Single Sign-On SSH

Seamless SSH access. Zero key management.

SIGN UP, IT'S FREE
Smallstep
Overview
How It Works
Pricing
Sign Up

Pricing

Sign up, it's free. No credit card required.

Professional

$3.00

Per Host,
per Month

Self-service SaaS

GET 30-DAYS FREE
Basic
SIGN UP TODAY
Free

Self-service SaaS

  • Single user edition

  • Extend single sign-on to SSH access

  • Login to hosts with your Smallstep account

  • Automatic OpenSSH configuration

  • Direct connect and bastion support

Professional
GET 30-DAYS FREE

$3.00

Per Host,
per Month

Self-service SaaS

  • Built for businesses

  • Access control based upon IDP rules

  • Automatic user accounts on hosts

  • User and system event logging

  • Private keys in cloud KMS

Compliance
EARLY ACCESS
Coming Soon

Self-service SaaS

  • All Professional plus

  • Detailed shell history and session searching

  • POSIX user, session, and process controls

  • Dedicated HSM, SIEM logs & multiple cloud regions

Enterprise
CONTACT US
Request A Quote

On-Premise or Managed

  • All Compliance plus

  • Work directly with smallstep engineering

  • Custom configurations and long-term support

  • Professional services and training

Volume discounts available (1000+ hosts) Contact us.
Monthly Host pricing based on hourly metering at $0.0041 per hour.
Your data is safe with Smallstep, learn more.
Compare Features

The security benefits and time savings made it easy to justify the investment.

Compare Features

Professional

$3.00

Per Host,
per Month

<!--HubSpot Call-to-Action Code --><span class="hs-cta-wrapper" id="hs-cta-wrapper-41082b4b-bab6-4492-b914-5d084edfe429"><span class="hs-cta-node hs-cta-41082b4b-bab6-4492-b914-5d084edfe429" id="hs-cta-41082b4b-bab6-4492-b914-5d084edfe429"><!--[if lte IE 8]><div id="hs-cta-ie-element"></div><![endif]--><a href="https://cta-redirect.hubspot.com/cta/redirect/7748242/41082b4b-bab6-4492-b914-5d084edfe429" target="_blank" ><img class="hs-cta-img" id="hs-cta-img-41082b4b-bab6-4492-b914-5d084edfe429" style="border-width:0px;" src="https://no-cache.hubspot.com/cta/default/7748242/41082b4b-bab6-4492-b914-5d084edfe429.png" alt="GET 30-DAYS FREE"/></a></span><script charset="utf-8" src="https://js.hscta.net/cta/current.js"></script><script type="text/javascript"> hbspt.cta.load(7748242, '41082b4b-bab6-4492-b914-5d084edfe429', {}); </script></span><!-- end HubSpot Call-to-Action Code -->
Single sign-on SSH
Y
Self-service SaaS offering
Y
Direct connect, bastion, and mixed environment support
Y
Login with Smallstep Account
Login with Okta, Azure AD, and G Suite (SSO+MFA)
Y
Identity provider (IDP) authentication & user group sync
Y
Compliance certifications
On-premise or managed
Automation
OpenSSH client configuration
Y
SSHD server configuration
Y
Enrollment token for easy host bootstrapping
Y
AWS, Azure, and Google Cloud automation
Y
Infrastructure automation (Ansible, Terraform, Puppet, Chef...)
Y
User command to display the list of SSH accessible Hosts
Y
Admin approved on-demand access
Access Control
Use Smallstep login for access to all hosts
Enforce access to host based on identity provider user groups
Y
Immediate deprovisioning of terminated user accounts
Y
Automatic synchronization of users and groups from IDP
Y
Host and host tags self-discovery
Y
Rules engine for user group to host tag permission mapping
Y
Sudo privileges based on identity provider groups
Y
Automated session management (bots and automations)
Granular sudo privileges
Terminate POSIX user processes
User Management
Transparently connect via bastion hosts
Y
Automatically create home directories on Hosts
Y
Create, modify, and deactivate user accounts on managed hosts
Y
Push IDP groups To POSIX groups
POSIX user removal
Best Practices
Short-lived host certificates with automated renewal
Y
Root certificate rotation
Y
Host certificate renewal/rekey
Y
Private keys in multi-tenant KMS
Y
Private Keys in dedicated in HSM with attestation
High Availability
Highly-available SSH certificate authority (CA)
Y
One cloud region
Y
Multiple cloud regions
Reporting
User session reporting
Y
Session summary metrics (Host, time, etc.)
Y
Host inventory and tags
Y
User and group lists
Y
Searchable shell history
Logging
Session summary metrics (host, time, etc.)
Y
Host and bastion additions, updates, and removals
Y
Host access
Y
User and user group additions, updates, and removals
Y
Sudo privileges escalations
Y
Full session audit logs
Export logs to webhook / SIEM
Certificate observability service
Support
Releases
Current Release
Channels
Ticket
Availability
48-hour Response
Pricing Table Image
Basic
Free
SIGN UP TODAY
Professional

$3.00

Per Host,
per Month

GET 30-DAYS FREE
Compliance
Coming Soon
EARLY ACCESS
Enterprise
Request A Quote
CONTACT US
Single sign-on SSH
Y
Y
Y
Y
Self-service SaaS offering
Y
Y
Y
Direct connect, bastion, and mixed environment support
Y
Y
Y
Y
Login with Smallstep Account
Y
Login with Okta, Azure AD, and G Suite (SSO+MFA)
Y
Y
Y
Identity provider (IDP) authentication & user group sync
Y
Y
Y
Compliance certifications
Y
Y
On-premise or managed
Y
Automation
OpenSSH client configuration
Y
Y
Y
Y
SSHD server configuration
Y
Y
Y
Y
Enrollment token for easy host bootstrapping
Y
Y
Y
Y
AWS, Azure, and Google Cloud automation
Y
Y
Y
Infrastructure automation (Ansible, Terraform, Puppet, Chef...)
Y
Y
Y
User command to display the list of SSH accessible Hosts
Y
Y
Y
Admin approved on-demand access
Y
Y
Access Control
Use Smallstep login for access to all hosts
Y
Enforce access to host based on identity provider user groups
Y
Y
Y
Immediate deprovisioning of terminated user accounts
Y
Y
Y
Automatic synchronization of users and groups from IDP
Y
Y
Y
Host and host tags self-discovery
Y
Y
Y
Rules engine for user group to host tag permission mapping
Y
Y
Y
Sudo privileges based on identity provider groups
Y
Y
Y
Automated session management (bots and automations)
Y
Y
Granular sudo privileges
Y
Y
Terminate POSIX user processes
Y
Y
User Management
Transparently connect via bastion hosts
Y
Y
Y
Y
Automatically create home directories on Hosts
Y
Y
Y
Y
Create, modify, and deactivate user accounts on managed hosts
Y
Y
Y
Push IDP groups To POSIX groups
Y
Y
POSIX user removal
Y
Y
Best Practices
Short-lived host certificates with automated renewal
Y
Y
Y
Y
Root certificate rotation
Y
Y
Y
Y
Host certificate renewal/rekey
Y
Y
Y
Y
Private keys in multi-tenant KMS
Y
Y
Private Keys in dedicated in HSM with attestation
Y
Y
High Availability
Highly-available SSH certificate authority (CA)
Y
Y
Y
Y
One cloud region
Y
Y
Multiple cloud regions
Y
Y
Reporting
User session reporting
Y
Y
Y
Y
Session summary metrics (Host, time, etc.)
Y
Y
Y
Y
Host inventory and tags
Y
Y
Y
Y
User and group lists
Y
Y
Y
Searchable shell history
Y
Y
Logging
Session summary metrics (host, time, etc.)
Y
Y
Y
Y
Host and bastion additions, updates, and removals
Y
Y
Y
Y
Host access
Y
Y
Y
Y
User and user group additions, updates, and removals
Y
Y
Y
Sudo privileges escalations
Y
Y
Y
Full session audit logs
Y
Y
Export logs to webhook / SIEM
Y
Y
Certificate observability service
Y
Y
Support
Releases
Current Release
Current Release
N-1 Minor Release
18 Months
Channels
Ticket
Ticket
Ticket
Phone, Ticket, Slack
Availability
Best Effort Response
48-hour Response
24-hour Response
24/7 with SLAs
GET 30-DAYS FREE
Open Source or Managed?
Use our open source tools and your existing Identity Provider (IDP) to bring single sign-on (SSO) and multi-factor authentication (MFA) to OpenSSH. Users SSH as normal directly to hosts or via bastion servers after a daily OAuth OIDC login. Read more about getting started with open source.

The Professional Edition is a managed offering that takes the open source and adds automatic access control, end-to-end user lifecycle management, event activity logging and reporting, and GitHub Enterprise integration.
SIGN UP, IT'S FREE
No credit card required.