Updated July 3, 2026

Setting Up SSH Access with Secondary ID

Tags: guide, ssh, security, secondary-id, vault, authentication, certificates, access-control, cryptography

Setting Up SSH Access Using a Secondary ID

General considerations

In order to set up secure access to servers, a few guidelines must be followed:

  • Use strong cryptography
  • Use hardened network protocols
  • Use encrypted private keys
  • Use robust authentication
  • Use standard tools that ease the burden of password or passphrase management

The first four items above take care of the technical facets of the issue, while the last one addresses the human facet by increasing the adoption of good practices.

By following this guide, you'll be able to securely connect to servers using the SSH protocol with passphrase-protected keys created with enough entropy to make them very difficult to break, and you will have to enter the key passphrase only during the initial setup and the first time you launch a shell session after a machine reboot.

Before You Start

  • Ensure that you have the UNIX MSID PRIMARY and SECONDARY ID; apply for them through secure access before proceeding.

  • Ensure the UNIX MSID YOUR_SECONDARY_MSID is added to the groups required to access the server(s) you need to connect to (e.g. sre_omni_admin_linux, cl2_sre_omni_admin_linux, cl3_sre_omni_admin_linux, etc.)

  • Depending on your access setup, you may have to set ansible_user=YOUR_SECONDARY_MSID as a host/group variable in your inventories

Omni Model for SSH with Certificates

[Figure: ssh-with-vault] The original document, written by HashiCorp, can be found here.

Here's how the workflow goes:

  1. User creates a personal SSH key pair.
  2. User authenticates to Vault with their Identity Provider (IDP) credentials.
  3. Once authenticated, the user sends their SSH public key to Vault for signing.
  4. Vault signs the SSH key and returns the SSH certificate to the user.
  5. User initiates SSH connection using the SSH certificate.
  6. Host verifies the client SSH certificate is signed by the trusted SSH CA and allows connection.
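The workflow above can be reproduced end to end on one machine, which is the quickest way to see what Vault does in steps 3 and 4 and what the host checks in step 6. The script below is an added example, not code from this guide or from HashiCorp: a throw-away local CA stands in for Vault, the key pair is generated without a passphrase purely for the demo, and the principal name YOUR_SECONDARY_MSID and all file paths are constructed. The host-side check compares the certificate's signing-CA fingerprint with the trusted CA's public key and confirms the expected principal is present, which is the same decision sshd makes with TrustedUserCAKeys.

```shell
#!/bin/sh
# Added example (not from the guide): walk steps 1, 3, 4 and 6 of the
# certificate workflow with a local CA standing in for Vault, then run the
# host-side acceptance check against both the trusted CA and a different one.
# All key names, paths and the principal YOUR_SECONDARY_MSID are constructed.

# Print the SHA256 fingerprint of a public key file.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Print the fingerprint of the CA that signed a certificate file.
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }'
}

# Return 0 if CERT was signed by TRUSTED_CA_PUB and lists PRINCIPAL, else 1.
# This mirrors the decision sshd makes with TrustedUserCAKeys.
host_accepts_cert() {
    cert=$1; trusted_ca_pub=$2; principal=$3
    [ "$(cert_signing_ca "$cert")" = "$(key_fingerprint "$trusted_ca_pub")" ] || return 1
    ssh-keygen -L -f "$cert" | grep -q "^[[:space:]]*${principal}\$" || return 1
    return 0
}

# Returns 0 when every check behaves as expected, 3 when ssh-keygen is not
# installed (nothing to demonstrate), 1 on any failure.
demo_certificate_flow() {
    command -v ssh-keygen >/dev/null 2>&1 || return 3
    d=$(mktemp -d) || return 1
    user=YOUR_SECONDARY_MSID                      # constructed principal

    # The CA key Vault would hold (no passphrase: throw-away demo key only).
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$d/ca" || return 1
    # Step 1: the user's personal key pair (passphrase-less only for the demo).
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$d/user" || return 1
    # Steps 3-4: the public key is signed with the user's ID as principal,
    # valid for one hour; the certificate lands in $d/user-cert.pub.
    ssh-keygen -q -s "$d/ca" -I "$user" -n "$user" -V +1h "$d/user.pub" || return 1

    # Step 6: the host accepts a certificate from the trusted CA.
    host_accepts_cert "$d/user-cert.pub" "$d/ca.pub" "$user" || { rm -rf "$d"; return 1; }

    # A certificate whose signer is not the trusted CA must be refused.
    ssh-keygen -q -t ed25519 -N '' -C 'other-ca' -f "$d/other" || return 1
    if host_accepts_cert "$d/user-cert.pub" "$d/other.pub" "$user"; then
        rm -rf "$d"; return 1
    fi
    # A principal the certificate does not carry must be refused too.
    if host_accepts_cert "$d/user-cert.pub" "$d/ca.pub" root; then
        rm -rf "$d"; return 1
    fi

    rm -rf "$d"
    return 0
}

# Stand-alone run: report the outcome.
demo_certificate_flow
rc=$?
case $rc in
    0) echo "local CA demo: host-side checks behave as expected" ;;
    3) echo "local CA demo skipped: ssh-keygen not installed" ;;
    *) echo "local CA demo FAILED (rc=$rc)" ;;
esac
```

Inspecting the certificate with `ssh-keygen -L -f user-cert.pub` also shows the validity window set by `-V`, which is the property that makes a compromised signed key a bounded problem rather than a permanent one.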

Procedure

1. SSH Key Pair Provisioning and Setup

When issuing the commands below, replace YOUR_SECONDARY_MSID with your actual secondary MSID.

A good passphrase is:

  • Easy to remember and hard to guess
  • At least 12 characters long
  • At least 1 uppercase letter, 1 lowercase letter, 1 digit and 1 special character
  • Example: Lex:1&Yacc:2

# Generate a strong RSA key; choose a STRONG passphrase when prompted
ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa"

# Keep a copy of the private key in OpenSSH format, as the next step rewrites the file in place
cp "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa" "$HOME/.ssh/YOUR_SECONDARY_MSID.openssh.id_rsa"

# Rewrite the private key in PEM format. -p re-encrypts the key: enter the current passphrase,
# then the SAME passphrase at the "new passphrase" prompt (an empty answer leaves the key unencrypted)
ssh-keygen -p -m PEM -f "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa"

# Start the SSH agent and export its socket into this shell
eval "$(ssh-agent)"

# Add the private key to the agent. You will be prompted for the key's passphrase
ssh-add "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa"
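Two pre-flight checks worth running around step 1, written here as an added example rather than code from this guide: one enforces the passphrase rules listed above, the other confirms that a PEM-format private key (what `ssh-keygen -p -m PEM` writes) still carries a passphrase, which catches the case where an empty answer at the "new passphrase" prompt silently stripped it. The sample key files are constructed and contain placeholder text, not key material.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks for step 1.
# check_passphrase enforces the guide's passphrase rules; pem_key_is_encrypted
# checks that a PEM private key is still passphrase-protected. Sample files
# are constructed below with placeholder contents, not real keys.

# Return 0 if $1 meets the rules (12+ chars, upper, lower, digit, special);
# otherwise print every rule it misses, one per line, and return 1.
check_passphrase() {
    p=$1
    fail=0
    [ "${#p}" -ge 12 ] || { echo "shorter than 12 characters"; fail=1; }
    case $p in *[[:upper:]]*) ;; *) echo "no uppercase letter"; fail=1 ;; esac
    case $p in *[[:lower:]]*) ;; *) echo "no lowercase letter"; fail=1 ;; esac
    case $p in *[[:digit:]]*) ;; *) echo "no digit"; fail=1 ;; esac
    case $p in *[[:punct:]]*) ;; *) echo "no special character"; fail=1 ;; esac
    return $fail
}

# Return 0 if the PEM RSA private key in $1 is passphrase-protected.
# An encrypted traditional PEM key carries "Proc-Type: 4,ENCRYPTED" and a
# "DEK-Info:" header; one that lost its passphrase has neither.
# Returns 2 if the file is not a PEM RSA private key (or cannot be read).
pem_key_is_encrypted() {
    grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1" 2>/dev/null || return 2
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info:' "$1"
}

# Write two constructed sample files (placeholder base64, no key material)
# into a temp directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'UExBQ0VIT0xERVI=' '-----END RSA PRIVATE KEY-----' > "$d/encrypted.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'UExBQ0VIT0xERVI=' '-----END RSA PRIVATE KEY-----' > "$d/plain.pem"
    echo "$d"
}

# Stand-alone run: the guide's example passphrase, a weakened variant, and
# both sample key files.
check_passphrase 'Lex:1&Yacc:2' && echo 'Lex:1&Yacc:2: accepted'
check_passphrase 'lex:1&yacc:2' || echo 'lex:1&yacc:2: rejected'
samples=$(make_samples)
pem_key_is_encrypted "$samples/encrypted.pem" && echo 'encrypted.pem: passphrase present'
pem_key_is_encrypted "$samples/plain.pem" || echo 'plain.pem: NO passphrase'
rm -rf "$samples"
```

To run the second check against your real key: `pem_key_is_encrypted "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa" || echo "key is not encrypted"`. The OpenSSH-format copy made before the conversion does not use these headers, so the check deliberately reports 2 for it rather than a false "not encrypted".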

Now that your public and private keys are created, a few guidelines should be followed:

  • Never disclose the key's passphrase
  • Never place a copy of the private key on any server's file system or cloud storage platform
  • You may place a copy of the private key on EIS-approved secure vaulted storage like Optum's hosted CyberArk EPV/PAM or HashiCorp Vault

2. User authenticates to Vault

Log in to HashiCorp Vault with your MS Primary user ID and navigate to the place you're supposed to be, but I don't know offhand.

3. Vault your Public Key

Once logged in, upload your public key and have Vault sign and return it to you.

4. Distribute your Signed Public Key via Ansible/AWX

Load your SSH key into the Ansible Mega SSH Blaster Playbook vars/config, either locally or for AWX, and let 'er buck.

5. Validate SSH key works to login via your secondary on sample hosts

just as it says - flesh this out

6. Daily Ops - SSH-AGENT Initialization - Do once per boot

The ssh-agent's cache of unlocked private keys does not survive a machine reboot, so after each reboot you will have to issue the commands below and re-enter the SSH key's passphrase.

eval "$(ssh-agent)"
ssh-add "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa"   # You will be prompted for the SSH key's passphrase here
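Running the two commands above in every new terminal starts a fresh agent each time and prompts for the passphrase again. The snippet below is an added example, not code from this guide, of an idempotent version suitable for a shell rc file: it reuses a reachable agent, starts one only when none answers, and calls ssh-add only when the key's fingerprint is not already loaded. It assumes the public key sits beside the private key with a .pub suffix, as ssh-keygen writes it.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent per-boot agent setup.
# Reuses a running agent, starts one only when none is reachable, and loads
# the key only when its fingerprint is absent, so the passphrase is asked for
# once per boot rather than once per terminal. Key path is an assumption.

# Classify the agent via the exit status of "ssh-add -l":
# 0 = keys loaded, 1 = agent running but empty, 2 = no agent reachable.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo unavailable; return 0; }
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo no-agent ;;
        *) echo unknown ;;
    esac
}

# Return 0 if the key whose public half is $1 is already held by the agent.
# Compares SHA256 fingerprints, which is how ssh-add -l identifies keys.
key_loaded() {
    fp=$(ssh-keygen -lf "$1" | awk '{ print $2 }') || return 1
    [ -n "$fp" ] || return 1
    ssh-add -l 2>/dev/null | awk '{ print $2 }' | grep -qxF "$fp"
}

# Start an agent if needed and load the private key $1 exactly once.
# Returns 3 if ssh-add is not installed, 1 if the agent cannot be started.
ensure_agent() {
    key=$1
    case $(agent_state) in
        unavailable) echo "ssh-add not found" >&2; return 3 ;;
        no-agent|unknown) eval "$(ssh-agent -s)" >/dev/null || return 1 ;;
    esac
    if key_loaded "$key.pub"; then
        echo "key already loaded: $key"
    else
        ssh-add "$key"        # prompts for the passphrase, once per boot
    fi
}

# Stand-alone run: show the current state without starting anything.
echo "agent state: $(agent_state)"
# Typical rc-file use (commented out so this script has no side effects):
# ensure_agent "$HOME/.ssh/YOUR_SECONDARY_MSID.id_rsa"
```

Because `ensure_agent` runs in the current shell (it is a function, not a script), the `eval` exports SSH_AUTH_SOCK and SSH_AGENT_PID into that shell and the agent remains usable by the ssh and ansible commands that follow.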

Test SSH access via shell and Ansible

# Test ssh access via shell
# (add -l YOUR_SECONDARY_MSID, or a Host entry in ~/.ssh/config, if your local user name differs from the secondary ID)
ssh A_SERVER "uname -a && pwd"

# Test ssh access via ansible (can be done once your signed key is already distributed)
ansible -i "A_SERVER," -b -m shell -a "uname -a && pwd" all


# In both cases the output will look like this

Linux A_SERVER 4.18.0-513.11.1.el8_9.x86_64 #1 SMP Thu Dec 7 03:06:13 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
/home/YOUR_SECONDARY_MSID