SSH Professional

Adding Principals to certificates via Groups
Shared credentials might be restricted by most Information Security Policies, but they are still necessary for specific use cases in most organizations. Not o...
Wed, 1 Mar, 2023 at 9:54 AM
How do I use Smallstep SSH on hosts behind a proxy server?
step-ssh-ctl uses mTLS to talk to Smallstep's API server—which complicates its use behind a proxy server. It authenticates to the server using the host...
Fri, 29 Apr, 2022 at 1:43 PM
Error: Permission denied (publickey)
This error could indicate that the config did not complete successfully.  To troubleshoot this issue you can run step ssh check-host <hostname>. T...
Mon, 29 Aug, 2022 at 11:23 AM
How to run step ssh on macOS when also using GPG
This assumes you are using step ssh while you also need to use a hardware-backed GPG key (such as a YubiKey) to derive an SSH key and are using gpg-agent. ...
Sun, 1 May, 2022 at 10:52 AM
Invalid Host Enrollment Token
Check that you are using a valid host enrollment token (you can generate or re-generate your token on the Hosts page in your team's dashboard).
Sat, 30 Apr, 2022 at 8:15 AM
How can I use a non-default SSH port?
On your server, add the following line to your /etc/ssh/sshd_config:
    Port 628 # change me to your new favorite ssh_port
Whenever you SSH to your serve...
Sat, 30 Apr, 2022 at 7:47 PM
How do I remove step software and configuration from my machines?
For Smallstep SSH clients: Depending on your install method, uninstall the step CLI, usually through a package manager uninstall. Delete your step config d...
Tue, 16 Aug, 2022 at 4:23 PM
How does "step-ssh-ctl session" work? What does it do?
step-ssh-ctl session runs via PAM. It registers the beginning and end of a login or sudo session with the Smallstep API, and exits. It reads from PAM_USER, ...
Sat, 30 Apr, 2022 at 8:04 PM
How can I configure hosts for emergency SSH access?
See our blog post SSH Emergency Access for instructions on adding offline CAs for emergency access.
Sat, 30 Apr, 2022 at 8:22 PM
How can I limit SSHD to only use certificate authentication?
If you only want certificate logins (via TrustedUserCAKeys CAs), set the following in sshd_config:
    AuthorizedKeysFile none
    PasswordAuthentication no
Sat, 30 Apr, 2022 at 8:10 PM