How do I use Smallstep SSH on hosts behind a proxy server?
step-ssh-ctl uses mTLS to talk to Smallstep's API server—which complicates its use behind a proxy server. It authenticates to the server using the host...
Fri, 29 Apr, 2022 at 1:43 PM
Error: Permission denied (publickey)
This error could indicate that the config did not complete successfully.  To troubleshoot this issue you can run step ssh check-host <hostname>. T...
Mon, 29 Aug, 2022 at 11:23 AM
How to run step ssh on macOS when also using GPG
This assumes you are using step ssh while you also need to use a hardware-backed GPG key (such as a YubiKey) to derive an SSH key and are using gpg-agent. ...
Sun, 1 May, 2022 at 10:52 AM
Invalid Host Enrollment Token
Check that you are using a valid host enrollment token (you can generate or re-generate your token on the Hosts page in your team's dashboard).
Sat, 30 Apr, 2022 at 8:15 AM
How can I use a non-default SSH port?
On your server, add the following line to your /etc/ssh/sshd_config: `Port 628 # change me to your new favorite ssh_port` Whenever you SSH to your serve...
Sat, 30 Apr, 2022 at 7:47 PM
How do I remove step software and configuration from my machines?
For Smallstep SSH clients Depending on your install method, uninstall the step CLI, usually through a package manager uninstall. Delete your step config d...
Tue, 16 Aug, 2022 at 4:23 PM
How does "step-ssh-ctl session" work? What does it do?
step-ssh-ctl session runs via PAM. It registers the beginning and end of a login or sudo session with the Smallstep API, and exits. It reads from PAM_USER, ...
Sat, 30 Apr, 2022 at 8:04 PM
How can I configure hosts for emergency SSH access?
See our blog post SSH Emergency Access for instructions on adding offline CAs for emergency access.
Sat, 30 Apr, 2022 at 8:22 PM
How can I limit SSHD to only use certificate authentication?
If you only want certificate logins (via TrustedUserCAKeys CAs), set the following in sshd_config: `AuthorizedKeysFile none` and `PasswordAuthentication no`
Sat, 30 Apr, 2022 at 8:10 PM
How to map/shorten hostnames for SSH connections
When SSH exec's `step ssh check-host ...` under the hood, it only accepts the host's full FQDN as a valid input.  $ step ssh check-host 1234 ; e...
Thu, 19 May, 2022 at 1:14 PM