Documentation Suite v11.7

Submit Search

POST SSH Service Accounts

The POST /SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption./ServiceAccounts method is used to create a new SSH service account in Keyfactor Command. This method returns HTTP 200 OK on a success with details for the new SSH service account.

Before adding a new SSH service account, be sure that you have added at least one server group (see POST SSH Server Groups) and that your Keyfactor Bash Orchestrator The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise. has been registered and approved in Keyfactor Command (see GET Agents).

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/ssh/server_admin/

/ssh/enterprise_admin/

SSH actions are affected by ownership on the server group with which the key is associated and limited for users with only the Server Admin (/ssh/server_admin/) role. For more information, see SSH Permissions.

Table 717: POST SSH Service Accounts Input Parameters

Name

Description

KeyGenerationRequest

Body

Required. An object that set the information to include in the SSH key pair request. Show key generation request details.

Name

Description

KeyType

Required. A string indicating the cryptographic algorithm used to generate the SSH key. Show key type details.

Numeric Value	Text Value
1	ECDSA
2	Ed25519
3	RSA

The KeyType may be specified using either the numeric value or text value.

PrivateKeyFormat

Required. A string indicating the format to use for the downloadable private key. Show private key format details.

The PrivateKeyFormat may be specified using either the numeric value or text value.

KeyLength

Required^*. An integer indicating the key length for the SSH key. The key length supported depends on the key type selected. Keyfactor Command supports 256 bits for Ed25519 and ECDSA and 2048 or 4096 bits for RSA. This field is optional if the KeyType is set to ECDSA or Ed25519 and required if the KeyType is set to RSA.

Required. A string containing the email address of the administrator or group of administrators responsible for managing the key. This email address is used to alert the administrator or group of administrators when the key pair is approaching the end of its lifetime.

Password

Required. A string that sets a password used to secure the private key of the SSH key pair for download.

Comment

A string containing the user-defined descriptive comment, if any, on the key. Although entry of an email address in the comment field of an SSH key is traditional, this is not a required format. The comment may can contain any characters supported for string fields, including spaces and most punctuation marks.

User

Body

Required. An object containing information about the service account user. Show user details.

Name	Description
Username	Required. A string indicating the short name of the SSH service account user (e.g. myapp). This, together with the ClientHostname, is used to build the full user name (e.g. myapp@appsrvr75).
LogonIds	An array of integers indicating the Keyfactor Command reference IDs of Linux logons that should be associated with the service account in order to publish the service account's public key to the servers on which the logons are located.

ClientHostname

Body

Required. A string indicating the client hostname reference for the service account key. This field is used for reference only and does not need to match an actual client hostname. It is used when building the full user name of the service account key for mapping to Linux logons for publishing to Linux servers (e.g. username@client_hostname). The naming convention is to use the hostname of the server on which the application that will use the private key resides (e.g. appsrvr12), but you can put anything you like in this field (e.g. cheesetoast).

ServerGroupId

Body

Required. A string indicating the Keyfactor Command reference GUID for the SSH server group for the service account. The server group is used to control who has access in Keyfactor Command to the service account key. It does not limit where the key can be published. See SSH Permissions in the Keyfactor Command Reference Guide for more information.

Table 718: POST SSH Service Accounts Response Data

Name Description

ID An integer indicating the Keyfactor Command reference ID for the SSH service account. This ID is automatically set by Keyfactor Command.

Client Hostname A string indicating the client hostname reference for the service account key. This field is used for reference only and does not need to match an actual client hostname. It is used when building the full user name of the service account key for mapping to Linux logons for publishing to Linux servers (e.g. username@client_hostname). The naming convention is to enter the hostname of the server on which the application that will use the private key resides (e.g. appsrvr12), but you can put anything you like in this field (e.g. cheesetoast).

Server Group

An object that indicates the SSH server group for the service account. The server group is used to control who has access in Keyfactor Command to the service account key. It does not limit where the key can be published. See SSH Permissions in the Keyfactor Command Reference Guide for more information. Show server group details.

Name

Description

A string indicating the Keyfactor Command reference GUID of the SSH server group.

Owner

An object indicating the Active Directory user who owns the server group. See SSH Server Groups in the Keyfactor Command Reference Guide for more information.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID of the user who holds the owner role on the SSH server group.

Group Name

A string indicating the name of the SSH server group.

Sync Schedule

An object providing the inventory schedule for the SSH server group. The schedule can be off (unset) or one of the supported values. Show schedule details.

Name Description

Off Turn off a previously configured schedule.

Interval

A dictionary that indicates a job scheduled to run every x minutes with the specified parameter. Any interval that is selected in the UI will be converted to minutes when stored in the database.

Name	Description
Minutes	An integer indicating the number of minutes between each interval.

For example, every hour:

Copy

"Interval": {
   "Minutes": 60
}

Daily

A dictionary that indicates a job scheduled to run every day at the same time with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).

For example, daily at 11:30 pm:

Copy

"Daily": {
   "Time": "2023-11-25T23:30:00Z"
}

Weekly

A dictionary that indicates a job scheduled to run on a specific day or days every week at the same time with the parameters:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).
Days	An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. “Sunday”).

For example, every Monday, Wednesday and Friday at 5:30 pm:

Copy

"Weekly": {
   "Days": [
      "Monday",
      "Wednesday",
      "Friday"
   ],
   "Time": "2023-11-27T17:30:00Z"
}

Monthly

A dictionary that indicates a job scheduled to run on a specific day or days every month at the same time with the parameters:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).
Day	The number of the day, in the month, to run the job.

For example, on the first of every month at 5:30 pm:

Copy

"Monthly": {
   "Day": 1
   "Time": "2023-11-27T17:30:00Z"
}

Under Management A Boolean indicating whether the SSH server group is in inventory only mode (False) or inventory and publish policy mode (True).

User

An object containing information about the service account user. Show service account user details.

Name

Description

An integer indicating the Keyfactor Command reference ID of the SSH service account user.

Key

An object containing information about the key for the service account user. Show key details.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID of the SSH service account's key.
Fingerprint	A string indicating the fingerprint of the public key. Each SSH public key has a single cryptographic fingerprint that can be used to uniquely identify the key.
Public Key	A string indicating the public key of the key pair for the SSH service account.
KeyType	A string indicating the cryptographic algorithm used to generate the SSH key. Possible values are: RSA ECDSA Ed25519
Key Length	An integer indicating the key length for the SSH key. The key length supported depends on the key type selected. Keyfactor Command supports 256 bits for Ed25519 and ECDSA and 2048 or 4096 bits for RSA.
Creation Date	A string indicating the date, in UTC, on which the SSH key pair was created.
Stale Date	A string indicating the date, in UTC, after which the SSH key pair is considered to be out of date based on the key lifetime defined by the Key Lifetime (days) application setting. See Application Settings: SSH Tab in the Keyfactor Command Reference Guide for more information.
Email	A string containing the email address of the administrator or group of administrators responsible for managing the key. This email address is used to alert the administrator or group of administrators when the key pair is approaching the end of its lifetime.
Comments	An array of strings containing one or more strings with the user-defined descriptive comments, if any, on the key. Although entry of an email address in the comment field of an SSH key is traditional, this is not a required format. The comment may can contain any characters supported for string fields, including spaces and most punctuation marks. Keys created through the Keyfactor Command Management Portal or with the POST /SSH/ServiceAccounts method will contain only one string in the array.
Logon Count	An integer indicating the number of Linux logons associated with the SSH key pair.

Username A string indicating the full username of the service account. The username is made up of the user name and ClientHostname entered when the service account is created (e.g. myapp@appsrvr75).

LogonIds An array of integers indicating the Keyfactor Command reference IDs of Linux logons that are associated with the service account in order to publish the service account's public key to the servers on which the logons are located.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version v11.7

On this page: