To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too.
vSSH CLI is a command line utility designed to simplify generation and enrollment of machine identities for SSH access. System administrators can enroll SSH certificates from Palo Alto Networks SSH Manager and use them to connect to their infrastructure. vSSH CLI can be used to enroll SSH certificates for applications and hosts.
vSSH CLI releases are tested using the latest version of Palo Alto Networks SSH Manager. General functionality of the latest vSSH CLI release should be compatible with SSH Manager 21.4 or higher.
Use these to quickly jump to a relevant section:
- Installation of vSSH CLI
- Initial configuration
- Using the vSSH CLI
- Tutorials of using vSSH CLI with SSH Manager
Download the appropriate archive from the latest release and extract it manually.
- Linux x64 (zip)
- Linux ARM64 (zip)
- macOS x64 (zip)
- macOS ARM64 (zip)
- Windows x64 (zip)
- Windows x86 (zip)
Every release includes a checksums.txt file containing SHA-256 hashes for all
release artifacts, a checksums.txt.bundle cosign signature bundle, and a
CycloneDX SBOM (sbom.cdx.json).
1. Verify the checksum of a downloaded archive:
# Download checksums.txt from the same release
sha256sum --check --ignore-missing checksums.txt2. Verify the cosign signature on the checksums file:
cosign verify-blob \
--bundle checksums.txt.bundle \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github\.com/[Vv]enafi/vssh-cli/' \
checksums.txtThe examples bellow applies to the latest version of vSSH CLI.
- Create a configuration profile in vSSH CLI, so that you can use vSSH CLI without passing any parameters to the
vsshcommand.
user@workstation:~$ vssh profile configure --url tpp.example.com --user alice --template-login "Users - Web Admins"
? Profile name: default
? Service URL: tpp.example.com
? Username for authentication: alice
? [Login Operation] Template name: Users - ENG Admins
? [Enroll Operation] Template name:
? Do you want to configure more settings? No
? Do you want to save the configuration (as 'default')? Yes
Configuration profile 'default' was successfully saved.- Enroll an SSH certificate for interactive logins. Before you perform the step below you need to complete the prerequisites to use vSSH CLI with SSH Manager
user@workstation:~$ vssh login
Logging in as alice...
? Enter password for user alice: [? for help] ************
Authenticating...
Logged in as alice
One template (Users - Web Admins) found. Using it.
Your identity is alice
Your role is Users - Web Admins (expires in 12 hours)
Credentials have been added to your OpenSSH agent.
Now you can perform SSH logins to remote servers.- Open an interactive SSH session to a remote host.
user@workstation:~$ ssh alice@web.example.com
Linux web.example.com 5.10.0-10-amd64
You have new mail.
Last login: Tue May 17 13:20:12 2022 from 172.17.254.151
alice@web:~$ Copyright © 2026 Palo Alto Networks, Inc. All rights reserved.
vSSH CLI is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.
Please direct questions/comments to security@venafi.com.