Public-Key Authentication (SSH Bastion)

PrivX users can upload their personal public keys, to be used for authenticating connections via SSH Bastion.

To upload a user's public key:

  1. On the Administration→Users page, Edit the user.

  2. Under Authorized keys, click Add Authorized Key and provide the required data.

    Note that every authorized key has a validity period. If you do not specify one, it defaults to the maximum duration (730 days by default), counted from one hour before the current time.

You can also allow users to upload their own public keys, by giving them the authorized-keys-manage permission.

PrivX users with authorized keys can authenticate their SSH-Bastion connections using the corresponding private key (without providing their PrivX password). For example, when using ssh:

$ ssh -i /path/to/private_key <bastion_syntax>

For more information about SSH Connections via PrivX Bastion, see Connecting via PrivX Bastion.

Uploaded keys must be unique within PrivX: you cannot upload the same key twice.

Public-key authentication to PrivX Bastion does not support client interaction (such as keyboard-interactive authentication, multi-factor authentication or accepting host keys). Also, OIDC (OpenID Connect) users cannot be associated with a public key.

Authorized-Key Expiry

PrivX periodically checks for and deletes expired authorized keys (every 24 hours by default). For keys whose original lifetime exceeds 30 days, PrivX generates audit events 30 days and 7 days before the expiry date.

You can set the key-validity period and purge frequency via settings on the Administration→Settings→Role Store page, under Authorized keys.

Remember to Restart PrivX to apply any new settings.

Supported Authorized-Key Types

Supported formats:

  • ssh authorized keys format
  • ssh2 public key format (RFC4716)

Default allowed algorithms:

  • ssh-ed25519
  • ssh-rsa (minimum 2048 bits)

All supported algorithms:

  • ecdsa-sha2-nistp224 / 256 / 384 / 521
  • ssh-ed25519
  • ssh-dss
  • ssh-rsa

You can set the allowed key algorithms and minimum RSA-key length via settings on the Administration→Settings→Role Store page, under Authorized keys.

Remember to Restart PrivX to apply any new settings.
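The following added example (not part of the PrivX product or its documentation) shows a pre-upload check a practitioner can run before handing a key to PrivX. It parses both accepted formats (an authorized_keys line, options included, and an RFC 4716 block), reads the algorithm from the key blob itself rather than trusting the text, enforces the allow-list and minimum RSA length described above, and computes the OpenSSH-style SHA256 fingerprint so the same key in either format can be recognised as a duplicate (see the uniqueness rule earlier on this page). The default allow-list and 2048-bit minimum mirror this page; adjust them to your Role Store settings. The sample keys are constructed wire-format blobs with synthetic contents, not real keys.

```python
import base64
import hashlib
import struct
import textwrap

# Defaults as stated on this page; set them to match your Role Store settings.
DEFAULT_ALLOWED = {"ssh-ed25519", "ssh-rsa"}
MIN_RSA_BITS = 2048
RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def _algorithm_in_blob(blob):
    """Every key blob starts with its own algorithm name; trust that over the text."""
    return _read_string(blob, 0)[0].decode("ascii")


def parse_public_key(text):
    """Parse an authorized_keys line or an RFC 4716 block into (algorithm, blob, comment)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0] == RFC4716_BEGIN:
        if lines[-1] != RFC4716_END:
            raise ValueError("RFC 4716 block has no END marker")
        comment, body, header = "", [], None
        for line in lines[1:-1]:
            # Headers are "Name: value", continued by a trailing backslash.
            # Base64 body lines never contain ':' so the split is unambiguous.
            if header is None and ":" not in line:
                body.append(line)
                continue
            if header is None:
                name, value = line.split(":", 1)
                header = (name.strip(), value.strip())
            else:
                header = (header[0], header[1] + line)
            if header[1].endswith("\\"):
                header = (header[0], header[1][:-1])
                continue
            if header[0].lower() == "comment":
                comment = header[1].strip('"')
            header = None
        blob = base64.b64decode("".join(body), validate=True)
        return _algorithm_in_blob(blob), blob, comment
    # authorized_keys: [options] keytype base64 [comment]. Options may contain
    # quoted spaces, so accept the first token whose successor decodes to a blob
    # that names that same algorithm.
    fields = " ".join(lines).split()
    for i, tok in enumerate(fields[:-1]):
        if not tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if _algorithm_in_blob(blob) == tok:
                return tok, blob, " ".join(fields[i + 2:])
        except (ValueError, struct.error, UnicodeDecodeError):
            continue
    raise ValueError("no key-type/base64 pair found")


def rsa_modulus_bits(blob):
    """ssh-rsa blob layout: string "ssh-rsa", mpint e, mpint n. Return bit length of n."""
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)  # public exponent e, not needed here
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()  # a leading 0x00 pad byte adds no bits


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (same form as ssh-keygen -lf prints)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_key(text, allowed=DEFAULT_ALLOWED, min_rsa_bits=MIN_RSA_BITS):
    """Return (accepted, reason) for a key against the allow-list and RSA minimum."""
    algo, blob, _ = parse_public_key(text)
    if algo not in allowed:
        return False, f"{algo} is not in the allowed algorithms {sorted(allowed)}"
    if algo == "ssh-rsa" and rsa_modulus_bits(blob) < min_rsa_bits:
        return False, f"ssh-rsa key is {rsa_modulus_bits(blob)} bits, minimum is {min_rsa_bits}"
    return True, f"{algo} accepted ({fingerprint(blob)})"


# Constructed sample keys (NOT real keys): the ed25519 point, the ECDSA point and
# the RSA modulus are synthetic values with a valid wire layout, which is all the
# parser and the length check need.
def _s(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _s(b"\x00" + raw if raw[0] & 0x80 else raw)

def _rsa_blob(bits):
    return _s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)

def _line(blob, options="", comment="test"):
    return f"{options} {_algorithm_in_blob(blob)} {base64.b64encode(blob).decode()} {comment}".strip()

def _rfc4716(blob, comment):
    b64 = base64.b64encode(blob).decode()
    return "\n".join([RFC4716_BEGIN, f'Comment: "{comment}"', *textwrap.wrap(b64, 72), RFC4716_END])

ED25519_BLOB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
ECDSA_BLOB = _s(b"ecdsa-sha2-nistp256") + _s(b"nistp256") + _s(b"\x04" + bytes(64))
RSA2048_BLOB = _rsa_blob(2048)
SAMPLE_ED25519_LINE = _line(ED25519_BLOB, 'from="10.0.0.0/8",no-pty', "alice@laptop")
SAMPLE_RSA2048_LINE = _line(RSA2048_BLOB)
SAMPLE_RSA2048_RFC4716 = _rfc4716(RSA2048_BLOB, "2048-bit RSA, constructed")
SAMPLE_RSA1024_LINE = _line(_rsa_blob(1024))
SAMPLE_ECDSA_LINE = _line(ECDSA_BLOB)

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519_LINE, SAMPLE_RSA2048_RFC4716, SAMPLE_RSA1024_LINE, SAMPLE_ECDSA_LINE):
        print(check_key(sample))
```

Run it as a script to see one accepted ed25519 key, one accepted RSA key from an RFC 4716 block, a 1024-bit RSA key rejected for length, and an ECDSA key rejected by the default allow-list. Because the fingerprint is computed over the decoded blob, the same key wrapped as an authorized_keys line and as an RFC 4716 block yields the same fingerprint, which is what makes a format-independent duplicate check possible.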
