Extend SSO & device identity to SSH

Embrace short-lived certificates for better security, less hassle, and real cost savings. Smallstep SSH is the flexible, modern approach to secure remote access in cloud, on-prem, or hybrid environments. Give your developers the frictionless experience they deserve while giving your business the peace of mind it demands.

No more static keys
Easy onboarding & offboarding
API for ephemeral container spin-ups
Daily renewals & automated rotation
SCIM integrations
No SSH bastion overhead

Bridge the gap between your IdPs and your servers


Automate SSH key management

Replace long-lived SSH keys with ephemeral certificates that regenerate each day. Static SSH keys often linger in servers and laptops for months or years, creating a ticking time bomb for unauthorized access. They’re easy to lose track of, hard to rotate, and seldom rekeyed.

Add MFA with your IdP

Connect to popular IdPs like Okta, Google Workspace, or Microsoft Entra ID with just a few clicks, and map existing identity provider groups directly to server roles. Assign granular access based on familiar group structures and user roles, no separate password or SSH key needed. Add or remove a user in your IdP, and that change propagates to all SSH access instantly.

Short-lived certificates for strong security

(Try saying that 10x fast.) Smallstep SSH replaces static keys with ephemeral certificates that renew daily to lower risk exposure. Think of it like a backstage pass that automatically expires every day. Each certificate is valid for hours, not months, preventing unintentional long-term access. Certificates also automatically rotate without manual intervention or downtime.

Break-glass emergency and offline access

Worried about losing SSH access if your SSO provider is offline? Smallstep SSH supports hardware-backed offline certificates. In an emergency, create a short-lived backup certificate stored on a secure device. This ensures you always have a fallback plan for critical infrastructure—even during an identity provider outage.

Smallstep SSH is exactly what we needed, significantly reducing the work required to manage SSH keys

Joe Doss, Director of Engineering Ops, Kenna Security by CISCO


Centralize your SSH auditing

Get a single source of truth for SSH connections across your fleet. Track all SSH activities and sessions from a single dashboard for compliance and troubleshooting. Use simple rules to let developers connect only to the servers they need, exactly when they need them. View active sessions, manage user groups, and generate usage reports to keep stakeholders informed.

Lower operational overhead

No one likes toil. Reduce the time spent adding, removing, and rotating static keys. By removing manual key handling, you can reclaim engineering hours and limit downtime. New employees can be up and running in minutes, with no specialized key setup required.

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.


Enforce device identity everywhere

Whether you’re working towards a compliance standard, closing gaps in policy enforcement, or preventing nation-state attacks, our team is here to show you how Smallstep can help.
