The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.


SSH Bastion

Akeyless SSH Bastion

SSH Bastion aims to traffic connections to servers that are not directly accessible via SSH, but instead directed through a bastion host, which proxies the connection between the SSH client and the remote servers.

Akeyless SSH bastion is based on a Docker container with two main features:

  • Support SSH signed certificate authentication with a simple setup
  • Can record all SSH sessions traffic, and expose them to the filesystem for log forwarding

command structure - host port:docker port
ports: (-p)

  • 9900 - Akeyless Restful API
  • 22 - SSH port

volumes: (-v)
-v {local_path}::/var/akeyless/conf/logand.conf ports: (-p) - configure your SSH log forwarding, see also SSH Log Forwarding
-v {local_path}::/var/akeyless/creds ports: (-p) - location of the credentials
-v <host_filesystem_logs>:/tmp/ssh_logs - logs are written to this directory

Bastion Installation

As mentioned before, the Akeyless SSH bastion is based on docker, so it's very simple to spin it up:

docker pull akeyless/ssh-proxy 
docker run -d -p<host_ssh_port>:22 -p -v <host_filesystem_creds>:/var/akeyless/creds -v <host_filesystem_logs>:/tmp/ssh_logs -v <conf_file>:/var/akeyless/conf/logand.conf akeyless/ssh-proxy:latest


docker pull akeyless/ssh-proxy 
docker run -d -p -p -v ~/ssh-proxy/creds:/var/akeyless/creds -v ~/ssh-proxy/logs:/tmp/ssh_logs -v ~/ssh/log_forwarding.conf:/var/akeyless/conf/logand.conf akeyless/ssh-proxy:latest


Please Note

If you wish to configure log forwarding for Syslog, Spunk, ELK / Logstash, and ELK Elasticsearch, please follow the relevant instructions.


Please Note

host_filesystem_creds - Make sure to keep your CA public key here, the file must be named
host_filesystem_logs - All the SSH sessions will be recorded here, file per session

Configure Target Server

Now configure the target remote server you wish to authenticate to, by completing the following steps:

  • Place your CA public key ( in the remote server under /etc/ssh/
  • Now configure your remote server to trust it by adding this line in /etc/ssh/sshd_config: TrustedUserCAKeys /etc/ssh/
  • Run the following command in the remote server: systemctl restart sshd
  • Run the following command, and make sure you replace remote_user and remote_server_host with the right values:
./akeyless-ssh <remote_user>@<remote_server_host> via localhost:2223 --cert-issuer-name akeyless-ssh-cert --profile ldap-compose

SSH Client Authentication Via Bastion

Use akeyless-ssh script to perform SSH authentication to the target server via Akeyless Proxy:

./akeyless-ssh <[email protected][:port]> via <bastion-server[:port]> --cert-issuer-name

After a successful login you should see Akeyless logo in the terminal, this indicates you managed to login via Akeyless bastion.

Updated 2 months ago

SSH Bastion

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.