Note: When a host has multiple hostnames, your users will only be able to ssh to the canonical $hostname, as shown by the step ssh hosts command.
If you need multiple hostnames in your host certificate (e.g., public and private hostnames, or a hostname and an IP address), you can pass each of them to step ssh certificate via the --principal flag:
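After issuing a certificate with several principals, you can read the names back to confirm each one is present. The script below is an added example, not part of the original guide or the step tooling: it parses ssh-keygen -L output and checks that every expected name is listed as a principal. The certificate listing, hostnames and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: read principals back from `ssh-keygen -L` output.

# Constructed sample of `ssh-keygen -L -f <host-cert.pub>` output (all values made up).
sample_cert_listing() {
cat <<'EOF'
ssh_host_ecdsa_key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
        Public key: ECDSA-CERT SHA256:CONSTRUCTED-SUBJECT-KEY-FINGERPRINT
        Signing CA: ECDSA SHA256:CONSTRUCTED-CA-FINGERPRINT (using ecdsa-sha2-nistp256)
        Key ID: "web01.example.com"
        Serial: 1234
        Valid: from 2024-01-01T00:00:00 to 2024-01-31T00:00:00
        Principals: 
                web01.example.com
                web01.internal.example
                10.0.0.5
        Critical Options: (none)
        Extensions: (none)
EOF
}

# Print one principal per line from an `ssh-keygen -L` listing on stdin.
# The section ends at "Critical Options:" (IPv6 principals contain colons,
# so a generic "Label:" pattern cannot be used as the terminator).
cert_principals() {
    awk '
        /^[ \t]*Principals:/       { in_p = 1; next }
        /^[ \t]*Critical Options:/ { in_p = 0 }
        in_p { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 != "") print }
    '
}

# Succeed only if every argument is a principal of the listing on stdin;
# names that are missing are reported on stderr.
principals_cover() {
    listed=$(cert_principals)
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$listed" | grep -Fxq -- "$name"; then
            echo "not a principal: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Real use: ssh-keygen -L -f <host-cert.pub> | principals_cover name1 name2
sample_cert_listing | principals_cover web01.example.com 10.0.0.5 && echo "all names covered"
```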
This command will add a few lines of configuration to the end of your /etc/ssh/sshd_config to enable certificate authentication. These lines are annotated with a comment that says # autogenerated by step @ <timestamp> so you can identify them later if you need to modify or revert these changes.
Step 7. Activate PAM/NSS Modules & HUP SSHD
step-ssh activate "$hostname"
The step-ssh activate command will leverage a short-lived identity certificate to authenticate itself to the host inventory.
Step 8. Register the host and add tag(s)
This command will leverage the host identity certificate to authenticate itself to the host inventory.
step-ssh-ctl register --hostname "$hostname"
Registering a host with host tags
For access control in multi-user environments, host tags can be assigned via the --tag flag.
You can rerun step-ssh-ctl register multiple times to rename the host, replace its tags, or change the bastion settings. Note: This command replaces all existing tags and bastion settings for a host.
Registering a bastion host (jump box)
If the host you're registering is a bastion, add the --is-bastion flag: