Certificate Authentication for OpenSSH Connections

To enable certificate authentication for OpenSSH connections, run the PrivX host-deployment script on the target host.

The host-deployment script is a Python script that configures the OpenSSH server on the target host to accept certificates issued by PrivX. The script also sets up allowed principals for target users.

To obtain and run the host-deployment script:

  1. Create a host-deployment script. To do this, log in to the PrivX GUI as superuser, then go to the Administration→Deployment→Deploy and Configure SSH Target Hosts page.

    Select Configure using a deployment script, provide a name for the script, then click Add Script. Download the deploy.py script when prompted.

  2. Upload the host-deployment script to the target host. You can do this from the PrivX GUI by connecting to the target host (as described in Connecting to Hosts) and then opening the File Transfers tab.

  3. Execute the host-deployment script as root on the target host.

    Use --principals to specify the target accounts and the roles that are allowed to access them. Add the --standalone option if the target host is not hosted by a supported cloud provider.

    For example, to allow members of Example Role and privx-admin to access both the target accounts root and johndoe (replace /path/to/deploy.py with the path of the host-deployment script; note that role names containing spaces must be quoted):

    # python /path/to/deploy.py --standalone --principals \
      root="Example Role",privx-admin:johndoe="Example Role",privx-admin
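After the script has run, it is worth confirming that the OpenSSH server configuration actually carries the directives certificate authentication depends on. The following check is an added example and is not part of PrivX or of deploy.py: it parses the global section of an sshd_config the way sshd does (first value of a keyword wins, Match blocks are scoped separately), requires TrustedUserCAKeys and AuthorizedPrincipalsFile to be set, and warns when PasswordAuthentication is still enabled, since certificate logins working does not by itself switch password logins off. The sample configuration and its file paths are constructed for the example and are not the paths deploy.py writes.

```python
"""Check the global section of an sshd_config for the settings OpenSSH needs
to accept CA-issued user certificates. Added example; this is not deploy.py,
and the sample paths below are not the ones PrivX writes."""
import re

# Constructed sample resembling a server config after a CA rollout.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config sample
Port 22
TrustedUserCAKeys /etc/ssh/ca_keys.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""


def parse_global_directives(text):
    """Map lowercased keyword -> value for the global part of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored here as well. Parsing stops at the first Match block: directives
    inside it apply only to matching connections and need separate review.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config allows "Keyword value" or "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        directives.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return directives


def check_cert_auth(text):
    """Return {'errors': [...], 'warnings': [...]}.

    errors: certificate logins cannot work as intended.
    warnings: they work, but a weaker method is still accepted beside them.
    Defaults mirror sshd's own: TrustedUserCAKeys and AuthorizedPrincipalsFile
    default to none, PubkeyAuthentication and PasswordAuthentication to yes.
    """
    d = parse_global_directives(text)
    errors, warnings = [], []
    if d.get("trustedusercakeys", "none").lower() == "none":
        errors.append("TrustedUserCAKeys is unset: sshd trusts no certificate authority")
    if d.get("authorizedprincipalsfile", "none").lower() == "none":
        errors.append("AuthorizedPrincipalsFile is unset: a certificate is only accepted "
                      "if the login name itself is one of its principals")
    if d.get("pubkeyauthentication", "yes").lower() == "no":
        errors.append("PubkeyAuthentication no: certificates are a form of public-key auth")
    if d.get("passwordauthentication", "yes").lower() == "yes":
        warnings.append("PasswordAuthentication is still yes (the default): password "
                        "logins remain possible alongside certificates")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_cert_auth(SAMPLE_SSHD_CONFIG)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

To run it against a live host, read /etc/ssh/sshd_config (and any files it includes) into `check_cert_auth`; `sshd -T` gives the fully resolved configuration if you would rather not parse includes yourself.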

SSH connections to the target accounts from the specified roles are now authorized using certificates, without prompting users for passwords.

You can also verify that certificates are being used by checking the OpenSSH server log on the target host. A successful certificate login produces a message like the following:

Accepted publickey for root from port 50930 ssh2: RSA-CERT \
ID [email protected]:53188 serial 4920619392583124720 (serial 4920619392583124720) \
CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8
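A one-off look at the log confirms the rollout; what a practitioner usually wants next is to keep watching it, because an accepted login to one of the target accounts that did not present a certificate means a password or static key is still in use. The following is an added example, not PrivX code or OpenSSH code: it parses sshd "Accepted ..." lines, distinguishes certificate logins (the `-CERT ID ... (serial N) CA ...` detail) from plain public-key and password logins, and flags non-certificate logins to the accounts handed over to PrivX. The log lines, host name, addresses, fingerprints and certificate ID are constructed for the example.

```python
"""Classify sshd "Accepted ..." log lines by authentication method so that
certificate logins can be told apart from plain key or password logins.
Added example; not part of PrivX or of the OpenSSH project."""
import re

# Constructed sample lines in the syslog format sshd uses; host name,
# addresses, key fingerprints and the certificate ID are made up.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:15:01 target sshd[2101]: Accepted publickey for root from 10.0.0.5 "
    "port 50930 ssh2: RSA-CERT ID privx-cert-for-root (serial 4920619392583124720) "
    "CA RSA SHA256:Qm9ndXNDQUZpbmdlcnByaW50",
    "Mar  3 10:16:12 target sshd[2130]: Accepted publickey for johndoe from 10.0.0.7 "
    "port 41002 ssh2: ED25519 SHA256:Qm9ndXNVc2VyS2V5RmluZ2VycHJpbnQ",
    "Mar  3 10:17:30 target sshd[2150]: Accepted password for johndoe from 10.0.0.9 "
    "port 41100 ssh2",
    "Mar  3 10:18:00 target sshd[2160]: Failed password for root from 203.0.113.4 "
    "port 5555 ssh2",
]

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<detail>.*))?$"
)
# Matches the certificate detail both in the older form shown on this page
# ("ID x serial N (serial N) CA RSA fp") and in the current one
# ("ID x (serial N) CA RSA SHA256:...").
CERT_RE = re.compile(
    r"(?P<keytype>\S+)-CERT ID (?P<cert_id>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fp>\S+)"
)


def parse_accepted_logins(lines):
    """Return one dict per accepted login, with method normalised to
    'certificate', 'publickey' or 'password'. Failed attempts are skipped."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        entry = {"user": m["user"], "src": m["src"], "port": int(m["port"]),
                 "method": m["method"], "cert": None}
        c = CERT_RE.search(m["detail"] or "")
        if m["method"] == "publickey" and c:
            entry["method"] = "certificate"
            entry["cert"] = {"key_type": c["keytype"], "id": c["cert_id"],
                             "serial": int(c["serial"]), "ca_type": c["ca_type"],
                             "ca_fingerprint": c["ca_fp"]}
        logins.append(entry)
    return logins


def non_certificate_logins(lines, target_accounts):
    """Accepted logins to the given accounts that did not use a certificate.
    Once those accounts are meant to be reached only through PrivX, any hit
    here deserves an alert: someone still holds a password or a static key."""
    return [e for e in parse_accepted_logins(lines)
            if e["user"] in target_accounts and e["method"] != "certificate"]


if __name__ == "__main__":
    for e in parse_accepted_logins(SAMPLE_AUTH_LOG):
        print(e["user"], e["method"], e["cert"]["id"] if e["cert"] else "")
    for e in non_certificate_logins(SAMPLE_AUTH_LOG, {"root", "johndoe"}):
        print("ALERT non-certificate login:", e["user"], e["method"], "from", e["src"])
```

Feed it the lines from the auth log (journalctl -u ssh, /var/log/auth.log or /var/log/secure, depending on the distribution) and pass the same account names you gave to --principals; the CA fingerprint in each certificate entry can additionally be compared with the fingerprint of the PrivX CA key to catch certificates from any other CA the host happens to trust.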
