A new platform for documentation and tutorials is launching soon.
We are migrating Vault documentation into HashiCorp Developer, our new developer experience.
ssh command establishes an SSH connection with the target machine.
This command uses one of the SSH secrets engines to authenticate and automatically establish an SSH connection to a host. This operation requires that the SSH secrets engine is mounted and configured.
The user must have
ssh installed locally - this command will exec out to it
with the proper commands to provide an "SSH-like" consistent experience.
SSH using the OTP mode (requires sshpass for full automation):
$ vault ssh -mode=otp -role=my-role firstname.lastname@example.org
SSH using the CA mode:
$ vault ssh -mode=ca -role=my-role email@example.com
SSH using CA mode with host key verification:
$ vault ssh \ -mode=ca \ -role=my-role \ -host-key-mount-point=host-signer \ -host-key-hostnames=example.com \ firstname.lastname@example.org
For step-by-step guides and instructions for each of the available SSH auth methods, please see the corresponding SSH secrets engine.
The following flags are available in addition to the standard set of flags included on all commands.
(string: "")- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.
(string: "table")- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the
(string: "")- Name of the authentication mode (ca, dynamic, otp)."
(string: "ssh/")- Mount point to the SSH secrets engine.
(bool: false)- Print the generated credentials, but do not establish a connection.
(string: "")- Name of the role to use to generate the key.
(string: "")- Value to use for the SSH configuration option "StrictHostKeyChecking". The default is ask. This can also be specified via the
(string: "~/.ssh/known_hosts")- Value to use for the SSH configuration option "UserKnownHostsFile". This can also be specified via the
»CA Mode Options
(string: "*")- List of hostnames to delegate for the CA. The default value allows all domains and IPs. This is specified as a comma-separated list of values. This can also be specified via the
(string: "")- Mount point to the SSH secrets engine where host keys are signed. When given a value, Vault will generate a custom "known_hosts" file with delegation to the CA at the provided mount point to verify the SSH connection's host keys against the provided CA. By default, host keys are validated against the user's local "known_hosts" file. This flag forces strict key host checking and ignores a custom user known hosts file. This can also be specified via the
(string: "~/.ssh/id_rsa")- Path to the SSH private key to use for authentication. This must be the corresponding private key to
(string: "~/.ssh/id_rsa.pub")- Path to the SSH public key to send to Vault for signing.