Single Sign-On SSH

Say Goodbye to SSH Key Management

Smallstep

Pricing

Try for free for 30 days, no credit card required

$0.00

Build with open-source

  • Extend single sign-on to SSH access

  • Automatic OpenSSH configuration

  • Manual access control and host user management

Professional

$3.00

Per Host,
per Month

Self-service SaaS

  • All Open Source plus

  • Access control based upon IDP rules

  • End-to-end User lifecycle management

  • User and system event logging

Coming Soon

Self-service SaaS++

  • All Professional plus

  • Detailed shell history and session searching

  • FedRAMP, FIPS-140, and other compliance

  • Dedicated HSM, CT logs & multiple cloud regions

Request A Quote

On-Premise or Managed

  • All Compliance plus

  • Work directly with smallstep engineering

  • Custom configurations and long-term support

  • Professional services and training

Volume discounts available (1000+ hosts). Contact us.
Monthly Host pricing based on hourly metering at $0.0041 per hour.

The security benefits and time savings made it easy to justify the investment.

Open Source or Managed, You Choose
Use Smallstep SSO SSH Open Source and your existing Identity Provider (IDP) to bring single sign-on (SSO) and multi-factor authentication (MFA) to SSH access. Users SSH as normal, directly to hosts or via bastion servers, after a daily OIDC login. Setup is easy with the open-source step-cli tool, which configures (not replaces) OpenSSH on clients and hosts for certificate authentication. Read more about getting started with open source. The Professional Edition is a managed offering that takes step-ca and adds automatic access control, end-to-end user lifecycle management from IDP to Host, and event activity logging and reporting.

Compare Features

| Feature | Open Source | Professional | Compliance | On-Premise or Managed |
|---|---|---|---|---|
| Single Sign-On SSH | Y | Y | Y | Y |
| Identity Provider Authentication | Y | Y | Y | Y |
| OpenSSH Client Configuration Tool | Y | Y | Y | Y |
| Direct Connect, Bastion, and Mixed Environment support | Y | Y | Y | Y |
| Synchronize user groups from Azure AD, G Suite, and Okta | - | Y | Y | Y |
| SSHD Server Configuration Tool | - | Y | Y | Y |
| Automation | | | | |
| AWS, Azure, and Google Cloud Automation | Y | Y | Y | Y |
| Infrastructure automation (Ansible, Terraform, Puppet, Chef...) | Y | Y | Y | Y |
| Enrollment token for easy Host bootstrapping | - | Y | Y | Y |
| User command to display the list of SSH accessible Hosts | - | Y | Y | Y |
| Access Control | | | | |
| Passive revocation of terminated User accounts | Y | Y | Y | Y |
| Immediate access removal for terminated User accounts | - | Y | Y | Y |
| Enforce access to Host based on IdP User Groups | - | Y | Y | Y |
| Automatic synchronization of Users and Groups from IdP | - | Y | Y | Y |
| Host and Host Tags self-discovery | - | Y | Y | Y |
| Rules engine for User Group to Host Tag permission mapping | - | Y | Y | Y |
| Sudo privileges based on IdP rules | - | Y | Y | Y |
| User Management | | | | |
| Transparently connect via Bastion Hosts | Y | Y | Y | Y |
| Create, modify, and deactivate User accounts on managed Hosts | - | Y | Y | Y |
| Automatically create home directories on Hosts | - | Y | Y | Y |
| Best Practices | | | | |
| Short-lived Host certificates with automated renewal | Y | Y | Y | Y |
| Root certificate rotation | Y | Y | Y | Y |
| Host certificate renewal/rekey | Y | Y | Y | Y |
| Private Keys in multi-tenant KMS | - | Y | - | - |
| Private Keys in dedicated HSM with attestation | - | - | Y | Y |
| High Availability | | | | |
| Highly-available Certificate Authority (CA) | - | Y | Y | Y |
| One Cloud Region | - | Y | - | - |
| Multiple Cloud Regions | - | - | Y | Y |
| Reporting | | | | |
| User session reporting | - | Y | Y | Y |
| Session summary metrics (Host, time, etc.) | - | Y | Y | Y |
| Hosts Inventory Reporting | - | Y | Y | Y |
| User Inventory Reporting | - | Y | Y | Y |
| Logging | | | | |
| User and User Group additions, updates, and removals | - | Y | Y | Y |
| Host and Host Group additions, updates, and removals | - | Y | Y | Y |
| Host access | - | Y | Y | Y |
| Session summary metrics (Host, time, etc.) | - | Y | Y | Y |
| Sudo privilege escalations | - | Y | Y | Y |
| Compliance | | | | |
| Searchable shell history | - | - | Y | Y |
| Certificate Transparency service | - | - | Y | Y |
| FIPS-140 Compliance | - | - | Y | Y |
| FedRAMP Compliance | - | - | Y | Y |
| Support | | | | |
| Releases | Community | Current Release | N-1 Minor Release | 18 Months |
| Channels | Community | Ticket | Ticket | Phone, Ticket, Slack |
| Availability | Community | 48-hour Response | 24-hour Response | 24/7 with SLAs |