Description

Infisical SSH lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure. This command enables you to obtain SSH credentials used to access a remote host; we recommend using the issue-credentials sub-command to generate dynamic SSH credentials for each SSH session.

Sub-commands

This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template. We recommend using the --addToAgent flag to automatically load issued SSH credentials to the SSH agent.
$ infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<principals> --addToAgent

Flags

The ID of the SSH certificate template to issue SSH credentials for.
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
Whether to add issued SSH credentials to the SSH agent. Default value: false. Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
The path to write the SSH credentials to such as ~/.ssh, ./some_folder, ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be saved to the current working directory where the command is run. Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
The key algorithm to issue SSH credentials for. Default value: RSA_2048. Available options: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1.
The certificate type to issue SSH credentials for. Default value: user. Available options: user or host.
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y). Defaults to the Default TTL value set in the certificate template.
A custom Key ID to issue SSH credentials for. Defaults to the autogenerated Key ID by Infisical.
An authenticated token to use to issue SSH credentials.
This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
$ infisical ssh sign-key --certificateTemplateId=<certificate-template-id> --publicKey=<public-key> --principals=<principals> --outFilePath=<out-file-path>
The ID of the SSH certificate template to issue the SSH certificate for.
The public key to sign. Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
The path to the public key file to sign. Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
The path to write the SSH certificate to such as ~/.ssh/id_rsa-cert.pub; the specified file must have the .pub extension. If not provided, the credentials will be saved to the directory of the specified --publicKeyFilePath or the current working directory where the command is run.
The certificate type to issue SSH credentials for. Default value: user. Available options: user or host.
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y). Defaults to the Default TTL value set in the certificate template.
A custom Key ID to issue SSH credentials for. Defaults to the autogenerated Key ID by Infisical.
An authenticated token to use to issue SSH credentials.
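
To confirm that a certificate written by either sub-command carries only the principals, certificate type and lifetime you requested, inspect it with `ssh-keygen -L -f <cert>` and check the fields. The following is an added example, not part of Infisical's documentation or CLI; the function names, the constructed sample output and the 4-hour limit are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed, abridged sample of `ssh-keygen -L -f id_rsa-cert.pub` output.
SAMPLE = """\
id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "example-key-id"
        Valid: from 2025-01-01T10:00:00 to 2025-01-01T12:00:00
        Principals:
                ec2-user
        Extensions:
                permit-pty
"""

def parse_cert(text):
    """Extract type, Key ID, validity window and principals from ssh-keygen -L text."""
    cert = {"type": None, "key_id": None, "valid_from": None, "valid_to": None, "principals": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Type: \S+ (user|host) certificate$", s):
            cert["type"] = m.group(1)
        elif m := re.match(r'Key ID: "(.*)"$', s):
            cert["key_id"] = m.group(1)
        elif m := re.match(r"Valid: from (\S+) to (\S+)$", s):
            cert["valid_from"] = datetime.fromisoformat(m.group(1))
            # "forever" means no expiry; leave valid_to unset so the audit flags it.
            cert["valid_to"] = None if m.group(2) == "forever" else datetime.fromisoformat(m.group(2))
        elif re.match(r"[A-Za-z ]+:", s):
            section = s.split(":")[0]  # a new field or list header, e.g. "Principals"
        elif s and section == "Principals":
            cert["principals"].append(s)
    return cert

def audit(cert, allowed_principals, max_ttl, cert_type="user"):
    """Return a list of policy findings; an empty list means the certificate passes."""
    findings = []
    if cert["type"] != cert_type:
        findings.append(f"type is {cert['type']}, expected {cert_type}")
    if cert["valid_from"] is None or cert["valid_to"] is None:
        findings.append("no bounded validity window")
    elif cert["valid_to"] - cert["valid_from"] > max_ttl:
        findings.append(f"lifetime {cert['valid_to'] - cert['valid_from']} exceeds {max_ttl}")
    extra = sorted(set(cert["principals"]) - set(allowed_principals))
    if extra or not cert["principals"]:
        findings.append(f"principals not acceptable: {extra or 'none listed'}")
    return findings

if __name__ == "__main__":
    print(audit(parse_cert(SAMPLE), {"ec2-user"}, timedelta(hours=4)))
```

In practice, pass the captured output of `ssh-keygen -L -f <cert>` to `parse_cert` in place of `SAMPLE`.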