
SSH Key Management

Eliminate SSH key sprawl. Replace static keys with short-lived certificates for secure, manageable server access.

Estimated time: 20 minutes

Why Certificate-Based SSH

  • Eliminate key sprawl
  • No authorized_keys management
  • Automatic key expiration
  • Complete access visibility
  • Instant access revocation
  • No shared keys
  • Works with existing tools
  • Full audit trail

Configuration Steps

1. Deploy SSH CA

Configure the SSH certificate authority.

tacctl create -f - <<EOF
kind: cert_authority
metadata:
  name: user-ca
spec:
  type: user
  cluster_name: company-cluster
  key_type: ecdsa-sha2-nistp256
EOF

2. Configure Servers for Certificate Auth

Deploy agents on SSH servers.

# On each server
tigeraccess start --roles=agent \
  --auth-server=auth.company.com:3025 \
  --labels=env=production,team=platform

# Or configure sshd manually
# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/tigeraccess/user-ca.pub
# %u expands to the requested login, so /etc/tigeraccess/principals/ubuntu
# lists the certificate principals permitted to log in as "ubuntu"
AuthorizedPrincipalsFile /etc/tigeraccess/principals/%u

3. Define SSH Access Roles

Configure who can access which servers.

tacctl create -f - <<EOF
kind: role
metadata:
  name: developer
spec:
  allow:
    logins: [ubuntu, ec2-user]
    node_labels:
      env: [dev, staging]

  options:
    max_session_ttl: 8h
    forward_agent: true
EOF

4. Discover Existing SSH Keys

Audit and inventory existing SSH keys.

# Scan for existing keys
tacctl ssh-keys discover --hosts=inventory.txt

# List discovered keys
tacctl ssh-keys ls

# Generate migration report
tacctl ssh-keys report --format=csv > ssh-keys-audit.csv

5. Use Certificate-Based SSH

Replace SSH keys with certificates.

# Login and get certificate
tac login

# Connect using certificate (automatic)
tac ssh user@server

# Or with native SSH client
tac config --proxy=access.company.com
ssh user@server

# Certificate details
tac status
# Shows certificate valid for 8h, principals: [ubuntu, ec2-user]
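The following is an added, self-contained model of the decisions behind steps 2, 3 and 5; it is illustrative code, not the product's implementation. It assumes the role semantics shown above (logins and node_labels grant access, max_session_ttl caps the certificate lifetime) and the sshd side of TrustedUserCAKeys plus AuthorizedPrincipalsFile %u, with signature verification left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time

@dataclass
class Role:
    name: str
    logins: list            # OS accounts the role may log in as
    node_labels: dict       # label -> list of permitted values
    max_session_ttl: timedelta

@dataclass
class Cert:
    principals: list        # logins the CA placed in the certificate
    valid_after: datetime
    valid_before: datetime

# The developer role from step 3, as constructed sample data.
DEVELOPER = Role("developer", ["ubuntu", "ec2-user"],
                 {"env": ["dev", "staging"]}, 8 * HOUR)

def node_matches(role, node_labels):
    """A node matches when every label the role names carries a permitted value."""
    return all(node_labels.get(k) in vals for k, vals in role.node_labels.items())

def login_allowed(roles, node_labels, login):
    """Agent-side check: some role of the user matches the node and permits the login."""
    return any(node_matches(r, node_labels) and login in r.logins for r in roles)

def issue_cert(roles, requested_ttl, now):
    """CA side: principals are the union of the roles' logins; the lifetime is
    capped by the smallest max_session_ttl among the user's roles."""
    principals = sorted({login for r in roles for login in r.logins})
    ttl = min([requested_ttl] + [r.max_session_ttl for r in roles])
    return Cert(principals, now, now + ttl)

def sshd_accepts(cert, principals_file, now):
    """Server side (TrustedUserCAKeys + AuthorizedPrincipalsFile %u): the
    certificate must be inside its validity window and one of its principals
    must appear in the principals file for the requested login."""
    if not (cert.valid_after <= now < cert.valid_before):
        return False
    listed = {ln.strip() for ln in principals_file.splitlines()
              if ln.strip() and not ln.startswith("#")}
    return bool(listed & set(cert.principals))
```

Note that the production server enrolled in step 2 (env=production) is not reachable through the developer role, which only matches dev and staging nodes.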

SSH Key Management Enabled

With certificate-based SSH configured, you have:

  • No more managing authorized_keys files
  • Short-lived certificates that auto-expire
  • Instant revocation when users leave
  • Complete audit trail of all SSH access