infisical ssh
Generate SSH credentials with the CLI
Description
Infisical SSH lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
This command enables you to obtain SSH credentials used to access a remote host. We recommend using the connect sub-command, which handles the full workflow of issuing credentials and establishing an SSH connection in one step.
Sub-commands
infisical ssh connect
This command is used to connect to an SSH host using issued credentials. It will automatically issue credentials and either add them to your SSH agent or write them to disk before establishing an SSH connection.
Flags
--hostname
The hostname of the SSH host to connect to. If not provided, you will be prompted to select from available hosts.
--login-user
The login user for the SSH connection. If not provided, you will be prompted to select from available login users.
--write-host-ca-to-file
Whether to write the Host CA public key to ~/.ssh/known_hosts if it doesn’t already exist.
Default value: true
--out-file-path
The path to write the SSH credentials to, such as ~/.ssh, ./some_folder, or ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be added to the SSH agent and used to establish an interactive SSH connection.
--token
Use a machine identity access token
infisical ssh add-host
This command is used to register a new SSH host with Infisical.
This command can be used with the --write-user-ca-to-file, --write-host-cert-to-file, and --configure-sshd flags to also configure the host’s SSH daemon with the necessary certificate authority and host certificate settings.
Flags
--projectId
Project ID the host belongs to (required)
--hostname
Hostname of the SSH host (required)
--alias
Alias for the SSH host (optional)
--write-user-ca-to-file
Write User CA public key to /etc/ssh/infisical_user_ca.pub
Default value: false
--user-ca-out-file-path
Custom file path to write the User CA public key
Default value: /etc/ssh/infisical_user_ca.pub
--write-host-cert-to-file
Write SSH host certificate to /etc/ssh/ssh_host_<type>_key-cert.pub
Default value: false
--configure-sshd
Update TrustedUserCAKeys, HostKey, and HostCertificate in the /etc/ssh/sshd_config file
Default value: false
Note: This flag requires both --write-user-ca-to-file and --write-host-cert-to-file to be set
--force
Force overwrite of existing certificate files as part of --write-user-ca-to-file and --write-host-cert-to-file
Default value: false
--token
Use a machine identity access token
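As an added example (not part of the Infisical CLI or its documentation), the shell function below audits an sshd_config for the three directives that --configure-sshd is documented to update. The helper name, the finding messages and the sample config are constructed here; it assumes whitespace-separated "Keyword value" lines with no Match or Include handling, and that a HostCertificate named <key>-cert.pub pairs with HostKey <key>.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives that --configure-sshd
# is documented to update. Assumes "Keyword value" lines; Match/Include ignored.

# check_sshd_ca_config FILE [EXPECTED_USER_CA]  (hypothetical helper name)
# Prints one finding per line and returns non-zero if anything is wrong.
check_sshd_ca_config() {
    cfg=$1
    want_ca=${2:-/etc/ssh/infisical_user_ca.pub}   # default path from the flag reference
    awk -v want_ca="$want_ca" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            key = tolower($1); val = $2            # sshd keywords are case-insensitive
            if (key == "trustedusercakeys") {      # sshd uses the first value it reads
                if (!ca_seen) { ca = val; ca_seen = 1 }
            } else if (key == "hostkey") {
                hostkey[val] = 1
            } else if (key == "hostcertificate") {
                cert[val] = 1; ncert++
            }
        }
        END {
            bad = 0
            if (!ca_seen)           { print "MISSING TrustedUserCAKeys"; bad = 1 }
            else if (ca != want_ca) { print "UNEXPECTED TrustedUserCAKeys " ca; bad = 1 }
            if (ncert == 0)         { print "MISSING HostCertificate"; bad = 1 }
            for (c in cert) {
                k = c; sub(/-cert\.pub$/, "", k)   # assumed pairing: <key>-cert.pub <-> <key>
                if (k == c || !(k in hostkey)) { print "NO MATCHING HostKey for " c; bad = 1 }
            }
            exit bad
        }
    ' "$cfg"
}

# Constructed sample (not from a real host): the user CA is trusted, but the
# host certificate has no corresponding HostKey line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TrustedUserCAKeys /etc/ssh/infisical_user_ca.pub
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
check_sshd_ca_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

Pass a second argument when the User CA was written to a custom location with --user-ca-out-file-path.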