eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-27 18:07:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7fcfb7e67d5df3e8a8a5da170f18fa4c6b98731
authentik/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx
Dominic R 090d09fcdd website: fix typos (#20996)
2026-03-20 16:43:34 +00:00

60 lines
2.8 KiB
Plaintext
Raw Blame History

---
title: SSH authentication
sidebar_label: SSH authentication
tags: [ssh, authentik Agent]
authentik_version: "2025.12.0"
---
You can use the [authentik Agent](../index.mdx) to authenticate SSH connections between endpoint devices using authentik credentials.
Currently, only [Linux](../agent-deployment/linux.mdx) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.
When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.
## Prerequisites
- The [authentik Agent must be deployed](../agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively.
- The target device needs to be configured, see the [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section below.
## How to SSH to an endpoint device
To SSH to a configured [Linux host](../agent-deployment/linux.mdx) using the authentik Agent:
1. Open a Terminal session and run the following command:
```
ak ssh <hostname>
```
2. If not already authenticated, you will be prompted for authentik credentials.
3. Once authenticated, the SSH session will connect.
## Configure SSH authentication on an endpoint device
If you want a Linux endpoint device to support accepting SSH connections using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM module, which provides token-based and interactive authentication via authentik.
Authentication is only possible if the Linux device is aware of the authentik user which is attempting to authenticate. This can be achieved in one of two ways:
1. **Provision user accounts** - Create users on the Linux device with usernames that match authentik users that need to authenticate to the device. This can be done manually or via automation tools like Ansible.
2. **`libnss-authentik`** - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users. Similar to adding a Linux device to an Active Directory or LDAP domain.
### Install the `libpam-authentik` package _(required)_
:::info Prerequisites
You must have already deployed and configured the authentik Agent on the device.
:::
Run the following command to install the `libpam-authentik` package:
```sh
sudo apt install libpam-authentik
```
### Install the `libnss-authentik` package _(optional)_
Run the following command to install the `libnss-authentik` package:
```sh
sudo apt install libnss-authentik
```
Reference in New Issue View Git Blame Copy Permalink