Public-Key Authentication (SSH Bastion)

PrivX users can upload their personal public keys, to be used for authenticating connections via SSH Bastion.

To upload a user's public key:

  1. On the ​Administration→Users​ page, ​Edit​​ the user.

  2. Under ​Authorized keys​​, click ​Add Authorized Key​​ and provide the required data.

    Note that the validity period is mandatory. If unspecified, the period defaults to the maximum duration (730 days by default) starting from one hour before current time.

You can also allow users to upload their own public keys, by giving them the ​authorized-keys-manage​​ permission.

PrivX users with authorized keys can authenticate their SSH-Bastion connections using the corresponding private key (without providing their PrivX password). For example, when using ssh:

$ ssh -i /path/to/private_key <bastion_syntax>

For more information about SSH Connections via PrivX Bastion, see Connecting via PrivX Bastion.

📘

Note

Uploaded keys must be unique within PrivX: you cannot upload the same key twice.

Public-key authentication to PrivX Bastion does not support client interaction (such as keyboard-interactive authentication, multi factor authentication or accepting host keys). Also OIDC (Open Id Connect) users can't be associated with a public key.

Authorized-Key Expiry

PrivX periodically checks and deletes expired authorized keys (every 24 hours by default). You can set the key-validity period and purge frequency via settings on the Administration→Settings→Role Store page, under Authorized keys.

Remember to Restart PrivX to apply any new settings.

Supported Authorized-Key Types

Supported formats:

  • ssh authorized keys format
  • ssh2 public key format (RFC4716)

Default allowed algorithms:

  • ssh-ed25519
  • ssh-rsa (minimum 2048 bits)

All supported algorithms:

  • ecdsa-sha2-nistp224 / 256 / 384 / 521
  • ssh-ed25519
  • ssh-dss
  • ssh-rsa

You can set the allowed key algorithms and minimum RSA-key length via settings on the Administration→Settings→Role Store page, under Authorized keys.

Remember to Restart PrivX to apply any new settings.


Did this page help you?