ssh command

The ssh command allows you to manage SSH certificates and provides helpers to connect to an OpenSSH server protected by Microsegmentation.

cert subcommand

The cert subcommand will use the current token and exchange it for an SSH identity certificate containing the claims and the permissions configured in the Microsegmentation Console.
You need to pass a public SSH key for this API to work. By default, apoctl will look in ~/.ssh/ You can pass a different public key with the flag --public-key.
If you need to create a new ssh key, you can use the ssh tool ssh-keygen.
The delivered SSH certificate will be printed in stdout.
apoctl ssh cert > ~/.ssh/

connect subcommand

The connect subcommand is a wrapper around the system SSH command. You can use it to connect to a remote host protected by a enforcer. The command will automatically request a SSH certificate from the Microsegmentation Console according to your authorizations based on your JWT Token. It will use this certificate immediately to connect to the SSH host.
By default, it will look for ssh keys in ~/.ssh. You can set a different key to use with the flag --public-key.
You can bypass the certificate issuing process if you already have one on file by setting the flag --cert (in that case --public-key has no effect). If you pass --cert you need either your SSH agent to known the ssh key used to generate the cert, or you need to pass it using the --key flag.
You then pass any arguments, they will be forwarded to the ssh command.
apoctl ssh connect apoctl ssh connect -- -p 2222 apoctl ssh connect --cert my-cert.cert apoctl ssh connect --cert my-cert.cert --key ~/.ssh/id_ed25519

inspect subcommand

The inspect subcommand can be used to print information about an existing SSH identity certificate.
The inspect subcommand can read the data from stdin when the flag --cert is set to - (default) or can be given a path.
cat ~/.ssh/ | apoctl ssh inspect apoctl ssh inspect --cert ~/.ssh/

Recommended For You