infisical ssh
Generate SSH credentials with the CLI
Description
Infisical SSH lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
This command enables you to obtain SSH credentials used to access a remote host; we recommend using the issue-credentials sub-command to generate dynamic SSH credentials for each SSH session.
Sub-commands
This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template.
We recommend using the --addToAgent flag to automatically load issued SSH credentials to the SSH agent.
$ infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<principals> --addToAgent
Flags
The ID of the SSH certificate template to issue SSH credentials for.
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
Whether to add issued SSH credentials to the SSH agent.
Default value: false
Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
The path to write the SSH credentials to, such as ~/.ssh, ./some_folder, or ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be saved to the current working directory where the command is run.
Note that either the --outFilePath or --addToAgent flag must be set for the sub-command to execute successfully.
The key algorithm to issue SSH credentials for.
Default value: RSA_2048
Available options: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1.
The certificate type to issue SSH credentials for.
Default value: user
Available options: user or host
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y).
Defaults to the Default TTL value set in the certificate template.
A custom Key ID to issue SSH credentials for.
Defaults to the autogenerated Key ID by Infisical.
An authenticated token to use to issue SSH credentials.
This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
$ infisical ssh sign-key --certificateTemplateId=<certificate-template-id> --publicKey=<public-key> --principals=<principals> --outFilePath=<out-file-path>
The ID of the SSH certificate template to issue the SSH certificate for.
The public key to sign.
Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
The path to the public key file to sign.
Note that either the --publicKey or --publicKeyFilePath flag must be set for the sub-command to execute successfully.
A comma-separated list of principals (i.e. usernames like ec2-user or hostnames) to issue SSH credentials for.
The path to write the SSH certificate to, such as ~/.ssh/id_rsa-cert.pub; the specified file must have the .pub extension. If not provided, the credentials will be saved to the directory of the specified --publicKeyFilePath or the current working directory where the command is run.
The certificate type to issue SSH credentials for.
Default value: user
Available options: user or host
The time-to-live (TTL) for the issued SSH certificate (e.g. 2 days, 1d, 2h, 1y).
Defaults to the Default TTL value set in the certificate template.
A custom Key ID to issue SSH credentials for.
Defaults to the autogenerated Key ID by Infisical.
An authenticated token to use to issue SSH credentials.
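To confirm that a certificate written by issue-credentials or sign-key carries only the requested principals, certificate type and lifetime, the following added Python example (not part of the Infisical documentation or CLI) reads those fields from one line of a -cert.pub file in the OpenSSH certificate layout. The names parse_cert, check_cert and sample_cert are hypothetical, the sample certificate is constructed, and the CA signature is not verified.

```python
import base64, re, struct

def _string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse one line of a *-cert.pub file. The CA signature is not verified."""
    blob = base64.b64decode(line.split()[1], validate=True)
    kind, off = _string(blob, 0)
    # OpenSSH names for RSA and ECDSA certificates (the key algorithms listed on this page).
    if not re.fullmatch(rb"(ssh-rsa|ecdsa-sha2-nistp(256|384))-cert-v01@openssh\.com", kind):
        raise ValueError("unsupported certificate type")
    for _ in range(3):  # nonce, then two public-key fields (e, n or curve, point)
        _, off = _string(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    packed, off = _string(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    names, p = [], 0
    while p < len(packed):
        name, p = _string(packed, p)
        names.append(name.decode())
    return {"type": {1: "user", 2: "host"}.get(ctype, "unknown"), "key_id": key_id.decode(),
            "principals": names, "valid_after": after, "valid_before": before}

def check_cert(line, principals, cert_type="user", max_ttl=None):
    """Return the ways the certificate differs from what was requested."""
    c, problems = parse_cert(line), []
    if c["type"] != cert_type:
        problems.append("certificate type is " + c["type"])
    if not c["principals"]:
        problems.append("certificate lists no principals")
    elif set(c["principals"]) - set(principals):
        problems.append("unrequested principals present")
    if max_ttl is not None and c["valid_before"] - c["valid_after"] > max_ttl:
        problems.append("lifetime exceeds requested TTL")
    return problems

# Constructed, unsigned sample in certificate layout; not output from Infisical.
def sample_cert(principals, ctype=1, after=1000, before=8200):
    s = lambda b: struct.pack(">I", len(b)) + b
    body = s(b"ssh-rsa-cert-v01@openssh.com") + s(b"nonce") + s(b"\x01\x00\x01") + s(b"\x00n")
    body += struct.pack(">QI", 7, ctype) + s(b"constructed-key-id")
    body += s(b"".join(s(p.encode()) for p in principals)) + struct.pack(">QQ", after, before)
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " sample"
```

An empty list from check_cert means the fields match the request; max_ttl is in seconds and is compared against the certificate's own validity window.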