Core commands
infisical ssh
Generate SSH credentials with the CLI
Description
Infisical SSH lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure. This command enables you to obtain SSH credentials used to access a remote host. We recommend using theconnect sub-command which handles the full workflow of issuing credentials and establishing an SSH connection in one step.
Sub-commands
infisical ssh connect
infisical ssh connect
This command is used to connect to an SSH host using issued credentials. It will automatically issue credentials and either add them to your SSH agent or write them to disk before establishing an SSH connection.
Flags
--hostname
--hostname
The hostname of the SSH host to connect to. If not provided, you will be prompted to select from available hosts.
--login-user
--login-user
The login user for the SSH connection. If not provided, you will be prompted to select from available login users.
--write-host-ca-to-file
--write-host-ca-to-file
Whether to write the Host CA public key to
~/.ssh/known_hosts if it doesn’t already exist.Default value: true--out-file-path
--out-file-path
The path to write the SSH credentials to such as
~/.ssh, ./some_folder, ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be added to the SSH agent and used to establish an interactive SSH connection.--token
--token
Use a machine identity access token
infisical ssh add-host
infisical ssh add-host
This command is used to register a new SSH host with Infisical.This command can be used with the
--write-user-ca-to-file, --write-host-cert-to-file, and --configure-sshd flags
to also configure the host’s SSH daemon with the necessary certificate authority and host certificate settings.Flags
--projectId
--projectId
Project ID the host belongs to (required)
--hostname
--hostname
Hostname of the SSH host (required)
--alias
--alias
Alias for the SSH host (optional)
--write-user-ca-to-file
--write-user-ca-to-file
Write User CA public key to
/etc/ssh/infisical_user_ca.pubDefault value: false--user-ca-out-file-path
--user-ca-out-file-path
Custom file path to write the User CA public keyDefault value:
/etc/ssh/infisical_user_ca.pub--write-host-cert-to-file
--write-host-cert-to-file
Write SSH host certificate to
/etc/ssh/ssh_host_<type>_key-cert.pubDefault value: false--configure-sshd
--configure-sshd
Update
TrustedUserCAKeys, HostKey, and HostCertificate in the /etc/ssh/sshd_config fileDefault value: falseNote: This flag requires both —write-user-ca-to-file and —write-host-cert-to-file to be set--force
--force
Force overwrite of existing certificate files as part of
--write-user-ca-to-file and --write-host-cert-to-fileDefault value: false--token
--token
Use a machine identity access token