diff --git a/locale/en/dictionaries/software-terms.txt b/locale/en/dictionaries/software-terms.txt index b6571992c3..51f3d0ba30 100644 --- a/locale/en/dictionaries/software-terms.txt +++ b/locale/en/dictionaries/software-terms.txt @@ -93,6 +93,7 @@ frie gcsp geoip glpi +gosaml grecaptcha guac guacd @@ -113,6 +114,7 @@ microsoft mmdb noopener noreferrer +oktadev openidc ouia ouid diff --git a/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx b/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx index 4062e090ce..5c82fcffbc 100644 --- a/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx +++ b/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx @@ -58,15 +58,7 @@ Output help information about any command. ak help ``` -Where `` is any authentik CLI command you want help with, for example: `ak help ssh` - -### ssh - -Establish an SSH connection with the target endpoint device. - -```bash -ak ssh -``` +Where `` is any authentik CLI command you want help with, for example: `ak help whoami` ### system diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx b/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx index 0905aef103..941359c751 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx 
@@ -2,9 +2,12 @@ title: SSH authentication sidebar_label: SSH authentication tags: [ssh, authentik Agent] -authentik_version: "2025.12.0" +authentik_version: "2026.2.4" --- +import TabItem from "@theme/TabItem"; +import Tabs from "@theme/Tabs"; + You can use the [authentik Agent](../index.mdx) to authenticate SSH connections between endpoint devices using authentik credentials. Currently, only [Linux](../agent-deployment/linux.mdx) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details. 
@@ -13,17 +16,43 @@ When connected to an endpoint device in this way, sudo authorization can be hand ## Prerequisites -- The [authentik Agent must be deployed](../agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively. +- The [authentik Agent must be deployed](../agent-deployment/index.mdx) on both the source and SSH target devices. - The target device needs to be configured, see the [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section below. ## How to SSH to an endpoint device To SSH to a configured [Linux host](../agent-deployment/linux.mdx) using the authentik Agent: -1. Open a Terminal session and run the following command: +1. Configure your SSH config to use the authentik Agent's SSH Identity Agent: + + + +Edit `~/.ssh/config` and add the following: + +```shell +Host * + IdentityAgent "~/Library/Application Support/authentik/agent-ssh.sock" ``` -ak ssh + + + + +Edit `~/.ssh/config` and add the following: + +```shell +Host * + ForwardAgent yes + IdentityAgent "~/.local/share/authentik/agent-ssh.sock" +``` + + + + +2. Open a Terminal session and run the following command: + +```shell +ssh ``` 2. If not already authenticated, you will be prompted for authentik credentials. 
@@ -31,29 +60,7 @@ ak ssh ## Configure SSH authentication on an endpoint device -If you want a Linux endpoint device to support accepting SSH connections using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM module, which provides token-based and interactive authentication via authentik. - Authentication is only possible if the Linux device is aware of the authentik user which is attempting to authenticate. This can be achieved in one of two ways: 1. **Provision user accounts** - Create users on the Linux device with usernames that match authentik users that need to authenticate to the device. This can be done manually or via automation tools like Ansible. 2. **`libnss-authentik`** - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users. Similar to adding a Linux device to an Active Directory or LDAP domain. - -### Install the `libpam-authentik` package _(required)_ - -:::info Prerequisites -You must have already deployed and configured the authentik Agent on the device. -::: - -Run the following command to install the `libpam-authentik` package: - -```sh -sudo apt install libpam-authentik -``` - -### Install the `libnss-authentik` package _(optional)_ - -Run the following command to install the `libnss-authentik` package: - -```sh -sudo apt install libnss-authentik -```
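Review bot: In `software-terms.txt`, the two added dictionary entries `gosaml` and `oktadev` are not used by any of the documentation hunks in this patch. If they belong to a different docs change, move them there so this patch stays scoped to the SSH documentation.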
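Review bot: In `authentik-cli.mdx`, the `### ssh` section is deleted without leaving any pointer, so a reader who arrives looking for `ak ssh` finds nothing. Add a one-line note or link to the SSH authentication page that describes the `IdentityAgent` setup, and if the command was removed from the CLI, say from which version.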
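Review bot: In the `@@ -13,17 +16,43 @@` hunk of `ssh-authentication.mdx`, the added config block that uses `~/.local/share/authentik/agent-ssh.sock` sets `ForwardAgent yes` under `Host *`, while the block that uses `~/Library/Application Support/authentik/agent-ssh.sock` does not. With `Host *` the agent is forwarded to every server the user connects to, and anyone with root on such a server can use the forwarded agent for the life of the session. If forwarding is required for this flow, say why in the text and scope the stanza to the authentik-managed hosts with a specific `Host` pattern; otherwise drop the line so both blocks match. The same scoping applies to `IdentityAgent`, which under `Host *` replaces the user's existing SSH agent for all connections, not only authentik ones. Separately, the added step `2. Open a Terminal session and run the following command:` is followed by the unchanged `2. If not already authenticated, ...`, so the list now has two steps numbered 2; renumber the steps that follow.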
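Review bot: The `@@ -31,29 +60,7 @@` hunk of `ssh-authentication.mdx` removes the only install instructions for `libpam-authentik` and `libnss-authentik`, but the surviving list item 2 still describes `libnss-authentik` as "a package that can be installed on the Linux device" and the Prerequisites bullet still sends readers to this section to configure the target. State where the PAM module now comes from, or link to the page that installs it, and either keep the `sudo apt install libnss-authentik` step or link to where it now lives, so the section still tells an administrator how to make the target accept authentik logins.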