Configure Default Shell on SSH Hosts (OKTA)

You can override the SSH default shell for users logging into registered hosts.

Edit Smallstep User Profile in OKTA
  • From the OKTA admin, go to Directory --> Profile Editor
  • Click to open the Smallstep User profile to add a new Attribute

Add a `shell` Attribute that maps to the SSH login shell for OKTA users

Use the following settings to add an Attribute.


🗒️ The External Name and External Namespace are specific to Smallstep. The other naming options are customizable.

Configuration Fields

  • Data type = String
  • Display Name = [anything you choose]
  • Variable Name = [anything you choose]
  • External Name = shell
  • External Namespace = urn:scim:smallstep:ssh:schema
  • Description = [anything you choose]
  • Enum = [unchecked]
  • Attribute Length = [unset]
  • Attribute required = [optional]
  • Scope = [optional]
  • User Permission = [READ ONLY]


Map New Attribute to OKTA sync

  • After the attribute is created, select Mappings and choose the OKTA User to Smallstep direction
  • Set the mapping expression for the new attribute to the shell path as a quoted string, for example "/bin/bash". Okta Expression Language conditionals let you pick a shell per user, e.g. user.department == "Engineering" ? "/usr/bin/zsh" : "/bin/bash". Whatever expression you use must produce an absolute path to a shell that is installed on the registered hosts; sshd execs that path at login, so a shell that does not exist on the host means those users cannot log in.
  • Save your mapping and decide whether to apply the change to existing users now or wait for the next sync.

Test that the shell value is applied when a user SSH session begins

  • From an end-user machine, rerun the step ssh configuration so the client picks up the change:
step ssh config --team [your_team_slug] --force
  • SSH into a registered host and confirm the login shell matches what you configured in OKTA, for example with echo "$SHELL" or getent passwd "$USER" (the seventh field is the shell).
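The following is an added example, not part of the Smallstep documentation, showing a small check you can run on a registered host after logging in: it reads the login shell the host resolved for the user, compares it with the value set in OKTA, and confirms it is an absolute path listed in /etc/shells. The passwd line and /etc/shells contents below are constructed samples so the check runs offline; on a real host you would feed it the output of getent passwd "$USER" and cat /etc/shells, as shown in the trailing comment.

```shell
# Added example (not Smallstep's code): verify the SSH login shell that a
# registered host resolved for a user after the OKTA attribute has synced.

# Constructed sample passwd entry, as `getent passwd alice` might print it
SAMPLE_PASSWD='alice:x:2001:2001:Alice Example:/home/alice:/bin/bash'

# Constructed sample /etc/shells contents
SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/bin/zsh'

# shell_of PASSWD_LINE -> prints the seventh colon-separated field (login shell)
shell_of() {
  printf '%s\n' "$1" | cut -d: -f7
}

# shell_listed SHELL SHELLS_TEXT -> exit 0 if SHELL appears as a whole line
shell_listed() {
  printf '%s\n' "$2" | grep -qx -- "$1"
}

# check_shell PASSWD_LINE EXPECTED_SHELL SHELLS_TEXT
#   0: resolved shell equals EXPECTED_SHELL, is absolute, and is listed
#   1: resolved shell differs from EXPECTED_SHELL (attribute not synced yet?)
#   2: resolved shell is not an absolute path
#   3: resolved shell is not listed in /etc/shells on this host
check_shell() {
  passwd_line=$1
  expected=$2
  shells=$3
  actual=$(shell_of "$passwd_line")
  if [ "$actual" != "$expected" ]; then
    echo "login shell is '$actual', expected '$expected'" >&2
    return 1
  fi
  case $actual in
    /*) ;;
    *) echo "login shell '$actual' is not an absolute path" >&2; return 2 ;;
  esac
  if ! shell_listed "$actual" "$shells"; then
    echo "login shell '$actual' is not listed in /etc/shells on this host" >&2
    return 3
  fi
  return 0
}

# Live usage on a registered host (not run here); also confirm the binary
# exists, since sshd execs it directly:
#   check_shell "$(getent passwd "$USER")" /bin/bash "$(cat /etc/shells)" \
#     && [ -x /bin/bash ] && echo "shell OK"
```

Run it as the user whose shell you changed; a non-zero result with the "expected" message usually means the OKTA mapping has not pushed to Smallstep yet, while a missing or unlisted shell points at the host's own configuration rather than at OKTA.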