Assign a default provisioner when logging into Smallstep SSH.

Users can assign a default provisioner key (issuer) to bypass the Provisioner key selection menu during ssh login.

If users plan to log into SSH with the same authentication method every time (e.g., OIDC via Okta, Google, Azure AD), they can bypass the Provisioner key selection menu that is normally presented when logging into Smallstep SSH.

Example of Provisioner key selection menu:

```
user@domain:~$ step ssh login

Use the arrow keys to navigate: ↓ ↑
What provisioner key do you want to use?
    okta (OIDC) [client: abc123xyzdef456lmnop]
    Service Account (K8sSA)
```

You can bypass the Provisioner key selection menu by adding an `issuer` attribute to the user's own `$(step path)/config/defaults.json` file.
  • Run `step ssh logout` to remove all existing identities, which will trigger the Provisioner key selection menu the next time you log in.
  • Run `step ssh login` and note which Provisioner key value you wish to make the default.
  • Open the user's defaults.json file (`$(step path)/config/defaults.json`) to edit it.
  • Add a new key-value pair with the key `"issuer"` and a value which typically (if OIDC) will be one of okta|gsuite|azure. Save the defaults.json file.
  • Run `step ssh login` and you should immediately get the OIDC auth challenge flow instead of the Provisioner key selection menu.
The following example defaults.json file will trigger the `okta` flow. Note the comma separator added after the `redirect-url` entry; `issuer` is the new key/value pair for the default provisioner.

```json
{
  "ca-url": "",
  "fingerprint": "abc123dc7a8070b9c6577b40",
  "root": "$STEPHOME\\.step\\certs\\root_ca.crt",
  "redirect-url": "",
  "issuer": "okta"
}
```
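
The edit steps above can also be scripted. The following is an added example, not Smallstep's own tooling: the function name `set_default_issuer` and the `ca-url` value in the demo are assumptions made for illustration. It refuses to touch a defaults.json that does not parse (for example after a hand edit left a trailing comma) and replaces the file atomically, so the CA URL and root fingerprint already stored there are never lost.

```python
import json
import os
import tempfile


def set_default_issuer(defaults_path, issuer):
    """Hypothetical helper: add or update "issuer" in a step defaults.json."""
    with open(defaults_path, encoding="utf-8") as fh:
        # json.load raises ValueError on malformed input, so a broken
        # config is reported instead of being silently overwritten.
        config = json.load(fh)
    if not isinstance(config, dict):
        raise ValueError("defaults.json must contain a JSON object")
    if not isinstance(issuer, str) or not issuer.strip():
        raise ValueError("issuer must be a non-empty provisioner name")

    config["issuer"] = issuer  # ca-url, fingerprint, root, ... are kept as-is

    # Write a temp file in the same directory and rename it over the
    # original, so an interrupted write cannot leave a truncated config.
    directory = os.path.dirname(os.path.abspath(defaults_path))
    mode = os.stat(defaults_path).st_mode & 0o777
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            json.dump(config, tmp, indent=2)
            tmp.write("\n")
        os.chmod(tmp_path, mode)  # keep the original file permissions
        os.replace(tmp_path, defaults_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return config


def demo():
    """Run the helper on a constructed defaults.json in a temp directory."""
    sample = {"ca-url": "https://ca.example.test",  # constructed value
              "fingerprint": "abc123dc7a8070b9c6577b40",
              "redirect-url": ""}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "defaults.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        set_default_issuer(path, "okta")
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
```

On a real workstation, pass the path printed by `$(step path)/config/defaults.json` and the provisioner name noted from the selection menu.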