Using SSH with Vault

SSH enables users to securely connect to different environments and machines to perform any number of different operations. SSH access, however, is often difficult to manage across companies and teams. Managing SSH keys for hundreds or thousands of users and environments can be a painful and time-consuming job for infrastructure operators.

Vault SSH provides users a secure way to authenticate, authorize, and automate access to machines via the SSH protocol. Users can securely manage access to machine infrastructure via two primary SSH modes to issue SSH credentials dynamically: signed SSH certificates and one-time SSH passwords. See below for getting started guides and documentation.

Learn how to integrate SSH in Vault

SSH Secrets Engine: One-Time SSH Password

The Vault SSH secrets engine provides secure authentication and authorization for access to machines via the SSH protocol. This guide demonstrates the one-time SSH password mode.

Vault Agent with AWS

Getting the first secret to the consumer is the secure introduction challenge. Vault provides a number of different authentication methods to assist in delivery of this initial token.

Docker OpenLDAP Secrets Engine with SSH Demonstration

You can use the information in this guide to build a demonstration for testing authentication of SSH connections using LDAP and PAM in a Docker environment with OpenLDAP credentials managed by Vault.


SSH - Secrets Engines

The Vault SSH secrets engine provides secure authentication and authorization for access to machines via the SSH protocol. The Vault SSH secrets engine helps manage access to machine infrastructure, providing several ways to issue SSH credentials.

Signed SSH Certificates

Signed SSH certificates are the simplest and most powerful option in terms of setup complexity and in terms of being platform agnostic. By leveraging Vault's powerful CA capabilities and functionality built into OpenSSH, clients can SSH into target hosts using their own local SSH keys.

One-Time SSH Passwords

The One-Time SSH Password (OTP) secrets engine type allows a Vault server to issue a One-Time Password every time a client wants to SSH into a remote host. A helper command on the remote host performs the verification.

Vault SSH Agent

`vault-ssh-helper` is a counterpart to HashiCorp Vault's SSH backend. It allows a machine to consume One-Time-Passwords (OTP) created by Vault servers by allowing them to be used as client authentication credentials at SSH connection time.


This documentation assumes the SSH secrets engine is enabled at the /ssh path in Vault. Since it is possible to enable secrets engines at any location, please update your API calls accordingly.

SSH Commands

The ssh command establishes an SSH connection with the target machine.

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.
