Add an SSH Server With Certificate Auth

Last modified on November 3, 2022


An SSH server is a combination of a specific SSH destination and the credentials to access it. This guide describes how to set up an SSH server with a certificate in the Admin UI.


Before you begin, ensure that the server you are attempting to add is accessible from your StrongDM gateways or relays. You must have a properly functioning gateway or relay up and running, and it must be able to reach the target server before you can proceed.

To verify, go to the gateway or relay server and from a command prompt, type ping <YOUR_HOSTNAME>. If your gateway or relay can connect to this hostname, you can continue.

For more information see Gateways or Relays.

Add an SSH Certificate-Based Server

To add your new SSH certificate-based server as a StrongDM resource, use the following steps.

  1. Log in to the Admin UI and go to Infrastructure > Servers.
  2. Click Add server.
  3. Select SSH (Certificate Based) as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server via SSH.
Add SSH Certificate-Based Server Configuration Properties
Add SSH Certificate-Based Server Configuration Properties
  1. Click create to save the resource.
  2. Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Resource properties

Configuration properties are visible when you add a Server Type or when you click to view the server’s settings. The following table describes the settings available for your SSH (Certificate Based) server.

Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSelect SSH (Certificate Based)
HostnameRequiredHostname or IP address to which you are connecting, such as; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the resource; default port value 22
Bind InterfaceRead onlyAutomatically generated IP address value in the to IP address range; default is; preferred bind interface value can be modified later under Settings > Port Overrides
Port OverrideRead onlyAutomatically generated with a value between 1024 to 59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides
Secret StoreRequiredCredential store location with the default set to StrongDM; to learn more, see Secret Store options
Key TypeRequiredSigning algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options
AuthenticationRequiredSelect Leased Credentials (default) or Remote Identities
UsernameRequiredDisplays if Authentication is set to Leased Credentials; enter the username the relay should utilize to connect to the server via SSH (for example, bob.belcher)
Username (path)RequiredPath to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type
Healthcheck UsernameRequiredDisplays if Authentication is set to Remote Identity; enter the username that will be utilized to verify StrongDM’s connection to the server; username must exist on the target server
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Key Type options

The following table describes the different key types StrongDM can use to encrypt and secure SSH connections.

Key typeDescriptionAdditional information
RSA-20482048-bit key generated with RSA algorithmLowest security guarantees, but has broad support across hosts
RSA-40964096-bit key generated with RSA algorithmSlightly better than RSA-2048; still uses RSA, but larger keys can prolong the time to crack if an attacker gains access
ECDSA-256Key generated with 256-bit elliptic curve and ECDSA algorithmProvides better security guarantees than RSA
ECDSA-384Key generated with 384-bit elliptic curve and ECDSA algorithmSlightly better than ECSDA-256
ECDSA-521Key generated with 521-bit elliptic curve and ECDSA algorithmServes as the best ECDSA choice from a security standpoint
ED25519Key generated with ED25519 algorithmProvides the best performance and comparable security to ECDSA; much smaller keys, but not as widely supported as other options

Add the StrongDM CA to Your Host

If you have not already, add your organization’s certificate authority (CA) public key to the targeted host.

  1. Create a /etc/ssh/ file and add the CA public key. See SSH Certificate Auth for more information on keys.

  2. SSH can sometimes be unpredictable if permissions are not set correctly. Therefore, update the file’s permissions:

    sudo chmod 600 /etc/ssh/
  3. With your editor of choice, modify /etc/ssh/sshd_config by appending the following lines:

    # StrongDM CA
    TrustedUserCAKeys /etc/ssh/
  4. Restart the SSH service on this host for the changes to take effect. The command may differ based on your system configuration. Here is an example:

    sudo systemctl restart ssh

For more settings, see SSH Certificate Auth.

If any errors occur, please copy them into an email and send them to