Boundary
SSH targets
This feature requires Boundary Enterprise.
SSH targets use injected application credentials to authenticate an SSH session between the client and end host. Injected credentials allow users to securely connect to remote hosts using SSH without ever possessing a valid credential for the target host. The injected credentials can be a username/password or username/private key credential from a Vault credential library, static credentials, or an SSH certificate from a Vault SSH credential library.
To set up an SSH target, you must:
- Use HCP Boundary or Boundary Enterprise
- Configure an SSH target type
- Configure credential injection for the SSH target
You can configure any networked service available with an address and port as a TCP target. Boundary must have access to the target to start a session. If your service is not publicly available, you will need to deploy a worker to give Boundary access to the target network.
Create an SSH target
The following examples use a direct target address for simplicity, but HashiCorp recommends that you configure host catalogs and host sets for scaled production deployments.
Complete the following steps to create an SSH target.
- Log in to Boundary.
- Select an org, and then select the project where you want to create a target.
- Select Targets under Project Actions.
- Click New Target.
- Complete the following fields:
  - Name: (Required) A name for identification purposes. The name must be unique.
  - Description: (Optional) An optional description of the target for identification purposes.
  - Type: (Required) Select SSH to create an SSH target.
  - Target Address: (Optional) If you are not using host catalogs and host sets, you can enter a target address instead to map the target to a single address. This must be a valid IP address or DNS name.
  - Default Port: (Required) The default port on which to connect, such as 22.
  - Aliases: (Optional) A globally-scoped unique identifier for the target, which makes the target easier to connect to using the CLI or transparent sessions. If you create an alias, click Add to assign it.
- Click Save.
Configure an injected application credential
You must configure an SSH target with an injected application credential for end users to connect to the target.
You can configure credentials for the SSH target using:
- Static credentials (username_password or ssh_private_key)
- Vault generic credential library
- Vault SSH certificate credential library
Refer to the Configure targets with credential injection page to learn how to configure a target with credential injection.
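The same two steps (create the SSH target, then attach an injected application credential) can also be expressed with the Boundary Terraform provider. This is an added example, not configuration from the original page; the resource names, username, address, and variables are assumptions, and the provider address and authentication are assumed to be configured separately.

```hcl
# Added example: all names and values below are placeholders (assumptions).
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

variable "project_scope_id" {
  description = "ID of the existing project that will hold the target"
  type        = string
}

variable "ssh_private_key" {
  description = "Private key that Boundary injects into the SSH session"
  type        = string
  sensitive   = true
}

# Static credential store scoped to the project.
resource "boundary_credential_store_static" "ssh" {
  name     = "ssh-static-store"
  scope_id = var.project_scope_id
}

# Static credential of type ssh_private_key: username plus private key.
resource "boundary_credential_ssh_private_key" "admin" {
  name                = "example-ssh-key"
  credential_store_id = boundary_credential_store_static.ssh.id
  username            = "ubuntu" # placeholder account on the end host
  private_key         = var.ssh_private_key
}

# SSH target using a direct address instead of host catalogs and host sets.
resource "boundary_target" "ssh" {
  name         = "example-ssh-target"
  description  = "SSH target with an injected application credential"
  type         = "ssh"
  scope_id     = var.project_scope_id
  address      = "ssh.example.internal" # placeholder IP address or DNS name
  default_port = 22

  # The credential is injected by Boundary and never returned to the user.
  injected_application_credential_source_ids = [
    boundary_credential_ssh_private_key.admin.id,
  ]
}
```

Terraform records the private key in its state even though the variable is marked sensitive, so restrict access to the state backend accordingly.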
Next steps
For an in-depth example of configuring SSH targets with credential injection, refer to the HCP credential injection with private Vault tutorial.
To learn how to connect to a target, refer to Connection workflows.
To use target aliases to connect to targets:
- Create a target alias
- Connect to a target using an alias
- After you set up a target alias, you can optionally configure transparent sessions for end users (HCP/ENT).