
FS SSH Key Deployment - Jump Box Setup Process

Overview

This document covers the process for deploying your SSH public key to jump box/proxy hosts so that Royal TS and terminal sessions can authenticate via key-based auth instead of a password. All jump boxes are running RHEL 8.x or 9.x derivatives (RHEL, SUSE Liberty Linux, AlmaLinux, Rocky Linux).

Note: The .ssh directory does not get auto-created on RHEL 8 or 9 on first login. This is expected behavior and is handled automatically by the commands below.


Jump Box Key Architecture

All key relationships use your local machine's public key (id_ed25519.pub). The jump box acts as both a destination and a staging/distribution point for your key.

Inbound (Your Machine to Jump Box)
Your public key is placed in ~/.ssh/authorized_keys on the jump box. This allows you and Royal TS to connect to the jump box via key auth.

Outbound (Jump Box to Destination Servers)
Your same public key, stored as ~/.ssh/id_ed25519.pub on the jump box, is pushed to destination servers at that site. This allows you to authenticate to those servers using the same key.

Correct file layout on a configured jump box:

~/.ssh/
  authorized_keys      # Your public key - allows inbound connection from your machine
  id_ed25519.pub       # Your public key staged here for distribution to destination servers

Prerequisites

  • Your SSH keypair is already generated on your local machine (~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub)
  • The same keypair is configured in Royal TS as a credential
  • Git for Windows is installed, providing ssh-copy-id via Git Bash
  • Windows Terminal is configured with a Git Bash profile (see below)
  • Password authentication is enabled on the target jump box (required for initial bootstrap only)
  • You have your admin account credentials for the jump box

One-Time Setup: Add Git Bash to Windows Terminal

ssh-copy-id is a bash script and will not run in PowerShell. It must be run from a Git Bash shell. Follow these steps to add Git Bash as a profile in Windows Terminal:

  1. Open Windows Terminal
  2. Click the dropdown arrow next to the + button on the tab bar
  3. Click Settings
  4. In the left sidebar, click Add a new profile
  5. Click New empty profile
  6. Fill in the following fields:
       • Name: Git Bash
       • Command line: C:\Program Files\Git\bin\bash.exe -i -l
       • Starting directory: %USERPROFILE%
       • Icon: C:\Program Files\Git\mingw64\share\git\git-for-windows.ico
  7. Click Save

Git Bash will now appear in the Windows Terminal tab dropdown. All ssh-copy-id commands in this document must be run from a Git Bash tab.


Step 1: Deploy Your Public Key to the Jump Box

Open a Git Bash tab in Windows Terminal. Run the following command, substituting your username and the jump box hostname. You will be prompted for your password once.

ssh-copy-id -f -i ~/.ssh/id_ed25519.pub YOUR_USERNAME@JUMPBOX_HOST

Note: The -f flag is required because the private key (id_ed25519) only lives on your local machine and is not present on the jump box. Without -f, ssh-copy-id will refuse to copy the public key if it cannot find the corresponding private key.

This automatically handles .ssh directory creation, correct permissions, and writing your key to authorized_keys.

Next, SSH into the jump box to stage your public key for outbound distribution to destination servers:

ssh YOUR_USERNAME@JUMPBOX_HOST "cat ~/.ssh/authorized_keys > ~/.ssh/id_ed25519.pub"

Step 2: Verify Key Authentication Works

ssh YOUR_USERNAME@JUMPBOX_HOST

You should connect without being prompted for a password. If you are still prompted, see the Troubleshooting section.
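Added example for Steps 1 and 2, not part of this document and not code from Royal TS or Git for Windows. The cat ~/.ssh/authorized_keys > ~/.ssh/id_ed25519.pub command in Step 1 copies every line of authorized_keys, so if the jump box account already carries other people's or automation keys, Step 4 would push those along with yours. The stage_own_key function below (a name chosen here) keeps only the entry whose key type and key material match your local id_ed25519.pub, drops any options prefix such as from="...", and refuses to write the staged file if it finds zero or more than one match. verify_key_auth is the Step 2 check in non-interactive form. The authorized_keys contents and key material in the self-test are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original document). Functions for Steps 1 and 2;
# stage_own_key is meant to run on the jump box, verify_key_auth from Git Bash.

# stage_own_key AUTHORIZED_KEYS OUT_FILE KEY_TYPE KEY_BLOB
#   Writes to OUT_FILE only the authorized_keys entry whose key type and base64
#   key material equal KEY_TYPE / KEY_BLOB (fields 1 and 2 of your local
#   id_ed25519.pub). The comment field is ignored when matching because it can
#   differ between copies of one key, and any options prefix (from="...",
#   command="...") is dropped from the staged line. Returns 1 if the key is
#   missing (rerun ssh-copy-id) or present more than once (clean up first).
stage_own_key() {
    auth_keys=$1; out=$2; key_type=$3; key_blob=$4

    # awk always exits 0, so this assignment is safe under "set -e".
    matched=$(awk -v t="$key_type" -v b="$key_blob" '
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blanks
        {
            for (i = 1; i < NF; i++) {
                if ($i == t && $(i + 1) == b) {
                    line = t " " b                        # type + key material
                    for (j = i + 2; j <= NF; j++) line = line " " $j   # comment
                    print line
                    next
                }
            }
        }' "$auth_keys")
    count=$(printf '%s\n' "$matched" | awk 'NF { n++ } END { print n + 0 }')

    case $count in
        0) echo "stage_own_key: $key_type key not found in $auth_keys; rerun ssh-copy-id" >&2
           return 1 ;;
        1) ;;
        *) echo "stage_own_key: $count entries in $auth_keys match your key; remove the duplicates" >&2
           return 1 ;;
    esac
    # A public key is not secret; 0644 is fine and ssh-copy-id only reads it.
    (umask 022 && printf '%s\n' "$matched" > "$out")
}

# verify_key_auth USER@HOST
#   Step 2 check. BatchMode=yes makes ssh fail instead of falling back to a
#   password prompt, so a non-zero exit means key auth is not working yet.
verify_key_auth() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 "$1" true
}

# selftest_stage_own_key
#   Offline check on a CONSTRUCTED authorized_keys (placeholder key material,
#   not real keys): the second entry carries a from= option and must be the
#   only line written; an unknown key and a duplicated key must be rejected.
selftest_stage_own_key() {
    tmp=$(mktemp -d) || return 1
    mine='AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000001'
    printf '%s\n' \
        '# constructed sample authorized_keys' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000 colleague@laptop' \
        "from=\"10.0.0.0/8\" ssh-ed25519 $mine youruser@workstation" > "$tmp/authorized_keys"
    cat "$tmp/authorized_keys" "$tmp/authorized_keys" > "$tmp/duplicated"

    stage_own_key "$tmp/authorized_keys" "$tmp/staged" ssh-ed25519 "$mine" || return 1
    [ "$(cat "$tmp/staged")" = "ssh-ed25519 $mine youruser@workstation" ] || return 1
    ! stage_own_key "$tmp/authorized_keys" "$tmp/x" ssh-ed25519 NOTTHERE 2>/dev/null || return 1
    ! stage_own_key "$tmp/duplicated" "$tmp/y" ssh-ed25519 "$mine" 2>/dev/null || return 1
    rm -rf "$tmp"
}

# Remote invocation from Git Bash, assuming this file is saved as stage_key.sh:
# the script is piped to sh on the jump box and the key fields come from your
# local public key. (ssh-copy-id from Step 1 must already have run.)
#   ssh YOUR_USERNAME@JUMPBOX_HOST "sh -s -- ~/.ssh/authorized_keys ~/.ssh/id_ed25519.pub \
#       $(awk '{print $1, $2}' ~/.ssh/id_ed25519.pub)" < stage_key.sh
if [ "$#" -eq 4 ]; then
    stage_own_key "$@"
fi
```

Matching on type plus key material rather than the whole line is deliberate: ssh-copy-id appends the local file verbatim, so the comment on the jump box copy is whatever your workstation wrote, while an entry added by hand or by automation may carry a different comment or an options prefix for the same key.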


Step 3: Configure Royal TS

  1. Open Royal TS and navigate to your SSH connection entry for the jump box
  2. Under Credentials, select the credential containing your id_ed25519 private key
  3. Ensure the username matches the account used in the steps above
  4. Test the connection -- it should authenticate via key with no password prompt

Step 4: Push Your Key from the Jump Box to Destination Servers

Log into the jump box first, then use ssh-copy-id to push your staged public key to each destination server.

Note: The -f flag is required here for the same reason as Step 1 -- the private key does not exist on the jump box, only the public key. Password auth must also still be enabled on destination servers for the initial push. Once the key is in place, password auth is no longer needed for your account on that host.

Single server:

ssh-copy-id -f -i ~/.ssh/id_ed25519.pub YOUR_USERNAME@DESTINATION_HOST

Multiple servers via loop:

for host in server1.example.com server2.example.com server3.example.com; do
    echo "Deploying to $host..."
    ssh-copy-id -f -i ~/.ssh/id_ed25519.pub YOUR_USERNAME@$host
done

Repeating for Additional Jump Boxes

For each additional jump box, repeat Steps 1 and 2 with the new hostname. The same key and same commands apply -- only the hostname changes.


Troubleshooting

Still being prompted for a password after running ssh-copy-id

Check permissions on the jump box:

ls -ld ~/.ssh
ls -l ~/.ssh/authorized_keys

Expected output:

drwx------. 2 youruser youruser   29 May  8 10:00 .ssh
-rw-------. 1 youruser youruser  571 May  8 10:00 authorized_keys

If permissions are wrong, fix them:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Verify your key content is actually in the file:

cat ~/.ssh/authorized_keys

It should contain a line starting with ssh-ed25519.

SELinux blocking key auth on RHEL 8 or 9

RHEL 8 and 9 both enforce SELinux by default. If permissions look correct but key auth still fails, check for SELinux denials:

sudo ausearch -m avc -ts recent | grep sshd

If SELinux is the issue, restore the correct context:

restorecon -Rv ~/.ssh

Check sshd logs for details

sudo journalctl -u sshd -n 50

Look for lines referencing your username together with "Authentication refused" or "bad ownership or modes".
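Added example for the troubleshooting section, not part of this document: a script to run on the jump box as the affected user that performs the permission, ownership, key-content and SELinux checks above in one pass. Before it will read authorized_keys, sshd's default StrictModes setting requires the home directory, ~/.ssh and authorized_keys to be owned by the user and not group- or world-writable; a violation is what produces the "bad ownership or modes" log line, and the check reports it as a FAIL. The document's tighter targets (700 on ~/.ssh, 600 on authorized_keys) are reported as WARNs. The function names are chosen here; the script relies on GNU stat (%a and %u) as shipped on RHEL-family hosts, and the SELinux check is a dry run (restorecon -n) of the fix given above.

```shell
#!/bin/sh
# Added example (not from the original document): checks for the "still
# prompted for a password" case, run on the jump box as the affected user.

# mode_of PATH -> octal mode as printed by GNU stat, e.g. 700 or 1777
mode_of() { stat -c '%a' "$1"; }

# group_world_writable MODE -> exit 0 if the group or other write bit (2) is set
group_world_writable() {
    printf '%s\n' "$1" | awk '{
        n = length($0); g = substr($0, n - 1, 1); o = substr($0, n, 1)
        exit (int(g / 2) % 2 == 1 || int(o / 2) % 2 == 1) ? 0 : 1
    }'
}

# check_ssh_perms [HOME_DIR]   (defaults to $HOME)
#   Exit 0 when nothing was found that makes sshd ignore authorized_keys.
#   FAIL = blocks key auth under sshd StrictModes; WARN = looser than this
#   document's expected 700/600 but not by itself a blocker.
check_ssh_perms() {
    home=${1:-$HOME}
    me=$(id -u)
    rc=0

    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $p does not exist (rerun ssh-copy-id)"
            rc=1
            continue
        fi
        if [ "$(stat -c '%u' "$p")" != "$me" ]; then
            echo "FAIL: $p is not owned by uid $me (sshd logs 'bad ownership or modes')"
            rc=1
        fi
        if group_world_writable "$(mode_of "$p")"; then
            echo "FAIL: $p is group/world writable, mode $(mode_of "$p") (sshd logs 'bad ownership or modes')"
            rc=1
        fi
    done

    if [ -d "$home/.ssh" ] && [ "$(mode_of "$home/.ssh")" != 700 ]; then
        echo "WARN: ~/.ssh is mode $(mode_of "$home/.ssh"), expected 700 (chmod 700 ~/.ssh)"
    fi
    if [ -f "$home/.ssh/authorized_keys" ]; then
        if [ "$(mode_of "$home/.ssh/authorized_keys")" != 600 ]; then
            echo "WARN: authorized_keys is mode $(mode_of "$home/.ssh/authorized_keys"), expected 600"
        fi
        # The base64 of every ed25519 public key begins with this prefix, and the
        # entry may sit after an options prefix, so do not anchor to line start.
        if ! grep -Eq '(^|[[:space:]])ssh-ed25519 AAAAC3NzaC1lZDI1NTE5' "$home/.ssh/authorized_keys"; then
            echo "FAIL: no ssh-ed25519 entry in authorized_keys (rerun ssh-copy-id)"
            rc=1
        fi
    fi
    return $rc
}

# check_selinux_labels [HOME_DIR]
#   Dry run of the restorecon fix: -n changes nothing, -v lists what it would
#   relabel. Exit 0 when no relabel is needed or the SELinux tools are absent.
check_selinux_labels() {
    home=${1:-$HOME}
    command -v restorecon >/dev/null 2>&1 || return 0
    pending=$(restorecon -nvR "$home/.ssh" 2>/dev/null)
    if [ -z "$pending" ]; then
        return 0
    fi
    echo "FAIL: SELinux labels under ~/.ssh need resetting (run: restorecon -Rv ~/.ssh)"
    printf '%s\n' "$pending"
    return 1
}
```

Run it as check_ssh_perms && check_selinux_labels on the jump box; an exit of 0 from both means the remaining cause is elsewhere (the client side or sshd configuration), which is when the journalctl output above becomes the next place to look.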