Smallstep SSH is a certificate-based SSH access management solution that replaces static SSH keys with short-lived, ephemeral certificates. It is designed to secure remote access across cloud, on-premises, and hybrid environments for developers, automation pipelines, and AI/MCP-driven workflows. Key capabilities include: - Ephemeral SSH Certificate Issuance: Certificates are issued daily and expire within hours, eliminating the risks associated with long-lived static SSH keys that accumulate on servers and endpoints. - IdP Integration with MFA: Connects to identity providers (IdPs) such as Okta, Google Workspace, and Microsoft Entra ID. User and group mappings from the IdP are applied directly to server access roles, enabling granular RBAC without separate SSH credentials. - Device Identity Enforcement: Hardware-bound certificates contain a unique, hardware-attested device identifier, ensuring only trusted, company-managed devices can initiate SSH sessions. - SCIM Provisioning: Supports SCIM-based user lifecycle management, so adding or removing a user in the IdP propagates immediately to SSH access across all servers. - Break-Glass / Offline Access: Supports hardware-backed offline certificates for emergency access when the SSO/IdP provider is unavailable. - Centralized Auditing Dashboard: Provides a single dashboard for monitoring active SSH sessions, managing user groups, enforcing access rules, and generating usage reports. - Automated Certificate Rotation: Certificates renew automatically daily without manual intervention or downtime. - API for Ephemeral Container Access: Provides an API for managing SSH access to short-lived container workloads. - No Bastion Host Required: Eliminates the need for SSH bastion hosts or jump servers.