Remote Identity for SSH
Last modified on July 27, 2023
You can use a Remote Identity, instead of a leased credential, with StrongDM to proxy authentication with your SSH resources. Actions are executed via the user’s account (that is, the Remote Identity) with the resource, while user-level auditing and monitoring occur on the resource side via native logging.
Utilizing a Remote Identity results in your native server logs identifying the particular user performing an action, rather than identifying all actions conducted via StrongDM connections as being performed by the single leased user account. The username employed is the user’s Remote Identity set in their StrongDM user account.
The option to authenticate with Remote Identities is available for only the SSH (Certificate Based) server resource type.
Set Up Remote Identities
Set up your server and user account
- Create your server if you do not have one already.
- Create or identify an account on the server that StrongDM can use to check its health. This user should have SSH access to the machine. Built-in accounts such as ec2-user are a good choice.
Add the resource in StrongDM
In the Admin UI, create the resource by going to Infrastructure > Servers and clicking Add server.
Select SSH (Certificate Based) server as the server type.
Set all required SSH server properties. Pay particular attention to the following:
- For Authentication, set Remote Identities.
- For Healthcheck Username, set the SSH user account name (for example,
After you have set all the required properties, click Create to save the resource.
Add the Remote Identity to the user’s settings
In the Admin UI, go to Access > Users and select the user who is going to use a Remote Identity.
In that user’s settings, for Remote Identity, enter the SSH user account name (for example, ubuntu).
If Remote Identities are configured on a resource, a Remote Identity also must be set for any user that is given access to that resource. If it is not, that user is unable to connect to the resource.
Individual users must have their own accounts on the server. The account name must match the Remote Identity value specified in the user’s settings.
Configuration is now complete. You may now start using Remote Identities to authenticate with your SSH resource.
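A server-side check for the account requirement above, as an added example that is not part of StrongDM's documentation or tooling. It assumes you keep StrongDM user to Remote Identity pairs in a text file (a hypothetical format, one pair per line), and as an extra assumption it also flags accounts whose shell refuses logins.

```shell
#!/bin/sh
# Added example (not StrongDM tooling): run on the SSH server to confirm each
# Remote Identity maps to a local account that can log in.
# Assumed input: one "strongdm_user remote_identity" pair per line.

# check_identities ID_FILE [PASSWD_FILE]
# Prints OK / MISSING / NOLOGIN / UNSET per pair; returns 1 if any pair fails.
# PASSWD_FILE defaults to /etc/passwd, so directory-backed (LDAP/SSSD)
# accounts are not seen; feed it `getent passwd` output to include them.
check_identities() {
    id_file=$1
    passwd_file=${2:-/etc/passwd}
    rc=0
    while read -r sdm_user identity || [ -n "$sdm_user" ]; do
        case $sdm_user in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -z "$identity" ]; then
            echo "UNSET $sdm_user (no Remote Identity)"
            rc=1
            continue
        fi
        # Exact, case-sensitive string match on the account name (field 1);
        # the "x" prefix distinguishes "not found" from an empty shell field.
        entry=$(awk -F: -v u="$identity" '$1 == u "" { print "x" $7; exit }' "$passwd_file")
        shell=${entry#x}
        if [ -z "$entry" ]; then
            echo "MISSING $sdm_user -> $identity (no such account)"
            rc=1
        else
            case $shell in
                */nologin|*/false)
                    echo "NOLOGIN $sdm_user -> $identity (shell $shell)"
                    rc=1 ;;
                *)  echo "OK $sdm_user -> $identity" ;;
            esac
        fi
    done < "$id_file"
    return $rc
}

# Demo on constructed data (sample users and accounts are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'ubuntu:x:1000:1000::/home/ubuntu:/bin/bash' \
        'svc:x:998:998::/nonexistent:/usr/sbin/nologin' > "$tmp/passwd"
    printf '%s\n' 'alice@example.com ubuntu' 'bob@example.com Ubuntu' \
        'carol@example.com svc' 'dave@example.com' > "$tmp/ids"
    check_identities "$tmp/ids" "$tmp/passwd"
    status=$?
    rm -rf "$tmp"
    return $status
}
demo || true
```

The second demo pair fails because account names are case-sensitive, so a Remote Identity of Ubuntu does not match the account ubuntu.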
If any errors occur, please copy them into an email and send it to email@example.com.