SSH lets users connect securely to different environments and machines to perform any number of operations. Using SSH across companies and teams, however, is often hard to manage. Managing SSH keys for hundreds or thousands of users and environments can be a painful and time-consuming job for
Vault SSH gives users a secure way to authenticate, authorize, and automate access to machines over the SSH protocol. It manages access to machine infrastructure through two primary modes that issue SSH credentials dynamically: signed SSH certificates and one-time SSH passwords. See below for getting started guides and
The Vault SSH secrets engine provides secure authentication and authorization for access to machines over the SSH protocol, and it offers several ways to issue the SSH credentials used for that access.
Signed SSH certificates are the simplest and most powerful mode, both in setup complexity and in being platform agnostic. By combining Vault's CA capabilities with functionality built into OpenSSH, clients can SSH into target hosts using their own local SSH keys.
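What the host actually receives in this mode is an OpenSSH certificate: the client's own public key wrapped with a key ID, principals, a validity window and extensions, signed by Vault's CA. The following Python is an added example (not Vault's or OpenSSH's code) that parses that artifact and checks its fields against the kind of policy a Vault role encodes (allowed principals, TTL, permitted extensions). Keys and the signature are placeholders constructed inline, so it performs no signature verification; `sshd` does that against the CA public key listed in `TrustedUserCAKeys`. The function names, the sample key ID and the policy values are assumptions made for the example.

```python
"""Parse an OpenSSH user certificate (what Vault's SSH CA mode signs) and check
its fields against a local policy. Added example, not Vault's or OpenSSH's code;
keys and signature are placeholders, so no signature check happens here."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH certificate type: 1 = user, 2 = host

def _s(data: bytes) -> bytes:  # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def _read_s(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _strings(blob: bytes) -> list:  # split a blob into its consecutive strings
    out, off = [], 0
    while off < len(blob):
        item, off = _read_s(blob, off)
        out.append(item)
    return out

def _pack_kv(pairs: dict) -> bytes:
    # critical options / extensions: sorted names, each followed by a string
    # wrapping the value (empty for flag-style entries such as permit-pty)
    body = b""
    for name in sorted(pairs):
        val = pairs[name]
        body += _s(name.encode()) + _s(_s(val.encode()) if val else b"")
    return _s(body)

def _unpack_kv(blob: bytes) -> dict:
    items = _strings(blob)  # name, wrapped value, name, wrapped value, ...
    return {n.decode(): (_strings(v)[0].decode() if v else "")
            for n, v in zip(items[::2], items[1::2])}

def build_cert(user_pk, ca_pk, key_id, principals, valid_after, valid_before,
               extensions, critical=None) -> str:
    """Constructed certificate in the one-line form Vault returns as signed_key."""
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32)  # nonce (placeholder)
            + _s(user_pk) + struct.pack(">QI", 1, USER_CERT)  # serial, type
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _pack_kv(critical or {}) + _pack_kv(extensions) + _s(b"")  # reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pk)))  # signature key in wire form
    sig = _s(b"ssh-ed25519") + _s(b"\x00" * 64)  # placeholder signature
    return CERT_TYPE + " " + base64.b64encode(body + _s(sig)).decode()

def parse_cert(line: str) -> dict:
    kind, b64 = line.split()[:2]
    if kind != CERT_TYPE:
        raise ValueError(f"unsupported key type {kind}")
    buf, off = base64.b64decode(b64), 0
    for _ in range(2):  # certificate type name, nonce
        _, off = _read_s(buf, off)
    pk, off = _read_s(buf, off)
    _serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _read_s(buf, off + 12)
    princ, off = _read_s(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    crit, off = _read_s(buf, off + 16)
    ext, off = _read_s(buf, off)
    _reserved, off = _read_s(buf, off)
    sig_key, off = _read_s(buf, off)
    ca_type, o = _read_s(sig_key, 0)  # nested public key: string type, string key
    ca_key, _ = _read_s(sig_key, o)
    return {"type": ctype, "key_id": key_id.decode(), "public_key": pk,
            "principals": [p.decode() for p in _strings(princ)],
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": _unpack_kv(crit), "extensions": _unpack_kv(ext),
            "ca_type": ca_type.decode(), "ca_key": ca_key}

def check_cert(cert, trusted_ca, allowed_principals, now, max_ttl=30 * 60,
               allowed_ext=frozenset({"permit-pty"})) -> list:
    """Return policy violations; an empty list means the certificate passes."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if cert["ca_key"] != trusted_ca:
        problems.append("not signed by the trusted CA")
    # ssh-keygen documents a no-principal certificate as valid for all users
    if not cert["principals"] or not set(cert["principals"]) <= set(allowed_principals):
        problems.append(f"principals {cert['principals']} outside allow list")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_ttl:
        problems.append("lifetime exceeds max TTL")
    extra = set(cert["extensions"]) - set(allowed_ext)
    if extra:
        problems.append(f"unexpected extensions {sorted(extra)}")
    return problems

def demo(now=None):
    # constructed: a cert shaped like a Vault role with allowed_users and a
    # short ttl, and one that breaks several rules at once
    now = int(time.time()) if now is None else now
    ca, user = b"\x11" * 32, b"\x22" * 32  # placeholder 32-byte ed25519 keys
    good = build_cert(user, ca, "vault-userpass-alice-1234abcd", ["alice"],
                      now - 30, now + 20 * 60, {"permit-pty": ""})
    bad = build_cert(user, b"\x33" * 32, "rogue", [], now - 30, now + 86400,
                     {"permit-pty": "", "permit-agent-forwarding": ""})
    allowed = {"alice", "deploy"}
    return (check_cert(parse_cert(good), ca, allowed, now),
            check_cert(parse_cert(bad), ca, allowed, now))
```

`demo()` returns an empty violation list for the first certificate and four violations for the second (wrong CA, empty principal list, a one-day lifetime, and an agent-forwarding extension the policy does not allow). The empty-principal case is deliberately treated as a violation rather than as "no access", because OpenSSH accepts such a certificate for any user; a Vault role's `allowed_users` is what keeps that list populated.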
The One-Time SSH Password (OTP) secrets engine type has the Vault server issue a one-time password each time a client wants to SSH into a remote host; a helper command on the remote host performs the verification.
`vault-ssh-helper` is the counterpart to HashiCorp Vault's SSH backend. It lets a machine consume One-Time Passwords (OTPs) created by Vault servers by accepting them as client authentication credentials at SSH connection time.
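To make the OTP exchange described in the two paragraphs above concrete, here is an added in-process model (not Vault's or `vault-ssh-helper`'s own code) of both sides: Vault issuing a password bound to a role, a username and a target IP, and the helper on the host handing the password it received at login back to Vault for verification. The role name, the addresses and the `ip_prefixes` stand-in for a role's CIDR list are constructed for the example; the real helper talks to Vault's `ssh/verify` endpoint over HTTP and reads the host's interfaces itself.

```python
"""In-process model of Vault's one-time SSH password flow: Vault issues an OTP
bound to a role, a username and a target IP; at login the host's helper hands
the password back to Vault, which accepts it exactly once. Added example, not
Vault's or vault-ssh-helper's code: the HTTP API is replaced by an in-memory
store and the helper's checks are modelled as one function."""
import secrets
from dataclasses import dataclass, field


@dataclass
class OtpRecord:
    username: str
    ip: str
    role: str


@dataclass
class VaultOtpEngine:
    roles: dict  # role name -> {"default_user": ..., "ip_prefixes": [...]}
    _otps: dict = field(default_factory=dict)  # outstanding OTP -> binding

    def issue(self, role: str, ip: str, username=None) -> dict:
        """Model of `vault write ssh/creds/<role> ip=<ip>`: a fresh OTP per call."""
        cfg = self.roles[role]
        # constructed stand-in for the role's CIDR list: plain prefix match
        if not any(ip.startswith(p) for p in cfg["ip_prefixes"]):
            raise PermissionError(f"{ip} is outside role {role}'s allowed range")
        user = username or cfg["default_user"]
        otp = secrets.token_urlsafe(24)
        self._otps[otp] = OtpRecord(user, ip, role)
        return {"key": otp, "username": user, "ip": ip, "port": 22}

    def verify(self, otp: str):
        """Model of the ssh/verify endpoint: returns the binding and burns the
        OTP, so a second presentation (a replay) gets None."""
        rec = self._otps.pop(otp, None)
        return None if rec is None else {"username": rec.username, "ip": rec.ip}

    def outstanding(self) -> int:
        return len(self._otps)


def helper_authenticate(vault, pam_user: str, password: str, host_ips) -> bool:
    """Model of what vault-ssh-helper checks at SSH login: the OTP must be known
    to Vault, issued for this username, and issued for an address this host owns.
    Note that Vault burns the OTP even when the later checks fail."""
    data = vault.verify(password)
    if data is None:
        return False
    return data["username"] == pam_user and data["ip"] in host_ips


def demo() -> dict:
    # constructed scenario: one host at 10.0.0.5, a role limited to the 10.0. prefix
    vault = VaultOtpEngine(roles={"otp_key_role": {"default_user": "ubuntu",
                                                   "ip_prefixes": ["10.0."]}})
    host_ips = {"10.0.0.5"}
    cred = vault.issue("otp_key_role", "10.0.0.5")
    results = {
        "first_use": helper_authenticate(vault, "ubuntu", cred["key"], host_ips),
        "replay": helper_authenticate(vault, "ubuntu", cred["key"], host_ips),
        "other_host": helper_authenticate(  # OTP issued for 10.0.0.9, used on .5
            vault, "ubuntu", vault.issue("otp_key_role", "10.0.0.9")["key"], host_ips),
        "other_user": helper_authenticate(  # OTP issued for ubuntu, login as root
            vault, "root", vault.issue("otp_key_role", "10.0.0.5")["key"], host_ips),
        "guess": helper_authenticate(vault, "ubuntu", "not-an-issued-otp", host_ips),
    }
    results["left_in_vault"] = vault.outstanding()  # every verify burned its OTP
    return results
```

Only `first_use` succeeds; the replay, the OTP issued for a different host, the OTP issued for a different username and the guessed value are all rejected, and `left_in_vault` ends at zero because each verification consumed its password. The model also shows the role-side control: asking for an OTP for an address outside the role's range is refused before any credential exists.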