Setting up principals in Smallstep SSH Pro


Principal names map to the user's SSH certificate, allowing users to access hosts as that user (e.g. admin, root, intern, consultant). Principals are part of the flow when a user types ssh [hostname].

Prerequisites

  • The host machine has a username that matches the principal. For example, if the principal is consultants, then there needs to be a matching user on the host.

  • Smallstep SSH user groups are configured with one or more principals in the console.

  • The step-cli toolchain, so end users can authenticate and use ssh to access hosts with principal names. (Existing SSH users already have this and can test by running the command step.)

Configuring Smallstep user groups with principals

Navigate to your team's user/groups in the Smallstep console (quick link). Under the Groups tab, click the name of the group you want to modify, then click the 'kebab menu' and select Edit. You can add one or more principals, comma separated. Now save your changes.

End-user Usage

End users may have to request a new certificate. This can be done by running step ssh logout and step ssh login.

Once logged in, the user can type ssh [principal]@[hostname] and the session should log into the host as the principal user, instead of with the username they would typically pass.

Example: ssh intern@192.168.23.2

The session should show their principal username in the destination shell, or when they run whoami.
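To confirm that a newly issued certificate actually carries the expected principal before connecting, the principal list can be read from `ssh-keygen -L` output. This is an added example, not Smallstep's own tooling; the function names, the sample user jane and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the principals out of `ssh-keygen -L` output.

# Print one principal per line from `ssh-keygen -L` text on stdin.
cert_principals() {
    awk '
        # Start of the list; "Principals: (none)" has no entries to read.
        /^[ \t]*Principals:/ { in_p = 1; next }
        # The list ends at the next certificate field.
        in_p && /^[ \t]*(Critical Options|Extensions):/ { in_p = 0 }
        in_p {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") print
        }
    '
}

# Succeed only if principal $1 is listed in the certificate text on stdin.
# grep -Fx matches whole lines, so "intern" does not match "interns".
cert_has_principal() {
    cert_principals | grep -Fxq -- "$1"
}

# Constructed sample in the layout `ssh-keygen -L` prints (not a real cert).
sample_cert_text() {
    cat <<'EOF'
/home/jane/.ssh/id_ecdsa-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:CONSTRUCTED
        Signing CA: ECDSA SHA256:CONSTRUCTED (using ecdsa-sha2-nistp256)
        Key ID: "jane@example.com"
        Serial: 1
        Valid: from 2024-01-01T09:00:00 to 2024-01-01T17:00:00
        Principals: 
                jane
                intern
        Critical Options: (none)
        Extensions: 
                permit-pty
EOF
}

# Demo on the constructed sample; with a real certificate file, pipe the
# output of `ssh-keygen -L -f <certificate file>` into the functions instead.
if sample_cert_text | cert_has_principal intern; then
    echo "certificate lists principal: intern"
fi
```

If the principal is missing after a group change, the certificate predates the change and a fresh step ssh logout and step ssh login is needed.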
