strackt docs
Browse docs

How To

SSH into a server from the CLI

Open a shell on a managed server with one command — no keys to install, no certificate flags to assemble.

SSH into a server from the CLI

strackt ssh stk-abc12345

That's the whole thing. No key to copy onto the server, no long ssh -i … -o CertificateFile=… line to assemble — strackt ssh takes your existing SSH key, gets it signed into a short-lived certificate for that server, and drops you straight into a shell.

Running commands

Open an interactive shell, or run a single command and come back:

strackt ssh stk-abc12345                 # interactive shell
strackt ssh stk-abc12345 -- hostname     # run one command and exit

The first time you connect to a server, you'll be asked once to confirm its host — the standard prompt you get the first time you SSH anywhere. After that it connects without prompting.

Choosing a key

By default the CLI uses the first usable key it finds in ~/.ssh/ (preferring an ed25519 key). To point it at a specific key:

strackt ssh stk-abc12345 --identity ~/.ssh/work_ed25519

If you don't have an SSH key at all, the CLI creates one for you automatically and uses that — there's nothing you need to set up first.

Shorter-lived access

Certificates last 4 hours by default. To request a shorter one:

strackt ssh stk-abc12345 --ttl 30m       # 30m, 1h, 2h, or 4h

The CLI caches each certificate and reuses it until it expires, so repeat connections are instant. To skip the cache and sign a fresh one:

strackt ssh stk-abc12345 --refresh

If you rotate your SSH key, every cached certificate is invalidated automatically — the next connection signs a new one.

What you need

  • A team with SSH access enabled. If it's turned off, you'll see a clear message telling you to enable it in team settings. Access is scoped to your team — a server in another team can't be reached with your token.
  • A token with SSH permission. Certificates are signed against your CLI token. If the token was created before SSH was available, you'll get a permission error — create a fresh one with strackt auth:token and try again.
  • macOS or Linux. Windows isn't supported yet.

Good to know

  • Certificates are short-lived by design — at most 4 hours. There's no way to request a longer one. That ceiling is also how access is wound down: turn SSH off for the team and outstanding certificates stop working as they expire.
  • There's a rate limit. If you sign a lot of certificates in quick succession you may briefly be asked to wait — the message tells you how long.

Was this helpful?

Related docs

Manage secrets from the CLI List, set, remove, and round-trip your environment's secrets with the strackt CLI. Manage environment variables Set the environment variables and secrets your application reads at runtime.