SSH Certificate Authentication

PrivX supports the following standards for SSH certificate-based authentication to target hosts:

  • OpenSSH certificate authentication
  • RFC 6187 X.509 certificate user authentication
  • Tectia Server X.509 certificate user authentication

OpenSSH Certificate Authentication

You can enable OpenSSH certificate-based authentication on a target host with one of the following methods:

To use OpenSSH certificate-based authentication for SSH connections, hosts serving as connection endpoints (target hosts) must use an SSH server that supports OpenSSH certificates. The exact required version depends on the chosen authentication method. For additional information about the supported authentication methods, see Supported Authentication Methods

Authentication MethodRequired SSH version
Certificate authentication with shared accountsOpenSSH 5.6 or later
Certificate authentication with login-as-self (Directory account type)OpenSSH 6.9 or later

Determine the PrivX roles that can access the host, and the target users as whom they are granted login.

X.509 Certificate Authentication

You can enable X.509 certificate-based authentication against compatible target hosts by configuring the target server to accept certificates issued by PrivX CA and configuring the host on PrivX with a suitable x509v3 certificate template.

For additional information about the target server certificate validation requirements, see SSH X.509 Certificate Authentication.

SSH Certificate Templates

When adding an SSH service to a host, under Additional settings, you can select a certificate template to be used with the connection.

The certificate templates themselves can be configured under Administration / Settings / Authorizer / Certificate templates.

The certificate template is a json document with the following properties:

  • name: Unique name displayed in the UI (required)
  • description: Human readable description (optional)
  • service: service this certificate template applies to, currently only "SSH" is supported (required)
  • type: type of certificate, "openssh", "default-openssh-sha2", "default-openssh-sha1", "ssh-x509v3-rfc6187" or "ssh-x509v3-tectia" (optional, default "openssh")
  • rsa_signature_types: Array of SSH signature types used with RSA keys (optional)
  • key_id: OpenSSH certificate KeyID field content (optional, specific to type "openssh")
  • principals: Array of OpenSSH certificate principals (optional, specific to type "openssh")
  • extensions: Array of OpenSSH certificate extensions (optional, specific to type "openssh")

The certificate templates support the following replacement attributes:

%HTarget hostname
%RRequest client address
%SSerial Number
Mappable attributeDescription
%PPrivX username

The following RSA signature types are supported:

Certificate Template TypeSupported Signature TypesDefault Signature Types

The default certificate template configuration which is delivered with PrivX:

    "name": "default",
    "description": "Default Template",
    "key_id": "%P@%R serial %S",
    "extensions": []
    "name": "default-openssh-sha2",
    "description": "OpenSSH SHA-2",
    "type": "openssh",
    "key_id": "%P@%R serial %S",
    "service": "SSH",
    "extensions": [],
    "rsa_signature_types": [ "rsa-sha2-512" ]
    "name": "default-openssh-sha1",
    "description": "OpenSSH SHA-1",
    "type": "openssh",
    "key_id": "%P@%R serial %S",
    "service": "SSH",
    "extensions": [],
    "rsa_signature_types": [ "ssh-rsa" ]
    "name": "default-x509v3-rfc6187",
    "description": "x509v3 RFC6187",
    "type": "ssh-x509v3-rfc6187",
    "name": "default-x509v3-tectia",
    "description": "x509v3 Tectia Server",
    "type": "ssh-x509v3-tectia",
    "name": "GitHub Enterprise",
    "description": "GitHub Enterprise",
    "key_id": "%W@%H",
    "principals": [],
    "extensions": [
    "name": "GitLab",
    "description": "GitLab",
    "key_id": "%W",
    "principals": [
    "extensions": []

Was this page helpful?