Add an SSH Server With a Public Key

Last modified on October 4, 2023

Overview

An SSH server is a combination of a specific SSH destination and the credentials to access it. This guide describes how to set up an SSH Server with a public key in the Admin UI. Adding a server takes place in both the Admin UI and on the server you are connecting to via StrongDM.

Prerequisites

Before you begin, ensure that the server you are attempting to add is accessible from your StrongDM gateways or relays. You must have a properly functioning gateway or relay up and running, and it must be able to reach the target server before you can proceed.

To verify, go to the gateway or relay server and from a command prompt, type ping <YOUR_HOSTNAME>. If your gateway or relay can connect to this hostname, you can continue.

For more information see Nodes.

Add an SSH Public-Key Server

To add your new SSH public-key server as a StrongDM resource, use the following steps.

  1. Log in to the Admin UI and go to Infrastructure > Servers.

  2. Click the Add server button.

  3. Select SSH (Public Key) as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server via SSH.

    Add SSH (Public Key) Server
    Add SSH (Public Key) Server
  4. Click create to save the resource.

  5. Click the resource name to view status, diagnostic information, and setting details.

  6. Click the Settings tab to view the Public Key field, which now contains data.

  7. Copy the Public Key value to your clipboard.

  8. Open a command prompt on the server you are adding. Edit the authorized_keys file for the user specified in the server configuration properties:

    sudo vi ~/.ssh/authorized_keys
    
  9. Append the generated public key value to the end of the file, write, and quit.

  10. Back in the Admin UI, click update. As the configuration is applied, the server status in the Admin UI appears unhealthy. It turns green or positive to signal a successful connection. If you have multiple servers to create, follow these steps for each server.

Resource properties

Configuration properties are visible when you add a Server Type or when you click to view the server’s settings. The following table describes the settings available for your SSH (Public Key) server.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSelect SSH (Public Key)
HostnameRequiredHostname or IP address to which you are connecting, such as testserver-01.example.org; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the resource; default port value 22
Bind InterfaceRead onlyAutomatically generated IP address value in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1; preferred bind interface value can be modified later under Settings > Port Overrides
Port OverrideRead onlyAutomatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
Key TypeRequiredSigning algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options
UsernameRequiredDisplays if Authentication is set to Leased Credentials; enter the username the relay should utilize to connect to the server via SSH (for example, bob.belcher)
Public KeyRequiredGenerated automatically after the server is created or updated; once generated, you must append the public key to the ~/.ssh/authorized_keys on the host
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Key Type options

The following table describes the different key types StrongDM can use to encrypt and secure SSH connections.

Key typeDescriptionAdditional information
RSA-20482048-bit key generated with RSA algorithmLowest security guarantees, but has broad support across hosts
RSA-40964096-bit key generated with RSA algorithmSlightly better than RSA-2048; still uses RSA, but larger keys can prolong the time to crack if an attacker gains access
ECDSA-256Key generated with 256-bit elliptic curve and ECDSA algorithmProvides better security guarantees than RSA
ECDSA-384Key generated with 384-bit elliptic curve and ECDSA algorithmSlightly better than ECSDA-256
ECDSA-521Key generated with 521-bit elliptic curve and ECDSA algorithmServes as the best ECDSA choice from a security standpoint
ED25519Key generated with ED25519 algorithmProvides the best performance and comparable security to ECDSA; much smaller keys, but not as widely supported as other options