The following features are supported:

  • Client configuration of OpenSSH to support Smallstep SSH
  • Support for the following client platforms:
    • macOS (10.13 High Sierra or above)
    • Windows 10 (using PowerShell)
    • Ubuntu 18.04 LTS
    • CentOS 7 and CentOS Stream 8
    • Fedora (34 and 35)
    • Debian 10


Since you’re hosting your own Run Anywhere cluster, you’ll use the same process to bootstrap your SSH Authority as you would for the SaaS product. However, you must supplement the command with additional flags to point it toward your cluster.

To set up a client for SSH access, run the following command:

step ssh config \
     --team <team_slug> \
     --team-url="https://api.[base domain]/v1/teams/<>/authorities/ssh"

The above command will connect to your SSH Authority, download your configuration, and request a User SSH Certificate to be stored in your `ssh-agent.` This material will not touch the disk and will only sit in your client’s memory. A browser window will pop up where you can complete authentication with the IdP you’ve configured for your PKI.

From here, you can now SSH to hosts as you would normally:

ssh <hostname>

Host devices will use the SSH Certificate in your `ssh-agent` to authenticate all host devices registered with the authority.