SSH Configuration

SSH Legacy Algorithm

As both classic SSH and RDP access are based on SSH certificates, to support legacy algorithms for SSH signing, you can set the SSH Legacy Algorithm to true via the CLI to sign SSH certificates using the legacy '[email protected]' signing algorithm.

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.

akeyless gateway update remote-access --legacy-ssh-algorithm true --gateway-url <your-gateway-url:8000>

Key Exchange Algorithm

A Key Exchange Algorithm is a method used to securely exchange cryptographic keys between parties over an insecure channel such as a public network. The primary goal of these algorithms is to enable two or more parties to securely establish a shared secret key, which can then be used for encrypting and decrypting messages during communication.

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.

akeyless gateway update remote-access --kexalgs <algorithm-name> --gateway-url <your-gateway-url:8000>

The options for this are:

• curve25519-sha256
• diffie-hellman-group-exchange-sha1
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group18-sha512
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

Concurrent Unauthenticated Connections

To specify the maximum number of concurrent unauthenticated connections to the SSH component, set the CONFIG_MAX_STARTUPS variable:

CONFIG_MAX_STARTUPS="200:30:300"

SSH Fingerprint

Use this parameter to store fingerprint information in a specific folder within your Akeyless account. This approach prevents the need to manually re-accept the SSH host key fingerprint after upgrades or other changes. In the example below, the fingerprints will be stored in the /MY_SSH_REMOTE_ACCESS_HOST_KEYS folder.

📘

Permissions

Ensure your remote access default Auth Method has the following permissions on that folder: create,read, list

SSH_HOST_KEYS_PATH=/MY_SSH_REMOTE_ACCESS_HOST_KEYS

RDP / SSH User Acces

Set the RDP / SSH Authentication with the relevant attribute that exists inside your IDP JWT, e.g. email, to set the connection to your target server using the current authenticated username. This can be done as follows from the CLI.

RDP:

akeyless gateway update remote-access --rdp-target-configuration <your-sub-claim> --ssh-target-configuration <your-sub-claim>

SSH:

akeyless gateway update remote-access --ssh-target-configuration <your-sub-claim> --ssh-target-configuration <your-sub-claim>

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access

This will take effect on all SSH-based sessions, both for RDP and Linux-based systems.

Support for Other Keyboard Layouts

To enable a keyboard layout in your remote sessions (ie Windows), use the following command (the default is en-us-qwerty):

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access

akeyless gateway update remote-access --keyboard-layout <layout-option>

value: da-dk-qwerty # Danish (Qwerty)
value: de-ch-qwertz # Swiss German (Qwertz)
value: de-de-qwertz # German (Qwertz)
value: en-gb-qwerty # UK English (Qwerty)
value: en-us-qwerty # US English (Qwerty) default
value: es-es-qwerty # Spanish (Qwerty)
value: es-latam-qwerty # Latin American (Qwerty)
value: fr-be-azerty # Belgian French (Azerty)
value: fr-ch-qwertz # Swiss French (Qwertz)
value: fr-fr-azerty # French (Azerty)
value: hu-hu-qwertz # Hungarian (Qwertz)
value: it-it-qwerty # Italian (Qwerty)
value: ja-jp-qwerty # Japanese (Qwerty)
value: no-no-qwerty # Norwegian (Qwerty)
value: pl-pl-qwerty # Polish (Qwerty)
value: pt-br-qwerty # Portuguese Brazilian (Qwerty)
value: sv-se-qwerty # Swedish (Qwerty)
value: tr-tr-qwerty # Turkish-Q (Qwerty)

For further configuration, please refer to the Akeyless official repository.