SSH is one of the most sensitive access paths in your stack. But most tools treat it like a utility: “If you’re on the network, you’re in.”
This might be fine for side projects. It’s not fine for production.
Take WireGuard VPNs like Tailscale, for example. Tailscale makes SSH simple—maybe too simple. But reachability doesn’t equal security. By default, anyone on the same tailnet can SSH into other nodes, no additional policy required.
Here’s why that breaks Zero Trust fundamentals:
Access is implicit. You’re trusted because you’re present—not because your identity or role was verified.
No dynamic policy. You can’t easily enforce rules like, “only on-call SREs can access prod.”
Long-lived access. Sessions persist without re-auth.
Limited auditing. Tracking who connected, when, and why isn’t built-in.
In summary, being on the network shouldn't equal being allowed in.
With Pomerium, SSH access is identity-aware, time-bound, and policy-enforced. Every connection goes through an authentication flow that results in a short-lived certificate—valid only for that session, scoped to that user.
OAuth-backed SSH authentication. Users log in via browser to authenticate identity.
Short-lived SSH certificates. No keys to manage. Certificates expire automatically.
Contextual policy enforcement. Access is granted based on identity, group, time, and role.
Built-in audit logs and session recording. Every certificate issuance and login attempt is logged. SSH sessions are automatically recorded and stored in an S3-compatible bucket. You can review session playback from the CLI or browser, giving your team full visibility without third-party tools.
You define who gets in. When. And under what conditions.
When a user initiates an SSH connection:
Pomerium intercepts the request and initiates an OAuth login flow via a keyboard-interactive prompt (or a clickable URL in many terminals).
After successful authentication, Pomerium issues a short-lived SSH certificate, signed by its own SSH Certificate Authority (CA).
The user’s SSH client presents this certificate to the target server.
The SSH server, pre-configured to trust Pomerium’s CA, grants access if the certificate is valid and in-policy. You’ll need to add Pomerium’s SSH CA public key to your server’s TrustedUserCAKeys in sshd_config.
No agents are needed on the SSH client or server. Pomerium uses the standard SSH protocol and validates certificates directly.
That’s it. No static SSH keys, no VPN tunnels, no standing permissions.
Pomerium encodes metadata (username, groups, roles, etc.) into each SSH certificate. That metadata is checked against policies like:
Only during on-call shifts
Only from managed devices
Re-auth required every 30 minutes
Policy isn’t optional; it’s the entry gate.
SSH sessions are bounded by the certificate’s TTL (time-to-live). You can configure this window to meet your needs. If you set the maximum TTL to one hour, users must re-auth via OAuth after one hour to continue.
Pomerium enforces session limits at connection time and continuously re-evaluates the user’s authorization. If a user falls out of policy — for example, their on-call shift ends — the session is revoked immediately. Once connected, session duration depends on SSH server configuration. Pomerium captures full session logs for every SSH connection. Your team gets visibility into exactly what happened, without extra setup or external dependencies.
One platform team we worked with needed SSH access to production limited to on-call engineers only. With Pomerium, they enforced:
Time-based access based on on-call schedules
Re-auth every 60 minutes
Trusted device posture
No shared keys or standing credentials
Full audit trail of who accessed what, and when
Every session was temporary and every connection was justified. True Zero Trust in practice.
| Feature | Tailscale | Pomerium |
|---|---|---|
| Identity-based SSH | ⚠️ Optional via ACLs | ✅ |
| Short-lived certificates | ❌ | ✅ |
| OAuth login | ❌ | ✅ |
| Per-session TTL | ❌ | ✅ |
| Certificate-based policy | ❌ | ✅ |
| Built-in certificate audit | ⚠️ Partial | ✅ |
| SSH server config required | ⚠️ None | ✅ (Trust Pomerium CA) |
Pomerium gives your organization the fine-grained control over SSH access that modern secure access models require, without relying on network presence. No compromises.
You have the power to define who can connect, when, and under what conditions. SSH becomes just as secure as the rest of your stack.
Next steps:
See how easy securing SSH can be -> Request a demo