Single Sign-On SSH

Seamless SSH access. Zero key management.

Smallstep

Pricing

Sign up, it's free. No credit card required.

Free

Self-service SaaS

  • Single user edition

  • Extend single sign-on to SSH access

  • Login to hosts with your Smallstep account

  • Automatic OpenSSH configuration

  • Direct connect and bastion support

Professional

$3.00 per host, per month

Self-service SaaS

  • Built for businesses

  • Access control based upon IDP rules

  • Automatic user accounts on hosts

  • User and system event logging

  • GitHub SSH certificate authority

Coming Soon

Self-service SaaS

  • All Professional plus

  • Detailed shell history and session searching

  • POSIX user, session, and process controls

  • Dedicated HSM, SIEM logs & multiple cloud regions

Request A Quote

On-Premise or Managed

  • All Compliance plus

  • Work directly with Smallstep engineering

  • Custom configurations and long-term support

  • Professional services and training

Volume discounts available (1000+ hosts). Contact us.
Monthly Host pricing based on hourly metering at $0.0041 per hour.
Your data is safe with Smallstep, learn more.

The security benefits and time savings made it easy to justify the investment.

Compare Features

Professional

$3.00 per host, per month

Single sign-on SSH: Y
Self-service SaaS offering: Y
Direct connect, bastion, and mixed environment support: Y
Login with Smallstep Account
Login with Okta, Azure AD, and G Suite (SSO+MFA): Y
Identity provider (IDP) authentication & user group sync: Y
GitHub SSH certificate authority: Y
Compliance certifications
On-premise or managed

Automation

OpenSSH client configuration: Y
SSHD server configuration: Y
Enrollment token for easy host bootstrapping: Y
AWS, Azure, and Google Cloud automation: Y
Infrastructure automation (Ansible, Terraform, Puppet, Chef...): Y
User command to display the list of SSH accessible hosts: Y
Admin approved on-demand access

Access Control

Use Smallstep login for access to all hosts
Enforce access to host based on identity provider user groups: Y
Immediate deprovisioning of terminated user accounts: Y
Automatic synchronization of users and groups from IDP: Y
Host and host tags self-discovery: Y
Rules engine for user group to host tag permission mapping: Y
Sudo privileges based on identity provider groups: Y
Automated session management (bots and automations)
Granular sudo privileges
Terminate POSIX user processes

User Management

Transparently connect via bastion hosts: Y
Automatically create home directories on hosts: Y
Create, modify, and deactivate user accounts on managed hosts: Y
Push IDP groups to POSIX groups
POSIX user removal

Best Practices

Short-lived host certificates with automated renewal: Y
Root certificate rotation: Y
Host certificate renewal/rekey: Y
Private keys in multi-tenant KMS: Y
Private keys in dedicated HSM with attestation

High Availability

Highly-available SSH certificate authority (CA): Y
One cloud region: Y
Multiple cloud regions

Reporting

User session reporting: Y
Session summary metrics (host, time, etc.): Y
Host inventory and tags: Y
User and group lists: Y
Searchable shell history

Logging

Session summary metrics (host, time, etc.): Y
Host and bastion additions, updates, and removals: Y
Host access: Y
User and user group additions, updates, and removals: Y
Sudo privilege escalations: Y
Full session audit logs
Export logs to webhook / SIEM
Certificate observability service

Support

Releases: Current Release
Channels: Ticket
Availability: 48-hour Response


Single sign-on SSH: Y Y Y Y
Self-service SaaS offering: Y Y Y
Direct connect, bastion, and mixed environment support: Y Y Y Y
Login with Smallstep Account: Y
Login with Okta, Azure AD, and G Suite (SSO+MFA): Y Y Y
Identity provider (IDP) authentication & user group sync: Y Y Y
GitHub SSH certificate authority: Y Y Y
Compliance certifications: Y Y
On-premise or managed: Y

Automation

OpenSSH client configuration: Y Y Y Y
SSHD server configuration: Y Y Y Y
Enrollment token for easy host bootstrapping: Y Y Y Y
AWS, Azure, and Google Cloud automation: Y Y Y
Infrastructure automation (Ansible, Terraform, Puppet, Chef...): Y Y Y
User command to display the list of SSH accessible hosts: Y Y Y
Admin approved on-demand access: Y Y

Access Control

Use Smallstep login for access to all hosts: Y
Enforce access to host based on identity provider user groups: Y Y Y
Immediate deprovisioning of terminated user accounts: Y Y Y
Automatic synchronization of users and groups from IDP: Y Y Y
Host and host tags self-discovery: Y Y Y
Rules engine for user group to host tag permission mapping: Y Y Y
Sudo privileges based on identity provider groups: Y Y Y
Automated session management (bots and automations): Y Y
Granular sudo privileges: Y Y
Terminate POSIX user processes: Y Y

User Management

Transparently connect via bastion hosts: Y Y Y Y
Automatically create home directories on hosts: Y Y Y Y
Create, modify, and deactivate user accounts on managed hosts: Y Y Y
Push IDP groups to POSIX groups: Y Y
POSIX user removal: Y Y

Best Practices

Short-lived host certificates with automated renewal: Y Y Y Y
Root certificate rotation: Y Y Y Y
Host certificate renewal/rekey: Y Y Y Y
Private keys in multi-tenant KMS: Y Y
Private keys in dedicated HSM with attestation: Y Y

High Availability

Highly-available SSH certificate authority (CA): Y Y Y Y
One cloud region: Y Y
Multiple cloud regions: Y Y

Reporting

User session reporting: Y Y Y Y
Session summary metrics (host, time, etc.): Y Y Y Y
Host inventory and tags: Y Y Y Y
User and group lists: Y Y Y
Searchable shell history: Y Y

Logging

Session summary metrics (host, time, etc.): Y Y Y Y
Host and bastion additions, updates, and removals: Y Y Y Y
Host access: Y Y Y Y
User and user group additions, updates, and removals: Y Y Y
Sudo privilege escalations: Y Y Y
Full session audit logs: Y Y
Export logs to webhook / SIEM: Y Y
Certificate observability service: Y Y

Support

Releases: Current Release; Current Release; N-1 Minor Release; 18 Months
Channels: Ticket; Ticket; Ticket; Phone, Ticket, Slack
Availability: Best Effort Response; 48-hour Response; 24-hour Response; 24/7 with SLAs

Open Source or Managed?

Use our open source tools and your existing identity provider (IDP) to bring single sign-on (SSO) and multi-factor authentication (MFA) to OpenSSH. Users SSH as normal, directly to hosts or via bastion servers, after a daily OAuth OIDC login. Read more about getting started with open source.

The Professional Edition is a managed offering that builds on the open source tools and adds automatic access control, end-to-end user lifecycle management, event activity logging and reporting, and GitHub Enterprise integration.