Deploy authentik Agent on Linux
What it can do
- Retrieves information about the host and reports it to authentik, see Device Compliance.
- SSH to Linux hosts using authentik credentials, see SSH authentication.
- Authenticate CLI applications using authentik credentials, see CLI application authentication.
Prerequisites
You must configure your authentik deployment to support the authentik Agent.
Create an enrollment token
If you have already created an enrollment token, skip to the next section.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Endpoint Devices > Connectors.
- Click on the authentik Agent connector that you created when configuring your authentik deployment to support the authentik Agent.
- Under Enrollment Tokens, click Create, and configure the following settings:
  - Token name: provide a descriptive name for the token
  - Device group (optional): select a device access group for the device to be added to after completing enrollment
  - Expiring (optional): set whether or not the enrollment token will expire
- Click Create.
- (Optional) Click the Copy icon in the Actions column to copy the enrollment token. This value will be required if enabling a device for device compliance.
Install the authentik Agent on Linux
Follow these steps to install the authentik Agent on your Linux device:
Instructions are provided for Debian-based and RedHat-based distributions.
Debian-based:
- Open a Terminal session and install the required GPG key:
curl -fsSL https://pkg.goauthentik.io/keys/gpg-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/authentik-keyring.gpg
- Add the repository:
echo "deb [signed-by=/usr/share/keyrings/authentik-keyring.gpg] https://pkg.goauthentik.io stable main" | sudo tee /etc/apt/sources.list.d/authentik.list
- Update your repositories and install the authentik Agent packages:
sudo apt update
sudo apt install authentik-cli authentik-agent authentik-sysd
- Confirm that the authentik Agent is installed by opening a terminal window and entering the following command:
ak
You should see a response that starts with:
authentik CLI v<version_number>
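The Debian-based key step above pipes the download straight into the keyring, and apt then trusts every key in that file. The following is an added example, not part of the authentik documentation, that checks the key's fingerprint before installing it; `EXPECTED_FPR` is a placeholder for a value you obtain from the vendor over a separate channel, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not authentik's own tooling.
# EXPECTED_FPR is a placeholder: get the real value over a separate channel.
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND"
KEY_URL="https://pkg.goauthentik.io/keys/gpg-key.asc"
KEYRING="/usr/share/keyrings/authentik-keyring.gpg"

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key
# fingerprint (the first "fpr" record after a "pub" record).
primary_fpr() {
  awk -F: '$1=="pub"{p=1; next} p && $1=="fpr"{print $10; exit}'
}

# Succeed only if the listing on stdin holds exactly one primary key
# and its fingerprint equals $1. Extra keys in the file are rejected.
key_matches() {
  local listing want got pubs
  listing=$(cat)
  want=$(normalize_fpr "$1")
  pubs=$(printf '%s\n' "$listing" | awk -F: '$1=="pub"{n++} END{print n+0}')
  got=$(printf '%s\n' "$listing" | primary_fpr)
  [ "$pubs" -eq 1 ] && [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$want" ]
}

# Download to a temp file, verify, and only then write the keyring.
install_authentik_key() {
  local tmp
  tmp=$(mktemp) || return 1
  curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if gpg --show-keys --with-colons "$tmp" | key_matches "$EXPECTED_FPR"; then
    sudo gpg --yes -o "$KEYRING" --dearmor "$tmp"
  else
    echo "fingerprint mismatch or unexpected extra keys; key not installed" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}
```

Source the file and run `install_authentik_key` in place of the `curl ... | sudo gpg --dearmor` command, then continue with the repository step.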
RedHat-based:
- Open a Terminal session and run the following command to add the authentik repo and associated GPG key:
# This overwrites any existing configuration in /etc/yum.repos.d/authentik.repo
cat <<EOF | sudo tee /etc/yum.repos.d/authentik.repo
[authentik]
name=authentik
baseurl=https://pkg.goauthentik.io
enabled=1
gpgcheck=1
gpgkey=https://pkg.goauthentik.io/keys/gpg-key.asc
EOF
- Run the following command to refresh metadata and install the authentik Agent packages:
sudo yum install -y authentik-cli authentik-agent authentik-sysd
- Confirm that the authentik Agent is installed by opening a terminal window and entering the following command:
ak
You should see a response that starts with:
authentik CLI v<version_number>
Enable device compliance, SSH server authentication, and local device login
To enable device compliance features and allow the device to accept SSH connections, you must join the device to an authentik domain.
- Open a Terminal session and run the following command:
sudo ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
deployment_name is the name that will be used to identify the authentik deployment on the device.
https://authentik.company is the fully qualified domain name of the authentik deployment.
- You will be prompted to enter your enrollment token.
- Once provided, the device will be enrolled with your authentik deployment and should appear on the Devices page after a check-in is completed.
Enable SSH client authentication and CLI application authentication
To enable initiating SSH connections and CLI application authentication, the device must be connected to an authentik deployment. To do so, follow these steps:
- Open a Terminal session and run the following command:
ak config setup --authentik-url https://authentik.company
- Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
Logging
authentik Agent logs are available via the system journal (systemd) or syslog, depending on the distribution.