POST SSH Users Access

The POST /SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption./Users/Access method is used to create a mapping of one or more Linux logons to a Keyfactor Command user or service account. This method returns HTTP 200 OK on a success with the details of the user to logon mapping, if any.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/ssh/server_admin/

/ssh/enterprise_admin/

SSH actions are affected by ownership on the server group with which user to logon mappings are associated and limited for users with only the Server Admin (/ssh/server_admin/) role. For more information, see SSH Permissions.

Tip: Before creating a logon to user mapping, be sure that you have switched the server to which you will add your mapping (or its server group) to inventory and publish policy mode so that the key for the user will be published to the server. If the server is in inventory only mode and you add a mapping for it in Keyfactor Command, the mapping will appear in Keyfactor Command only and the key for the user will not be published out to the server.

Table 823: POST SSH Users Access Input Parameters

Name	In	Description
ID	Body	Required. An integer indicating the Keyfactor Command reference ID of the SSH user. Use the GET /SSH/Users method (see GET SSH Users) to retrieve a list of all the SSH users to determine the user's ID.
LogonIds	Body	An array of integers indicating the Keyfactor Command reference IDs for the Linux logons to map to the user to cause the user's SSH public key to be published out to the Linux servers on which those logons reside. These are provided in the following format: [12,27,39] Use the GET /SSH/Logons method (see GET SSH Logons) to retrieve a list of all the SSH logons to determine the logon's ID(s). Important: Logon IDs you provide here replace any existing logon IDs associated with the user. To avoid accidentally removing access for users, check existing logons for the user (see GET SSH Users) before updating and provide both existing and new logon IDs.

Name

Description

Body

Required. An integer indicating the Keyfactor Command reference ID of the SSH user.

Use the GET /SSH/Users method (see GET SSH Users) to retrieve a list of all the SSH users to determine the user's ID.

LogonIds

Body

An array of integers indicating the Keyfactor Command reference IDs for the Linux logons to map to the user to cause the user's SSH public key to be published out to the Linux servers on which those logons reside.

These are provided in the following format:

[12,27,39]

Use the GET /SSH/Logons method (see GET SSH Logons) to retrieve a list of all the SSH logons to determine the logon's ID(s).

Important: Logon IDs you provide here replace any existing logon IDs associated with the user. To avoid accidentally removing access for users, check existing logons for the user (see GET SSH Users) before updating and provide both existing and new logon IDs.

Table 824: POST SSH Users Access Response Data

Name

Description

An integer indicating the Keyfactor Command reference ID of the SSH user.

Key

An object containing information about the key for the user. Show key details.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID of the SSH user's key.
Fingerprint	A string indicating the fingerprint of the public key. Each SSH public key has a single cryptographic fingerprint that can be used to uniquely identify the key.
PublicKey	A string indicating the public key of the key pair for the SSH user.
KeyType	A string indicating the cryptographic algorithm used to generate the SSH key. Possible values are: RSA ECDSA Ed25519
KeyLength	An integer indicating the key length for the SSH key. The key length supported depends on the key type selected. Keyfactor Command supports 256 bits for Ed25519 and ECDSA and 2048 or 4096 bits for RSA.
CreationDate	A string containing the date, in UTC, on which the SSH key pair was created.
StaleDate	A string containing the date, in UTC, after which the SSH key pair is considered to be out of date based on the key lifetime defined by the Key Lifetime (days) application setting. See Application Settings: SSH Tab in the Keyfactor Command Reference Guide for more information.
Email	A string containing the email address of the user, for user accounts, or administrator or group of administrators responsible for managing the key, for service accounts. This email address is used to alert the user or administrator when the key pair is approaching the end of its lifetime.
Comments	An array of strings containing one or more strings with the user-defined descriptive comments, if any, on the key. Although entry of an email address in the comment field of an SSH key is traditional, this is not a required format. The comment may can contain any characters supported for string fields, including spaces and most punctuation marks. Keys created through the Keyfactor Command Management Portal or with the POST /SSH/Keys/MyKey or POST /SSH/ServiceAccounts method will contain only one string in the array.
LogonCount	An integer indicating the number of Linux logons associated with the SSH key pair.

Username

A string indicating the full username of the user or service account. For a user account, the username appears in DOMAIN\\username format (e.g. KEYEXAMPLE\\jsmith). For a service account, the username is made up of the user name and ClientHostname entered when the service account is created (e.g. myapp@appsrvr75).

Access

An object containing information about the Linux logons mapped to the user. Show Linux logon mapping details.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID of the Linux logon.
Username	A string indicating the user's logon name on the Linux server.
KeyCount	An integer indicating the number of SSH keys associated with the Linux logon.
Access	An object containing information about the users mapped to the Linux logon.

IsGroup

A Boolean indicating whether the user is an Active Directory group (true) or not (false).

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: