Add an SSH Server with a Customer-Managed Key

Last modified on October 4, 2023

An SSH server is a combination of a specific SSH destination and the credentials to access it. This guide describes how to set up an SSH server with your own key in the Admin UI.

Prerequisites

Before you begin, you must ensure that the server you are attempting to add is accessible from the StrongDM relay or gateway. You must have a properly functioning relay up and running, and it must be able to reach the target server before you can proceed. Setting up a relay is out of the scope of this guide, but for more information, see Nodes.

Generate the Key

First generate your key. Use PEM or OpenSSH formatting to generate your key.

Add a Server in the Admin UI

  1. Log in to the Admin UI and select Infrastructure > Servers.

  2. Click the add server button.

  3. On the Add Server dialog, select SSH (Customer Managed Key) as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server via SSH.

    Add SSH Customer-Managed Key Configuration Properties
    Add SSH Customer-Managed Key Configuration Properties
  4. Click create to save the resource.

Resource properties

Configuration properties are visible when you add a Server Type or when you click to view the server’s settings. The following table describes the settings available for your SSH (Customer Managed Key) server.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSelect SSH (Customer Managed Key)
HostnameRequiredHostname or IP address to which you are connecting, such as testserver-01.example.org; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the resource; default port value 22
Bind InterfaceRead onlyAutomatically generated IP address value in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1; preferred bind interface value can be modified later under Settings > Port Overrides
Port OverrideRead onlyAutomatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
UsernameRequiredThe username the relay should utilize to connect to the server via SSH (for example, bob.belcher)
Username (path)RequiredPath to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type
Private KeyRequiredThe key in either plaintext or Base64 encoding; paste the key or import the key
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Add Your Key to Your Hosts

If you have not already, add your public key to the targeted host.

  1. Open a command prompt on the server you are adding and edit the authorized keys file for the user specified during server setup.

     sudo vi ~/.ssh/authorized_keys
    
  2. Append the generated public key to the end of the file, save, and exit.

  3. Back in the Admin UI, go to the Servers section and click the server’s name to view status, diagnostic information, and setting details.

  4. In the server settings, click the Update button.

The Admin UI displays that resource as unhealthy while the configuration is being applied. When the resource is ready, the Health icon indicates a positive, green status.