SSH Access

Secure SSH access with certificate-based authentication, session recording, and fine-grained RBAC. No more managing SSH keys or authorized_keys files.

Estimated time: 15 minutes

Key Features

  • Certificate Auth: Short-lived SSH certificates instead of static keys
  • RBAC: Fine-grained access control by role and labels
  • Session Recording: Record and replay all SSH sessions
  • SSO Integration: Use your existing identity provider

Setup Steps

1. Deploy SSH Agent

Install the TigerAccess agent on servers you want to access.

# Install agent (-f makes curl fail on an HTTP error instead of piping an error page to sh)
curl -fsSL https://get.tigeraccess.io/agent | sh

# Start agent and connect to auth server
tigeraccess start --roles=agent \
  --auth-server=auth.company.com:3025 \
  --labels=env=production,team=platform

2. Configure SSH Access Role

Define who can access which servers with what permissions.

tacctl create -f - <<EOF
kind: role
metadata:
  name: developer
spec:
  allow:
    logins: [ubuntu, ec2-user]
    node_labels:
      env: [dev, staging]
      team: ["{{internal.logins}}"]

  options:
    max_session_ttl: 8h
    forward_agent: true
EOF

3. Enable Session Recording

Record all SSH sessions for audit and compliance.

tacctl create -f - <<EOF
kind: role
metadata:
  name: audited-access
spec:
  options:
    record_session:
      default: strict
      ssh: strict

    enhanced_recording:
      enabled: true
      command: true
      network: true
EOF

4. Login and Connect

Authenticate and access servers via SSH.

# Login to get a certificate
tac login --proxy=access.company.com

# List available servers
tac ls

# Connect to a server
tac ssh user@server-name

# Or use native SSH client
tac config --proxy=access.company.com
ssh user@server.company.com

5. Configure SSH Config (Optional)

Set up your SSH config for seamless access.

# Generate SSH config
tac config > ~/.ssh/tigeraccess.conf

# Add to ~/.ssh/config
Host *.company.com
    Include ~/.ssh/tigeraccess.conf

# Now use standard SSH
ssh user@prod-server.company.com
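
To confirm that issued certificates really are short-lived and limited to the logins a role allows, the following added example (not TigerAccess code) parses an Ed25519 OpenSSH user certificate, following the field order in OpenSSH's PROTOCOL.certkeys, and audits its principals and validity window. Assumptions: the `developer` role's `logins` and its 8h `max_session_ttl` are used as the expected principals and lifetime ceiling, the sample blobs are constructed and unsigned, and the signature is not verified.

```python
import struct

def _read(buf, off):
    """Read one SSH wire string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(blob):
    """Parse the base64-decoded key field of an ssh-ed25519-cert-v01 *-cert.pub line."""
    ktype, off = _read(blob, 0)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an Ed25519 OpenSSH certificate")
    for _ in range(2):                       # skip nonce and public key
        _, off = _read(blob, off)
    _key_id, off = _read(blob, off + 12)     # skip uint64 serial and uint32 type
    plist, off = _read(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _read(plist, p)
        principals.append(name.decode())
    return {"principals": principals, "after": after, "before": before}

def audit(cert, allowed_logins, max_ttl, now):
    """Return policy violations; an empty list means the certificate passes."""
    extra = sorted(set(cert["principals"]) - set(allowed_logins))
    checks = [
        (not cert["after"] <= now < cert["before"], "outside validity window"),
        (cert["before"] - cert["after"] > max_ttl, "lifetime exceeds max TTL"),
        (not cert["principals"], "no principals: valid for any login"),
        (bool(extra), "unexpected principals: " + ",".join(extra)),
    ]
    return [msg for failed, msg in checks if failed]

def sample_cert(principals, after, before):
    """Constructed, unsigned sample blob: dummy nonce/key, cut off after validity."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return (s(b"ssh-ed25519-cert-v01@openssh.com") + s(bytes(32)) + s(bytes(32))
            + struct.pack(">QI", 1, 1) + s(b"alice")
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", after, before))

if __name__ == "__main__":
    now = 1_700_000_000                      # constructed "current" time
    for names, end in ((["ubuntu"], now + 3600), (["ubuntu", "root"], 2**64 - 1)):
        cert = parse_cert(sample_cert(names, now - 60, end))
        print(names, audit(cert, ["ubuntu", "ec2-user"], 8 * 3600, now))
```

For a real certificate, pass `base64.b64decode()` of the second whitespace-separated field of the `*-cert.pub` file to `parse_cert`. A `valid_before` of 2^64-1 means the certificate never expires, which the lifetime check flags.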

CLI Commands

Command                                   Description
tac ssh user@host                         Connect to a server via SSH
tac ls                                    List available servers
tac ls --labels=env=prod                  Filter servers by labels
tac scp file.txt user@host:/path          Copy files via SCP
tac ssh user@host -L 8080:localhost:80    Port forwarding
tac join session-id                       Join an active session

SSH Access Configured

With SSH access configured, you have:

  • Certificate-based authentication (no more SSH keys)
  • Role-based access control for all servers
  • Session recording for compliance
  • Compatibility with the native SSH client