How-To: Login with EZSSH

Authenticate to EZSSH using interactive browser login, Azure Managed Identity (MSI), or a service principal so you can request SSH certificates and connect to your endpoints.

Prerequisites

  1. Download and install the EZSSH client
  2. Register the Keytos application in your tenant

Authentication Methods

EZSSH supports three authentication methods. Choose the one that matches your environment.

Interactive Browser Login (Default)

The default login method opens your browser and authenticates you with your Entra ID (formerly Azure AD) account. This is the recommended method for human users working on a workstation.

ezssh login

EZSSH will open a browser window where you can sign in with your Azure AD credentials. Once authenticated, your session is cached and you will not need to log in again until the session expires.

Managed Identity (MSI)

Use this method when running EZSSH on an Azure resource (such as a VM, container, or Azure DevOps agent) that has a managed identity assigned to it. No credentials are needed — Azure provides the token automatically.

ezssh login --identity

Service Principal

Use this method for automated pipelines, CI/CD systems, or any non-interactive workload where you have a service principal registered in Azure AD.

Authenticate with a Client Secret

ezssh login --service-principal \
  --username <CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <TENANT_ID>

Parameter     Description
--username    The Application (client) ID of your service principal
--password    The client secret for your service principal
--tenant      The Azure AD tenant ID where the service principal is registered

Authenticate with a Certificate

If you prefer certificate-based authentication instead of a client secret, provide the path to a PEM certificate file:

ezssh login --service-principal \
  --username <CLIENT_ID> \
  --certificate /path/to/cert.pem \
  --tenant <TENANT_ID>

Parameter       Description
--username      The Application (client) ID of your service principal
--certificate   Path to the PEM certificate file associated with your service principal
--tenant        The Azure AD tenant ID where the service principal is registered
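
An added example, not part of the EZSSH client or its documentation: a POSIX shell helper for a pipeline step that chooses between the managed identity and service principal logins described above, using only the flags shown on this page. The EZSSH_* environment variable names are hypothetical, and the file-permission check assumes the PEM file also contains the private key.

```shell
# Added example. The EZSSH_* variable names are hypothetical; only the
# ezssh subcommand and flags are taken from the page.

# Print the `ezssh` arguments, one per line, or fail with a reason on stderr.
ezssh_login_args() {
    cert=${EZSSH_CERT_PATH:-}
    secret=${EZSSH_CLIENT_SECRET:-}
    # No service principal material: use the resource's managed identity.
    if [ -z "$cert" ] && [ -z "$secret" ]; then
        printf '%s\n' login --identity
        return 0
    fi
    if [ -n "$cert" ] && [ -n "$secret" ]; then
        echo "set EZSSH_CERT_PATH or EZSSH_CLIENT_SECRET, not both" >&2
        return 2
    fi
    if [ -z "${EZSSH_CLIENT_ID:-}" ] || [ -z "${EZSSH_TENANT_ID:-}" ]; then
        echo "EZSSH_CLIENT_ID and EZSSH_TENANT_ID are required" >&2
        return 2
    fi
    if [ -n "$cert" ]; then
        [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 3; }
        # Assumption: the PEM also holds the private key, so group and
        # others must have no access (mode 600 or 400).
        if [ "$(ls -ld "$cert" | cut -c5-10)" != "------" ]; then
            echo "$cert is accessible to group or others" >&2
            return 3
        fi
        set -- --certificate "$cert"
    else
        # A --password value can show up in local process listings while
        # ezssh runs; prefer the certificate or managed identity.
        set -- --password "$secret"
    fi
    printf '%s\n' login --service-principal \
        --username "$EZSSH_CLIENT_ID" "$@" --tenant "$EZSSH_TENANT_ID"
}

# Run the login; arguments are split on newlines so spaces survive.
ezssh_ci_login() {
    args=$(ezssh_login_args) || return $?
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $args
    set +f
    IFS=$old_ifs
    ezssh "$@"
}
```

Source the file in the pipeline step and call ezssh_ci_login; inject the EZSSH_* values from the CI system's secret store rather than writing them into the script.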

Logging Out

To log out of all cached accounts, run:

ezssh logout

To log out of a specific account only, pass the username with the -u flag:

ezssh logout -u <USERNAME>

Next Steps

Once authenticated, you can start connecting to your SSH endpoints: