The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.


SSH Access

Certificate authentication eliminates key approval and distribution. Instead of scattering public keys across static files, you bind a public key to a name with a certificate.

Akeyless SSH Secure Remote Access enables traffic connections to servers that are not directly accessible via SSH, but instead directed through a bastion host, which proxies the connection between the SSH client and the remote servers. In addition, you can record all SSH sessions traffic, and expose them to the filesystem for log forwarding


Legacy mode

For legacy applications that do not support SSH certificate, Akeyless offers a unique hybrid solution which involves certificates and keys. For more details, please refer to Legacy mode section at the bottom of this page.


To enable Secure Remote Access for SSH servers you need:

Set Up Remote Access to an SSH server from the Akeyless CLI

Let's set up remote access to an SSH server using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.

  1. Run the update-item command to set the following fields on the SSH Certificate Issuer item:
$ akeyless update-item --name <SSH Cert Issuer Name > /
--secure-access-enable true /
--secure-access-bastion-api <SSH Bastion control API endpoint URL> /
--secure-access-bastion-ssh  <SSH Bastion server IP and Port> /
--secure-access-ssh-creds-user <SSH username > /


  • secure-access-bastion-api: SSH Bastion control API endpoint URL. (Default port 9900).
  • secure-access-bastion-ssh: SSH Bastion server IP and Port . (Default port 2222).
  • secure-access-ssh-creds-user: SSH username to connect to target server, based on 'Allowed Users' list.

Set Up Remote Access to an SSH server from the Akeyless Console

Let's set up remote access to an SSH server from the Akeyless Console. If you'd prefer, see how to do this from Akeyless CLI instead.

  1. Log in to the Akeyless Console and go to Secrets & Keys.

  2. Select the SSH Cert Issuer item that specifies the SSH server details and access credentials.

  3. Expend the Secure Remote Access menu, select the pencil icon and enable the Secure Remote Access ,then fill the following fields:

  • Host(s) : The hostname (or IP address) of your SSH target servers.
  • Bastion API URL : SSH Bastion control API endpoint URL. (Default port 9900).
  • Bastion SSH : SSH Bastion server IP and Port . (Default port 2222).
  • Username : SSH username to connect to target server, based on 'Allowed Users' list.
  1. To the right of the Enable Secure Remote Access field, select the tick mark icon to save your changes.

Akeyless Secure Access from CLI

Akeyless enables CLI access from any UNIX terminal.



Starting from Windows 10, Microsoft supports native feature "Windows subsystem for Linux".
This feature enable users to utilize their Windows OS environment as a UNIX like system.

To work with Akeyless connect command from Windows machine, place the .akeyless-connect.rc script on your home directory.

  1. Download and install the latest version of Akeyless CLI.

  2. Create your ~/.akeyless-connect.rc :

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for akeyles-connect Secure Remote Access
# it should be located in user home directory named .akeyless-connect.rc

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# AKEYLESS_PROFILE - Akeyless CLI profile to be used

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages

# Allow using external (OS) ssh client
  1. Use akeyless connect command to perform SSH authentication to the target server via Akeyless Professional Bastion :
akeyless connect -t  <[[email protected]]target/hostname/ip[:port]> -n [/path/to/dynamic-secret] -v <bastion-hostname/ip[:port]>

Legacy Mode



SSH password authentication brings with it risks. Please make sure you are connecting to the correct target server.

To support legacy applications, Akeyless enables an hybrid mode based on SSH certificates and SSH keys. Where your client will connect to Akeyless Professional bastion via SSH certificate, and Akeyless Professional bastion will utilize your SSH keys\password to connect to your legacy server.

In order to work with SSH keys, you will have to create a static secret in Akeyless vault, to store your SSH private key, or SSH password. i.e. the secret value should be either your SSH password, or your SSH private key.

To enable Secure SSH Access for your target, set the following fields on your secret:

Run the update-item command to set the following fields on the static secret that stores the ssh password or private key details:

$ akeyless update-item --name <Path/to/static/secret> /
--secure-access-enable true /
--secure-access-ssh-creds  <[password/private-key> /
--secure-access-bastion-issuer </Path/of/SSH Cert Issuer> /
--secure-access-host <Target SSH server >


  • secure-access-ssh-creds: Static-Secret values contains SSH Credentials, either Private Key or Password [password/private-key].
  • *secure-access-bastion-issuer ** Path to the SSH Certificate Issuer for your Akeyless Bastion.
  • secure-access-host: Target servers for connections. For multiple values repeat this flag.

Now, you can connect to your target SSH server via Akeyless connect command:

akeyless connect -t  <[[email protected]]target/hostname/ip[:port]> -n [/path/to/secret] -v <professional-bastion-hostname/ip[:port]>

Updated about a month ago

SSH Access

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.