Users can assign a default provisioner key (issuer) to bypass the Provisioner key selection menu during ssh login.
If users plan to log into SSH with the same authentication method (e.g., OIDC via Okta, Google, Azure AD), they can bypass the Provisioner key selection menu that is typically presented when logging into Smallstep SSH.
Example of Provisioner key selection menu:

```
user@domain:~$ step ssh login
Use the arrow keys to navigate: ↓ ↑
What provisioner key do you want to use?
▸ SSH POP (SSHPOP)
okta (OIDC) [client: abc123xyzdef456lmnop]
Service Account (K8sSA)
```

You can bypass the Provisioner key selection by adding an additional `issuer` attribute to the user's own `$(step path)/config/defaults.json` file.
- Run `step ssh logout` to remove all existing identities, which will trigger the Provisioner key selection menu the next time you log in.
- Run `step ssh login` and note which Provisioner key value you wish to make a default.
- Open the user's `defaults.json` file (`$(step path)/config/defaults.json`) to edit it.
- Add a new key-value pair with the key `"issuer"` and a value which typically (if OIDC) will be one of `okta`, `gsuite` or `azure`. Save the `defaults.json` file.
- Run `step ssh login` and you should immediately get the OIDC auth challenge flow instead of the Provisioner key selection menu.
Example `defaults.json` with the new attribute:

```json
{
  "ca-url": "https://url-toca.smallstep.com",
  "fingerprint": "abc123dc7a8070b9c6577b40",
  "root": "$STEPHOME\\.step\\certs\\root_ca.crt",
  "redirect-url": "https://smallstep.com/app/teams/team_name/success",
  "issuer": "okta"
}
```

Note the comma separator added after the `redirect-url` line and the new `issuer` key/value, which sets the default provisioner.
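The edit described in the steps above can also be applied without hand-editing, which avoids the comma-separator mistake and keeps the file's permissions intact. This is an added example, not part of the original Smallstep documentation; the function name `set_default_issuer` is hypothetical, and running it as a script assumes the `step` CLI is on `PATH`.

```python
import json
import os
import tempfile


def set_default_issuer(defaults_path, issuer):
    """Set "issuer" in a step defaults.json; return True if the file changed."""
    if not isinstance(issuer, str) or not issuer.strip():
        raise ValueError("issuer must be a non-empty provisioner name")
    with open(defaults_path, encoding="utf-8") as fh:
        config = json.load(fh)  # fails loudly on malformed JSON (e.g. a missing comma)
    if not isinstance(config, dict):
        raise ValueError("defaults.json must contain a JSON object")
    if config.get("issuer") == issuer:
        return False  # already the default; leave the file untouched
    config["issuer"] = issuer

    # Write a temp file in the same directory, then rename it over the original,
    # so an interrupted write never leaves a truncated config behind.
    directory = os.path.dirname(os.path.abspath(defaults_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        # mkstemp creates the file 0600; restore the original file's mode bits.
        os.chmod(tmp_path, os.stat(defaults_path).st_mode & 0o777)
        os.replace(tmp_path, defaults_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return True


if __name__ == "__main__":
    import subprocess
    import sys

    # `step path` prints the step directory referenced as $(step path) above.
    step_dir = subprocess.run(
        ["step", "path"], check=True, capture_output=True, text=True
    ).stdout.strip()
    target = os.path.join(step_dir, "config", "defaults.json")
    changed = set_default_issuer(target, sys.argv[1])
    print("issuer set" if changed else "issuer already set")
```

Run it with the provisioner name as the only argument (for example `okta`), then run `step ssh login` to confirm the selection menu no longer appears.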