
SAML/OIDC SSO for SSH on FreeBSD

FreeBSD is a trademark of The FreeBSD Foundation.

Add SAML/OIDC Single Sign-On to SSH on FreeBSD. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via gateway SSH proxy for network appliances and servers, or local agent for FreeBSD systems with persistent installations. Protect FreeBSD infrastructure from SSH zero-day vulnerabilities.

Get Started in Minutes

Install the OnePAM agent with a single command. No packages to download, no repositories to configure.

Step 1 — Install
pkg install onepam-agent
Step 2 — Verify
service onepam-agent status
The installer auto-registers the endpoint. Confirm the service is active.
Before OnePAM
SSH keys sprawl across FreeBSD servers and jails
# Keys for each jail and host (hostnames are placeholders)
ssh-copy-id root@<fbsd-host>
ssh-copy-id root@<jail-1>
ssh-copy-id root@<jail-2>
# Keys inside jails are separate from host keys
FreeBSD jails multiply the SSH key management problem
No SAML/OIDC for FreeBSD SSH
# FreeBSD's OpenSSH has no native SAML/OIDC
# LDAP via nss_ldap is complex and fragile
# No built-in MFA for SSH sessions
# PAM configuration is different from Linux
FreeBSD's authentication stack differs from Linux and lacks cloud IdP support
Network appliance SSH is unaudited
# SSH to FreeBSD-based firewalls and routers
# Shared keys for network operations team
# No session recording on network devices
# No centralized audit trail
Network infrastructure SSH access is often the least audited
After OnePAM
Deploy OnePAM gateway
docker run -d --name onepam-gw \
  -p 2222:2222 \
  -e ONEPAM_ORG=YOUR_ORG_UUID \
  onepam/gateway:latest
Gateway runs on any host — proxies SSH to FreeBSD systems
Or install agent on FreeBSD
pkg install onepam-agent
service onepam-agent enable
service onepam-agent start
Native FreeBSD pkg installation with rc.d service management
SSH with corporate identity
onepam ssh fbsd-web01.corp.com
# → Redirected to Okta/Azure AD/Google Workspace
# → MFA verified, short-lived certificate issued
# → Session recorded automatically
Use 'onepam ssh' — identity-based access to FreeBSD hosts and jails

Why FreeBSD Systems Need Identity-Based SSH Access

FreeBSD powers critical internet infrastructure — Netflix's CDN, WhatsApp's messaging backend, Juniper and NetApp appliances, and countless hosting providers, firewalls, and storage systems worldwide. FreeBSD's ZFS, jails, and network stack make it the OS of choice for high-performance servers, network appliances, and storage systems. SSH access to FreeBSD systems is managed via authorized_keys files and local accounts — creating key sprawl across servers, firewalls, and jails. OnePAM adds SAML/OIDC SSO to SSH on FreeBSD via the gateway SSH proxy — no agent installation required on the FreeBSD host. The gateway authenticates users via your corporate IdP, enforces MFA, issues short-lived certificates, records sessions, and shields FreeBSD's OpenSSH from zero-day exploits. For FreeBSD servers with persistent installations, the OnePAM agent can also be installed via pkg. Both modes provide the centralized audit trails required by SOC 2, PCI DSS, and ISO 27001.

Gateway SSH Proxy

Deploy a OnePAM gateway to proxy SSH connections to FreeBSD systems. No agent required. Ideal for network appliances, firewalls, jails, and FreeBSD systems where agent installation is impractical or unsupported.

Local Agent

Install the OnePAM agent on FreeBSD via pkg. Uses rc.d for service management. Supports FreeBSD 12 and later. Compatible with ZFS, jails, and bhyve.

SSH Security Risks on FreeBSD

Without identity-based SSH access, these risks threaten your servers every day.

FreeBSD servers running network infrastructure (firewalls, routers, load balancers) are high-value targets — SSH compromise grants control of network traffic
FreeBSD's OpenSSH port receives patches on a different cadence than Linux distributions, creating windows of vulnerability exposure
SSH key sprawl across FreeBSD jails multiplies the access management problem — each jail has its own authorized_keys
Long-running FreeBSD servers accumulate SSH keys from former administrators who retain access indefinitely
Network appliances based on FreeBSD often cannot be patched quickly due to uptime requirements and change control processes

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

Jails Multiply Key Sprawl

FreeBSD jails each have independent SSH configurations and authorized_keys. A server running 20 jails has 20 sets of SSH keys to manage.

Network Appliance Access

FreeBSD-based firewalls, routers, and load balancers require SSH for management. These devices are network-critical and SSH access is often shared among operators.

Different Auth Stack from Linux

FreeBSD's PAM and authentication stack differs from Linux. SSH security tools designed for Linux often cannot be installed on FreeBSD without significant porting work.

ZFS Administration

FreeBSD ZFS storage servers require privileged SSH access for dataset management, snapshot operations, and replication configuration. Static keys grant persistent root access.

Long Uptime Requirements

FreeBSD servers and appliances often run for years without reboots. SSH security updates are delayed by uptime requirements and change control.

bhyve VM Management

FreeBSD's bhyve hypervisor is managed via SSH. Hypervisor-level SSH access provides control over all guest VMs and their storage.

How OnePAM Adds SSO to SSH on FreeBSD

Step-by-step guide to deploying identity-based SSH access.

1. Deploy Gateway or Install Agent

Run the OnePAM gateway to proxy SSH to FreeBSD systems, or install the agent via pkg on FreeBSD 12+.

Gateway: Deploy as Docker container or standalone binary. Proxies SSH to FreeBSD hosts and jails. Agent: 'pkg install onepam-agent && service onepam-agent enable && service onepam-agent start'. Uses rc.d for service management.

2. Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, or any SAML 2.0/OIDC provider) for SSH authentication.

OnePAM handles the SAML/OIDC handshake. Users authenticate via the IdP and receive short-lived certificates. IdP attributes map to FreeBSD user accounts.

3. Register FreeBSD Hosts and Jails

Add FreeBSD hosts and individual jails to OnePAM's inventory. Define access policies per host, jail, or group.

Register servers, jails, appliances, and bhyve hypervisors. Policies control which IdP groups can access which FreeBSD systems with what privileges.

4. SSH with Corporate Identity

Users SSH to FreeBSD systems using corporate credentials. Short-lived certificates replace static SSH keys.

Run 'onepam ssh fbsd-web01.corp.com'. OnePAM authenticates the user via the IdP, issues a certificate, and establishes the SSH session — or proxies through the gateway.

5. Audit and Comply

Every SSH session is logged with full IdP context. Optional session recording captures every keystroke.

Centralized audit trail for all FreeBSD system access, including jails and bhyve hypervisors. Export to your SIEM for compliance reporting.
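The steps above describe IdP attributes being mapped to FreeBSD accounts, per-host and per-jail policies controlling who may reach which system, and short-lived certificates with a 1-24 hour TTL. The following is an added illustrative model of that decision, not OnePAM's own code; the inventory, group names, account names and policies are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# TTL bounds the page lists for short-lived certificates (1-24 hours)
MIN_TTL = timedelta(hours=1)
MAX_TTL = timedelta(hours=24)

# Constructed inventory: FreeBSD hosts, jails and appliances registered in step 3
INVENTORY = {
    "fbsd-web01.corp.com": "host",
    "fbsd-web01.corp.com/www-jail": "jail",
    "fw-edge01": "appliance",
    "zfs-nas01": "host",
}

@dataclass(frozen=True)
class Policy:
    idp_group: str          # group name carried in the SAML/OIDC assertion
    targets: frozenset      # registered names this policy covers ("*" = all)
    principals: frozenset   # FreeBSD accounts the certificate may name
    ttl: timedelta          # requested lifetime; clamped at issue time

# Constructed policies with hypothetical group and account names
POLICIES = (
    Policy("webops", frozenset({"fbsd-web01.corp.com", "fbsd-web01.corp.com/www-jail"}),
           frozenset({"deploy"}), timedelta(hours=8)),
    Policy("netops", frozenset({"fw-edge01"}), frozenset({"admin"}), timedelta(hours=4)),
    Policy("storage-admins", frozenset({"zfs-nas01"}), frozenset({"root"}), timedelta(hours=30)),
    Policy("oncall", frozenset({"*"}), frozenset({"oncall"}), timedelta(minutes=15)),
)

@dataclass(frozen=True)
class CertRequest:
    principals: frozenset   # principals to place in the certificate
    valid_after: datetime
    valid_before: datetime

def clamp_ttl(ttl: timedelta) -> timedelta:
    return max(MIN_TTL, min(MAX_TTL, ttl))

def authorize(idp_groups, target, now, policies=POLICIES, inventory=INVENTORY):
    """Decide the certificate for `target` from the user's IdP groups; None means deny."""
    if target not in inventory:            # unregistered systems are never proxied
        return None
    matched = [p for p in policies
               if p.idp_group in idp_groups and (target in p.targets or "*" in p.targets)]
    if not matched:                        # no groups (e.g. user disabled in IdP) = no access
        return None
    principals = frozenset().union(*(p.principals for p in matched))
    ttl = clamp_ttl(min(p.ttl for p in matched))   # shortest matching policy wins
    return CertRequest(principals, now, now + ttl)

def lifetime_hours(req: CertRequest) -> float:
    return (req.valid_before - req.valid_after).total_seconds() / 3600

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed issue time
```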

Benefits of SSH SSO on FreeBSD

What changes when you deploy identity-based SSH access.

Secure Jails and Hosts

Unified SSH access control across FreeBSD hosts and jails. One identity layer replaces per-jail SSH key management.

Centralized access for all jails

Protect Network Infrastructure

Identity-verified SSH to FreeBSD-based firewalls, routers, and load balancers. No shared keys. Full session audit.

100% identity-verified network access

Shield from SSH Zero-Days

Gateway mode prevents direct access to FreeBSD's sshd. Vulnerabilities in OpenSSH are unexploitable — even on unpatched appliances.

100% of unauthenticated SSH attacks blocked

ZFS Administration Security

Privileged SSH access to ZFS storage servers is identity-verified, MFA-protected, and session-recorded. No persistent root SSH keys.

MFA-protected storage admin

Instant Deprovisioning

Disable a user in your IdP and SSH access to every FreeBSD system stops immediately. No manual key cleanup across jails.

Real-time access revocation

Compliance-Ready Logging

Identity-verified audit trails satisfy SOC 2, PCI DSS, and ISO 27001 requirements for SSH access to BSD infrastructure.

Audit-ready from day one

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

SAML 2.0 & OIDC authentication for SSH on FreeBSD
Gateway-based architecture — no agent required on FreeBSD systems
Native FreeBSD pkg installation with rc.d service management
Compatible with FreeBSD 12 and later
SSH access control for jails and bhyve VMs
Short-lived certificates (1-24 hour TTL)
IdP group-to-FreeBSD-user mapping
SSH session recording with keystroke replay
IP and geo-restriction for SSH access
Device trust verification before granting access

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Gateway shields FreeBSD's sshd from network-based exploits
Zero-day protection for FreeBSD network appliances
SSH protocol inspection at the gateway
Command filtering and blocklists for privileged operations
Real-time session monitoring and termination
Automatic certificate expiration (no key rotation needed)
Encrypted session recordings with tamper detection
Integration with SIEM (Splunk, Datadog, Elastic)

FreeBSD SSH SSO Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. Hosting provider managing SSH access to 500+ FreeBSD servers and jails with centralized identity-based authentication and session recording
2. Network operations team securing SSH to FreeBSD-based firewalls and routers with corporate SSO and MFA enforcement
3. Storage team requiring identity-verified SSH access to FreeBSD ZFS storage servers with sudo elevation auditing
4. CDN operator managing SSH access to FreeBSD edge nodes across multiple data centers with time-limited access policies
5. ISP using gateway SSH proxy to control SSH access to FreeBSD routers and DNS servers without installing agents on network devices
6. Cloud provider securing SSH to bhyve hypervisors on FreeBSD with identity-based access and session recording
7. University research lab managing SSH access to FreeBSD HPC nodes with IdP group-based access control
8. Financial institution enforcing PCI DSS-compliant SSH access to FreeBSD servers processing transaction data

SSO for SSH on FreeBSD FAQ

Common questions about SSH SSO and zero-day protection.

Does OnePAM work with FreeBSD's rc.d init system?

Yes. The OnePAM agent includes a native rc.d service script for FreeBSD. Install via pkg, enable with 'service onepam-agent enable', and start with 'service onepam-agent start'. The service starts automatically on boot.

Can OnePAM protect SSH to individual FreeBSD jails?

Yes. The gateway SSH proxy can proxy SSH connections to individual jails within a FreeBSD host. Each jail can have its own access policies, user mappings, and session recording settings.

Does OnePAM work with FreeBSD-based network appliances?

Yes. The gateway SSH proxy requires no software installation on the FreeBSD appliance. The gateway authenticates users and proxies SSH connections. This works with any FreeBSD-based device including pfSense, OPNsense, and custom network appliances.

How does OnePAM handle FreeBSD's different PAM stack?

The OnePAM agent supports FreeBSD's PAM implementation. For gateway deployments, PAM is not involved — authentication is handled entirely at the gateway before the SSH connection reaches the FreeBSD host.

Can OnePAM secure SSH to ZFS storage servers?

Yes. OnePAM provides identity-verified, MFA-protected SSH access to FreeBSD ZFS servers. Session recording captures ZFS administrative operations (zpool, zfs commands) for compliance and audit purposes.

Does OnePAM support FreeBSD on ARM or embedded platforms?

The gateway SSH proxy is platform-independent and can protect SSH connections to FreeBSD running on any architecture, including ARM-based SBCs and embedded devices. The gateway runs on a separate host and proxies connections.

Add SSO to SSH on FreeBSD

Deploy identity-based SSH access for FreeBSD in minutes.