# Identity Alias for SSH

You can use an [Identity Alias](https://docs.strongdm.com/admin/principals/identity-alias), instead of a leased credential, with StrongDM to proxy authentication with your SSH resources. Actions are executed via the user’s account (that is, the Identity Alias) with the resource, while user-level auditing and monitoring occur on the resource side via native logging.

With an Identity Alias, your native server logs identify the particular user performing an action, rather than attributing all actions conducted via StrongDM connections to the single leased user account. The username used is the Identity Alias set in the user's StrongDM user account.

### Set Up Identity Aliases

#### Set up your server and user account

1. Create your server if you do not have one already.
2. Create or identify an account on the server that StrongDM can use to check its health. This user should have SSH access to the machine. Built-in accounts such as `ubuntu` or `ec2-user` are a good choice.

#### Add the resource in StrongDM

1. In the Admin UI, create the resource by going to **Resources** > **Managed Resources** and clicking **Add Resource**.
2. Select your desired server type. **SSH (Certificate Based)** and **SSH (Customer Managed Key)** support Identity Aliases. **SSH (Certificate Based)** authenticates users to the server with a certificate provided by StrongDM or a supported Certificate Authority (CA) that you have integrated with. **SSH (Customer Managed Key)** authenticates users to the server using a certificate that you provide and import during configuration.
3. Set all required properties for the selected server type. Pay particular attention to the following:
   * For **Authentication**, set **Identity Aliases**. Select an **Identity Set** name from the list.
   * For **Healthcheck Username**, set the SSH user account name (for example, `ubuntu`).
4. After you have set all the required properties, click **Create** to save the resource.

See the specific guide for [**SSH (Certificate Based) server**](https://docs.strongdm.com/admin/resources/servers/ssh-certificate-auth) or [**SSH (Customer Managed Key)**](https://docs.strongdm.com/admin/resources/servers/ssh-customer-key) for more configuration details.

#### Add the Identity Alias to the user's settings

1. In the Admin UI, go to **Principals** > **Users** and select the user who is going to use an Identity Alias.
2. In that user's **Identity Aliases** tab, for **Identity Alias** enter the user's username, which can be any string that is not already in use.
3. For **Identity Set**, enter the name of the Identity Set that the Identity Alias will be used for. A user can only have one alias per set.
4. For **Roles**, optionally enter the name of the group(s) that the user will use to connect to the Identity Alias-enabled resource.

{% hint style="info" %}
If Identity Aliases are configured on a resource, an Identity Alias must also be set for every user who is given access to that resource. A user without one is unable to connect to the resource.

Individual users must have their own accounts on the server. The account name must match the **Identity Alias** value specified in the user's settings.
{% endhint %}

Configuration is now complete. You may now start using Identity Aliases to authenticate with your SSH resource.
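The check below is an added example, not StrongDM code: it compares a constructed export of users and their aliases against a constructed excerpt of the server's `/etc/passwd` and lists the users who would be unable to connect. The data layout, the `linux-prod` Identity Set name, and the function names are assumptions, and every listed user is assumed to have been granted access to the resource.

```python
# Constructed sample data (not from StrongDM): user -> {identity set: alias}.
USER_ALIASES = {
    "alice@example.com": {"linux-prod": "alice"},
    "bob@example.com": {"linux-prod": "bob.smith"},   # no such server account
    "carol@example.com": {"db-admins": "carol"},      # no alias in linux-prod
    "dave@example.com": {"linux-prod": "alice"},      # alias already in use
}
# Constructed excerpt of the server's /etc/passwd.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
"""

def local_accounts(passwd_text):
    """Return the set of account names found in passwd-format text."""
    return {line.split(":")[0]
            for line in passwd_text.splitlines() if line.count(":") == 6}

def preflight(user_aliases, identity_set, passwd_text):
    """Return {user: problem} for users who cannot connect as configured."""
    accounts = local_accounts(passwd_text)
    seen, problems = {}, {}
    for user in sorted(user_aliases):
        alias = user_aliases[user].get(identity_set)
        if alias is None:
            # The resource uses Identity Aliases, so a user without one
            # in this set is unable to connect.
            problems[user] = "no alias in identity set"
        elif alias in seen:
            # Two users on one alias would be indistinguishable in the
            # server's native logs.
            problems[user] = f"alias already used by {seen[alias]}"
        elif alias not in accounts:
            # The server account name must match the Identity Alias.
            problems[user] = f"no server account named {alias}"
        else:
            seen[alias] = user
    return problems

if __name__ == "__main__":
    for user, problem in preflight(USER_ALIASES, "linux-prod", PASSWD).items():
        print(f"{user}: {problem}")
```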

### Identity Aliases and Third-Party Secret Stores

When you use the **SSH (Customer Managed Key)** resource type, and provide your own certificate that is stored with a third-party Secret Store, it is possible to provide different keys for different Identity Aliases. During server configuration, the **Private Key (path)** field, which specifies the path to the SSH private key in the Secret Store, can optionally include the variable `$SDM_USERNAME`. This variable is substituted with the user's Identity Alias when connecting to the resource. This allows a different SSH key to be used for different Identity Aliases connecting to the same resource.

For example, you could set **Private Key (path)** to `path/to/credential/for/$SDM_USERNAME?key=ssh-key` and store the keys for different users in the Secret Store under paths matching that pattern (`path/to/credential/for/user1`, `path/to/credential/for/user2`, ...`path/to/credential/for/userN`). Including the variable is optional. If the path you provide does not include it, the same SSH key is used for each user. The variable is only supported for secret stores.
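The following added example (not StrongDM code) expands the **Private Key (path)** template for each Identity Alias and compares the result with a constructed list of paths present in the Secret Store. It reports aliases that have no key and stored keys that match the pattern but belong to no current alias. The function names, the inventory, and the handling of the `?key=` suffix as a separate part of the path are assumptions.

```python
import re

VAR = "$SDM_USERNAME"

# Constructed sample data using the path pattern from the text above.
TEMPLATE = "path/to/credential/for/$SDM_USERNAME?key=ssh-key"
ALIASES = ["user1", "user2", "user3"]
STORED_PATHS = {
    "path/to/credential/for/user1",
    "path/to/credential/for/user2",
    "path/to/credential/for/user9",   # key left behind for a removed alias
}

def expand(template, alias):
    """Substitute the Identity Alias and split off the optional ?key= part."""
    path, _, query = template.replace(VAR, alias).partition("?")
    key = query[len("key="):] if query.startswith("key=") else None
    return path, key

def coverage(template, aliases, stored_paths):
    """Compare expanded paths with the secret paths that actually exist."""
    if VAR not in template:
        # No variable in the path: the same SSH key is used for each user.
        return {"per_user": False, "missing": [], "orphaned": []}
    expected = {expand(template, a)[0]: a for a in aliases}
    missing = sorted(a for p, a in expected.items() if p not in stored_paths)
    # Turn the template's path into a regex so stored secrets that follow
    # the pattern but map to no current alias can be found.
    base = template.partition("?")[0]
    pattern = re.compile(re.escape(base).replace(re.escape(VAR), r"([^/]+)"))
    orphaned = sorted(p for p in stored_paths
                      if pattern.fullmatch(p) and p not in expected)
    return {"per_user": True, "missing": missing, "orphaned": orphaned}

if __name__ == "__main__":
    print(expand(TEMPLATE, "user1"))
    print(coverage(TEMPLATE, ALIASES, STORED_PATHS))
```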

