SSO for SSH on Linux Servers
Replace SSH keys and passwords with SAML/OIDC Single Sign-On. Authenticate SSH sessions via your corporate IdP (Okta, Azure AD, Google Workspace). Deploy via local agent or gateway SSH proxy. Protect unpatched servers from zero-day SSH vulnerabilities — every connection is identity-verified.
Local Agent or Gateway SSH Proxy
Two deployment models for SSO-protected SSH. Choose based on your infrastructure, compliance requirements, and whether you can install software on target servers.
PumaGate Agent on Each Server
Install the lightweight PumaGate agent directly on your Linux servers. The agent authenticates SSH sessions via your corporate IdP — no gateway required.
Users connect via pumagate ssh hostname; the agent handles SAML/OIDC authentication.
- Direct SSH connection — no network hop through a proxy
- Identity-based authentication for native sshd
- Short-lived certificates issued after IdP auth
- Connect via pumagate ssh hostname — replaces ssh transparently
- Offline grace period for intermittent connectivity
- Full session recording on the server itself
Dedicated Gateway SSH Proxy
Run a dedicated PumaGate gateway that proxies SSH connections to your servers. Users authenticate via SAML/OIDC at the gateway, which then establishes the SSH session on their behalf. No agent installation needed on target servers — ideal for legacy and unmanaged environments.
- Zero agent installation on target servers
- Protect unmanaged/legacy servers without touching them
- Centralized session recording at the gateway
- Network-level isolation — servers never directly exposed
- SSH protocol inspection and command filtering
- Works with servers you cannot install software on
Your Unpatched Linux Servers Are One SSH CVE Away from Compromise
OpenSSH has had critical zero-day vulnerabilities (regreSSHion CVE-2024-6387, CVE-2023-38408, CVE-2023-48795 Terrapin). If your servers run outdated SSH, attackers don't need credentials — they need one exploit. PumaGate shields them.
regreSSHion (CVE-2024-6387)
Remote unauthenticated code execution in OpenSSH. Affected millions of servers running older versions. Root access without any credentials.
Stolen SSH Keys
SSH private keys stored on developer laptops, in CI/CD pipelines, and in config management tools. One compromised key = full server access.
Slow Patching Cycles
Production servers can't be rebooted freely. Patch cycles take weeks. During the gap, every unpatched SSH daemon is a target.
Orphan Access
Ex-employees, contractors, and rotated team members retain SSH key access. Manual cleanup of authorized_keys is error-prone and incomplete.
How PumaGate Protects SSH from Zero-Day Exploitation
No Direct SSH Exposure
With gateway mode, SSH ports are only reachable via PumaGate. Attackers cannot send exploit payloads directly to your sshd.
Identity-First SSH
Every SSH session requires a valid IdP-verified identity. No anonymous connections. No key-only authentication. Identity is always verified.
Short-Lived Certificates
Replace static SSH keys with short-lived certificates issued after IdP authentication. Certificates expire automatically — no keys to rotate.
Patch Safely
Take time to test SSH patches. PumaGate's gateway shields servers from exploitation during the patch window. No rush patching.
What Changes with Identity-Based SSH Access
Replaces SSH key sprawl with corporate identity on every connection. Shields servers from SSH zero-day exploits without changing how developers work.
Block SSH Zero-Day Exploits
Gateway mode prevents attackers from reaching your SSH daemons directly. Exploits like regreSSHion (CVE-2024-6387) become unexploitable — even on unpatched servers.
Eliminate SSH Key Sprawl
No more distributing, rotating, or auditing SSH keys across hundreds of servers. Users authenticate with their corporate identity. Keys are replaced by short-lived certs.
MFA on Every SSH Session
Enforce multi-factor authentication (Duo, FIDO2, push) on every SSH connection using your IdP's MFA policies. No SSH-specific MFA configuration.
Instant Deprovisioning
Disable a user in your IdP and SSH access to every server stops immediately. No more manual authorized_keys cleanup across hundreds of servers.
SSH Session Recording
Record every SSH session for compliance, forensics, and training. Replay sessions keystroke-by-keystroke with full metadata.
Compliance-Ready Audit Trail
SOC 2, HIPAA, PCI DSS, ISO 27001 — all require access controls and audit trails for SSH. PumaGate provides identity-verified logs for every session.
PumaGate SSH SSO vs. Traditional SSH Access
See what changes when you replace SSH keys and passwords with identity-based authentication.
| Capability | With PumaGate | Traditional SSH Keys |
|---|---|---|
| Authentication | SAML/OIDC via corporate IdP | Static SSH keys or passwords |
| Zero-Day Protection | Gateway shields sshd from exploits | sshd directly exposed to network |
| MFA Enforcement | IdP MFA (Duo, FIDO2, push) | None or complex PAM config |
| Key Management | Short-lived certs, auto-rotated | Manual key distribution & rotation |
| User Deprovisioning | Instant via IdP disable | Manual authorized_keys cleanup |
| Session Recording | Built-in with keystroke replay | Requires external tooling |
| Audit Trail | Identity-verified, centralized | Key fingerprints only, fragmented |
| Compliance (SOC2/HIPAA/PCI) | Built-in controls and evidence | Manual evidence collection |
Add SSO to SSH on Any Linux Distribution
Install with a single command. Connect your IdP. Use pumagate ssh with corporate identity.
SSO for SSH on Linux Servers - SAML and OIDC Authentication
PumaGate adds SAML 2.0 and OpenID Connect (OIDC) Single Sign-On to SSH authentication on Linux servers. Supported distributions include Ubuntu Server, Red Hat Enterprise Linux (RHEL), Debian, CentOS, Rocky Linux, AlmaLinux, Amazon Linux, SUSE Linux Enterprise, Oracle Linux, and Alpine Linux. PumaGate replaces static SSH keys with identity-based access tied to your corporate Identity Provider (Okta, Azure AD, Google Workspace, OneLogin, Ping Identity).
Two Deployment Models for SSH SSO
PumaGate offers two deployment modes: a local agent installed on each server for direct SSH access, or a dedicated gateway SSH proxy that authenticates users and proxies connections without requiring any agent installation on target servers. The gateway mode is ideal for legacy servers, unmanaged environments, and segmented networks.
Zero-Day SSH Protection for Outdated Servers
PumaGate's gateway SSH proxy shields unpatched Linux servers from SSH zero-day vulnerabilities. Exploits like regreSSHion (CVE-2024-6387), the Terrapin attack (CVE-2023-48795), and ssh-agent forwarding exploits (CVE-2023-38408) require direct access to the SSH daemon. With PumaGate's gateway, the SSH port is only reachable through the authenticated proxy, making these exploits unexploitable. Organizations can patch on their schedule rather than rushing emergency updates.
Replace SSH Keys with Short-Lived Certificates
PumaGate's certificate authority issues short-lived certificates after SAML/OIDC authentication. Certificates expire automatically (configurable from 1 hour to 24 hours), eliminating the need for SSH key rotation, authorized_keys management, and manual deprovisioning. When a user is disabled in the IdP, their certificates are immediately invalid.
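The short-lived certificate model described here (and under "Short-Lived Certificates" above) maps onto OpenSSH's built-in certificate support: a CA signs a user's public key with a validity window (`ssh-keygen -s ca_key -I key_id -n principal -V +1h`) and sshd trusts that CA via TrustedUserCAKeys, rejecting any certificate whose window has passed. The following Python is an added example, not PumaGate's code: it constructs a demo certificate blob in the ssh-ed25519-cert-v01@openssh.com wire format and applies the type, validity-window and principal checks that sshd performs. The nonce, user key, CA key and signature are zero-filled placeholders (an assumption for the demo), so signature verification is deliberately out of scope; a real sshd would reject this blob on the signature alone.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # cert "type" field: 1 = user certificate, 2 = host certificate


def pack_str(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_demo_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed demo certificate (assumption: placeholder keys/signature).
    Field order follows OpenSSH's PROTOCOL.certkeys for ssh-ed25519 user
    certificates. The nonce, public key, CA key and signature are zero-filled,
    so only the identity and validity fields are meaningful here."""
    return (
        pack_str(CERT_TYPE)
        + pack_str(b"\x00" * 32)                 # nonce
        + pack_str(b"\x00" * 32)                 # user ed25519 public key (placeholder)
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + pack_str(key_id.encode())              # key id: the IdP-verified identity
        + pack_str(b"".join(pack_str(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)         # Unix seconds, inclusive
        + struct.pack(">Q", valid_before)        # Unix seconds, exclusive
        + pack_str(b"")                          # critical options (none)
        + pack_str(b"")                          # extensions (none)
        + pack_str(b"")                          # reserved
        + pack_str(b"\x00" * 32)                 # CA signature key (placeholder)
        + pack_str(b"\x00" * 64)                 # signature (placeholder)
    )


class _Reader:
    """Cursor over SSH wire-format data."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self):
        n = self.take(">I")
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v


def parse_cert(blob):
    """Extract the fields a server needs to decide whether to honour the cert."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string()  # nonce
    r.string()  # user public key
    serial = r.take(">Q")
    cert_type = r.take(">I")
    key_id = r.string().decode()
    pr = _Reader(r.string())  # principals are a nested list of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after = r.take(">Q")
    valid_before = r.take(">Q")
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def check_cert(blob, login_user, now):
    """Mirror sshd's acceptance checks (signature verification excluded):
    user type, valid_after <= now < valid_before, and principal match.
    Stricter than OpenSSH in one respect: an empty principal list is
    rejected here, whereas OpenSSH treats it as valid for any user."""
    cert = parse_cert(blob)
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "not yet valid"
    if now >= cert["valid_before"]:
        return False, "expired"
    if login_user not in cert["principals"]:
        return False, f"principal {login_user!r} not in {cert['principals']}"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    cert = build_demo_cert("alice@example.com", ["alice", "deploy"], issued, issued + 3600)
    for t in (issued + 1800, issued + 3600):
        print(f"t+{t - issued}s:", check_cert(cert, "alice", t))
    print("as root:", check_cert(cert, "root", issued + 10))
```

The point the code makes is that expiry is enforced by the server from fields inside the certificate, not by anything a client can edit: a one-hour certificate is useless at t+3600 even if the private key is stolen, and a certificate issued to `alice` cannot be presented for `root`. In a real deployment sshd additionally verifies the CA signature, honours critical options such as source-address, and consults AuthorizedPrincipalsFile; the CA's decision to sign at all is where the IdP check and any deprovisioning take effect.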