Identity Alias for SSH

Last modified on June 10, 2024

You can use an Identity Alias, instead of a leased credential, with StrongDM to proxy authentication with your SSH resources. Actions are executed via the user’s account (that is, the Identity Alias) with the resource, while user-level auditing and monitoring occur on the resource side via native logging.

With an Identity Alias, your native server logs identify the particular user performing an action, rather than attributing every action conducted via StrongDM connections to the single leased user account. The username used is the Identity Alias set in the user’s StrongDM account.

Set Up Identity Aliases

Set up your server and user account

  1. Create your server if you do not have one already.
  2. Create or identify an account on the server that StrongDM can use to check its health. This user should have SSH access to the machine. Built-in accounts such as ubuntu or ec2-user are a good choice.

Add the resource in StrongDM

  1. In the Admin UI, create the resource by going to Infrastructure > Servers and clicking Add server.
  2. Select SSH (Certificate Based) server or SSH (Certificate Based with User Provisioning) as the server type.
  3. Set all required properties for the selected server type. Pay particular attention to the following:
    • For Authentication, set Identity Aliases. Select an Identity Set name from the list.
    • For Healthcheck Username, set the SSH user account name (for example, ubuntu).
  4. After you have set all the required properties, click Create to save the resource.

Add the Identity Alias to the user’s settings

  1. In the Admin UI, go to Access > Users and select the user who is going to use an Identity Alias.
  2. In that user’s Identity Aliases tab, for Identity Alias enter the user’s username, which can be any string that is not already in use.
  3. For Identity Set, enter the name of the Identity Set that the Identity Alias will be used for. A user can only have one alias per set.
  4. For Roles, optionally enter the name of the group(s) that the user will use to connect to the Identity Alias-enabled resource.

Configuration is now complete. You may now start using Identity Aliases to authenticate with your SSH resource.
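
To confirm on the server side that sessions are now attributed to individual aliases, the following added example (not StrongDM code) parses sshd "Accepted" log lines, counts logins per alias, separates the healthcheck account, and lists logins under unexpected usernames or without a certificate. It assumes the standard OpenSSH log format; the function name, alias names, and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd log format (not real logs);
# fingerprints and key IDs are placeholders.
SAMPLE_LOG = """\
Jun 10 09:00:01 web1 sshd[1201]: Accepted publickey for ubuntu from 10.0.0.5 port 50110 ssh2: RSA-CERT SHA256:AAAA ID key-id-1 (serial 1) CA RSA SHA256:CCCC
Jun 10 09:02:14 web1 sshd[1220]: Accepted publickey for alice.smith from 10.0.0.5 port 50144 ssh2: RSA-CERT SHA256:BBBB ID key-id-2 (serial 2) CA RSA SHA256:CCCC
Jun 10 09:05:40 web1 sshd[1251]: Accepted publickey for alice.smith from 10.0.0.5 port 50190 ssh2: RSA-CERT SHA256:BBBB ID key-id-2 (serial 3) CA RSA SHA256:CCCC
Jun 10 09:07:02 web1 sshd[1260]: Accepted publickey for bob.jones from 10.0.0.9 port 41000 ssh2: ED25519 SHA256:DDDD
Jun 10 09:08:30 web1 sshd[1272]: Failed password for invalid user admin from 203.0.113.7 port 40020 ssh2
Jun 10 09:08:55 web1 sshd[1275]: Accepted password for root from 203.0.113.7 port 40022 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<keytype>\S+))?"
)

def summarize(log_text, healthcheck_user, known_aliases):
    """Attribute accepted SSH logins to aliases and collect review items."""
    per_alias, healthchecks, unknown, no_cert = Counter(), 0, [], []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts, disconnects, other daemons
        user, ip = m["user"], m["ip"]
        # sshd reports certificate logins with a key type ending in -CERT
        if not (m["keytype"] or "").endswith("-CERT"):
            no_cert.append((user, m["method"], ip))
        if user == healthcheck_user:
            healthchecks += 1
        elif user in known_aliases:
            per_alias[user] += 1
        else:
            unknown.append((user, ip))
    return {"per_alias": dict(per_alias), "healthchecks": healthchecks,
            "unknown_users": unknown, "no_certificate": no_cert}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "ubuntu", {"alice.smith", "bob.jones"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a certificate-based resource, entries in `no_certificate` and `unknown_users` are the ones to review, since they did not present a certificate or used a username that is not a configured alias.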