PingOne Privilege

Configuring certificate-based SSH

Administrators can configure managed servers to accept SSH connections that are authenticated by short-lived certificates issued by PingOne Privilege. This process must be completed on each target server.

Automation tools such as Ansible or custom scripting can apply these changes consistently across all your servers.

Enabling certificate-based SSH

First, enable certificate-based SSH and retrieve the CA public key that the target servers will trust, using either the admin portal or the API:

  • Retrieve the key from the admin portal:

    1. Go to Accounts.

    2. Select the appropriate account and click View Public Key.

    3. Copy the public key content.

  • Retrieve the key for automation:

    1. Use a curl command to fetch the key from the API endpoint:

      curl https://console.tun.procyon.ai/api/<tenant>/v1/sshca

      If VPN interop mode is enabled, use the following curl command instead:

      curl https://local.procyon.ai:8643

Configuring the target server

Next, apply the configuration to each target server.

  1. Connect to the server using a standard SSH client.

  2. Create a file (for example, /etc/ssh/ca.pub) and paste the CA public key into it.

  3. Open the SSH daemon’s configuration file for editing.

    sudo vi /etc/ssh/sshd_config

  4. Add the TrustedUserCAKeys directive to the file, pointing to the CA public key you just created.

    # Add this line to sshd_config
    TrustedUserCAKeys /etc/ssh/ca.pub

    Ensure the path in this directive exactly matches the location where you saved the ca.pub file.

  5. Save your changes to the sshd_config file.

  6. Restart the SSH daemon to apply the new configuration.

    sudo systemctl restart sshd
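The retrieval and server-configuration steps above are the kind of thing the automation paragraph at the top suggests scripting. The following POSIX shell script is an added example, not PingOne Privilege's own tooling: it writes the CA public key to a file, prepends a single TrustedUserCAKeys directive to sshd_config so repeated runs do not accumulate duplicates, and refuses to install anything that is not in OpenSSH public-key format. It assumes it runs as root on the target server with grep and sed available; SAMPLE_CA_KEY is a constructed placeholder so the demo works offline, and the fetch_ca_key function (which uses the API endpoint quoted on this page, with the tenant passed in) is not called by the demo.

```shell
#!/bin/sh
# Added example (not PingOne Privilege's own code). Installs the CA public key
# and the TrustedUserCAKeys directive on a target server in a re-runnable way.
# Assumptions: POSIX sh with grep/sed, run as root on the server. The sample
# key below is a constructed placeholder, not a real CA key; on a real server
# the key comes from the admin portal or the /v1/sshca endpoint shown above.

SAMPLE_CA_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER pingone-privilege-ca'

# fetch_ca_key TENANT: fetch the CA public key from the API endpoint named on
# this page (not run in the offline demo). -f makes curl fail on HTTP errors,
# so an error page is never handed on as if it were a key.
fetch_ca_key() {
    curl -fsS "https://console.tun.procyon.ai/api/$1/v1/sshca"
}

# looks_like_pubkey KEY: accept only OpenSSH public-key lines, so an empty or
# malformed response is never written into ca.pub.
looks_like_pubkey() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_trusted_ca SSHD_CONFIG CA_PUB_PATH KEY
# Writes KEY to CA_PUB_PATH (0644 via umask) and makes SSHD_CONFIG contain
# exactly one active TrustedUserCAKeys line pointing at it. Existing
# TrustedUserCAKeys lines, commented or not, are dropped first. The directive is
# prepended rather than appended: sshd uses the first value it sees for a
# keyword, and a line appended after a trailing "Match" block would silently
# become part of that block instead of applying globally.
install_trusted_ca() {
    cfg="$1" capub="$2" key="$3"
    looks_like_pubkey "$key" || { echo "refusing to install: not an OpenSSH public key" >&2; return 1; }

    umask 022
    printf '%s\n' "$key" > "$capub" || return 1

    tmp="$cfg.tmp.$$"
    printf 'TrustedUserCAKeys %s\n' "$capub" > "$tmp" || return 1
    if [ -f "$cfg" ]; then
        sed -E '/^[[:space:]]*#?[[:space:]]*TrustedUserCAKeys([[:space:]]|$)/d' "$cfg" >> "$tmp" || return 1
    fi
    mv "$tmp" "$cfg"
}

# ca_directive_count SSHD_CONFIG CA_PUB_PATH: number of active directive lines
# that reference CA_PUB_PATH exactly; 1 is the healthy state.
ca_directive_count() {
    grep -c -x -F "TrustedUserCAKeys $2" "$1" || true
}

# demo: exercise the functions against a throwaway config (run with --demo).
demo() {
    dir=$(mktemp -d)
    cfg="$dir/sshd_config" capub="$dir/ca.pub"
    # Constructed config that ends in a Match block, the case where appending
    # the directive would go wrong.
    printf '# sample config\nPasswordAuthentication no\nMatch User deploy\n  X11Forwarding no\n' > "$cfg"
    install_trusted_ca "$cfg" "$capub" "$SAMPLE_CA_KEY"
    install_trusted_ca "$cfg" "$capub" "$SAMPLE_CA_KEY"   # second run must change nothing
    echo "directive lines: $(ca_directive_count "$cfg" "$capub")"   # 1
    cat "$cfg"
    rm -rf "$dir"
}
case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh install-ca.sh --demo` to see the resulting file. On a real server, validate the edited file with `sshd -t -f /etc/ssh/sshd_config` before the `systemctl restart sshd` step, since a syntax error in sshd_config would otherwise leave the daemon unable to start and you locked out of the host.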