PingOne Privilege

Configuring certificate-based SSH

To enable passwordless access, you can configure your managed servers to trust SSH connections that are authenticated by short-lived certificates issued by PingOne Privilege. This process must be completed on each target server that you want to access via SSH.

Automation tools such as Ansible, Terraform, or custom scripting can help you apply these changes consistently across all your servers.

Step 1: Retrieve the PingOne Privilege SSH CA Public Key

First, you need to get the SSH Certificate Authority (CA) public key for your tenant. You can do this through the admin console or via an API call.

Method A: Using the Admin Console

  1. In the PingOne Privilege admin console, go to Accounts.

  2. Select the appropriate account and click View Public Key.

  3. Copy the public key content.

Method B: Using the API

You can use a curl command to fetch the key from the API endpoint. This method is ideal for automation.

  • For standard environments:

    $ curl https://console.tun.procyon.ai/api/{tenant}/v1/sshca

  • If VPN interop mode is enabled:

    $ curl https://local.procyon.ai:8643/api/{tenant}/v1/sshca

Replace {tenant} with your actual tenant name in the URL.

Step 2: Configure the Target Server

Next, apply the configuration to each target server.

  1. Connect to the server using a standard SSH client.

  2. Create a file to store the public key, for example /etc/ssh/ca.pub, and paste the CA public key you retrieved in the previous step into it.

  3. Open the SSH daemon’s configuration file for editing. On most Linux distributions, this file is located at /etc/ssh/sshd_config.

    $ sudo vi /etc/ssh/sshd_config

  4. Add the TrustedUserCAKeys directive to the file, pointing to the CA public key file you just created.

    # Add this line to sshd_config
    TrustedUserCAKeys /etc/ssh/ca.pub

    Ensure the path in this directive exactly matches the location where you saved the ca.pub file.

  5. Save your changes to the sshd_config file.

  6. Restart the SSH daemon to apply the new configuration. The command can vary depending on your operating system.

    For systems using systemd:

    $ sudo systemctl restart sshd

    For older systems, you might use:

    $ sudo service sshd restart

Your server is now configured to trust SSH certificates from PingOne Privilege.
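The script below is an added example, not part of the PingOne Privilege documentation or tooling. It carries Step 1 (Method B) and Step 2 through as one idempotent POSIX shell script of the kind the automation note above refers to, so it can be run repeatedly on each target server. The function names, the placeholder key, and the file paths are this example's own choices; it assumes curl is installed, that it is run as root on the target server, and that the standard-environment API URL from Step 1 applies. The placeholder key exists only so the script's own functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not PingOne's own tooling): apply the SSH CA trust
# configuration from Steps 1 and 2 to one target server, idempotently.
# Run as root on the server:  sh configure-ssh-ca.sh apply <tenant>
set -eu

# Constructed placeholder key, used only for offline checks of the helpers;
# a real deployment fetches the tenant key with fetch_ca_key instead.
SAMPLE_CA_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLAC pingone-privilege-ca'

# Step 1, Method B: fetch the tenant's SSH CA public key (standard-environment URL).
# $1 = tenant name. -f makes an HTTP error abort instead of saving an error page as a "key".
fetch_ca_key() {
  curl -fsS "https://console.tun.procyon.ai/api/$1/v1/sshca"
}

# Step 2.2: write the CA public key to its file, world-readable.
# $1 = destination path, $2 = key text.
install_ca_key() {
  umask 022
  printf '%s\n' "$2" > "$1"
  chmod 644 "$1"
}

# Step 2.4: set TrustedUserCAKeys in sshd_config exactly once.
# An existing directive (active or commented out) is rewritten in place;
# otherwise one is appended. $1 = sshd_config path, $2 = CA key file path.
set_trusted_ca() {
  cfg="$1"; ca="$2"
  pattern='^[[:space:]]*#?[[:space:]]*TrustedUserCAKeys[[:space:]]'
  if grep -Eq "$pattern" "$cfg"; then
    tmp="$cfg.tmp.$$"
    sed -E "s|${pattern}.*|TrustedUserCAKeys ${ca}|" "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
  else
    printf '\n# Trust user certificates issued by PingOne Privilege\nTrustedUserCAKeys %s\n' "$ca" >> "$cfg"
  fi
}

# Print the path currently configured in TrustedUserCAKeys; exit 1 if absent.
# Used to confirm the directive matches the key file, as Step 2.4 requires.
trusted_ca_path() {
  awk '$1 == "TrustedUserCAKeys" { print $2; found = 1 } END { exit !found }' "$1"
}

# Steps 2.5 and 2.6: validate the daemon configuration before restarting, so a
# bad edit cannot leave the host without a working sshd, then restart.
restart_sshd() {
  sshd -t
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd
  else
    service sshd restart
  fi
}

# Full procedure for one server. $1 = CA public key text.
configure_server() {
  install_ca_key /etc/ssh/ca.pub "$1"
  set_trusted_ca /etc/ssh/sshd_config /etc/ssh/ca.pub
  [ "$(trusted_ca_path /etc/ssh/sshd_config)" = /etc/ssh/ca.pub ]
  restart_sshd
}

if [ "${1:-}" = "apply" ]; then
  configure_server "$(fetch_ca_key "$2")"
fi
```

The `sshd -t` check before the restart is the step worth keeping even if you adapt nothing else: a mistyped directive or path in sshd_config is otherwise discovered only when the daemon fails to come back and the server can no longer be reached over SSH.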