Add an SSH Server With a Public Key
Last modified on September 17, 2024
Overview
An SSH server is a combination of a specific SSH destination and the credentials to access it. This guide describes how to set up an SSH Server with a public key in the Admin UI. Adding a server takes place in both the Admin UI and on the server you are connecting to via StrongDM.
Prerequisites
Before you begin, ensure that the server you are attempting to add is accessible from your StrongDM gateways or relays. You must have a properly functioning gateway or relay up and running, and it must be able to reach the target server before you can proceed.
To verify, go to the gateway or relay server and from a command prompt, type ping <YOUR_HOSTNAME>. If your gateway or relay can connect to this hostname, you can continue.
For more information see Nodes.
Add an SSH Public-Key Server
To add your new SSH public-key server as a StrongDM resource, use the following steps.
Log in to the Admin UI and go to Resources > Servers.
Click the Add server button.
Select SSH (Public Key) as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server via SSH.
Add SSH (Public Key) Server Click create to save the resource.
Click the resource name to view status, diagnostic information, and setting details.
Click the Settings tab to view the Public Key field, which now contains data.
Copy the Public Key value to your clipboard.
Open a command prompt on the server you are adding. Edit the
authorized_keysfile for the user specified in the server configuration properties:sudo vi ~/.ssh/authorized_keysAppend the generated public key value to the end of the file, write, and quit.
Back in the Admin UI, click update. As the configuration is applied, the server status in the Admin UI appears unhealthy. It turns green or positive to signal a successful connection. If you have multiple servers to create, follow these steps for each server.
Resource properties
Configuration properties are visible when you add a Server Type or when you click to view the server’s settings. The following table describes the settings available for your SSH (Public Key) server.
| Property | Requirement | Description |
|---|---|---|
| Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
| Server Type | Required | Select SSH (Public Key) |
| Hostname | Required | Hostname or IP address to which you are connecting, such as testserver-01.example.org; relay server should be able to connect to your target server or hostname |
| Port | Required | Port to connect to the resource; default port value 22 |
| Bind Interface | Read only | Automatically generated IP address value in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1; preferred bind interface value can be modified later under Settings > Port Overrides |
| Port Override | Read only | Automatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides |
| Secret Store | Optional | Credential store location; defaults to Strong Vault; to learn more, see Secret Store options |
| Key Type | Required | Signing algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options |
| Username | Required | Displays if Authentication is set to Leased Credentials; enter the username the relay should utilize to connect to the server via SSH (for example, bob.belcher) |
| Public Key | Required | Generated automatically after the server is created or updated; once generated, you must append the public key to the ~/.ssh/authorized_keys on the host |
| Resource Tags | Optional | Resource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |
Secret Store options
By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
Key Type options
The following table describes the different key types StrongDM can use to encrypt and secure SSH connections.
| Key type | Description | Additional information |
|---|---|---|
| RSA-2048 | 2048-bit key generated with RSA algorithm | Lowest security guarantees, but has broad support across hosts |
| RSA-4096 | 4096-bit key generated with RSA algorithm | Slightly better than RSA-2048; still uses RSA, but larger keys can prolong the time to crack if an attacker gains access |
| ECDSA-256 | Key generated with 256-bit elliptic curve and ECDSA algorithm | Provides better security guarantees than RSA |
| ECDSA-384 | Key generated with 384-bit elliptic curve and ECDSA algorithm | Slightly better than ECSDA-256 |
| ECDSA-521 | Key generated with 521-bit elliptic curve and ECDSA algorithm | Serves as the best ECDSA choice from a security standpoint |
| ED25519 | Key generated with ED25519 algorithm | Provides the best performance and comparable security to ECDSA; much smaller keys, but not as widely supported as other options |