Your IdP, our SSH

Seamless SSH access. Zero key management. Automated from your IdP Groups.


SSH like a professional

Manage SSH and sudo access easily in the cloud or on-premise.

Professionals know you need to SSH - but almost everyone does it wrong. With Smallstep SSH Professional, you use certificates to do SSH right. Remove the need to gather, ship, and rotate SSH public keys for all your users and hosts.

Smallstep delivers an end-to-end SSH workflow that marries modern identity providers with short-lived SSH certificates and flexible access control. At the core are step-ca, our open-source certificate authority, and our step CLI toolkit, which makes SSO for SSH a simple and elegant experience for users. Available on-premise or as a managed offering.


Single Sign-On SSH

Users type ssh [host-name] and are sent through your identity provider before connecting to the host.


Sync With Your IdP

Identity provider user groups are automatically synchronized and used for SSH access control and compliance reporting.


Access Control

Map host access to users and groups from your identity provider. Revoking a user at the identity provider removes their SSH access immediately.


SSH User Lifecycle Management

No more adding and removing POSIX users or synchronizing and auditing static public key files across your fleet of hosts.


Compliance Included

Reporting and logging of user sessions, access to hosts, and privilege escalations simplify compliance audits.

Smallstep bridges the gap between your identity provider and your servers


Try free

Get started

Seamless SSH access. Zero key management.

Build With Open Source

Roll my own

DIY single sign-on for SSH

Smallstep SSH is exactly what we needed. It's as easy as adding or removing someone in an Okta Group.


Smallstep SSH Features


Keep using SSH like you’re used to

SSO login is seamlessly integrated when required.


Managed by Smallstep or run anywhere, you choose

Your own private SSH certificate authority


Seamless SSH credential management

Ephemeral SSH certificates replace manual deployment of static keys and passwords.


POSIX user lifecycle management

Full lifecycle management of user accounts across your fleet of hosts and bastions.


Real-time access control

Central, fine-grained control of host and sudo access.


Effortless security hygiene

Short-lived certificates, generated on-demand, using your identity infrastructure.


Built on time-tested open standards

Our solution is built on top of OpenSSH, PAM, NSS, and our open source CA.


Bastion host support

Bastion hosts are transparently supported. You can SSH directly to any internal hostname.
