Infisical SSH

​

Concept

• Administrator: An individual on your team who is responsible for configuring Infisical SSH.
• Users: Other individuals that gain access to remote hosts through Infisical SSH.
• Host: A remote machine (e.g. EC2 instance, GCP VM, Azure VM, on-prem Linux server, Raspberry Pi, VMware VM, etc.) that users need SSH access to that is registered with Infisical SSH.

​

Workflow

1. The administrator registers a remote host with Infisical using the Infisical CLI via the infisical ssh add-host command.
2. The administrator configures Infisical SSH to grant users access to the remote host.
3. User(s) access the remote host using the Infisical CLI via the infisical ssh connect command.

​

Admin Guide for Configuring Infisical SSH

1

Create an Infisical SSH project

Start by creating a new Infisical SSH project in Infisical.

2

Create a machine identity for bootstrapping Infisical SSH

2.1. Follow the instructions here to configure a machine identity in Infisical with Universal Auth.By the end of this step, you should have a Client ID and Client Secret on hand as part of the Universal Auth configuration for the identity to authenticate with Infisical as part of registering a remote host in step 3.

You may use other authentication methods as suitable (e.g. AWS Auth, Azure Auth, GCP Auth, etc.) as part of the machine identity configuration but, to keep this example simple, we will be using Universal Auth.

2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the SSH Host Bootstrapper role.This role grants the ability to Create and Issue Host Certificates on the SSH Host resource; this will enable the linked machine identity to bootstrap a remote host with Infisical and establish the necessary configuration on it.

If you plan to use a custom role to bootstrap SSH hosts, ensure the role has the Create and Issue Host Certificates on the SSH Host resource.

3

Configure the remote host

3.1. Follow the instructions here to install the Infisical CLI onto the remote host.3.2. Run the commands below to register the remote host with Infisical.Use the Client ID and Client Secret from the machine identity you created in step 2.1 as part of the infisical login command to obtain an access token and save it as an environment variable.

Copy

Ask AI

export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain)

Next, use the infisical ssh add-host command to register the remote host with Infisical. As part of this command, input the ID of the Infisical SSH project you created in step 1 for the --projectId flag and the hostname of the remote host for the --hostname flag.

Copy

Ask AI

sudo infisical ssh add-host --projectId=<project-id> --hostname=<hostname> --token="$INFISICAL_TOKEN" --write-user-ca-to-file --write-host-cert-to-file --configure-sshd

Note that if you’re self-hosting Infisical, you can use the --domain flag on the infisical login command to specify the domain of your Infisical instance.For more information on the infisical ssh add-host command, please refer to the Infisical CLI documentation.

If successful, you should see output similar to the following:

Copy

Ask AI

✅ Successfully registered host: <hostname>
📁 Wrote User CA public key to: /etc/ssh/infisical_user_ca.pub
📁 Wrote host certificate to: /etc/ssh/ssh_host_ed25519_key-cert.pub
📄 Updated sshd_config entries

Finally, use the following command to reload the SSH daemon on the remote host to apply the changes:

Copy

Ask AI

sudo systemctl reload sshd

The command may differ depending on the host. For older versions of Ubuntu/Debian/CentOS, you may need to use sudo service ssh reload instead; for Alpine or minimal systems, /etc/init.d/sshd reload.

Back in Infisical, you should now see the remote host you just registered in the Infisical SSH project you created in step 1 under the Hosts tab.

4

Grant users access to the remote host

4.1. Add the user(s) you wish to grant access to the remote host to the Infisical SSH project under Access Control > Users.4.2. On the registered host in the Hosts tab, click Edit SSH Host and add a login mapping for the user(s) you added in step 4.1.The login mapping dictates what user(s) will be allowed access to the remote host and under a specific login user; in the allowed principals, you should select user(s) part of the Infisical SSH project that will be allowed to login to the remote host as the login user.For instance, if you add a mapping with the login user ec2-user to some users John and Alice in Infisical, then they will be allowed to login to the remote host as ec2-user which is a system user that exists on the remote host.

Note that you should configure authorized principals files for each login user you add to the remote host.

​

User Guide for SSHing to a Host

infisical login

infisical ssh connect

Use the arrow keys to navigate: ↓ ↑ → ←
? Select an SSH Host:
▸ ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com

? Select Login User:
▸ ec2-user

✔ ec2-54-199-104-116.ap-northeast-1.compute.amazonaws.com
✔ ec2-user
✔ SSH credentials successfully added to agent
Connecting to [email protected]...