SSH Modernization

Eliminate SSH Key Sprawl — Authenticate SSH with Corporate Identity

Replace static SSH keys with SAML/OIDC-authenticated short-lived certificates. Eliminate authorized_keys management, key rotation, and orphan key cleanup. OnePAM issues certificates after IdP authentication, and the certificates expire on their own.

Why SSH Keys Are a Security Risk

SSH key sprawl is one of the most pervasive and underestimated security risks in modern infrastructure. Organizations accumulate thousands of SSH keys across hundreds of servers, many belonging to departed employees, expired contractors, or forgotten service accounts. The authorized_keys file on each server becomes an unauditable access list that grows indefinitely. Rotating SSH keys at scale is operationally painful, so it rarely happens. The result: anyone holding a stolen or leaked private key has access to your servers for as long as the matching public key stays in authorized_keys, which in practice means indefinitely.

OnePAM solves this by replacing static SSH keys with short-lived certificates issued after SAML/OIDC authentication. Users authenticate via your corporate IdP (Okta, Azure AD, Google Workspace), and OnePAM's built-in certificate authority issues a certificate valid for 1-24 hours. The certificate carries the user's identity as certificate principals derived from the IdP (username, group memberships) together with the access restrictions OnePAM applies. When it expires, access stops automatically. When a user is disabled in your IdP, they can no longer obtain certificates, and any certificate already issued lapses at the end of its TTL. No authorized_keys cleanup. No key rotation schedules. No orphan key risk.

Local Agent

The agent configures sshd to trust OnePAM's certificate authority. Users authenticate via IdP and receive short-lived certificates that sshd accepts natively. No authorized_keys needed.

Gateway SSH Proxy

The gateway authenticates users and manages SSH credentials on their behalf. Servers continue using key-based auth internally, but keys are managed by the gateway — not users.

The Dangers of SSH Key Sprawl

Without identity-based SSH access, these risks threaten your servers every day.

SSH private keys stored on developer laptops are exposed if the laptop is compromised, stolen, or lost
SSH keys embedded in CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI) persist indefinitely in build configurations
Former employees' SSH keys remain in authorized_keys files across servers unless manually removed from every server
SSH keys shared via Slack, email, or documentation create copies that cannot be tracked or revoked
Service account SSH keys are often shared among team members with no individual accountability

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

Key Sprawl at Scale

Organizations with 100+ servers accumulate thousands of SSH keys. Each server's authorized_keys file grows with every new developer, contractor, and service account.

Impossible Auditing

Entries in authorized_keys are bare public keys with, at most, a free-text comment. They don't tell you who the key belongs to, when it was added, or whether it's still needed. Auditing is manual and incomplete.

No Expiration

SSH keys don't expire. A key created 5 years ago still works. The key pair itself carries no validity period; the only per-key expiry OpenSSH offers is an expiry-time option hand-written into each authorized_keys entry, which nobody maintains at scale, so there is no automatic access revocation.

Painful Rotation

Rotating SSH keys requires generating new key pairs, distributing public keys to every authorized server, and coordinating with every user. Most organizations never do it.

Offboarding Gaps

When employees leave, their SSH keys must be removed from every server they had access to. Missing even one server leaves a persistent backdoor.

No Built-in MFA

Key-based SSH authenticates with the private key alone. If someone has the private key, they have full access. Bolting MFA onto key-based SSH (a second AuthenticationMethods factor through PAM on every server) is complex and fragile.

How OnePAM Replaces SSH Keys with Certificates

Step-by-step guide to deploying identity-based SSH access.

1. Deploy OnePAM Certificate Authority

OnePAM operates a built-in certificate authority (CA). Your servers trust the CA's public key.

Put OnePAM's CA public key in a file on each server (for example /etc/ssh/onepam_ca.pub, an illustrative path) and point the TrustedUserCAKeys directive in sshd_config at that file. This is a one-time change. After this, sshd accepts certificates signed by OnePAM's CA alongside or instead of authorized_keys.

2. Connect Your Identity Provider

Link your SAML 2.0 or OIDC Identity Provider. OnePAM uses IdP authentication to gate certificate issuance.

Only authenticated, MFA-verified users from your IdP can obtain certificates. The certificate includes the user's email, username, and group memberships from the IdP.

3. Users Authenticate and Get Certificates

When a user wants to SSH, they authenticate via the IdP. OnePAM issues a short-lived certificate.

The certificate is valid for a configurable period (1-24 hours). It contains the user's identity as certificate principals (which sshd matches against the login name or an AuthorizedPrincipalsFile), the scope of servers it is good for, and access restrictions carried as critical options such as source-address or force-command. No private key is distributed: the certificate is a signed copy of the user's existing public key, so it works with the user's existing SSH key pair.

4. SSH with Certificates

Users run 'onepam ssh' to connect. OnePAM obtains a certificate and establishes the SSH session.

'onepam ssh server.example.com' — OnePAM authenticates via IdP, obtains a short-lived certificate, and connects. sshd verifies the certificate signature against OnePAM's CA and grants access. No authorized_keys lookup needed.

5. Certificates Expire Automatically

When the certificate TTL expires, access stops. Users re-authenticate via the IdP to get a new certificate.

No key rotation, no authorized_keys cleanup, no orphan keys. The access lifecycle is tied to the certificate TTL and the IdP session. Disable a user in the IdP and no new certificate can be issued; a certificate already in hand keeps working only until its TTL runs out (hours at most), or until it is pulled via the certificate revocation list if you cannot wait that long.
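To make the mechanism in steps 1 to 5 concrete (and the FAQ answer to "How do certificates work?" further down), here is an added example that is not OnePAM's code: it encodes an OpenSSH user certificate in the wire format sshd reads, decodes it again, and applies the checks sshd makes against TrustedUserCAKeys, the certificate's principals and validity window, and a RevokedKeys (KRL) entry. The key bytes and the CA are constructed placeholders, the serial, key ID, principals and source-address option are made up, and the Ed25519 signature that sshd verifies is left as a zero placeholder, so the block shows what a certificate carries and why it stops working at TTL expiry or on revocation, not how to authenticate.

```python
"""Decode an OpenSSH user certificate and apply the checks sshd makes before it
consults authorized_keys.  Added example, not OnePAM code: key bytes are
constructed placeholders and the Ed25519 signature check sshd performs with the
TrustedUserCAKeys key is omitted, so this is an audit/policy helper, not an
authenticator.  Format: OpenSSH PROTOCOL.certkeys, ssh-ed25519-cert-v01."""
import os
import struct
import time

CERT_TYPE_USER = 1

def _s(b):  # SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

class _Reader:
    """Cursor over the wire encoding."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def _string_list(buf):
    """Decode a string that itself holds a sequence of strings."""
    r, out = _Reader(buf), []
    while r.pos < len(buf):
        out.append(r.string())
    return out

def build_user_cert(user_pub, ca_pub, serial, key_id, principals,
                    valid_after, valid_before, critical_options=None):
    """Encode a user certificate the way a CA does.  The 64 zero bytes at the
    end stand in for the CA's Ed25519 signature over everything before them."""
    opts = b"".join(_s(k.encode()) + _s(_s(v.encode()))
                    for k, v in sorted((critical_options or {}).items()))
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(os.urandom(32))  # nonce
            + _s(user_pub) + struct.pack(">QI", serial, CERT_TYPE_USER)
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(opts) + _s(_s(b"permit-pty") + _s(b""))  # critical options, extensions
            + _s(b"")                                      # reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pub)))          # signature key (the CA)
    return body + _s(_s(b"ssh-ed25519") + _s(b"\0" * 64))

def parse_cert(blob):
    """Decode the fields ssh-keygen -L would print for a real certificate."""
    r = _Reader(blob)
    c = {"type": r.string().decode()}
    r.string()                                   # nonce
    c["public_key"] = r.string()
    c["serial"], c["cert_type"] = r.u64(), r.u32()
    c["key_id"] = r.string().decode()
    c["principals"] = [p.decode() for p in _string_list(r.string())]
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    opts = _string_list(r.string())              # alternating name, data
    c["critical_options"] = {n.decode(): (_Reader(d).string().decode() if d else "")
                             for n, d in zip(opts[0::2], opts[1::2])}
    c["extensions"] = [n.decode() for n in _string_list(r.string())[0::2]]
    r.string()                                   # reserved
    c["signature_key"] = r.string()              # CA public key blob
    c["signature"] = r.string()
    return c

def check_certificate(blob, login_user, trusted_ca_keys, now=None,
                      revoked_serials=frozenset(), max_ttl=24 * 3600):
    """Return (accepted, reasons).  Mirrors sshd's CA-trust, principal,
    validity-window and RevokedKeys (KRL) checks; signature check omitted."""
    now = time.time() if now is None else now
    c = parse_cert(blob)
    reasons = []
    if c["cert_type"] != CERT_TYPE_USER:
        reasons.append("not a user certificate")
    if c["signature_key"] not in trusted_ca_keys:
        reasons.append("signing CA is not in TrustedUserCAKeys")
    if login_user not in c["principals"]:
        reasons.append(f"login {login_user!r} not among principals {c['principals']}")
    if not (c["valid_after"] <= now < c["valid_before"]):
        reasons.append("outside validity window (expired or not yet valid)")
    if c["serial"] in revoked_serials:
        reasons.append(f"serial {c['serial']} is revoked")
    if c["valid_before"] - c["valid_after"] > max_ttl:
        reasons.append("TTL exceeds the 24-hour policy maximum")
    return not reasons, reasons

CA_PUB = bytes(range(32))   # constructed placeholder bytes, not a real key
USER_PUB = bytes(32)        # constructed placeholder bytes, not a real key
TRUSTED = {_s(b"ssh-ed25519") + _s(CA_PUB)}   # what TrustedUserCAKeys holds

if __name__ == "__main__":
    now = int(time.time())
    cert = build_user_cert(USER_PUB, CA_PUB, 42, "alice@example.com", ["alice", "deploy"],
                           now - 60, now + 3600, {"source-address": "10.0.0.0/8"})
    print("fresh, login alice  :", check_certificate(cert, "alice", TRUSTED, now))
    print("same cert 2h later  :", check_certificate(cert, "alice", TRUSTED, now + 7200))
    print("login as root       :", check_certificate(cert, "root", TRUSTED, now))
    print("serial 42 in the KRL:", check_certificate(cert, "alice", TRUSTED, now, {42}))
```

Run the block directly to see the four outcomes: the fresh certificate is accepted for the principal alice, the same bytes are rejected two hours later, a login as root fails because root is not a principal, and a revoked serial is refused even though the TTL has not run out. For a real certificate from any CA, `ssh-keygen -L -f id_ed25519-cert.pub` prints the same principals, serial, validity and critical options, and the checks above are the ones sshd applies, in addition to verifying the CA signature, before it ever consults authorized_keys.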

Benefits of Eliminating SSH Keys

What changes when you deploy identity-based SSH access.

Zero Key Management

No SSH keys to distribute, rotate, audit, or revoke. Certificates issued on-demand and expire automatically.

Zero authorized_keys entries

Automatic Expiration

Certificates expire after 1-24 hours. Access stops automatically. No orphan access, no lingering credentials.

Auto-expiring access

Identity-Verified Access

Every certificate is tied to a corporate identity verified by your IdP. Know exactly who accessed which server.

100% identity-attributed access

Instant Offboarding

Disable a user in your IdP. They cannot obtain new certificates. Existing certificates expire within hours. Zero cleanup needed.

Zero offboarding effort for SSH

MFA for Every Session

Certificate issuance requires IdP MFA, so every SSH session runs under a certificate that was obtained through MFA; within the TTL the cached certificate is reused without a new prompt. No per-server MFA configuration.

100% MFA-protected SSH

Compliance-Ready

Certificate-based access provides the identity verification, access logging, and automatic revocation that SOC 2, HIPAA, and PCI DSS require.

Audit-ready from day one

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

Built-in certificate authority
Short-lived certificates (1-24 hour TTL)
SAML 2.0 & OIDC authentication for certificate issuance
Certificate principals from IdP attributes
Host certificate support for server identity
Certificate-based access policies
Works with standard OpenSSH sshd and clients
Compatible with ssh-agent for certificate caching
API for CI/CD certificate issuance
Certificate audit trail with issuance logs

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Certificates expire automatically — no orphan risk
Certificate revocation list (CRL) for emergency revocation
IdP-gated issuance — only authenticated users get certs
MFA-verified before certificate issuance
Certificate principals restrict server access scope
Host certificates prevent server impersonation
HSM-compatible CA key storage
Certificate transparency logging

SSH Key Replacement Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. Enterprise replacing 5000+ SSH keys across 300 servers with short-lived certificates issued after Okta authentication
2. Startup eliminating authorized_keys management for a rapidly growing engineering team with weekly onboarding/offboarding
3. Financial institution meeting PCI DSS requirements for SSH key rotation by switching to auto-expiring certificates
4. DevOps team issuing certificates to CI/CD pipelines (Jenkins, GitHub Actions) with 1-hour TTL for build server access
5. Consulting firm providing time-limited certificates to contractors that expire after the engagement period
6. Healthcare company replacing shared SSH keys for service accounts with identity-attributed certificates for HIPAA compliance

Replace SSH Keys with Identity-Based Access FAQ

Common questions about SSH SSO and zero-day protection.

How do certificates work?

An SSH certificate is the user's public key plus identity and validity fields, signed by a certificate authority (CA). During authentication the client presents the certificate and proves possession of the matching private key. Instead of consulting authorized_keys, sshd verifies the CA signature against the public key listed in TrustedUserCAKeys and checks the certificate's principals and validity period. OnePAM operates the CA and issues certificates after SAML/OIDC authentication.

Do users need to change their SSH workflow?

Users run 'onepam ssh server.example.com' instead of 'ssh server.example.com'. OnePAM handles IdP authentication, obtains a short-lived certificate, and establishes the SSH connection. The terminal experience is identical once connected.

Can I use certificates for CI/CD pipelines?

Yes. OnePAM provides an API for CI/CD systems to request short-lived certificates. Jenkins, GitHub Actions, GitLab CI, and other CI/CD tools can authenticate via service account credentials and receive certificates with 1-hour TTL for build server access.

What happens if OnePAM is unavailable?

Existing valid certificates continue to work until they expire. In agent mode, the agent caches certificates locally, ensuring access continues during transient outages.

Can I migrate gradually from SSH keys to certificates?

Yes. Adding TrustedUserCAKeys does not disable AuthorizedKeysFile, so sshd accepts authorized_keys entries and certificates side by side. Deploy OnePAM's CA, issue certificates to users who opt in, and prune authorized_keys entries as users migrate; once everyone is on certificates, set AuthorizedKeysFile none so only certificates are accepted. No big-bang cutover required.

How are service accounts handled?

Service accounts (Ansible, Terraform, monitoring agents) use OnePAM's Machine Identity feature. Each service account gets a dedicated machine identity with its own bearer token, scoped resource access, and full audit trail — replacing shared SSH keys with attributable, auditable, and expirable credentials. Machine identities are available on Business plans and above.

Replace SSH Keys with Identity-Based Certificates

Short-lived certificates tied to your corporate IdP.