infisical ssh
Generate SSH credentials with the CLI
Description
Infisical SSH lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
This command enables you to obtain SSH credentials used to access a remote host; we recommend using the issue-credentials sub-command to generate dynamic SSH credentials for each SSH session.
Sub-commands
infisical ssh issue-credentials
This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template.
We recommend using the --addToAgent flag to automatically load issued SSH credentials to the SSH agent.
Flags
--certificateTemplateId
The ID of the SSH certificate template to issue SSH credentials for.
--principals
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
--addToAgent
Whether to add issued SSH credentials to the SSH agent.
Default value: false
Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
--outFilePath
The path to write the SSH credentials to, such as ~/.ssh, ./some_folder, ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be saved to the current working directory where the command is run.
Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
--keyAlgorithm
The key algorithm to issue SSH credentials for.
Default value: RSA_2048
Available options: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1.
--certType
The certificate type to issue SSH credentials for.
Default value: user
Available options: user or host
--ttl
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y).
Defaults to the Default TTL value set in the certificate template.
--keyId
A custom Key ID to issue SSH credentials for.
Defaults to the autogenerated Key ID by Infisical.
--token
An authenticated token to use to issue SSH credentials.
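The flag rules above can be checked before the CLI is called. The following is an added example, not part of the Infisical documentation or CLI: a POSIX sh wrapper that validates the documented options and defaults to --addToAgent. The function names (one_of, build_issue_args, issue_ssh_credentials) and the rule that template ID and principals must be non-empty are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Infisical's own code. Function bodies use ( ) so that
# variables stay local in plain POSIX sh.

# Succeeds when $1 equals one of the remaining arguments.
one_of() (
  needle="$1"; shift
  for candidate in "$@"; do
    [ "$needle" = "$candidate" ] && return 0
  done
  return 1
)

# build_issue_args TEMPLATE_ID PRINCIPALS [TTL] [KEY_ALGORITHM] [CERT_TYPE] [OUT_PATH]
# Prints the CLI arguments one per line; returns 2 on an invalid combination.
build_issue_args() (
  template_id="$1"; principals="$2"; ttl="${3:-}"
  key_alg="${4:-RSA_2048}"; cert_type="${5:-user}"; out_path="${6:-}"
  # Wrapper policy (an assumption, not stated on the page): both are mandatory.
  if [ -z "$template_id" ] || [ -z "$principals" ]; then
    echo "template ID and principals are required" >&2; return 2
  fi
  one_of "$key_alg" RSA_2048 RSA_4096 EC_prime256v1 EC_secp384r1 ||
    { echo "unsupported --keyAlgorithm: $key_alg" >&2; return 2; }
  one_of "$cert_type" user host ||
    { echo "unsupported --certType: $cert_type" >&2; return 2; }
  printf '%s\n' ssh issue-credentials \
    "--certificateTemplateId=$template_id" "--principals=$principals" \
    "--keyAlgorithm=$key_alg" "--certType=$cert_type"
  # Without --ttl the template's Default TTL applies.
  if [ -n "$ttl" ]; then printf '%s\n' "--ttl=$ttl"; fi
  # One of --outFilePath / --addToAgent must be set; prefer the agent so the
  # private key is not written to disk unless a path is requested.
  if [ -n "$out_path" ]; then
    printf '%s\n' "--outFilePath=$out_path"
  else
    printf '%s\n' "--addToAgent"
  fi
)

# issue_ssh_credentials: same arguments as build_issue_args; runs the CLI.
issue_ssh_credentials() (
  args="$(build_issue_args "$@")" || return
  # Split on newlines only so a TTL such as "2 days" stays one argument.
  IFS='
'
  set -f; set -- $args
  infisical "$@"
)
```

Calling issue_ssh_credentials with a template ID, a principal and a short TTL at the start of each session follows the per-session recommendation in the description above.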
infisical ssh sign-key
This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
--certificateTemplateId
The ID of the SSH certificate template to issue the SSH certificate for.
--publicKey
The public key to sign.
Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
--publicKeyFilePath
The path to the public key file to sign.
Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
--principals
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
--outFilePath
The path to write the SSH certificate to, such as ~/.ssh/id_rsa-cert.pub; the specified file must have the .pub extension. If not provided, the credentials will be saved to the directory of the specified --publicKeyFilePath or the current working directory where the command is run.
--certType
The certificate type to issue SSH credentials for.
Default value: user
Available options: user or host
--ttl
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y).
Defaults to the Default TTL value set in the certificate template.
--keyId
A custom Key ID to issue SSH credentials for.
Defaults to the autogenerated Key ID by Infisical.
--token
An authenticated token to use to issue SSH credentials.