SSH authentication
You can use the authentik Agent to authenticate SSH connections between endpoint devices using authentik credentials.
Currently, only Linux devices can serve as SSH endpoints. See the Configure SSH authentication on an endpoint device section for more details.
When connected to an endpoint device in this way, sudo authorization can be handled by the authentik Agent.
Prerequisites
- The authentik Agent must be deployed on both the source and SSH target devices.
- The target device must be configured; see the Configure SSH authentication on an endpoint device section below.
How to SSH to an endpoint device
To SSH to a configured Linux host using the authentik Agent:
- Open a Terminal session and run the following command:
ak ssh <hostname>
- If not already authenticated, you will be prompted for authentik credentials.
- Once authenticated, the SSH session will connect.
Configure SSH authentication on an endpoint device
For a Linux endpoint device to accept SSH connections using authentik credentials, you need to install the libpam-authentik package in addition to the authentik Agent. This package is a PAM module that provides token-based and interactive authentication via authentik.
Authentication is only possible if the Linux device is aware of the authentik user that is attempting to authenticate. This can be achieved in one of two ways:
- Provision user accounts - Create users on the Linux device with usernames that match the authentik users that need to authenticate to the device. This can be done manually or via automation tools like Ansible.
- libnss-authentik - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users, similar to adding a Linux device to an Active Directory or LDAP domain.
Install the libpam-authentik package (required)
You must have already deployed and configured the authentik Agent on the device.
Run the following command to install the libpam-authentik package:
sudo apt install libpam-authentik
Install the libnss-authentik package (optional)
Run the following command to install the libnss-authentik package:
sudo apt install libnss-authentik
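To confirm the prerequisites above on a target device before attempting a connection, the following added example (not part of the authentik documentation or tooling) checks that libpam-authentik is installed and that the user resolves on the host. The function names and the GETENT / DPKG_QUERY override variables are hypothetical, and the script assumes a dpkg-based system and, if libnss-authentik is used, that the module is enabled for passwd lookups.

```sh
#!/bin/sh
# Added example: preflight check for an SSH target device (not authentik code).
# Command names are overridable so the logic can be exercised without dpkg.
: "${GETENT:=getent}" "${DPKG_QUERY:=dpkg-query}"

# Succeeds if the account resolves through NSS (a local passwd entry or an NSS
# module such as libnss-authentik; assumes the module is enabled for passwd).
user_known() {
    "$GETENT" passwd "$1" >/dev/null 2>&1
}

# Succeeds only if dpkg reports the package as fully installed.
pkg_installed() {
    pkg_status=$("$DPKG_QUERY" -W -f='${Status}' "$1" 2>/dev/null) || return 1
    [ "$pkg_status" = "install ok installed" ]
}

# preflight USERNAME: report each prerequisite, return non-zero if any is unmet.
preflight() {
    rc=0
    if pkg_installed libpam-authentik; then
        echo "ok:   libpam-authentik is installed"
    else
        echo "FAIL: libpam-authentik is missing (required)"
        rc=1
    fi
    if user_known "$1"; then
        echo "ok:   user '$1' resolves on this host"
    elif pkg_installed libnss-authentik; then
        echo "FAIL: libnss-authentik is installed but '$1' does not resolve"
        rc=1
    else
        echo "FAIL: '$1' is not provisioned and libnss-authentik is not installed"
        rc=1
    fi
    return "$rc"
}

# Run the check when a username is given on the command line.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it on the target device with the authentik username as the only argument; a non-zero exit status means at least one prerequisite is unmet.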