Managing Users' Public SSH Keys for Vault Authentication

This topic describes how to manage users' public SSH keys for Vault authentication.


Users can connect to target systems through PSM for SSH by authenticating to the Vault with a private SSH key. A corresponding public SSH key must be assigned to the Vault user to allow authentication.

Users can be assigned one or more public SSH keys.If one of these keys matches the private SSH key provided by the user during authentication, the connection through PSM for SSH will be approved and the user will be able to access their target system.

The Vault administrator can manage the users’ public SSH key in the Vault. Managing public SSH keys for external LDAP users is also available through the LDAP directory, which requires additional configuration.

To manage users public SSH keys in the Vault, using dedicated web services, refer to Public SSH authentication.

Configure management of LDAP user’s public SSH keys

By default, LDAP users’ public SSH keys are managed in the Vault. The following procedure describes how to define that management of the public SSH keys is in the LDAP directory.

To manage users’ public SSH keys in the LDAP directory for LDAP users only, use your LDAP management tools. To enable management of public SSH keys through LDAP, first perform the following procedures:

Customize how public SSH keys are defined in the LDAP directory

When LDAP users’ public SSH keys are managed in the LDAP directory, PSM for SSH assumes by default that each key is managed in the attribute sshPublicKey which is in the users’ details entry in the LDAP directory. If keys are managed in a different attribute in your LDAP directory, you can configure the name of the attribute. Use the following procedure to configure the name of the attribute to match the name of the attribute used in your LDAP directory.