# SSH (Public key) ## Overview This guide describes how to set up an SSH server with a public key. The SSH (Public Key) resource type allows StrongDM to automatically generate an SSH key pair for a given server resource, publish the public key for you to install on the target host, and then allow the StrongDM node (gateway, relay, or proxy worker) to connect as that key. This setup is especially useful when you want to avoid managing a private key yourself, but you still want the benefits of public-key authentication (that is, no passwords) and centralized resource management via StrongDM. Some of the benefits of using this resource type include the following: * There is no need to generate or install your own key pair manually. * StrongDM handles public key generation and management. * StrongDM generates the key, you paste it into `authorized_keys`, and then the resource shows as healthy. * This is ideal for environments where certificate authentication isn’t desired or you just need simple public-key setup. ### Authentication When you create an SSH (Public Key) server resource: * StrongDM generates a key pair, which is a private key stored by/handled by StrongDM and a public key you install on the host. * You install the public key into the target host’s `~/.ssh/authorized_keys` for the specified user. * When a user connects via StrongDM, the relay uses the private key (managed by StrongDM) to authenticate to the SSH host. * The SSH host verifies the public key (that you installed) and allows the connection. Because the private key is never exposed to you, and StrongDM manages it, this approach simplifies key lifecycle management while still relying on SSH public key authentication. ## Prerequisites Before you begin setting up the SSH (Public Key) resource, ensure that the following requirements are met: * You have Admin privileges in StrongDM. * A StrongDM node is running and can reach the target SSH host (hostname/IP and port). * The host allows SSH public-key authentication for the user you intend to login as. * You know the username on the host that StrongDM will use for the SSH login. * If using Virtual Networking Mode or a non-default port, ensure that your node and host network/firewalls allow it. * (Optional but recommended) The host’s `~/.ssh/authorized_keys` directory and file permissions are correctly configured (for example, `700` for `.ssh`, `600` for `authorized_keys`). {% hint style="info" %} To verify that the server you are attempting to add is accessible from your StrongDM node, go to the gateway or relay server and from a command prompt, type `ping `. If your gateway or relay can connect to this hostname, you can continue. \ For more information see [Gateways and Relays](/admin/networking/gateways-and-relays.md). {% endhint %} ## Add the Resource in StrongDM After the host is ready, add the resource in StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add the resource to StrongDM, use the following steps. 1. Log in to the Admin UI and go to **Resources** > **Managed Resources**. 2. Click the **Add Resource** button. 3. Select **SSH (Public Key)** as the **Resource Type** and set other [resource properties](#resource-properties) to configure how the StrongDM relay connects to the server via SSH. ![](/files/DYe8CLfysqRK6Dlxycfd) 4. Click **create** to save the resource. 5. Click the resource name to view status, diagnostic information, and setting details. 6. Click the **Settings** tab to view the **Public Key** field, which now contains data. 7. Copy the **Public Key** value to your clipboard. 8. Open a command prompt on the server you are adding. Edit the `authorized_keys` file for the user specified in the server configuration properties: ```bash sudo vi ~/.ssh/authorized_keys ``` 9. Append the generated public key value to the end of the file, write, and quit. 10. Back in the Admin UI, click **update**. As the configuration is applied, the server status in the Admin UI appears unhealthy. It turns green or positive to signal a successful connection. If you have multiple servers to create, follow these steps for each server. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation. 1. In your terminal or Command Prompt, log in to StrongDM: ```sh sdm login ``` 2. Run `sdm admin servers add ssh --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them. ```sh NAME: sdm admin servers add ssh - create SSH (Public Key) server USAGE: sdm admin servers add ssh [command options] OPTIONS: --allow-deprecated-key-exchanges sdm must use TLS to connect --bind-interface value bind interface (default: "127.0.0.1") --egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...' --hostname value (required) --key-type value --port value (required) (default: 22) --port-forwarding --port-override value port profile override (default: -1) --proxy-cluster-id value proxy cluster id --secret-store-id value secret store id --subdomain value, --bind-subdomain value DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.."). Only applicable to HTTP-based resources or resources using virtual networking mode. --tags value tags e.g. 'key=value,...' --template, -t display a JSON template --timeout value set time limit for command --username value (required, secret) ``` 3. Run `sdm admin servers add ssh ` to add the resource in StrongDM. Set all required properties with their values. For example: ```sh sdm admin servers add ssh "linux-ssh-pubkey-prod-01" --hostname "ssh01.acme.internal" --port 22 --username "ubuntu" --key-type "rsa-4096" --bind-interface "default" --port-override -1 --egress-filter 'field:name tag:env=prod tag:region=us-west' --proxy-cluster-id "plc_0123456789abcdef" --secret-store-id "ss_abcdef0123456789" --port-forwarding --subdomain "ssh-prod01" --tags "env=prod,role=linux,team=infra" --timeout 30 ``` 4. Check that the resource has been added. The output of the following command should show the resource's name: ```sh sdm admin resources list ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from the Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create SSH (Public Key) server resource "sdm_resource" "linux_ssh_pubkey_prod_01" { ssh { # Required name = "linux-ssh-pubkey-prod-01" # hostname = "ssh01.acme.internal" # --hostname port = 22 # --port (default 22) username = "ubuntu" # --username # Common networking options bind_interface = "default" # --bind-interface ("default" | "loopback" | "vnm") port_override = -1 # --port-override (-1 = auto-allocate) egress_filter = "field:name tag:env=prod tag:region=us-west" # --egress-filter subdomain = "ssh-prod01" # --subdomain (VN/HTTP-only applicability noted in CLI) # Key & connection behavior key_type = "rsa-4096" # --key-type (e.g., rsa-2048, rsa-4096, ecdsa-256/384/521, ed25519) allow_deprecated_key_exchanges = false # --allow-deprecated-key-exchanges port_forwarding = true # --port-forwarding # Optional integrations proxy_cluster_id = "plc_0123456789abcdef" # --proxy-cluster-id secret_store_id = "ss_abcdef0123456789" # --secret-store-id # Tags tags = { # --tags env = "prod" role = "linux" team = "infra" } } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and Manage With SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Go | ​[pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v17)​ | ​[strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go)​ | ​[Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples)​ | | ------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | | Java | ​[javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/)​ | ​[strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java)​ | ​[Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples)​ | | Python | ​[pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/)​ | ​[strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python)​ | ​[Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples)​ | | Ruby | ​[RubyDoc](https://www.rubydoc.info/gems/strongdm)​ | ​[strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby)​ | ​[Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples)​ | | {% endtab %} | | | | | {% endtabs %} | | | | ## Resource properties Configuration properties are visible when you add a **Resource Type** or when you click to view the server's settings. The following table describes the settings available for your SSH (Public Key) server.
PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSSH (Public Key)
Proxy ClusterRequiredDefaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
HostnameRequiredHostname or IP address to which you are connecting, such as testserver-01.example.org; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the resource; default port value 22
Connectivity ModeRequiredSelect either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization
IP AddressOptionalIf Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port OverrideOptionalIf Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNSOptionalIf Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Secret StoreOptionalCredential store location; defaults to none (credentials are stored in StrongDM resource configuration); to learn more, see Secret Store options
Key TypeRequiredSigning algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options
UsernameRequiredDisplays if Authentication is set to Leased Credentials; enter the username the relay should utilize to connect to the server via SSH (for example, bob.belcher)
Public KeyRead onlyGenerated automatically after the server is created or updated; once generated, you must append the public key to the ~/.ssh/authorized_keys on the host
Allow Port ForwardingOptionalWhen enabled, allows SSH connections proxied by StrongDM for this server to accept local forwarding requests; this checkbox is shown when the Allow port forwarding through SSH? option is turned on in the Admin UI security settings; see Port Forwarding for more information
Resource Lock RequiredRequiredEnables a resource lock, which can lock access the resource to ensure it can only be used by one user at a time; defaults to disabled
Resource TagsOptionalResource /spaces/4XOJmXFslCMVCzIG2rKp/pages/anUqbOAAmDPD3e0fF6GO consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)
### Secret Store options By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool. Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Settings** > **Secrets Management**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](/admin/access/secret-stores.md). ### Key Type options The following table describes the different key types StrongDM can use to encrypt and secure SSH connections. | Key type | Description | Additional information | | ------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | | **RSA-2048** | 2048-bit key generated with RSA algorithm | Lowest security guarantees, but has broad support across hosts | | **RSA-4096** | 4096-bit key generated with RSA algorithm | Slightly better than RSA-2048; still uses RSA, but larger keys can prolong the time to crack if an attacker gains access | | **ECDSA-256** | Key generated with 256-bit elliptic curve and ECDSA algorithm | Provides better security guarantees than RSA | | **ECDSA-384** | Key generated with 384-bit elliptic curve and ECDSA algorithm | Slightly better than ECSDA-256 | | **ECDSA-521** | Key generated with 521-bit elliptic curve and ECDSA algorithm | Serves as the best ECDSA choice from a security standpoint | | **ED25519** | Key generated with ED25519 algorithm | Provides the best performance and comparable security to ECDSA; much smaller keys, but not as widely supported as other options | ## Test the Connection After adding the resource, follow these steps to test the connection. 1. In the Admin UI, check that the resource shows a healthy status. 2. From the StrongDM CLI or desktop app, attempt a connection. Replace `ubuntu` and the resource name with your values. ```bash sdm ssh ubuntu@prod-ssh-server-01 ``` 3. On the host, verify that you are logged in as expected. If the resource is unhealthy: * Verify the matching public key is present in `~/.ssh/authorized_keys`. * Check host logs (`/var/log/auth.log`, `/var/log/secure`) for SSH errors. * Confirm network connectivity from the node to the host. * Ensure that the username configured in the resource matches one with the public key installed. * Confirm permissions/ownership on the host `.ssh` directory and `authorized_keys`. If you still encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/servers/ssh-public-key.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.