NAME

step ssh login – adds a SSH certificate into the authentication agent

USAGE

step ssh login identity [–token=token] [–provisioner=name] [–provisioner-password-file=file] [–not-before=time|duration] [–not-after=time|duration] [–force] [–ca-url=uri] [–root=file] [–offline] [–ca-config=path]

DESCRIPTION

step ssh login generates a new SSH key pair and send a request to step certificates to sign a user certificate. This certificate will be automatically added to the SSH agent.

With a certificate servers may trust only the CA key and verify its signature on a certificate rather than trusting many user keys.

POSITIONAL ARGUMENTS

identity
The certificate identity. If no principals are passed we will use the identity as a principal, if it has the format abc@def then the principal will be abc.

OPTIONS

–token=token
The one-time token used to authenticate with the CA in order to create the certificate.
–add-user
Create a user provisioner certificate used to create a new user.
–provisioner=name, –issuer=name
The provisioner name to use.
–provisioner-password-file=file, –password-file=file
The path to the file containing the password to decrypt the one-time token generating key.
–not-before=time|duration
The time|duration when the certificate validity period starts. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
–not-after=time|duration
The time|duration when the certificate validity period ends. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
–ca-url=URI
URI of the targeted Step Certificate Authority.
–root=file
The path to the PEM file used as the root certificate authority.
–offline
Creates a certificate without contacting the certificate authority. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using ‘–ca-config`’ flag.
–ca-config=path
The path to the certificate authority configuration file. Defaults to $STEPPATH/config/ca.json
-f, –force
Force the overwrite of files without asking.

EXAMPLES

Request a new SSH certificate and add it to the agent:

$ step ssh login joe@example.com

Request a new SSH certificate valid only for 1h:

$ step ssh login --not-after 1h joe@smallstep.com