Log in with SSH

Server configuration

To enable SSH access with authd you must configure sshd and the broker.

SSH configuration

To configure SSH, create a file /etc/ssh/sshd_config.d/authd.conf with the following content:

UsePAM yes
KbdInteractiveAuthentication yes

Alternatively, you can directly set the keys in the sshd configuration file /etc/ssh/sshd_config.

Then restart the SSH server:

sudo systemctl restart ssh

Broker configuration

To configure the broker, edit the file /var/snap/authd-msentraid/current/broker.conf and set the key ssh_allowed_suffixes to the list of domains that you want to allow.

[oidc]
issuer = https://login.microsoftonline.com/<ISSUER_ID>/v2.0
client_id = <CLIENT_ID>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
# home_base_dir = /home

# The username suffixes that are allowed to log in via ssh without already existing on the system.
# The suffixes must be separated by commas.
ssh_allowed_suffixes = <ALLOWED DOMAINS>

You can set several domains separated by a comma. For instance:

ssh_allowed_suffixes = @example.com,@ubuntu.com
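As an added check after completing the two steps above (an example script, not part of authd or its documentation), the following POSIX shell functions verify that sshd will see the two keywords and that a username's suffix is on the broker's allow list. They take config files as arguments; the paths in the final block are the ones from this page, and sample config files are constructed only in the accompanying checks.

```shell
#!/bin/sh
# Added example, not part of authd or its documentation. Two checks on the
# set-up described above, run against the config files passed as arguments:
# the effective value of an sshd keyword (sshd uses the FIRST occurrence it
# reads, and Ubuntu's sshd_config includes sshd_config.d/*.conf near the top,
# so pass those files first), and whether a username carries one of the
# broker's ssh_allowed_suffixes. "Keyword=value" and Match blocks are not parsed.

# sshd_effective KEYWORD FILE... : print the first value found for KEYWORD
# (case-insensitive) across FILEs in order, skipping comments and blank lines.
sshd_effective() {
    key=$1; shift
    cat "$@" | awk -v k="$key" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# broker_suffixes FILE : print the ssh_allowed_suffixes value from the [users]
# section of broker.conf; prints nothing if it is unset or only commented out.
broker_suffixes() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^[[:space:]]*\[/ { sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec); next }
        sec == "users" && $0 ~ /^[[:space:]]*ssh_allowed_suffixes[[:space:]]*=/ {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }' "$1"
}

# suffix_allowed USERNAME FILE : exit 0 if USERNAME ends with one of the
# comma-separated suffixes in FILE, else 1. The match is a plain string suffix,
# so keep the leading "@" in each entry: "@example.com" does not match
# alice@notexample.com, whereas a bare "example.com" would.
suffix_allowed() {
    user=$1
    broker_suffixes "$2" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$' |
    (
        while IFS= read -r s; do
            case $user in *"$s") exit 0 ;; esac
        done
        exit 1
    )
}

# Stand-alone use on a host set up as above (skipped if the files are absent).
broker=/var/snap/authd-msentraid/current/broker.conf
if [ -r /etc/ssh/sshd_config ] && [ -r "$broker" ]; then
    echo "KbdInteractiveAuthentication: $(sshd_effective KbdInteractiveAuthentication /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config)"
    echo "ssh_allowed_suffixes: $(broker_suffixes "$broker")"
fi
```

Because sshd keeps the first value it reads, a stray `KbdInteractiveAuthentication no` placed above the Include line in sshd_config would silently override authd.conf; passing the files in read order reproduces that.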

Usage

Once this is all set up, you can ssh to the server in the same way you would with any other server: ssh <username>@<host>. The format of <username> is the user handle on Entra ID, such as user@domain.tld.

For instance:

ssh user@domain.tld@remote.host

[Screenshot: terminal interface showing the option to authenticate by login code or QR scan when a user tries to ssh into the server]