1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Apoctl
    6. ssh command

    ssh command

    The ssh command allows you to manage SSH certificates and provides helpers to connect to an OpenSSH server protected by Microsegmentation.

    cert subcommand

    The cert subcommand will use the current token and exchange it for an SSH identity certificate containing the claims and the permissions configured in the Microsegmentation Console.
    You need to pass a public SSH key for this API to work. By default, apoctl will look in ~/.ssh/id_rsa.pub. You can pass a different public key with the flag --public-key.
    If you need to create a new ssh key, you can use the ssh tool ssh-keygen.
    The delivered SSH certificate will be printed in stdout.
    Example:
    apoctl ssh cert > ~/.ssh/my-cert.pub

    connect subcommand

    The connect subcommand is a wrapper around the system SSH command. You can use it to connect to a remote host protected by a enforcer. The command will automatically request a SSH certificate from the Microsegmentation Console according to your authorizations based on your JWT Token. It will use this certificate immediately to connect to the SSH host.
    By default, it will look for ssh keys in ~/.ssh. You can set a different key to use with the flag --public-key.
    You can bypass the certificate issuing process if you already have one on file by setting the flag --cert (in that case --public-key has no effect). If you pass --cert you need either your SSH agent to known the ssh key used to generate the cert, or you need to pass it using the --key flag.
    You then pass any arguments, they will be forwarded to the ssh command.
    Examples:
    apoctl ssh connect user@host.com
apoctl ssh connect -- user@host.com -p 2222
apoctl ssh connect --cert my-cert.cert user@host.com
apoctl ssh connect --cert my-cert.cert --key ~/.ssh/id_ed25519 user@host.com

    inspect subcommand

    The inspect subcommand can be used to print information about an existing SSH identity certificate.
    The inspect subcommand can read the data from stdin when the flag --cert is set to - (default) or can be given a path.
    Example:
    cat ~/.ssh/my-cert.pub | apoctl ssh inspect
apoctl ssh inspect --cert ~/.ssh/my-cert.pub

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo