Add an SSH Server with Certificate Auth

Prerequisites

Before you begin, you must ensure that the server you are attempting to add is accessible from the strongDM relay or gateway. You must have a properly functioning relay up and running, and it must be able to reach the target server before you can proceed. Setting up a relay is out of the scope of this guide, but for more information, see Relays.

Steps

Add a server in the Admin UI

1. Log in to the Admin UI and go to Infrastructure > Servers.

2. Click Add server.

3. On the Add Server dialog, set the following properties to configure how the strongDM relay connects to the server via SSH.

   

   1. Display Name (Required): Enter a meaningful name for this resource, such as testserver-01. This name is shown in the Admin UI.
   2. Server Type (Required): Select SSH (Certificate Based).
   3. Hostname (Required): Enter the hostname or IP address to which you are connecting, such as testserver-01.example.org. It is imperative that the relay server can connect to the entry that you choose for the hostname. To verify that it can connect, hop on the relay server, and from a command prompt, type $ ping <YOUR_HOSTNAME>. If your relay can connect to this hostname, you can proceed.
   4. Port (Required): Enter the port to connect to the resource (default: 22).
   5. Port Override: After a resource is created, the port override is automatically generated. A value between 1024-59999 is assigned as long as it is not used by another resource. You can optionally overwrite it with your own preferred port later in the Port Overrides settings.
   6. Secret Store: If a Secret Store integration is configured, select where the credentials for this resource are stored.
   7. Authentication (Required): Select either Leased Credentials (default) or Remote Identities.
   8. Username (Required): This field is shown if Authentication is set to Leased Credentials. Enter the username that the relay will use to connect to the server via SSH (for example, bob.belcher).
   9. Healthcheck Username (Required): If Authentication is set to Remote Identity, enter the username that will be used to verify strongDM's connection to the server. Note that the username must exist on the target server.
   10. Allow Port Forwarding (Optional): Select the checkbox to enable port forwarding. Once enabled, SSH connections proxied by strongDM for this server accept local forwarding requests.
   11. Resource Tags (Optional): Assign tags to this resource by entering key-value pairs in the format <KEY>=<VALUE> (for example, env=dev).

4. Click create.

After the server is created, the Admin UI updates and shows your new server in a yellow state, as it is not quite ready yet. If everything has been configured correctly, the healthcheck turns green.

Add the strongDM CA to your hosts

If you have not already, add your organization's CA public key to the targeted host.

1. Create a file named /etc/ssh/sdm_ca.pub and add the CA public key. See SSH Certificate Auth for more information on keys.

2. Update the file's permissions because SSH can sometimes be unpredictable if permissions are not set correctly:

   sudo chmod 600 /etc/ssh/sdm_ca.pub

3. With your editor of choice, modify /etc/ssh/sshd_config by appending the following lines:

   # strongDM CA
   TrustedUserCAKeys /etc/ssh/sdm_ca.pub

4. Restart the SSH service on this host for the changes to take effect. The command may differ based on your system configuration. Here is an example:

   sudo systemctl restart ssh

For more settings, see SSH Certificate Auth.

If any errors occur, please copy them into an email and send them to support@strongdm.com.