Shared credentials might be restricted by most information security policies, but they are still necessary for specific use cases in most organizations. Not only is sharing passwords and keys risky, you also lose valuable auditing and forensic information on the destination should anything go awry: activity can only be tied back to the shared user ID.

In Smallstep SSH Pro, you can eliminate half the problem by adding principals to a group in the admin UI.


  1. Control which users have access to the machine
  2. Enforce user login via the IdP
  3. Allow staff to log in as different users if needed (e.g. a shared deploy user)
  4. No sharing of keys or passwords needed
  5. No rotating keys when someone leaves; just remove their access in the IdP

Navigate to the Group section of the SSH Pro administration UI:

Note that the summary screen includes a section for Principals.

On the right, choose to edit the group.

At the bottom of the screen is the section where you add a comma-separated list of principals.
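To see what certificate-based logins to a shared account look like on the destination host, the following added example (not part of the original page or of Smallstep's code) parses OpenSSH `Accepted publickey` log lines and attributes each login to the shared `deploy` account to the certificate's key ID. It assumes the key ID carries the user's IdP identity; the log lines, addresses, fingerprints and serials are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original page). Addresses,
# fingerprints, key IDs and serials are placeholders.
SAMPLE_LOG = """\
Jan 10 09:12:01 web1 sshd[2211]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: ECDSA-CERT SHA256:AAAAexampleuserkey1 ID alice@example.com (serial 1001) CA ECDSA SHA256:CCCCexamplecakey
Jan 10 09:40:37 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.11 port 50410 ssh2: ECDSA-CERT SHA256:BBBBexampleuserkey2 ID bob@example.com (serial 1002) CA ECDSA SHA256:CCCCexamplecakey
Jan 10 10:02:15 web1 sshd[2304]: Accepted publickey for deploy from 192.0.2.12 port 50555 ssh2: ED25519 SHA256:DDDDexamplestatickey
Jan 10 10:05:00 web1 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 50600 ssh2: ECDSA-CERT SHA256:AAAAexampleuserkey1 ID alice@example.com (serial 1003) CA ECDSA SHA256:CCCCexamplecakey
"""

# sshd appends "ID <key id> (serial N) CA <type> <fingerprint>" only when the
# client authenticated with a certificate; plain keys log just a fingerprint.
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<account>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ (?P<ca_fp>SHA256:\S+))?\s*$"
)

def attribute_logins(log_text, shared_accounts):
    """Map each shared account to the certificate identities that used it.

    Returns (attributed, unattributed). Logins made with a plain key instead of
    a certificate cannot be tied to a person and are returned separately.
    """
    attributed = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m or m["account"] not in shared_accounts:
            continue
        if m["key_id"] is None:
            unattributed.append((m["account"], m["src"], m["fp"]))
        else:
            attributed[m["account"]].append((m["key_id"], m["src"], int(m["serial"])))
    return dict(attributed), unattributed

if __name__ == "__main__":
    who, static_keys = attribute_logins(SAMPLE_LOG, {"deploy"})
    for account, logins in who.items():
        for key_id, src, serial in logins:
            print(f"{account}: {key_id} from {src} (cert serial {serial})")
    for account, src, fp in static_keys:
        print(f"{account}: UNATTRIBUTED static key {fp} from {src}")
```

Any entry in the unattributed list points to a static key still present in the shared account's `authorized_keys`, which is worth removing once access is granted through certificate principals.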