
Temporary, Audited SSH Access for Contractors — No SSH Keys to Distribute or Revoke

Grant contractors and third-party vendors temporary SSH access to Linux servers with automatic expiration. No SSH keys to distribute, share, or clean up. Identity-verified, MFA-protected, fully recorded SSH sessions. Revoke access instantly when the engagement ends.

Why Contractor SSH Access Is a Security Challenge

Granting SSH access to contractors, vendors, MSPs, and temporary workers is one of the most challenging access management problems in enterprise IT. Traditional approaches require distributing SSH keys to external parties, creating local accounts on servers, and manually revoking access when engagements end. Keys are often shared among contractor team members, stored in insecure locations, and forgotten in authorized_keys files long after the contractor has left.

OnePAM solves contractor SSH access with identity-based temporary access. Contractors authenticate via your corporate IdP (you can add them as external users in Okta, Azure AD, or Google Workspace) or via their own organization's IdP through federated authentication. OnePAM issues short-lived certificates with configurable expiration tied to the engagement period. All contractor SSH sessions are recorded and tied to individual identities. When the engagement ends, disable the contractor in your IdP and access stops immediately — no server-by-server key cleanup.

Gateway SSH Proxy

Ideal for contractor access. Contractors SSH through the gateway — no agent installation on your servers. Gateway handles authentication, recording, and access expiration. Contractors never have direct server access.

Local Agent

Suitable when contractors need direct SSH access. The agent authenticates contractors via IdP and issues time-limited certificates. Access policies restrict which servers contractors can reach.

Risks of Contractor SSH Access

Without identity-based SSH access, these risks threaten your servers every day.

Contractor SSH keys distributed via email, Slack, or shared documents are impossible to track and revoke completely
Multiple contractors sharing a single SSH key eliminates individual accountability for server actions
Contractor SSH keys remain in authorized_keys files long after engagement ends — creating persistent backdoors
Third-party vendors with SSH access to your servers are a primary target for supply chain attacks
Contractor SSH sessions are rarely recorded or audited, creating compliance gaps and forensic blind spots

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

Key Distribution

Distributing SSH keys to contractors securely is difficult. Keys are often sent via email, Slack, or shared drives — all insecure channels that create uncontrolled copies.

Shared Keys

Multiple contractors from the same vendor share a single SSH key. When one person leaves the vendor, the key must be rotated for everyone. It rarely is.

Access Lingering

When contracts end, SSH keys must be removed from every server the contractor accessed. This cleanup is manual, incomplete, and often forgotten entirely.
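The cleanup gap described above can at least be audited. The following is an added example (not OnePAM's code) that parses an authorized_keys file, including the optional options field, and flags entries whose comment names a contractor engagement that has already ended. The sample file and the engagement roster are constructed for the example; the key-comment naming convention is an assumption.

```python
import re
from datetime import date

# Matches the key-type token of an authorized_keys entry. Anything before it is the
# options field, which may contain quoted values with spaces and commas.
KEY_RE = re.compile(
    r"(?P<type>(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r"(?:-cert-v01@openssh\.com)?)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)

# Constructed sample file (not from any real server). Key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekey0001 ops@corp.example
from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekey0002 jsmith@acme-consulting.example
# shared vendor key added during the 2023 migration
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexamplekey0003 support@msp.example
"""

# Constructed roster: key comment -> engagement end date (assumed naming convention).
ENGAGEMENTS = {
    "jsmith@acme-consulting.example": date(2025, 2, 28),
    "support@msp.example": date(2023, 12, 31),
}


def parse_entries(text):
    """Return one dict per key line: line number, options, key type, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue                    # not a recognisable key line; skip it
        entries.append({"line": lineno, "options": line[:m.start()].strip(),
                        "type": m["type"], "comment": (m["comment"] or "").strip()})
    return entries


def lingering_keys(text, engagements, today):
    """Return (line, comment, end_date) for keys whose engagement ended before today."""
    findings = []
    for e in parse_entries(text):
        end = engagements.get(e["comment"])
        if end is not None and today > end:
            findings.append((e["line"], e["comment"], end.isoformat()))
    return findings
```

Run against each server's authorized_keys files, the output is the list of entries the manual cleanup missed.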

No Individual Accountability

Shared SSH keys make it impossible to determine which contractor performed a specific action. Audit trails show a key fingerprint, not a person.

No Session Visibility

Contractor SSH sessions are not recorded. If a contractor causes damage (intentional or accidental), there's no evidence of what they did.

Compliance Exposure

SOC 2, HIPAA, and PCI DSS require controlled third-party access with audit trails. Unmanaged contractor SSH keys create compliance violations.

How OnePAM Manages Contractor SSH Access

Step-by-step guide to deploying identity-based SSH access.

1. Add Contractor to IdP

Add the contractor as an external user in your IdP (Okta, Azure AD, Google Workspace) or configure federated authentication.

External users in your IdP authenticate with their own credentials but are subject to your MFA and access policies. Federated authentication lets contractors use their own organization's IdP through SAML/OIDC federation.

2. Create Time-Limited Access Policy

Define a OnePAM access policy for the contractor: which servers, what privilege level, for how long.

Example: Contractor 'J. Smith from Acme Consulting' gets SSH access to the staging database server with read-only privileges, valid from Jan 15 to Feb 28, with all sessions recorded. Access expires automatically.

3. Contractor SSHs via OnePAM

Contractor authenticates via IdP, completes MFA, and SSH session begins. No SSH keys needed.

OnePAM issues a short-lived certificate or proxies the connection via the gateway. The contractor uses a standard SSH client. No special software installation required.

4. Sessions Are Recorded

Every contractor SSH session is recorded with identity verification. Keystroke-by-keystroke capture.

Recordings are tied to the contractor's individual identity. Searchable by command, timestamp, or server. Available for compliance review and incident investigation.

5. Access Expires Automatically

When the engagement period ends, access stops. No manual cleanup. Disable contractor in IdP for immediate revocation.

Short-lived certificates cannot be renewed after policy expiration. Gateway mode blocks new sessions immediately. No authorized_keys to clean up on any server.
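
The engagement-bound certificate logic in steps 2, 3 and 5, and the force-command restriction mentioned in the FAQ, can be shown with a small model. This is an added example, not OnePAM's implementation: the policy structure, the server and account names, the CA key path and the year for the Jan 15 to Feb 28 window are all assumptions. It decides whether a certificate may be minted, clamps its lifetime to the engagement end, and builds the OpenSSH `ssh-keygen -s` invocation that would sign the contractor's key for exactly that window.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class AccessPolicy:
    """Hypothetical per-contractor policy: who, which servers, which account, for how long."""
    principal: str                      # contractor identity as asserted by the IdP
    linux_user: str                     # Linux account the certificate is valid for
    servers: frozenset[str]             # hosts the contractor may reach
    valid_from: datetime
    valid_to: datetime                  # exclusive end of the engagement
    max_cert_ttl: timedelta = timedelta(hours=8)
    force_command: Optional[str] = None  # pin the session to one script, e.g. a read-only wrapper

def certificate_window(policy: AccessPolicy, server: str, now: datetime,
                       idp_active: bool) -> Optional[tuple[datetime, datetime]]:
    """Return (not_before, not_after) for a new certificate, or None to refuse.
    The TTL is clamped to valid_to, so a cert minted on the last day cannot outlive the policy."""
    if not idp_active:                          # disabled in the IdP: immediate revocation
        return None
    if server not in policy.servers:            # outside the policy's server scope
        return None
    if not (policy.valid_from <= now < policy.valid_to):
        return None
    return now, min(now + policy.max_cert_ttl, policy.valid_to)

def ssh_keygen_args(policy: AccessPolicy, window: tuple[datetime, datetime],
                    serial: int, ca_key: str = "/path/to/ca_key") -> list[str]:
    """Build the ssh-keygen invocation that signs the contractor's public key for `window`.
    Absolute -V times are read in the CA host's local time zone; this assumes that host runs in UTC."""
    def stamp(t: datetime) -> str:
        return t.astimezone(UTC).strftime("%Y%m%d%H%M%S")
    args = ["ssh-keygen", "-s", ca_key, "-I", policy.principal, "-n", policy.linux_user,
            "-z", str(serial), "-V", f"{stamp(window[0])}:{stamp(window[1])}",
            "-O", "no-port-forwarding", "-O", "no-agent-forwarding"]
    if policy.force_command:
        args += ["-O", f"force-command={policy.force_command}"]
    return args + ["contractor_key.pub"]        # placeholder path of the key being signed

def sample_policy() -> AccessPolicy:
    """The page's example: J. Smith, staging database, read-only, Jan 15 to Feb 28 (year 2025 assumed)."""
    return AccessPolicy("jsmith@acme-consulting.example", "contractor", frozenset({"db-staging-01"}),
                        datetime(2025, 1, 15, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC),
                        force_command="/usr/local/bin/readonly-psql")
```

Because the certificate carries its own validity interval and forced command, the server needs only a `TrustedUserCAKeys` entry in sshd_config, nothing to remove per contractor later.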

Benefits of Identity-Based Contractor Access

What changes when you deploy identity-based SSH access.

Zero Key Distribution

No SSH keys to distribute, share, or manage. Contractors authenticate via IdP and get temporary certificates.

Zero SSH keys to distribute

Automatic Expiration

Contractor access expires automatically based on engagement dates. No manual cleanup, no forgotten keys.

Auto-expiring contractor access

Individual Accountability

Every contractor has their own identity and their own session recordings. Know exactly who did what.

100% individual attribution

Full Session Recording

All contractor sessions are recorded. Review, search, and replay sessions for quality assurance and security.

Every session recorded

Instant Revocation

End an engagement early? Disable the contractor in your IdP. SSH access stops immediately across all servers.

Instant access revocation

Compliance-Ready

Third-party access with identity verification, MFA, session recording, and automatic expiration satisfies SOC 2, HIPAA, and PCI DSS.

Audit-ready third-party access

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

Time-limited access policies with automatic expiration
External user support in major IdPs
Federated authentication with contractor's own IdP
Per-contractor access policies (servers, privileges, time)
Mandatory session recording for all contractor sessions
No SSH key distribution or management
Short-lived certificates with engagement-bound TTL
Approval workflow for contractor access requests
Dashboard showing active contractor access
Automatic access removal on engagement end date

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Individual identity verification for every contractor
MFA enforcement (no exceptions for external users)
Session recording with tamper-proof storage
Command filtering to prevent destructive operations
IP restriction to contractor's known network
Real-time session monitoring by internal security team
Automatic alerts on suspicious contractor activity
Compliance reporting for third-party access audits

Contractor SSH Access Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. Enterprise granting 3-month SSH access to a database migration contractor with full session recording for the migration project
2. MSP providing support engineers with time-limited SSH access to client servers, recorded and reviewable by the client
3. Healthcare company granting HIPAA-compliant SSH access to a vendor for system maintenance with automatic 1-week expiration
4. Financial institution providing auditor SSH access to compliance servers with read-only privileges and full session recording
5. Startup granting SSH access to a freelance DevOps engineer with automatic revocation when the contract ends
6. Government agency granting cleared contractor SSH access with identity verification, MFA, and mandatory session recording

SSH Access for Contractors & Third Parties FAQ

Common questions about SSH SSO and zero-day protection.

How do contractors authenticate without SSH keys?

Contractors are added as external users in your IdP (Okta, Azure AD, Google Workspace) or authenticate via their own organization's IdP through SAML/OIDC federation. They authenticate via SSO, complete MFA, and OnePAM issues a short-lived certificate or proxies their connection through the gateway.

Can I restrict contractors to specific servers and commands?

Yes. OnePAM access policies define exactly which servers a contractor can access, with what Linux username, what sudo privileges, and what commands they can execute. Force-command certificates can restrict access to specific scripts or operations.

What happens when a contractor's engagement ends?

If the access policy has an expiration date, access stops automatically. You can also disable the contractor in your IdP for immediate revocation. No server-by-server cleanup is needed — no authorized_keys entries to remove.

Can contractors use their own organization's IdP?

Yes. OnePAM supports federated authentication where contractors authenticate via their own IdP (via SAML/OIDC federation with your IdP). This avoids creating external user accounts in your IdP while maintaining identity verification.

Are contractor sessions always recorded?

Recording policies are configurable per access policy. For contractor access, we recommend mandatory recording with no opt-out. The recording notification banner informs contractors that their session is being recorded.

Can I require approval for contractor SSH access?

Yes. OnePAM supports approval workflows where contractor SSH access requests are routed to a designated approver (team lead, security team) before access is granted. Approvals are time-limited and logged.

Manage Contractor SSH Access

Time-limited, identity-verified, fully recorded SSH sessions for third parties.