Skip to main content
Infisical PAM supports secure, just-in-time access to SSH servers. This allows your team to access Linux/Unix servers without sharing static credentials, while maintaining a complete audit trail of all sessions.

How It Works

SSH access in Infisical PAM uses a Gateway deployed in your network to establish secure connections to your servers. The Gateway acts as a bridge between Infisical and your private infrastructure.

Authentication Methods

Infisical PAM supports three authentication methods for SSH:
MethodDescriptionUse Case
PasswordTraditional username/password authenticationLegacy systems, simple setups
SSH KeyPublic key authentication with a private keyStandard secure access
CertificateSSH certificates signed by a CAZero-trust, ephemeral credentials

Certificate-Based Authentication

Certificate-based authentication allows for the use of ephemeral credentials. Infisical generates short-lived SSH certificates on-demand for each session. Benefits:
  • Ephemeral access: Certificates are generated per-session and expire automatically
  • Centralized trust: Servers trust the Infisical CA to authorize connections
  • Simplified management: Infisical handles the certificate lifecycle for each connection
  • Audit trail: Each certificate is tied to a specific user and session

Prerequisites

Before configuring SSH access in Infisical PAM, ensure you have:
  1. An Infisical Gateway deployed with network reachability to your SSH servers
  2. Network connectivity from the Gateway to your SSH servers on port 22 (or custom SSH port)
  3. SSH server credentials (password, private key, or CA setup for certificate auth)

Create the PAM Resource

The PAM Resource represents the SSH server you want to protect.
1

Navigate to Resources

Go to your PAM project and click on the Resources tab.
2

Add SSH Resource

Click Add Resource and select SSH.
3

Configure Connection Details

Fill in the connection details:
Name
string
required
A friendly name for this resource (e.g., production-server, bastion-host)
Gateway
string
required
Select the Gateway that has network access to this SSH server
Host
string
required
The hostname or IP address of the SSH server (e.g., 192.168.1.100 or server.internal.example.com)
Port
number
required
The SSH port (default: 22)
4

Create the Resource

Click Create Resource. Infisical will validate that the Gateway can reach the SSH server.

Create PAM Accounts

A PAM Account represents a specific user account on the SSH server. You can create multiple accounts per resource with different authentication methods.

Password Authentication

1

Navigate to Accounts

Go to the Accounts tab in your PAM project.
2

Add Account

Click Add Account and select your SSH resource.
3

Configure Password Auth

Name
string
required
A friendly name for this account (e.g., ubuntu-admin, deploy-user)
Authentication Method
string
required
Select Password
Username
string
required
The SSH username on the server
Password
string
required
The SSH password for this user

SSH Key Authentication

1

Add Account

Click Add Account and select your SSH resource.
2

Configure Key Auth

Name
string
required
A friendly name for this account
Authentication Method
string
required
Select SSH Key
Username
string
required
The SSH username on the server
Private Key
string
required
The private key in OpenSSH format (begins with -----BEGIN OPENSSH PRIVATE KEY-----)

Certificate Authentication

Certificate authentication requires additional setup on your SSH server to trust the Infisical CA.
1

Configure the SSH Server

Before creating the account, you need to configure your SSH server to trust certificates signed by Infisical.Run the following command on your SSH server (requires root/sudo):
curl -H "Authorization: Bearer <YOUR_TOKEN>" \
  "https://app.infisical.com/api/v1/pam/resources/ssh/<RESOURCE_ID>/ssh-ca-setup" \
  | sudo bash
This script will:
  1. Download the CA public key for your SSH resource
  2. Save it to /etc/ssh/infisical_ca.pub
  3. Add TrustedUserCAKeys /etc/ssh/infisical_ca.pub to /etc/ssh/sshd_config
  4. Validate and restart the SSH service
First-time setup: The CA key pair is generated automatically when you first call the setup endpoint. Subsequent calls will return the same CA public key.
Manual setup: If you prefer to configure the server manually, you can download just the CA public key and configure sshd yourself:
curl -H "Authorization: Bearer <YOUR_TOKEN>" \
  "https://app.infisical.com/api/v1/pam/resources/ssh/<RESOURCE_ID>/ssh-ca-public-key" \
  | sudo tee /etc/ssh/infisical_ca.pub
Then configure sshd:
  1. Add to /etc/ssh/sshd_config: 
    TrustedUserCAKeys /etc/ssh/infisical_ca.pub
  2. Restart sshd: sudo systemctl restart sshd
2

Add Account in Infisical

Name
string
required
A friendly name for this account
Authentication Method
string
required
Select Certificate
Username
string
required
The SSH username that the certificate will be issued for. This user must exist on the SSH server.
Unlike password or key authentication, you don’t need to provide any credentials. Infisical will generate a new key pair and certificate for each session.

Access SSH Servers

Once your resource and accounts are configured, users can access SSH servers through the Infisical CLI.
1

Install the CLI

If you haven’t already, install the Infisical CLI:
# macOS
brew install infisical/get-cli/infisical

# Linux
curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | sudo -E bash
sudo apt-get install infisical
2

Login to Infisical

infisical login
3

Connect to SSH Server

infisical pam ssh access-account <account-path> --project-id <project-id> --duration <duration>
For example:
infisical pam ssh access-account /production-server/ubuntu-admin --project-id 00000000-0000-0000-0000-000000000000 --duration 1h