website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx
You can use the authentik Agent to authenticate SSH connections between endpoint devices using authentik credentials.
Currently, only Linux devices can serve as SSH endpoints. See Configure SSH authentication on an endpoint device section for more details.
When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.
ak ssh command. Alternatively, if you're using the standard SSH client (ssh user@host) instead of ak ssh, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively.To SSH to a configured Linux host using the authentik Agent:
ak ssh <hostname>
If you want a Linux Endpoint Device to support accepting SSH connections using authentik credentials, you will need to install the libpam-authentik package in addition to the authentik Agent. This is a PAM Module, which provides token-based and interactive authentication via authentik.
Authentication is only possible if the Linux device is aware of the authentik user which is attempting to authenticate. This can be achieved in one of two ways:
libnss-authentik - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users. Similar to adding a Linux device to an Active Directory or LDAP domain.libpam-authentik package (required):::info Prerequisites You must have already deployed and configured the authentik Agent on the device. :::
Run the following command to install the libpam-authentik package:
sudo apt install libpam-authentik
libnss-authentik package (optional)Run the following command to install the libnss-authentik package:
sudo apt install libnss-authentik