```bash sudo vim /etc/ssh/sshd_config ``` 3. Add or update the following line: ```bash TrustedUserCAKeys /etc/ssh/sdm_ca.pub ``` 4. Restart the SSH service on this host for the changes to take effect. Note that the command you execute may differ based on your system configuration, and you may need to restart `sshd` or `ssh`, as in the following example: ```bash sudo systemctl restart sshd ``` {% hint style="warning" %} You may want to keep an active session open while restarting SSH to avoid locking yourself out. {% endhint %} ### Restrict access by username By default, any Linux username can be used when authenticating via a StrongDM-issued certificate.\ For tighter control, restrict which usernames are permitted. Every certificate created by the StrongDM CA contains two principals: the username specified in the datasource settings and the literal string `strongdm`. You can use the following steps to restrict access to only this user, replacing `user-one` with your desired username. {% hint style="info" %} The user must already exist (be created or validated externally) before the usernames are added to the authorized principals file. {% endhint %} 1. Create a directory for allowed principals: ```bash mkdir /etc/ssh/sdm_users ``` 2. Create a file named after the username you wish to allow and include the StrongDM principal inside. For example, using vim: ```bash sudo tee /etc/ssh/sdm_users/user-one <<'EOF' user-one EOF ``` 3. Update `sshd_config` to reference this directory: ```bash AuthorizedPrincipalsFile /etc/ssh/sdm_users/%u ``` 4. Restart the sshd service. ```bash sudo systemctl restart sshd ``` Now only users with certificates that include that principal can log in as the specified Linux user. > 🔒 For environments with multiple users, create one file per Linux user you wish to allow. You can find additional ways to restrict access by username in Red Hat's [Creating SSH Certificates](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates) documentation. ## Add the Resource in StrongDM Once your host trusts the StrongDM CA, add it as a resource in StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add the resource to StrongDM, use the following steps. 1. In the Admin UI, Go to **Resources** > **Managed Resources**. 2. Click **Add Resource**. 3. For **Resource Type**, select **SSH (Certificate Based)**. 4. For **Connectivity Mode**, select either **Virtual Networking Mode** or **Loopback Mode** and their related properties. 5. For **Authentication** type, choose either **Leased Credentials** or **Identity Aliases** and set their properties: 1. **Leased Credentials** 1. For **Username**, enter the username that the relay should utilize to connect to the server via SSH. 2. **Identity Aliases** 1. For **Identity Set**, select an Identity Set name from the list. 2. For **Healthcheck Username**, enter the SSH user account name (for example, `ubuntu`).\\ 6. Set all other required [resource properties](#resource-properties) to configure how the StrongDM node connects to the server via RDP. 7. When you are done, click **Create** to save the resource. Then you may click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation. 1. In your terminal or Command Prompt, log in to StrongDM: ```sh sdm login ``` 2. Run `sdm admin servers add ssh-cert --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them. ```sh $ sdm admin servers add ssh-cert --help NAME: sdm admin servers add ssh-cert - create SSH (Certificate Based) server USAGE: sdm admin servers add ssh-cert [command options] OPTIONS: --allow-deprecated-key-exchanges sdm must use TLS to connect --bind-interface value IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default") --egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...' --hostname value (required) --identity-alias-healthcheck-username value (conditional) --identity-set-id value --identity-set-name value set the identity set by name --key-type value --port value (required) (default: 22) --port-forwarding --port-override value Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1) --proxy-cluster-id value proxy cluster id --secret-store-id value secret store id --subdomain value, --bind-subdomain value DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.."). Only applicable to HTTP-based resources or resources using virtual networking mode. --tags value tags e.g. 'key=value,...' --template, -t display a JSON template --timeout value set time limit for command --username value (conditional, secret) ``` 3. Run `sdm admin servers add ssh-cert ` to add the resource in StrongDM Set all required properties with their values. For example: ```sh sdm admin servers add ssh-cert "linux-ssh-cert-prod-01" --hostname "ssh01.acme.internal" --port 22 --bind-interface "default" --port-override -1 --egress-filter 'field:name tag:env=prod tag:region=us-west' --proxy-cluster-id "plc_0123456789abcdef" --secret-store-id "ss_abcdef0123456789" --identity-set-id "is_1234567890abcdef" --identity-set-name "Linux SSH Cert Identity Set" --identity-alias-healthcheck-username "svc_ssh_health" --username "fallback_local_admin" --key-type "rsa-4096" --allow-deprecated-key-exchanges --port-forwarding --subdomain "ssh-prod01" --tags "env=prod,role=linux,team=infra" --timeout 30 ``` 4. Check that the resource has been added. The output of the following command should show the resource's name: ```sh sdm admin resources list ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create SSH certificate-based auth server resource "sdm_resource" "linux_ssh_cert_prod_01" { ssh_cert { name = "linux-ssh-cert-prod-01" # hostname = "ssh01.acme.internal" # --hostname port = 22 # --port (default 22) bind_interface = "default" # --bind-interface (default: "default") port_override = -1 # --port-override (-1 = auto-allocate) egress_filter = "field:name tag:env=prod tag:region=us-west" # --egress-filter identity_set_id = "is_1234567890abcdef" # --identity-set-id # identity_set_id = data.sdm_identity_set.ssh_cert.id # (looked up by name) identity_alias_healthcheck_username = "svc_ssh_health" # --identity-alias-healthcheck-username secret_store_id = "ss_abcdef0123456789" # --secret-store-id subdomain = "ssh-prod01" # --subdomain username = "fallback_local_admin" # --username (conditional, secret) tags = { # --tags env = "prod" role = "linux" team = "infra" } # The following options may depend on your provider version: # key_type = "rsa-4096" # --key-type # allow_deprecated_key_exchanges = true # --allow-deprecated-key-exchanges # port_forwarding = true # --port-forwarding # proxy_cluster_id = "plc_0123456789abcdef" # --proxy-cluster-id } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and Manage With SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Go | ​[pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16)​ | ​[strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go)​ | ​[Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples)​ | | ------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | | Java | ​[javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/)​ | ​[strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java)​ | ​[Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples)​ | | Python | ​[pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/)​ | ​[strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python)​ | ​[Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples)​ | | Ruby | ​[RubyDoc](https://www.rubydoc.info/gems/strongdm)​ | ​[strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby)​ | ​[Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples)​ | | {% endtab %} | | | | | {% endtabs %} | | | | ## Resource Properties Configuration properties are visible when you add a **Resource Type** or when you click to view the server's settings. The following table describes the settings available for your SSH (Certificate Based) server.
PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSSH (Certificate Based)
Proxy ClusterRequiredDefaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
HostnameRequiredHostname or IP address to which you are connecting, such as testserver-01.example.org; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the resource; default port value 22
Connectivity ModeRequiredSelect either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization
IP AddressOptionalIf Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port OverrideOptionalIf Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNSOptionalIf Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Certificate AuthorityRequiredWhere the credentials for the server are stored; defaults to Strong CA; to learn more, see Certificate Authority options
Key TypeRequiredSigning algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options
AuthenticationRequiredSelect Leased Credentials (default) or Identity Aliases
UsernameRequiredDisplays if Authentication is set to Leased Credentials; enter the username the relay should utilize to connect to the server via SSH (for example, bob.belcher)
Identity SetRequiredDisplays if Authentication is set to Identity Aliases; select an Identity Set name from the list
Healthcheck UsernameRequiredDisplays if Authentication is set to Identity Alias; enter the username that will be utilized to verify StrongDM's connection to the server; username must exist on the target server
Allow Port ForwardingOptionalWhen enabled, allows SSH connections proxied by StrongDM for this server to accept local forwarding requests; this checkbox is shown when the Allow port forwarding through SSH? option is turned on in the Admin UI security settings; see Port Forwarding for more information
Resource Lock RequiredRequiredEnables a resource lock, which can lock access the resource to ensure it can only be used by one user at a time; defaults to disabled
Resource TagsOptionalResource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)
### Certificate Authority options By default, server credentials are stored in [Strong CA](https://docs.strongdm.com/admin/access/certificate-authorities/strong-ca). If the Enterprise plan is enabled for your organization, you may use a [third-party CA](https://docs.strongdm.com/admin/access/certificate-authorities), instead of the default Strong CA, to issue certificates for authentication to your certificate-based SSH resources. For more information, please see [Certificate Authorities](https://docs.strongdm.com/admin/access/certificate-authorities).
OptionDescription
Strong CA (default)StrongDM automatically generates and signs SSH certificates.
Third-party CAFor Enterprise customers, import and manage your own SSH CA. This allows tighter integration with internal PKI systems.
> ⚠️ Only one SSH CA can be active per organization. Rotating or replacing the CA immediately invalidates existing sessions. ### Key type options The following table describes the different key types StrongDM can use to encrypt and secure SSH connections.
Key typeDescriptionAdditional information
RSA-20482048-bit key generated with RSA algorithmLowest security guarantees, but has broad support across hosts
RSA-40964096-bit key generated with RSA algorithmSlightly better than RSA-2048; still uses RSA, but larger keys can prolong the time to crack if an attacker gains access
ECDSA-256Key generated with 256-bit elliptic curve and ECDSA algorithmProvides better security guarantees than RSA
ECDSA-384Key generated with 384-bit elliptic curve and ECDSA algorithmSlightly better than ECSDA-256
ECDSA-521Key generated with 521-bit elliptic curve and ECDSA algorithmServes as the best ECDSA choice from a security standpoint
ED25519Key generated with ED25519 algorithmProvides the best performance and comparable security to ECDSA; much smaller keys, but not as widely supported as other options
## Additional Considerations * You may have an existing CA key pair and certificate to perform direct SSH or other tasks. You can continue to use this key pair, but you cannot import this CA into StrongDM. * You do not need to sign these keys, or any user keys. StrongDM handles that for you and for your users. * Session-based certificates for users are automatically renewed every 3 minutes. ## Test the Connection After adding the resource, follow these steps to test the connection. 1. In the Admin UI, check that the resource shows a healthy status. 2. From the StrongDM CLI or desktop app, attempt a connection: ```bash sdm ssh ubuntu@prod-ssh-cert ``` 3. Verify access and run a basic command (for example, `whoami`). If the resource is unhealthy: * Confirm that the host is reachable from a StrongDM node. * Verify the CA public key on the host matches your current StrongDM CA. * Check system logs (`/var/log/auth.log`) for certificate or principal errors. * Ensure that correct username restrictions are configured. ### Help For more information, please see the documentation: * [SSH Resources](https://docs.strongdm.com/admin/resources/servers/) * [OpenSSH TrustedUserCAKeys documentation](https://man.openbsd.org/sshd_config#TrustedUserCAKeys) * [StrongDM Terraform Provider](https://registry.terraform.io/providers/strongdm/strongdm/latest) If you encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/servers/ssh-certificate-auth.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.