SSH Credentials

Overview

SSH credentials are used to authenticate when connecting to managed hosts. The platform supports two types of authentication:

  • Password - Username and password
  • SSH Key - Username and private key

Managing Credentials

Accessing Credential Manager

  1. Go to Hosts page
  2. Click Manage Credentials button
  3. The credential management modal opens

Creating a Credential

  1. Click Add New Credential
  2. Fill in the fields:
     Field            Description
     Credential Name  Descriptive name (e.g., “Production SSH Key”)
     Type             Password or SSH Key
     Username         SSH username (e.g., root, ubuntu)
     Password         (For password type) SSH password
     Private Key      (For SSH key type) Full private key content
  3. Click Create

Password Authentication

For password-based authentication:

  1. Select Password type
  2. Enter the SSH username
  3. Enter the SSH password
  4. Save the credential

SSH Key Authentication

For key-based authentication:

  1. Select SSH Key type
  2. Enter the SSH username
  3. Paste the entire private key including headers:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
...
-----END RSA PRIVATE KEY-----
  4. Save the credential

Supported key formats:

  • RSA (recommended)
  • ED25519
  • ECDSA

Deleting a Credential

  1. Find the credential in the list
  2. Click the Delete button
  3. Confirm the deletion

Warning: You cannot delete a credential that is in use by hosts. First reassign or delete those hosts.

Security Best Practices

Use SSH Keys Instead of Passwords

SSH keys provide:

  • Stronger authentication
  • No password transmission over network
  • Better audit trail
  • Easier rotation

Use Dedicated Service Account

Create a dedicated user for the platform:

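# On each managed server
sudo useradd -m -s /bin/bash haas-service
sudo mkdir -p /home/haas-service/.ssh
# mkdir under sudo leaves the directory owned by root; hand it to the account
# so sshd can read authorized_keys as haas-service
sudo chown haas-service: /home/haas-service/.ssh
sudo chmod 700 /home/haas-service/.ssh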

Grant Minimal Required Permissions

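The service account needs sudo access for hardening operations. The rule below grants passwordless sudo for every command, which makes the account equivalent to root on the host: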

# /etc/sudoers.d/haas-service
haas-service ALL=(ALL) NOPASSWD: ALL

For scan-only access (no hardening):

haas-service ALL=(ALL) NOPASSWD: /usr/bin/oscap

Rotate Credentials Regularly

  1. Generate new SSH key pair
  2. Add new public key to servers
  3. Create new credential in the platform
  4. Update hosts to use new credential
  5. Remove old public key from servers
  6. Delete old credential from platform

Protect Private Keys

  • Never share private keys
  • Use passphrase-protected keys for local storage
  • Store keys in secure vault when not in use
  • Limit access to credential management

Credential Usage

Assigning to Hosts

When creating or editing a host:

  1. Select the credential from dropdown
  2. The host will use this credential for all SSH connections

Checking Credential Works

  1. Create the credential
  2. Add a host using the credential
  3. Click Check on the host
  4. If successful, the host shows as Online

Generating SSH Key

# Ed25519 (recommended)
ssh-keygen -t ed25519 -C "haas-automation"

# RSA (4096 bits)
ssh-keygen -t rsa -b 4096 -C "haas-automation"

Copying Key to Server

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host

Viewing Private Key

cat ~/.ssh/id_ed25519

Copy the full output including BEGIN and END lines.

Troubleshooting

Authentication Failed

  1. Verify username is correct
  2. For password: check password is correct
  3. For SSH key: verify the private key matches the public key on server
  4. Check the user exists on the target server
  5. Verify SSH is enabled for this user

Permission Denied

  1. Check the user has shell access
  2. Verify sudo permissions if running hardening
  3. Check /etc/ssh/sshd_config allows this user

Key Format Error

  1. Ensure full key is pasted including BEGIN/END lines
  2. Check for extra whitespace or line breaks
  3. Verify key is in PEM format (not PPK or other formats)
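
The three checks above can be run locally on a key file before it is pasted. This is an added example, not part of the platform or its documentation; the function name check_key and the sample file are assumptions, and legacy passphrase-encrypted PEM files (Proc-Type/DEK-Info headers) are out of scope.

```shell
#!/bin/sh
# check_key FILE: print one diagnosis line; return 0 only when FILE looks like
# a complete, cleanly pasted PEM/OpenSSH private key (hypothetical helper).
check_key() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing file"; return 1; }
    # PuTTY .ppk files start with their own header and are not PEM.
    if head -n 1 "$f" | grep -q '^PuTTY-User-Key-File'; then
        echo "PPK format, export as OpenSSH or PEM first"; return 1
    fi
    # Carriage returns appear when a key passes through a Windows editor.
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings"; return 1
    fi
    # Indented lines, trailing blanks and empty lines come from copy/paste.
    if grep -Eq '^[[:space:]]|[[:space:]]$|^$' "$f"; then
        echo "extra whitespace or blank line"; return 1
    fi
    # The BEGIN label (RSA, EC, OPENSSH, ...) must be repeated on the END line.
    label=$(head -n 1 "$f" | sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p')
    [ -n "$label" ] || { echo "missing or invalid BEGIN line"; return 1; }
    [ "$(tail -n 1 "$f")" = "-----END $label-----" ] ||
        { echo "missing or mismatched END line"; return 1; }
    # Everything between the two markers must be base64 text.
    body=$(sed '1d;$d' "$f")
    [ -n "$body" ] || { echo "no key data between BEGIN and END"; return 1; }
    if printf '%s\n' "$body" | grep -Evq '^[A-Za-z0-9+/]+=*$'; then
        echo "non-base64 characters in key body"; return 1
    fi
    echo "ok: $label"
}

# Constructed sample: placeholder body (not a real key) saved with CRLF endings.
sample=$(mktemp)
printf '%s\r\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' \
    '-----END OPENSSH PRIVATE KEY-----' > "$sample"
check_key "$sample" || true
rm -f "$sample"
```

The check covers structure only: it does not parse the key or confirm that it matches the public key installed on the server.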

Host Key Verification

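The platform automatically accepts host keys on first connection (trust on first use). If a host key later changes, for example because the server was reinstalled, the connection may fail. Contact your administrator to clear the known hosts cache, and confirm that the key change was expected before it is cleared.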