
Native SSH Access

July 10, 2025

Teams can now SSH securely without tunneling or workflow changes: Pomerium introduces native SSH with OAuth-integrated authentication that works with standard SSH clients and applies identity-aware, policy-driven authorization.

With this release, Pomerium acts as an SSH certificate authority (CA), signing temporary certificates based on successful OAuth authentication. Instead of managing per-user static keys on every server, access is tied to your identity provider (IdP) and enforced in real time by policy.

This makes SSH access:

  • Zero Trust-aligned

  • OAuth-backed and centrally authorized

  • Ephemeral and auditable

  • Easy to manage at scale

How it works

Users connect via:
SSH client → Envoy → Pomerium

  1. The user initiates an SSH connection.

  2. Pomerium prompts for an OAuth login, using SSH keyboard-interactive authentication to drive the OAuth device code flow.

  3. After successful authentication, Pomerium evaluates context-aware policy for authorization, then generates a short-lived SSH certificate.

  4. The certificate is signed using a configured User CA private key.

  5. Pomerium creates an SSH connection to the desired host using the short-lived SSH certificate.

  6. The SSH server grants access if it trusts the User CA and the certificate's principals, validity window and options pass sshd's checks for the requested login.

  7. If the user logs in again with the same public key, the authenticated session is reused (no new OAuth prompt) for the duration of the Pomerium session or until it is revoked.

No changes are required to SSH clients or existing key setups. Servers must be configured to trust Pomerium's User CA via sshd_config (TrustedUserCAKeys).

The generated certificates embed fields like:

  • Valid principals (usernames)

  • Expiration time

  • Session restrictions, carried as certificate options and extensions (e.g., denying port forwarding or shell/PTY access)

Why it matters

Static SSH keys are risky and hard to manage at scale. With native SSH support, Pomerium enables:

  • Fine-grained access based on identity and policy

  • Fast, easy revocation (just disable the user or change a policy)

  • Short-lived certs that reduce exposure without burdening users

  • No need for VPNs, bastion hosts, or custom SSH clients

Perfect for on-call access, ephemeral production access, or Zero Trust SSH in regulated environments.

Getting started

  1. Generate a User CA key pair

  2. Update your pomerium.config.yaml to enable SSH support

  3. Define your SSH routes

  4. Distribute the User CA public key to trusted servers (sshd_config → TrustedUserCAKeys)

  5. Reload or restart sshd

📖 See our docs for the full setup guide.
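The flow above, end to end, as an added example that is not Pomerium's own code: it reproduces with plain ssh-keygen what Pomerium does for you after OAuth and policy evaluation, so you can see exactly which fields land in the certificate and what a server needs in order to trust it. The scratch directory, the principal `alice`, the key ID format `oauth:<user>@example.com`, serial 42 and the 10-minute lifetime are illustrative choices, not Pomerium defaults.

```shell
#!/bin/sh
# Added example, not Pomerium's code: the certificate life cycle described
# above, reproduced with stock OpenSSH tooling so each artifact can be
# inspected. Pomerium signs automatically after OAuth and policy evaluation;
# here the same ssh-keygen operations are run by hand. Requires ssh-keygen.
set -eu

# "Getting started" step 1: the User CA key pair. Only the public half
# (user_ca.pub) is ever copied to servers.
make_user_ca() {                    # $1 = directory; prints CA private key path
    ssh-keygen -q -t ed25519 -N '' -C 'pomerium-user-ca' -f "$1/user_ca" >/dev/null
    echo "$1/user_ca"
}

# The key Pomerium presents to the upstream host (an ordinary ed25519 key here).
make_upstream_key() {               # $1 = directory; prints public key path
    ssh-keygen -q -t ed25519 -N '' -C 'pomerium-upstream' -f "$1/upstream" >/dev/null
    echo "$1/upstream.pub"
}

# "How it works" steps 3-4: sign a short-lived certificate. What policy decided
# becomes certificate fields: the principal (login name), a validity window and
# the permission set. "-O clear" drops every default permission; "permit-pty"
# is then re-added, so the user gets a shell but no port or agent forwarding.
sign_short_lived_cert() {           # $1 = CA key, $2 = public key, $3 = principal
    ssh-keygen -q -s "$1" \
        -I "oauth:$3@example.com" \
        -n "$3" \
        -V "-1m:+10m" \
        -z 42 \
        -O clear \
        -O permit-pty \
        "$2" >/dev/null
    echo "${2%.pub}-cert.pub"       # ssh-keygen writes <key>-cert.pub beside the key
}

# Decode one section of "ssh-keygen -L" output (Principals, Extensions,
# Critical Options): header lines are indented and end in a colon, values are
# printed one per line underneath.
cert_section() {                    # $1 = cert, $2 = section name
    ssh-keygen -L -f "$1" | awk -v want="$2:" '
        /^[ \t]+[A-Z][A-Za-z ]*:/ { on = ($0 ~ want); next }
        on { sub(/^[ \t]+/, ""); print }'
}

# The checks an SSH server effectively performs (step 6). Exit 0 = true.
cert_has_principal() { cert_section "$1" Principals | grep -qx "$2"; }
cert_has_extension() { cert_section "$1" Extensions | grep -qx "$2"; }
signing_ca_matches() {              # $1 = cert, $2 = CA public key
    cert_ca="$(ssh-keygen -L -f "$1" | grep 'Signing CA' | grep -o 'SHA256:[^ ]*')"
    ca_fp="$(ssh-keygen -lf "$2" | grep -o 'SHA256:[^ ]*')"
    [ -n "$cert_ca" ] && [ "$cert_ca" = "$ca_fp" ]
}

# "Getting started" steps 4-5: a server needs only the CA public key and one
# sshd_config line. Written to $2/pomerium.conf here; on a real host place the
# key under /etc/ssh, add the line to sshd_config (or an included file) and
# reload sshd, e.g. "systemctl reload sshd".
write_sshd_trust() {                # $1 = CA public key, $2 = directory; prints conf path
    cp "$1" "$2/pomerium_user_ca.pub"
    chmod 0644 "$2/pomerium_user_ca.pub"
    printf 'TrustedUserCAKeys %s/pomerium_user_ca.pub\n' "$2" > "$2/pomerium.conf"
    echo "$2/pomerium.conf"
}

# Walk the whole flow in a scratch directory and show the certificate as the
# server will decode it.
demo() {
    dir="$(mktemp -d)"
    ca="$(make_user_ca "$dir")"
    pub="$(make_upstream_key "$dir")"
    cert="$(sign_short_lived_cert "$ca" "$pub" alice)"
    ssh-keygen -L -f "$cert"
    cat "$(write_sshd_trust "$ca.pub" "$dir")"
    rm -rf "$dir"
}
demo
```

Running it prints the decoded certificate (key ID, serial, validity window, the single principal `alice`, and `permit-pty` as the only extension) followed by the `TrustedUserCAKeys` line. Two things worth keeping in mind on the server side: with only `TrustedUserCAKeys` set, sshd accepts the certificate when the requested login name is listed among its principals and the validity window covers the current time, so the principal list written by the CA is the authorization boundary on the host; and disabling a user in the IdP or changing policy stops new certificates from being issued but does not shorten one already signed, which is why the lifetime should be as short as the workflow tolerates.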

What’s next

We're just getting started with SSH:

  • Command restrictions and session metadata (coming soon)

  • Audit integrations for session logging

Secure SSH, simplified and policy-driven.
This is SSH the Zero Trust way — powered by Pomerium.

© 2025 Pomerium. All rights reserved