Assign a default provisioner when logging into Smallstep SSH


Suppose users plan to log into SSH with the same authentication method (e.g., OIDC via Okta, Google, Azure AD). In that case, they can bypass the Provisioner key selection menu.

Example of Provisioner key selection menu:

user@domain:~$ step ssh login

Use the arrow keys to navigate: ↓ ↑
What provisioner key do you want to use?
  ▸ SSH POP (SSHPOP)
    okta (OIDC) [client: abc123xyzdef456lmnop]
    Service Account (K8sSA)

You can bypass the Provisioner key selection by adding the issuer attribute to the user's own $(step path)/config/defaults.json file.

  • Run step ssh logout to remove all existing identities, so that the Provisioner key selection menu is shown the next time you log in.

  • Run step ssh login and note which Provisioner key value you wish to make a default.

  • Edit the user's defaults.json file ($(step path)/config/defaults.json).

  • Add a new key-value pair with the key "issuer" and, as its value, the Provisioner key name noted above; for OIDC provisioners this is typically one of okta, gsuite, or azure. Save the defaults.json file.

  • Run step ssh login and you should immediately get the OIDC auth challenge flow instead of the Provisioner key selection menu.

The following example defaults.json file will trigger the okta flow:

{
  "ca-url": "https://url-toca.smallstep.com",
  "fingerprint": "abc123dc7a8070b9c6577b40",
  "root": "$STEPHOME\\.step\\certs\\root_ca.crt",
  "redirect-url": "https://smallstep.com/app/teams/team_name/success",
  "issuer": "okta"
}

Note the comma added at the end of the "redirect-url" line, which was previously the last entry; "issuer" is the new key-value pair that sets the default provisioner. Backslashes in the "root" path are doubled because a single backslash followed by a letter or period is not a valid JSON escape, and step will refuse to parse the file.
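The procedure above can be scripted so that the chosen issuer is checked against the provisioners the menu actually offers and the file is only rewritten if it is still valid JSON. This is an added example, not Smallstep's own code; the menu text and defaults.json content are constructed inline, and the path of the real file (under $(step path)/config/) is assumed to be passed in by the caller.

```python
# Added example: set a default "issuer" in defaults.json safely.
import json
import os
import re
import tempfile

# Constructed sample inputs, mirroring the menu and file shown in the article.
MENU = """What provisioner key do you want to use?
  ▸ SSH POP (SSHPOP)
    okta (OIDC) [client: abc123xyzdef456lmnop]
    Service Account (K8sSA)
"""
DEFAULTS = '{"ca-url": "https://url-toca.smallstep.com", "fingerprint": "abc123dc7a8070b9c6577b40"}'

# Matches "  ▸ okta (OIDC) [client: ...]" or "    SSH POP (SSHPOP)".
MENU_LINE = re.compile(r"^\s*(?:▸\s*)?(?P<name>.+?)\s+\((?P<type>[A-Za-z0-9]+)\)")


def provisioners(menu_text: str) -> dict:
    """Parse the `step ssh login` selection menu into {name: provisioner type}."""
    found = {}
    for line in menu_text.splitlines():
        m = MENU_LINE.match(line)
        if m:
            found[m.group("name")] = m.group("type")
    return found


def with_default_issuer(defaults_text: str, issuer: str, menu_text: str) -> str:
    """Return defaults.json content with "issuer" set to an OIDC provisioner from the menu."""
    known = provisioners(menu_text)
    if known.get(issuer) != "OIDC":
        raise ValueError(f"{issuer!r} is not an OIDC provisioner in the menu: {known}")
    defaults = json.loads(defaults_text)  # raises ValueError on malformed JSON (e.g. trailing comma)
    if not isinstance(defaults, dict):
        raise ValueError("defaults.json must contain a JSON object")
    defaults["issuer"] = issuer
    return json.dumps(defaults, indent=2) + "\n"


def write_atomically(path: str, content: str) -> None:
    """Write via temp file + rename so a crash never leaves a half-written defaults.json."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".defaults-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    print(with_default_issuer(DEFAULTS, "okta", MENU))
```

Selecting "SSH POP" or passing a file with a trailing comma raises ValueError before anything is written.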
