Use this document to enable automatic rotation on an SSH key that uses the Ed25519 algorithm in Segura® SaaS. Once configured, Segura® generates a new Ed25519 key pair on the defined schedule, updates the public key on the target host, stores the new private key, and invalidates the previous key.
Requirements
- An admin-level account on the Segura® SaaS platform.
- A target device already registered in PAM Core, reachable from the platform.
- The target host must run OpenSSH 6.5 or later, which is the minimum version that supports the Ed25519 algorithm.
- A credential or SSH key with permission to write to the target user's ~/.ssh/authorized_keys file on the host, unless the rotated key authenticates itself.
- A password policy assigned to the SSH key, because Set a password when renew the key is required.
Procedure
- Open the SSH key registration form.
  - To configure rotation on an existing key: navigate to PAM Core > Credentials > SSH Keys, locate the key, and select Edit in the Actions column.
  - To create a new Ed25519 key and configure rotation in the same flow: navigate to PAM Core > Credentials > SSH Keys > Add.
- Set the algorithm to Ed25519. On the Information tab, open the SSH Key Algorithm dropdown and select Ed25519.
- Complete the remaining tabs as needed. Fill in the Key data, Devices, and Session settings tabs. For field-by-field details, see SSH key registration.
- Open the Key renewal tab.
- Activate the Enable automatic change toggle. Activating this toggle reveals the remaining rotation fields.
- Activate the Set a password when renew the key toggle. This field is required when automatic change is enabled.
- Choose the authentication path for the rotation operation:
  - To use the key being created or edited as the authentication key during rotation, activate the Use the key itself to connect toggle.
  - Otherwise, leave Use the key itself to connect off and select a credential or key from the Credential or SSH key for authentication dropdown.
- Click Continue. The form advances to the Review tab.
- Confirm the settings on the Review tab and submit the form. Click the Save button at the end of the page.
Confirm your results
- The key appears in the SSH Keys list with the SSH Key Algorithm column showing ED25519.
- On the next scheduled rotation, Segura® generates a new Ed25519 key pair, applies the public key to the target host, and stores the new private key. Subsequent SSH sessions through the Web Proxy and Terminal Proxy use the rotated key without further action.
- To verify a rotation operation, open the SSH key detail screen and check the events list. Each rotation event records the key type, result, timestamp, and target host. For details, see SSH keys details.
Troubleshooting
- Problem: Rotation fails with an error indicating the host does not support Ed25519.
  - Solution: Verify the target host runs OpenSSH 6.5 or later. Update the host's OpenSSH package, or change the key's SSH Key Algorithm to RSA or ECDSA (P-256) on the Information tab.
- Problem: Rotation fails with a permission error on the authorized_keys file.
  - Solution: Verify the credential or key selected in Credential or SSH key for authentication has write permission to the target user's ~/.ssh/authorized_keys file on the host.
- Problem: Rotation fails due to a network or connectivity error.
  - Solution: Verify connectivity from Segura® Platform to the target host. When rotation fails mid-operation, the previous key remains active and continues to authenticate sessions until the next scheduled attempt.
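The following is an added example, not Segura's own code: a POSIX shell pre-flight script for the target host that covers the checks the troubleshooting items above ask for (the OpenSSH 6.5 minimum, parsed from an `ssh -V` banner, and write access to authorized_keys), plus a minimal authorized_keys update in the install-new-then-retire-old order that the rotation behaviour described at the top of this page relies on. The function names, the temp-file naming and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Segura code): pre-flight checks on the target host for Ed25519
# key rotation. Function names, paths and the sample key lines below are constructed.

# Constructed sample public key lines (placeholders, not real key material).
OLD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDEROLDKEY0000000000000000000000 segura-rotation'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWKEY0000000000000000000000 segura-rotation'

# Parse the banner printed by `ssh -V` (for example "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, ...")
# and succeed only for OpenSSH 6.5 or later, the first release with Ed25519 support.
openssh_supports_ed25519() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2                      # not an OpenSSH banner at all
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 5 ]; }
}

# The rotation account must be able to rewrite authorized_keys and create a temp file
# next to it, so check both the file and its directory.
authorized_keys_writable() {
    [ -f "$1" ] && [ -w "$1" ] && [ -w "$(dirname "$1")" ]
}

# Append a public key line to $1 unless an identical line is already present.
install_public_key() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Drop every line identical to $2 from $1. Writing through a temp file and copying it
# back keeps the original file's inode and mode, which sshd's StrictModes checks.
retire_public_key() {
    tmp="$1.tmp.$$"
    grep -vxF -- "$2" "$1" > "$tmp" || true        # grep exits 1 when no line is left
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Count lines identical to $2 in $1 (prints 0 rather than failing when absent).
count_key_lines() {
    grep -cxF -- "$2" "$1" || true
}

# Rotation order that keeps the host reachable if the run aborts midway: install the
# new public key first, then retire the previous one.
rotate_authorized_key() {
    authorized_keys_writable "$1" || return 1
    install_public_key "$1" "$3" && retire_public_key "$1" "$2"
}
```

Run the two check functions on the host before enabling automatic change; a non-zero status from either one maps directly onto the first two troubleshooting items.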