Authentication Methods

This topic describes which methods users can use to authenticate to PSM for SSH.

Supported authentication methods

Users can authenticate to PSM for SSH using any of the following authentication methods:



CyberArk password

You can log onto the Vault with a password that was defined for you in the Vault.


You can log onto the Vault with a user and password that were defined for you in an LDAP directory that is integrated with the Vault.

RADIUS including Challenge - Response

You can log onto the Vault with Radius authentication. After supplying your Vault username and password, if any more logon credentials are required, you will be prompted for them.


You can log onto the Vault with a private SSH key. A corresponding public SSH key must be assigned to your Vault user to allow authentication.

For a description of authenticating with a private SSH key, refer to Privileged Single Sign-On.

Administrators can manage users’ public SSH keys either through LDAP, or in the Vault. The private SSH key is provided by the user during the connection. For further information refer to Managing Users' Public SSH Keys for Vault Authentication.

Integrated mode requires the ssh client to support an ssh authentication method of type publickey,keyboard-interactive.

Smart card authentication

You can connect to target systems through PSM for SSH by authenticating to the Vault with a certificate. The certificate can be stored on a smart card such as CAC or PIV cards.

To use certificate authentication, connect with a client that supports migrating certificates to SSH keys, such as Putty CAC.

As with regular SSH key authentication, a public SSH key that corresponds to your certificate must be assigned to your user in the Vault to enable authentication.

For further information refer to Managing Users' Public SSH Keys for Vault Authentication.

The Vault administrator can enforce a specific authentication method for all users, or enable users to authenticate one of the above authentication methods that is configured for their Vault user account. This is useful when different users in the organization use different authentication methods.

Configure user authentication method

Required products

To configure PSM for SSH to use SSH Key authentication or smart card authentication, upgrade all the PSM and PSM for SSH servers in your environment to v9.6 or above.