
SAML/OIDC SSO for SSH on Ubuntu Server

Ubuntu is a trademark of Canonical Ltd.

Add SAML/OIDC Single Sign-On to SSH on Ubuntu Server. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via local agent or gateway SSH proxy. Shield unpatched Ubuntu servers from zero-day SSH vulnerabilities like regreSSHion.

Get Started in Minutes

Install the OnePAM agent with a single command. No packages to download, no repositories to configure.

Step 1 — Install
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Step 2 — Verify
systemctl status onepam-agent
The installer auto-registers the endpoint. Confirm the service is active.
Before OnePAM
Generate and distribute SSH keys
ssh-keygen -t ed25519
ssh-copy-id [email protected]
ssh-copy-id [email protected]
Repeat for every user and every server
Remove access when someone leaves
for server in $(cat servers.txt); do
  ssh root@$server "sed -i '/[email protected]/d' /home/*/.ssh/authorized_keys"
done
Manual cleanup on every server — easy to miss one
No MFA, no session recording
# SSH keys = single-factor auth
# No built-in way to record sessions
# No centralized audit trail
Compliance gaps with SOC 2, HIPAA, PCI DSS
After OnePAM
Install OnePAM agent
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Works on Ubuntu 16.04 LTS and later
Verify service and registration
systemctl status onepam-agent
The installer auto-registers this endpoint with your organization
SSH with corporate identity
onepam ssh server1.example.com
# → Redirected to Okta/Azure AD/Google Workspace
# → MFA verified, short-lived certificate issued
# → Session recorded automatically
Use 'onepam ssh' instead of 'ssh' — handles IdP auth automatically
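The cleanup loop above deletes keys blind; what a defender needs first is an inventory of which keys sit in which account. The following Python script is an added example, not OnePAM's code: it walks a /home-style tree, fingerprints every authorized_keys entry the way ssh-keygen -lf does (SHA256 over the decoded key blob), and flags entries whose comment names a departed user. The home directories, key blobs and departed-user list are constructed samples.

```python
# Added example (not OnePAM's code): inventory authorized_keys files under a
# /home-like tree and flag keys whose comment names a departed user.
import base64
import hashlib
import tempfile
from pathlib import Path


def _ed25519_blob(seed: int) -> str:
    """Constructed, structurally valid ssh-ed25519 wire blob (made-up key bytes)."""
    key = bytes([(seed * 7 + i) % 256 for i in range(32)])
    wire = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(key).to_bytes(4, "big") + key)
    return base64.b64encode(wire).decode()


# Constructed sample: two accounts, alice's key installed in both, one stale key (bob).
SAMPLE_HOMES = {
    "deploy": [f"ssh-ed25519 {_ed25519_blob(1)} alice@laptop",
               f"ssh-ed25519 {_ed25519_blob(2)} bob@workstation"],
    "ops": [f"ssh-ed25519 {_ed25519_blob(1)} alice@laptop",
            "# a comment line that must be ignored",
            f'from="10.0.0.0/8" ssh-ed25519 {_ed25519_blob(4)} carol@ops'],
}


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line.
    Leading options (from=, command=, ...) are skipped by scanning for the
    first token that looks like a key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
                yield tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break


def inventory(root: Path) -> list:
    """Walk root/<account>/.ssh/authorized_keys and return one record per key."""
    records = []
    for ak in sorted(root.glob("*/.ssh/authorized_keys")):
        account = ak.parent.parent.name
        for ktype, fp, comment in parse_authorized_keys(ak.read_text()):
            records.append({"account": account, "type": ktype,
                            "fingerprint": fp, "comment": comment})
    return records


def orphan_keys(records: list, departed: set) -> list:
    """Keys whose comment's user part (before '@') names a departed user.
    Heuristic only: the comment is free text and can be anything."""
    return [r for r in records if r["comment"].split("@")[0] in departed]


def build_sample_tree() -> Path:
    """Write SAMPLE_HOMES into a temporary directory that mimics /home."""
    root = Path(tempfile.mkdtemp(prefix="homes-"))
    for account, lines in SAMPLE_HOMES.items():
        d = root / account / ".ssh"
        d.mkdir(parents=True)
        (d / "authorized_keys").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    recs = inventory(build_sample_tree())
    for r in recs:
        print(f"{r['account']:8} {r['fingerprint']} {r['comment']}")
    for r in orphan_keys(recs, {"bob"}):
        print("ORPHAN:", r["account"], r["comment"])
```

On a real server, call inventory(Path("/home")) as root and feed the fingerprints into whatever system of record you have. The weakness this exposes is the point of the section: the only link between a key and a person is the free-text comment, so the match is a guess unless you maintain a separate fingerprint-to-owner table, which is exactly the mapping that short-lived certificates carry in the certificate itself.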

Why Ubuntu Servers Need Identity-Based SSH Access

Ubuntu Server is the most popular Linux distribution for cloud and on-premises deployments, powering millions of servers on AWS, Azure, GCP, and private data centers. Yet SSH access to Ubuntu servers still relies on static SSH keys and passwords — creating key sprawl, orphan access, and zero-day exposure. OnePAM adds SAML/OIDC SSO to SSH on Ubuntu Server without modifying sshd configuration. With the local agent, OnePAM authenticates SSH sessions via your corporate IdP (Okta, Azure AD, Google Workspace). With the gateway SSH proxy, OnePAM authenticates users at the gateway and proxies SSH connections — no agent needed on the Ubuntu server itself. Both modes enforce MFA, issue short-lived certificates, record sessions, and provide compliance-ready audit trails. Ubuntu servers running outdated OpenSSH versions are shielded from zero-day exploits like regreSSHion (CVE-2024-6387) because the gateway prevents direct access to the SSH daemon.

Local Agent

Install the OnePAM agent on Ubuntu Server with a single command. Provides direct SSH access with SAML/OIDC authentication. Supports Ubuntu 16.04 LTS and later.

Gateway SSH Proxy

Run a dedicated OnePAM gateway that proxies SSH connections to Ubuntu servers. No agent installation required. Ideal for EC2 instances, auto-scaling groups, and deprecated Ubuntu releases without systemd (14.04 and earlier).

SSH Security Risks on Ubuntu Server

Without identity-based SSH access, these risks threaten your servers every day.

regreSSHion (CVE-2024-6387) allows unauthenticated remote code execution on Ubuntu servers running OpenSSH 8.5p1 to 9.7p1
Ubuntu LTS servers often run OpenSSH versions that receive security patches late due to enterprise change control processes
SSH key sprawl across Ubuntu servers makes it impossible to audit who has access to which server
Departed employees and contractors retain SSH key access to Ubuntu servers indefinitely without manual cleanup
Brute-force attacks against SSH passwords on internet-facing Ubuntu servers are constant and automated

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

SSH Key Sprawl

Ubuntu servers accumulate SSH keys in authorized_keys files across hundreds of user accounts. Auditing which keys belong to current employees is nearly impossible at scale.

No Native SSO

Ubuntu's OpenSSH does not natively support SAML or OIDC. Adding SSO traditionally requires complex configuration, SSSD setup, or LDAP integration that breaks on upgrades.

Orphan Access

When employees leave, their SSH keys remain on Ubuntu servers. Manual cleanup across hundreds of servers is error-prone. Former employees retain access until keys are manually removed.

No MFA for SSH

Adding MFA to SSH on Ubuntu traditionally requires configuring each server individually. Configuration drift is inevitable.

Zero-Day Exposure

Ubuntu servers running older OpenSSH versions are vulnerable to exploits like regreSSHion. Production servers cannot be patched immediately due to change control requirements.

Fragmented Audit Logs

SSH session logs are scattered across individual Ubuntu servers in /var/log/auth.log. Correlating who accessed which server requires log aggregation infrastructure.
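To show what the correlation problem looks like in practice, here is an added Python example (not OnePAM's or Ubuntu's code) that parses sshd lines in the format Ubuntu's rsyslog writes to /var/log/auth.log, collected from two hosts, and builds a "who reached which account on which server with which key" matrix plus a count of password brute-force sources. The log lines, hostnames, fingerprints and the fingerprint-to-owner table are constructed samples; a real fingerprint is 43 base64 characters.

```python
# Added example (not OnePAM's or Ubuntu's code): correlate sshd auth.log lines
# from several servers into an access matrix and a brute-force source list.
import re
from collections import Counter, defaultdict

# Constructed sample lines in rsyslog auth.log format (two hosts: web1, db1).
SAMPLE_AUTH_LOG = """\
Jan 15 12:00:01 web1 sshd[1234]: Accepted publickey for deploy from 203.0.113.5 port 50222 ssh2: ED25519 SHA256:aaaa
Jan 15 12:00:05 web1 sshd[1240]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 15 12:00:06 web1 sshd[1241]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Jan 15 12:00:07 web1 sshd[1242]: Failed password for invalid user test from 198.51.100.9 port 41004 ssh2
Jan 15 12:01:00 db1 sshd[777]: Accepted publickey for deploy from 10.1.2.3 port 50001 ssh2: ED25519 SHA256:bbbb
Jan 15 12:02:00 db1 sshd[790]: Accepted publickey for root from 10.1.2.3 port 50002 ssh2: ED25519 SHA256:cccc
Jan 15 12:03:00 db1 sshd[800]: Disconnected from user deploy 10.1.2.3 port 50001
"""

# Constructed fingerprint-to-owner table; without one, sshd only tells you a key, not a person.
KEY_OWNERS = {"SHA256:aaaa": "alice@example.com", "SHA256:bbbb": "bob@example.com"}

_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
ACCEPTED = re.compile(_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) "
                      r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?$")
FAILED = re.compile(_PREFIX + r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+ ssh2$")


def parse(text: str):
    """Split log text into accepted-login and failed-login records."""
    accepted, failed = [], []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            rec = m.groupdict()
            # Map the key fingerprint to a person; unknown keys are the sprawl problem.
            rec["owner"] = KEY_OWNERS.get(rec["fp"], "UNKNOWN") if rec["fp"] else None
            accepted.append(rec)
            continue
        m = FAILED.match(line)
        if m:
            failed.append(m.groupdict())
    return accepted, failed


def access_matrix(accepted: list) -> dict:
    """owner -> set of (host, account) pairs reached with that owner's key."""
    matrix = defaultdict(set)
    for rec in accepted:
        matrix[rec["owner"]].add((rec["host"], rec["user"]))
    return dict(matrix)


def bruteforce_sources(failed: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` failed password attempts."""
    counts = Counter(rec["ip"] for rec in failed if rec["method"] == "password")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    acc, fail = parse(SAMPLE_AUTH_LOG)
    for owner, targets in access_matrix(acc).items():
        print(owner, sorted(targets))
    print("brute-force sources:", bruteforce_sources(fail))
```

Two things fall out of running this over real logs: every Accepted line must be joined to a fingerprint table you maintain by hand before it names a person, and a root login with an unknown key (the third accepted line) is exactly the event a scattered per-host log will not surface on its own.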

How OnePAM Adds SSO to SSH on Ubuntu Server

Step-by-step guide to deploying identity-based SSH access.

Step 1 — Choose Your Deployment Mode

Select local agent installation for direct SSH access, or gateway SSH proxy for agentless protection.

Agent mode: Run 'curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash' on Ubuntu 16.04+. Gateway mode: Deploy a OnePAM gateway (Docker, VM, or bare metal) and configure it as the SSH entry point for your Ubuntu servers.

Step 2 — Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, OneLogin, or any SAML 2.0/OIDC provider) as the authentication source.

OnePAM handles the full SAML/OIDC handshake. Users are redirected to your IdP, authenticate with MFA, and receive a short-lived certificate. The certificate includes identity claims (username, groups, email) from your IdP.

Step 3 — Define Access Policies

Set granular access rules: who can SSH to which Ubuntu servers, from where, at what times, and with what MFA requirements.

Map IdP groups to server groups. Developers get access to dev/staging servers; SREs get production access with step-up MFA. Contractors get time-limited access that expires automatically.

Step 4 — Users SSH with Corporate Identity

Developers and operators SSH to Ubuntu servers using their corporate credentials. No SSH keys to distribute, rotate, or revoke.

Users run 'onepam ssh server.example.com' and are redirected to the IdP for authentication. OnePAM handles the SAML/OIDC handshake, obtains a short-lived certificate, and establishes the SSH session. With gateway mode, users connect through the gateway which proxies to the target server.

Step 5 — Audit, Record, Comply

Every SSH session is logged with full IdP context. Optional session recording captures every keystroke.

Compliance teams get a unified audit trail: who accessed which Ubuntu server, which IdP authenticated them, what MFA method was used, from which device and location, and optionally a full session recording for forensics.
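To make the policy step and the audit step concrete, here is an added Python example (not OnePAM's code) of the decision a certificate authority makes between steps 2 and 5: it takes OIDC-style claims from the IdP, evaluates them against a group-to-server-group policy with step-up MFA, source-network and time-limited-grant conditions, and on success describes the short-lived certificate to issue (principals and a 1-24 hour validity window) together with the unified audit record. The policy, hostnames, claims and dates are constructed; OnePAM's real policy language and certificate fields are not on this page and are not reproduced.

```python
# Added example (not OnePAM's code): evaluate IdP claims against an access
# policy and describe the certificate and audit record that would follow.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    idp_group: str                  # group claim from the IdP
    server_group: str               # fleet this group may reach
    principals: List[str]           # Unix accounts the certificate may log in as
    step_up_mfa: bool = False       # require phishing-resistant MFA
    max_ttl: timedelta = timedelta(hours=8)
    source_nets: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    expires_at: Optional[datetime] = None   # time-limited grant (contractors)


# Constructed policy: developers -> dev; SREs -> prod with step-up MFA, a 1h TTL
# and corporate source addresses only; contractors -> dev until a fixed date.
POLICY = [
    Rule("developers", "dev", ["deploy"]),
    Rule("sre", "prod", ["deploy", "root"], step_up_mfa=True,
         max_ttl=timedelta(hours=1), source_nets=["10.0.0.0/8"]),
    Rule("contractors", "dev", ["deploy"], max_ttl=timedelta(hours=4),
         expires_at=datetime(2025, 1, 31, tzinfo=timezone.utc)),
]
SERVER_GROUPS = {"web1.example.com": "dev", "db1.example.com": "prod"}  # constructed
STRONG_MFA = {"fido2", "webauthn"}   # 'amr' values accepted for step-up
MAX_CERT_TTL = timedelta(hours=24)   # page states 1-24 hour certificates


def evaluate(claims: dict, server: str, source_ip: str, now: datetime,
             requested_ttl: timedelta = timedelta(hours=8)) -> dict:
    """Try every rule that links one of the user's groups to the server's group;
    the first rule whose conditions all hold wins, otherwise every failure is reported."""
    target_group = SERVER_GROUPS.get(server)
    if target_group is None:
        return {"allow": False, "reasons": ["unknown server"]}
    reasons = []
    for rule in POLICY:
        if rule.idp_group not in claims["groups"] or rule.server_group != target_group:
            continue
        if rule.expires_at is not None and now >= rule.expires_at:
            reasons.append(f"{rule.idp_group}: grant expired")
            continue
        if not any(ip_address(source_ip) in ip_network(n) for n in rule.source_nets):
            reasons.append(f"{rule.idp_group}: source address not allowed")
            continue
        if rule.step_up_mfa and not STRONG_MFA & set(claims.get("amr", [])):
            reasons.append(f"{rule.idp_group}: step-up MFA required")
            continue
        ttl = min(requested_ttl, rule.max_ttl, MAX_CERT_TTL)
        cert = {  # what the CA would sign: identity, principals, validity window
            "key_id": f"{claims['email']} via {rule.idp_group}",
            "principals": list(rule.principals),
            "valid_after": now,
            "valid_before": now + ttl,
        }
        audit = {  # unified record: who, which IdP, which server, which MFA, from where
            "user": claims["email"], "idp": claims["iss"], "server": server,
            "mfa": sorted(claims.get("amr", [])), "source_ip": source_ip,
            "rule": rule.idp_group, "cert_expires": cert["valid_before"].isoformat(),
        }
        return {"allow": True, "cert": cert, "audit": audit}
    return {"allow": False, "reasons": reasons or ["no rule grants this server group"]}


def ttl_hours(result: dict) -> float:
    """Validity window of an allowed result, in hours."""
    c = result["cert"]
    return (c["valid_before"] - c["valid_after"]).total_seconds() / 3600


def sample_claims(email: str, groups: List[str], amr: List[str]) -> dict:
    """Constructed OIDC-style claims as an IdP would return them after login."""
    return {"email": email, "groups": groups, "amr": amr, "iss": "https://idp.example.com"}


SAMPLE_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    sre = sample_claims("bob@example.com", ["sre"], ["pwd", "fido2"])
    print(evaluate(sre, "db1.example.com", "10.1.2.3", SAMPLE_NOW))
    print(evaluate(sre, "db1.example.com", "203.0.113.5", SAMPLE_NOW))
```

The design choice worth copying is that every condition is evaluated per rule and the TTL is the minimum of what was requested, what the rule allows and the global cap, so a production grant never outlives its rule even if the user asked for a day. The audit record is built from the same claims that drove the decision, which is what makes "which IdP authenticated them and with what MFA" answerable later without a second log source.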

Benefits of SSH SSO on Ubuntu Server

What changes when you deploy identity-based SSH access.

Eliminate SSH Key Management

No more distributing, rotating, or auditing SSH keys on Ubuntu servers. Users authenticate with their corporate identity. Keys are replaced by short-lived certificates.

Zero SSH keys to manage

Shield from SSH Zero-Days

Gateway mode prevents attackers from reaching Ubuntu's sshd directly. Exploits like regreSSHion become unexploitable — even on unpatched servers.

100% of unauthenticated SSH attacks blocked

Enforce MFA on Every Session

Require Duo, FIDO2, or push MFA for every SSH connection to Ubuntu servers — using your IdP's MFA policies. No per-server configuration.

100% MFA-protected SSH sessions

Instant Deprovisioning

Disable a user in your IdP and SSH access to every Ubuntu server stops immediately. No manual authorized_keys cleanup.

Real-time access revocation

Session Recording

Record every SSH session on Ubuntu servers for compliance, forensics, and training. Replay sessions keystroke-by-keystroke.

Full session visibility

SOC 2 / HIPAA / PCI Ready

OnePAM provides identity-verified access logs, session recordings, and access reviews that satisfy SOC 2, HIPAA, and PCI DSS requirements.

Audit-ready from day one

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

SAML 2.0 & OIDC authentication for SSH sessions
Short-lived certificates (1-24 hour TTL)
Compatible with Ubuntu 16.04 LTS and later
Identity-based authentication for sshd
IdP group-to-Linux-group mapping
Automatic user provisioning on first SSH login
Just-in-time sudo elevation with MFA step-up
SSH session recording with keystroke replay
IP and geo-restriction for SSH access
Device trust verification before granting access

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Gateway shields sshd from network-based exploits
Zero-day protection for unpatched OpenSSH versions
SSH protocol inspection at the gateway
Command filtering and blocklists
Real-time session monitoring and termination
Automatic certificate expiration (no key rotation needed)
Encrypted session recordings with tamper detection
Integration with SIEM (Splunk, Datadog, Elastic)

Ubuntu Server SSH SSO Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. DevOps team managing 200+ Ubuntu EC2 instances with SSO-authenticated SSH access and auto-scaling group support
2. Healthcare company enforcing HIPAA-compliant SSH access to Ubuntu servers storing patient data with full session recording
3. Financial institution replacing SSH keys with short-lived certificates on Ubuntu servers to meet PCI DSS requirements
4. MSP providing time-limited SSH access to client Ubuntu servers for contractors without distributing SSH keys
5. SaaS company using gateway SSH proxy to shield legacy Ubuntu 18.04 servers from regreSSHion while planning migration
6. Remote engineering team requiring MFA-protected SSH access to Ubuntu servers across multiple cloud regions

SSO for SSH on Ubuntu Server FAQ

Common questions about SSH SSO and zero-day protection.

Which Ubuntu versions does OnePAM support?

OnePAM's local agent supports any Ubuntu version with systemd, starting from Ubuntu 16.04 LTS. This includes 16.04, 18.04, 20.04, 22.04, 24.04, and future releases. The gateway SSH proxy works with any Ubuntu version (including EOL releases without systemd) because it requires no agent installation on the target server.

Does OnePAM modify my Ubuntu sshd configuration?

The local agent configures certificate authentication. It does not modify your existing sshd_config. The gateway SSH proxy requires no changes to the Ubuntu server at all.

Can I protect Ubuntu servers I cannot install software on?

Yes. The gateway SSH proxy mode requires no agent installation on the Ubuntu server. The gateway authenticates users and proxies SSH connections. This is ideal for Ubuntu servers managed by other teams, in DMZs, or in locked-down environments.

How does OnePAM protect against regreSSHion (CVE-2024-6387)?

The gateway SSH proxy prevents direct access to the Ubuntu server's SSH daemon. Since regreSSHion requires sending a specially crafted authentication sequence directly to sshd, the gateway blocks this by authenticating users before any connection reaches sshd. Unpatched servers are shielded.

What happens if the OnePAM gateway goes down?

In agent mode, the agent caches valid certificates locally and can authenticate offline for a configurable grace period, ensuring SSH access continues during transient network issues. Dedicated gateways can be deployed across multiple instances for redundancy.

Can I use OnePAM alongside existing SSH keys?

Yes. OnePAM can be deployed in audit-only mode first, where it logs all SSH access without changing authentication. You can then gradually migrate users from SSH keys to SSO-based certificates, with both methods accepted during the transition.

Add SSO to SSH on Ubuntu Server

Deploy OnePAM in minutes — via local agent or gateway SSH proxy.