SSH.COM PrivX Documentation Hub


Public-Key Authentication (SSH Bastion)

PrivX users can upload their personal public keys, to be used for authenticating connections via SSH Bastion.

To upload a user's public key:

  1. On the Administration→Users page, Edit the user.

  2. Under Authorized keys, click Add Authorized Key and provide the required data.

    Note that the validity period is mandatory. If unspecified, the period defaults to the maximum duration (730 days by default), starting from one hour before the current time.

You can also allow users to upload their own public keys by giving them the authorized-keys-manage permission.

PrivX users with authorized keys can authenticate their SSH-Bastion connections using the corresponding private key (without providing their PrivX password). For example, when using ssh:

$ ssh -i /path/to/private_key <bastion_syntax>

For more information about SSH Connections via PrivX Bastion, see Connecting via PrivX Bastion.



Uploaded keys must be unique within PrivX: you cannot upload the same key twice.

Public-key authentication to PrivX Bastion does not support client interaction (such as keyboard-interactive authentication or accepting host keys).

Authorized-Key Expiry

You can change the maximum validity period in the rolestore configuration /opt/privx/etc/rolestore.toml, with max_validity_days.

PrivX periodically checks and deletes expired authorized keys (every 24 hours by default). You can change the interval in the rolestore configuration /opt/privx/etc/rolestore.toml, with expired_purge_interval_hours.

To apply configuration changes, restart PrivX services with:

# systemctl restart privx

Supported Authorized-Key Types

Supported formats:

  • SSH authorized keys format
  • SSH2 public key format (RFC 4716)

Default allowed algorithms:

  • ssh-ed25519
  • ssh-rsa (minimum 2048 bits)

All supported algorithms:

  • ecdsa-sha2-nistp224 / 256 / 384 / 521
  • ssh-ed25519
  • ssh-dss
  • ssh-rsa

You can set the allowed key algorithms and minimum RSA-key length in the rolestore configuration /opt/privx/etc/rolestore.toml, with the settings supported_key_types and min_rsa_key_size respectively. To apply configuration changes, restart PrivX services with:

# systemctl restart privx
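
A pre-upload check against the default policy listed above, as an added example (not PrivX code): it parses one public key in authorized keys format and rejects algorithms outside the default allowed set and RSA keys shorter than 2048 bits. The function names, the assumption that the line has no options prefix, and the constructed sample keys are illustrative.

```python
import base64
import struct

# Defaults stated on this page; change to match your rolestore settings.
ALLOWED_ALGORITHMS = {"ssh-ed25519", "ssh-rsa"}
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one length-prefixed SSH string (RFC 4251) starting at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_public_key(line):
    """Return (ok, reason) for one key line: '<algorithm> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not in authorized_keys format"
    declared = fields[0]
    try:
        blob = base64.b64decode(fields[1], validate=True)
        name, offset = _read_string(blob, 0)
        if name.decode("ascii", "replace") != declared:
            return False, "algorithm label does not match key blob"
        if declared not in ALLOWED_ALGORITHMS:
            return False, "algorithm not allowed: " + declared
        if declared == "ssh-rsa":
            _exponent, offset = _read_string(blob, offset)
            modulus, offset = _read_string(blob, offset)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, "RSA key too short: %d bits" % bits
    except ValueError as exc:  # also covers invalid base64 (binascii.Error)
        return False, "malformed key: %s" % exc
    return True, "ok"


def make_sample_line(algorithm, *fields):
    """Build a constructed, non-functional key line for trying the check."""
    parts = [algorithm.encode()] + list(fields)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return algorithm + " " + base64.b64encode(blob).decode() + " constructed@example"
```

Running this before upload catches keys that the default policy would not accept, such as 1024-bit RSA or ssh-dss keys.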

Updated about a month ago
