open-vault/website/content/docs/secrets/ssh/index.mdx

---
layout: docs
page_title: SSH - Secrets Engines
description: |-
  The Vault SSH secrets engine provides secure authentication and authorization
  for access to machines via the SSH protocol. There are two modes to the Vault
  SSH secrets engine including signed SSH certificates and one-time passwords.
---

# SSH Secrets Engine

Name: `ssh`

The Vault SSH secrets engine provides secure authentication and authorization
for access to machines via the SSH protocol. The Vault SSH secrets engine helps
manage access to machine infrastructure, providing several ways to issue SSH
credentials.

The Vault SSH secrets engine supports the following modes. Each mode is
individually documented on its own page.

- [Signed SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates)
- [One-time SSH Passwords](/vault/docs/secrets/ssh/one-time-ssh-passwords)

All guides assume a basic familiarity with the SSH protocol.

## Removal of Dynamic Keys feature

Per [Vault 1.12's deprecation notice page](/vault/docs/v1.12.x/deprecation),
the dynamic keys functionality of this engine has been removed in Vault 1.13.

## API

The SSH secrets engine has a full HTTP API. Please see the
[SSH secrets engine API](/vault/api-docs/secret/ssh) for more
details.
Vault SSH: Website doc v1. Removed path_echo 2015-08-12 16:25:28 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: SSH - Secrets Engines`
Vault SSH: Website doc v1. Removed path_echo 2015-08-12 16:25:28 +00:00			`description: \|-`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Vault SSH secrets engine provides secure authentication and authorization`
Remove dynamic keys from SSH Secrets Engine (#18874) * Remove dynamic keys from SSH Secrets Engine This removes the functionality of Vault creating keys and adding them to the authorized keys file on hosts. This functionality has been deprecated since Vault version 0.7.2. The preferred alternative is to use the SSH CA method, which also allows key generation but places limits on TTL and doesn't require Vault reach out to provision each key on the specified host, making it much more secure. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dynamic ssh references from documentation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dynamic key secret type entirely Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify changelog language Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add removal notice to the website Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2023-01-31 21:02:22 +00:00			`for access to machines via the SSH protocol. There are two modes to the Vault`
			`SSH secrets engine including signed SSH certificates and one-time passwords.`
Vault SSH: Website doc v1. Removed path_echo 2015-08-12 16:25:28 +00:00			`---`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`# SSH Secrets Engine`
Vault SSH: Website doc v1. Removed path_echo 2015-08-12 16:25:28 +00:00
			Name: `ssh`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Vault SSH secrets engine provides secure authentication and authorization`
			`for access to machines via the SSH protocol. The Vault SSH secrets engine helps`
			`manage access to machine infrastructure, providing several ways to issue SSH`
Break SSH types into their own pages (#3157) @jefferai and I discussed this on Friday. With three fully-documented SSH backends, the page is lengthy, ungreppable, and intimidating. This commit separates the SSH backends into their own pages with as little text changes as possible. 2017-08-14 14:49:41 +00:00			`credentials.`
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Vault SSH secrets engine supports the following modes. Each mode is`
Break SSH types into their own pages (#3157) @jefferai and I discussed this on Friday. With three fully-documented SSH backends, the page is lengthy, ungreppable, and intimidating. This commit separates the SSH backends into their own pages with as little text changes as possible. 2017-08-14 14:49:41 +00:00			`individually documented on its own page.`
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`- [Signed SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates)`
			`- [One-time SSH Passwords](/vault/docs/secrets/ssh/one-time-ssh-passwords)`
Vault SSH: Website page for SSH backend 2015-08-14 19:41:26 +00:00
Break SSH types into their own pages (#3157) @jefferai and I discussed this on Friday. With three fully-documented SSH backends, the page is lengthy, ungreppable, and intimidating. This commit separates the SSH backends into their own pages with as little text changes as possible. 2017-08-14 14:49:41 +00:00			`All guides assume a basic familiarity with the SSH protocol.`
docs: Elaborate the steps for SSH CA backend with 'sshd_config' changes (#2507) 2017-03-19 22:52:15 +00:00
Remove dynamic keys from SSH Secrets Engine (#18874) * Remove dynamic keys from SSH Secrets Engine This removes the functionality of Vault creating keys and adding them to the authorized keys file on hosts. This functionality has been deprecated since Vault version 0.7.2. The preferred alternative is to use the SSH CA method, which also allows key generation but places limits on TTL and doesn't require Vault reach out to provision each key on the specified host, making it much more secure. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dynamic ssh references from documentation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dynamic key secret type entirely Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify changelog language Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add removal notice to the website Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2023-01-31 21:02:22 +00:00			`## Removal of Dynamic Keys feature`

			`Per [Vault 1.12's deprecation notice page](/vault/docs/v1.12.x/deprecation),`
			`the dynamic keys functionality of this engine has been removed in Vault 1.13.`

Vault SSH: Website page for SSH backend 2015-08-14 19:41:26 +00:00			`## API`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The SSH secrets engine has a full HTTP API. Please see the`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`[SSH secrets engine API](/vault/api-docs/secret/ssh) for more`
Break out API documentation for secret backends 2017-03-09 02:47:35 +00:00			`details.`