These docs are for v16 (the latest docs are for v33).

Public-Key Authentication (SSH Bastion)

PrivX users can upload their personal public keys, to be used for authenticating connections via SSH Bastion.

To upload a user's public key:

  1. On the Settings→Users page, Edit the user.

  2. Under Authorized keys, click Add Authorized Key and provide the required data.

    Note that every authorized key has a validity period. If you do not specify one, the period defaults to the maximum duration (730 days by default), starting from one hour before the current time.

You can also allow users to upload their own public keys, by giving them the authorized-keys-manage permission.

PrivX users with authorized keys can authenticate their SSH-Bastion connections using the corresponding private key (without providing their PrivX password). For example, when using ssh:

$ ssh -i /path/to/private_key <bastion_syntax>

For more information about SSH Connections via PrivX Bastion, see Connecting via PrivX Bastion.

Note: Uploaded keys must be unique within PrivX: you cannot upload the same key twice.

Authorized-Key Expiry

You can change the maximum validity period in the rolestore configuration /opt/privx/etc/rolestore.toml, with max_validity_days.

PrivX periodically checks and deletes expired authorized keys (every 24 hours by default). You can change the interval in the rolestore configuration /opt/privx/etc/rolestore.toml, with expired_purge_interval_hours.

To apply configuration changes, restart PrivX services with:

# systemctl restart privx

Supported Authorized-Key Types

Supported formats:

  • SSH authorized_keys format
  • SSH2 public-key format (RFC 4716)

Default allowed algorithms:

  • ssh-ed25519
  • ssh-rsa (minimum 2048 bits)

All supported algorithms:

  • ecdsa-sha2-nistp224 / 256 / 384 / 521
  • ssh-ed25519
  • ssh-dss
  • ssh-rsa

You can set the allowed key algorithms and the minimum RSA-key length in the rolestore configuration /opt/privx/etc/rolestore.toml, with the settings supported_key_types and min_rsa_key_size, respectively. To apply configuration changes, restart PrivX services with:

# systemctl restart privx
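As an added example (not PrivX's own code), the following Python mirrors the acceptance rules this page describes for an uploaded key: it extracts the key blob from either supported format, rejects algorithms outside the default supported_key_types, measures an RSA modulus against min_rsa_key_size, and computes the default validity window from max_validity_days. The policy constants are the page's defaults; the rolestore.toml layout is not shown on the page, so nothing here reads that file, and encode_blob exists only to build constructed sample keys.

```python
import base64, struct
from datetime import datetime, timedelta, timezone

# Policy values are the page's defaults; names mirror the rolestore.toml settings it cites (layout assumed).
SUPPORTED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa"}
MIN_RSA_KEY_SIZE = 2048
MAX_VALIDITY_DAYS = 730
ALL_ALGORITHMS = {"ssh-ed25519", "ssh-rsa", "ssh-dss"} | {f"ecdsa-sha2-nistp{n}" for n in (224, 256, 384, 521)}
def encode_blob(key_type, *fields):
    """Base64 of a key blob built from length-prefixed wire strings (for constructed samples)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in (key_type, *fields))).decode()
def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])  # 4-byte big-endian length prefix
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_blob(text):
    """Extract the raw key blob from an authorized_keys line or an RFC 4716 block."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        body, i = [], 1
        while i < len(lines) - 1:               # last line is the END marker
            if ":" in lines[i] and not body:    # header line such as Comment:
                while lines[i].endswith("\\"):  # header continued on the next line
                    i += 1
            else:
                body.append(lines[i])
            i += 1
        return base64.b64decode("".join(body))
    tokens = lines[0].split()                   # [options] type base64 [comment]
    idx = next(i for i, t in enumerate(tokens) if t in ALL_ALGORITHMS)
    return base64.b64decode(tokens[idx + 1])

def check_key(text):
    """Return (key_type, rsa_bits_or_None, rejection_reason_or_None)."""
    blob = key_blob(text)
    raw_type, off = _read_string(blob, 0)
    key_type, bits = raw_type.decode(), None
    if key_type not in SUPPORTED_KEY_TYPES:
        return key_type, bits, "algorithm not in supported_key_types"
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)        # mpint e (public exponent)
        n, _ = _read_string(blob, off)          # mpint n (modulus)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_KEY_SIZE:
            return key_type, bits, "RSA modulus shorter than min_rsa_key_size"
    return key_type, bits, None

def default_validity(now=None):
    """Window applied when no period is given: max duration from one hour before now."""
    start = (now or datetime.now(timezone.utc)) - timedelta(hours=1)
    return start, start + timedelta(days=MAX_VALIDITY_DAYS)
```

Feed check_key() a pasted authorized_keys line or RFC 4716 block; a non-None third element is the reason the key fails these default settings.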