SSH target

The Octopus Server can communicate with Linux targets via SSH. When using SSH for deployments to a Linux server, the Tentacle agent is not required and doesn’t need to be installed.

Configuring SSH targets

Before you configure an SSH deployment target, review the SSH target requirements and ensure your SSH deployment targets have the required packages installed.

Create an SSH account

The SSH connection you configure will use an account with either an SSH Key Pair or a Username and Password that has access to the remote host.

See accounts for instructions to configure the account.

Add an SSH connection

  1. In the Octopus Web Portal, navigate to the Infrastructure tab, select Deployment Targets and click ADD DEPLOYMENT TARGET.
  2. Choose either LINUX or MAC and click ADD on the SSH Connection card.
  3. Enter the DNS or IP address of the deployment target, i.e., or
  4. Enter the port (port 22 by default) and click NEXT.

Make sure the target server is accessible by the port you specify.

The Octopus Server will attempt to perform the required protocol handshakes and obtain the remote endpoint’s public key fingerprint automatically rather than have you enter it manually. This fingerprint is stored and verified by the server on all subsequent connections.

If this discovery process is not successful, you will need to click ENTER DETAILS MANUALLY.

  1. Give the target a name.
  2. Select which environment the deployment target will be assigned to.
  3. Choose or create at least one target role for the deployment target and click Save. Learn about target tags.
  4. Select the account that will be used for the Octopus Server and the SSH target to communicate.
  5. If entering the details manually, enter the Host, Port and the host’s fingerprint.

From Octopus Server 2024.2.6856 both SHA256 and MD5 fingerprints are supported. We recommend using SHA256 fingerprints.

You can retrieve the fingerprint of the default key configured in your sshd_config file from the target server with the following command:

ssh-keygen -E sha256 -lf /etc/ssh/ | awk '{ print $2 }'

For Octopus Server prior to 2024.2.6856 use the following:

ssh-keygen -E md5 -lf /etc/ssh/ | awk '{ print $2 }' | cut -d':' -f2-
  1. Specify whether Mono is installed on the SSH target or not to determine which version of Calamari will be installed.
  1. Click Save.

Health check

Once the target is configured, Octopus will perform an initial health check. Health checks are done periodically or on demand and ensure the endpoint is reachable, configured correctly and the required dependencies are available (e.g. tar, for more details see requirements, and ready to perform deployment tasks.

If Calamari is not present or is out-of-date, a warning will be displayed, however, Calamari will be updated when it is next required by a task.

If the SSH target is healthy, the version that is displayed is the version of the Octopus Server instance.

If the fingerprint changes after initial configuration, the next health check will update the fingerprint. If the fingerprint returned during the handshake is different to the value stored in the database, the new fingerprint will show up in the logs. If you aren’t expecting a change and you see this error it could mean you have been compromised!

Learn more about health checks and machine policies

Running scripts on SSH endpoints

You can use raw scripting to run scripts on SSH endpoints without any additional Octopus dependencies. You can set machine policies to configure health checks that only test for SSH connectivity for the target to be considered healthy.

Learn more

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Sunday, January 1, 2023