Agent Configuration

Configure the SSH-KLM agent for optimal operation in your environment.

Configuration File

Location: /etc/ssh-klm-agent/config.yaml

```yaml
# Server connection
server:
  url: https://ssh-klm.example.com
  token: ${SSHKLM_TOKEN}  # From environment

# Agent identification
agent:
  hostname: ${HOSTNAME}
  labels:
    environment: production
    team: platform
    datacenter: us-east-1

# Discovery settings
discovery:
  enabled: true
  interval: 1h
  paths:
    - /home/*/.ssh
    - /root/.ssh
    - /etc/ssh
  excludePaths:
    - /home/*/.ssh/known_hosts
  includeSystemKeys: true

# Rotation settings
rotation:
  enabled: true
  backupKeys: true
  backupPath: /var/lib/ssh-klm-agent/backups

# Logging
logging:
  level: info  # debug, info, warn, error
  format: json
  output: /var/log/ssh-klm-agent/agent.log

# Resource limits
resources:
  maxConcurrentScans: 2
  scanTimeout: 5m
```

Environment Variables

| Variable | Description | Default |
|---|---|---|
| SSHKLM_SERVER | Server URL | Required |
| SSHKLM_TOKEN | Registration token | Required |
| SSHKLM_LOG_LEVEL | Log verbosity | info |
| SSHKLM_CONFIG | Config file path | /etc/ssh-klm-agent/config.yaml |

Discovery Configuration

Custom Scan Paths

```yaml
discovery:
  paths:
    - /home/*/.ssh
    - /opt/apps/*/.ssh
    - /var/lib/services/*/.ssh
```

Exclude Patterns

```yaml
discovery:
  excludePaths:
    - /home/*/.ssh/known_hosts
    - /home/*/.ssh/config
    - "*.pub"  # Exclude public keys from some scans
```

Labels

Labels help organize and filter hosts:

```yaml
agent:
  labels:
    environment: production
    team: platform
    region: us-east-1
    compliance: pci-dss
```

Proxy Configuration

```yaml
server:
  proxy:
    http: http://proxy.example.com:8080
    https: http://proxy.example.com:8080
    noProxy:
      - localhost
      - 127.0.0.1
```

TLS Configuration

```yaml
server:
  tls:
    insecureSkipVerify: false  # Never true in production
    caCert: /etc/ssh-klm-agent/ca.crt
    clientCert: /etc/ssh-klm-agent/client.crt
    clientKey: /etc/ssh-klm-agent/client.key
```

Apply Configuration

```bash
# Validate config
sudo ssh-klm-agent config validate

# Reload configuration
sudo systemctl reload ssh-klm-agent

# Or restart
sudo systemctl restart ssh-klm-agent
```
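
A pre-deployment check for the security-relevant `server` settings on this page (HTTPS URL, token taken from the environment, TLS verification, client key permissions). This is an added example, not part of SSH-KLM and not a description of what `ssh-klm-agent config validate` checks. It assumes the YAML has already been parsed into a dict (for instance with PyYAML's `yaml.safe_load`); the name `lint_agent_config` and the rules are this example's own.

```python
import os
import re
import stat
from urllib.parse import urlparse

ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # e.g. ${SSHKLM_TOKEN}


def lint_agent_config(cfg):
    """Return a list of findings for a parsed SSH-KLM agent config (dict)."""
    findings = []
    server = cfg.get("server") or {}
    tls = server.get("tls") or {}

    # Plain HTTP would send the registration token in clear text.
    if urlparse(str(server.get("url", ""))).scheme != "https":
        findings.append("server.url is not https")

    # A literal token is exposed to anyone who can read the file or its backups.
    if not ENV_REF.match(str(server.get("token", ""))):
        findings.append("server.token is not an ${ENV} reference")

    # Flag any truthy value; the page's rule is "never true in production".
    if tls.get("insecureSkipVerify"):
        findings.append("server.tls.insecureSkipVerify is enabled")

    # A client cert without its key (or the reverse) cannot do mutual TLS.
    if bool(tls.get("clientCert")) != bool(tls.get("clientKey")):
        findings.append("server.tls.clientCert and clientKey must be set together")

    # The client private key should be accessible to its owner only.
    key = tls.get("clientKey")
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:
            findings.append(f"{key} has mode {mode:04o}; expected 0600 or stricter")
    return findings


# Constructed sample: a parsed config with weak settings.
WEAK = {"server": {"url": "http://ssh-klm.example.com", "token": "abc123-constructed",
                   "tls": {"insecureSkipVerify": True}}}
# Constructed sample mirroring the page's server block (TLS file paths omitted).
GOOD = {"server": {"url": "https://ssh-klm.example.com", "token": "${SSHKLM_TOKEN}",
                   "tls": {"insecureSkipVerify": False}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("good", GOOD)):
        print(name, lint_agent_config(cfg))
```

An empty list means none of these rules fired; it can run in CI before the config is shipped to hosts.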