Infisical SSH
Learn how to securely provision user SSH access to your infrastructure using SSH certificates.
Concept
Infisical SSH can be configured to provide users on your team short-lived, secure SSH access to infrastructure. Under the hood, it uses SSH certificates and improves upon traditional SSH key-based authentication by mitigating private key compromise, static key management, unauthorized access, and SSH key sprawl.
The following entities and concepts are important to understand when using Infisical SSH:
- Administrator: An individual on your team who is responsible for configuring Infisical SSH.
- Users: Other individuals on your team that need access to the remote host.
- Host: A remote machine (e.g. EC2 instance, GCP VM, Azure VM, on-prem Linux server, Raspberry Pi, VMware VM, etc.) that users need SSH access to that is registered with Infisical SSH.
Workflow
The typical workflow for using Infisical SSH consists of the following steps:
- The administrator registers a remote host with Infisical using the Infisical CLI via the
infisical ssh add-hostcommand. - The administrator configures Infisical SSH to grant users access to the remote host.
- User(s) access the remote host using the Infisical CLI via the
infisical ssh connectcommand.
Admin Guide for Configuring Infisical SSH
In the following steps, we explore how to configure Infisical SSH to control and streamline your team’s SSH access to infrastructure. As part of this guide, we will register a remote host with Infisical through a machine identity and configure Infisical to grant user(s) access to the remote host.
Create an Infisical SSH project
1.1. Start by creating a new Infisical SSH project in Infisical.
1.2. Create a custom role in the project under Access Control > Project Roles to grant the machine identity that we will create in step 2 the ability to Create and Issue Host Certificates on the SSH Host resource; this will enable the linked machine identity to bootstrap a remote host with Infisical and establish the necessary configuration on it.
Create a machine identity for bootstrapping Infisical SSH
2.1. Follow the instructions here to configure a machine identity in Infisical with Universal Auth.
By the end of this step, you should have a Client ID and Client Secret on hand as part of the Universal Auth configuration for the identity to authenticate with Infisical as part of registering a remote host in step 3.
You may use other authentication methods as suitable (e.g. AWS Auth, Azure Auth, GCP Auth, etc.) as part of the machine identity configuration but, to keep this example simple, we will be using Universal Auth.
2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the custom role you created in step 1.2.
Configure the remote host
3.1. Follow the instructions here to install the Infisical CLI onto the remote host.
3.2. Run the commands below to register the remote host with Infisical.
Use the Client ID and Client Secret from the machine identity you created in step 2.1 as part of the infisical login command
to obtain an access token and save it as an environment variable.
Next, use the infisical ssh add-host command to register the remote host with Infisical. As part of this command, input the ID of the Infisical SSH project you created in step 1 for the --projectId flag and the hostname of the remote host for the --hostname flag.
Note that if you’re self-hosting Infisical, you can use the --domain flag on the infisical login command to specify the domain of your Infisical instance.
For more information on the infisical ssh add-host command, please refer to the Infisical CLI documentation.
If successful, you should see output similar to the following:
Finally, use the following command to reload the SSH daemon on the remote host to apply the changes:
The command may differ depending on the host. For older versions of Ubuntu/Debian/CentOS, you may need to use sudo service ssh reload instead;
for Alpine or minimal systems, /etc/init.d/sshd reload.
Back in Infisical, you should now see the remote host you just registered in the Infisical SSH project you created in step 1 under the Hosts tab.
Grant users access to the remote host
4.1. Add the user(s) you wish to grant access to the remote host to the Infisical SSH project under Access Control > Users.
4.2. On the registered host in the Hosts tab, click Edit SSH Host and add a login mapping for the user(s) you added in step 4.1.
The login mapping dictates what user(s) will be allowed access to the remote host and under a specific login user; in the allowed principals, you should select user(s) part of the Infisical SSH project that will be allowed to login to the remote host as the login user.
For instance, if you add a mapping with the login user ec2-user to some users John and Alice in Infisical, then they will be allowed to login to the remote host as ec2-user which is a system user that
exists on the remote host.
Note that you should configure authorized principals files for each login user you add to the remote host.
User Guide for SSHing to a Host
Once Infisical SSH is configured by an administrator, users can SSH to the remote host using the Infisical CLI.
Install the Infisical CLI
Follow the instructions here to install the Infisical CLI onto your local machine.
Log in with the CLI
Run the infisical login command to authenticate with Infisical.
Connect to the remote host
Run the infisical ssh connect command to connect to a remote host.
You’ll be prompted to select an SSH Host from a list of accessible hosts; this is based on project membership and login mappings configured on hosts by the administrator.
After selecting a host, you’ll be prompted to select a login user from a list of allowed login users:
If successful, you should be able to SSH to the remote host.
Was this page helpful?