"We have 47 servers. Each has authorized_keys files nobody audits. When someone leaves, we grep across every box and hope we found them all."
— Every ops team with more than 5 servers
SSH with identity.
Every session logged.
Install the PAM module on any Linux server. Users SSH with their AuthFI identity. MFA enforced. Role-based sudo. Full session audit trail. No more SSH key sprawl.
SSH keys vs. SSH with identity
One approach is fragile, unauditable, and fails every compliance check. The other is AuthFI.
SSH keys today
- authorized_keys scattered across 47 servers
- Shared root password in a spreadsheet
- No MFA on SSH — "too hard to set up"
- Someone leaves — manually remove keys from every box
- No session recording — "what did the contractor do at 2am?"
- Compliance audit? Print grep output and pray.
SSH with AuthFI
- One identity for SSH, app, cloud, everything
- Role-based sudo: devops → sudo, viewer → read-only
- MFA on every SSH login — TOTP or passkey
- Disable user once → locked out of every server instantly
- Every command recorded in unified audit trail
- Compliance audit: export from one dashboard
How it works
Install the PAM module. User SSHs in. AuthFI validates identity and MFA. Roles map to sudo. Every session logged.
Install PAM module
One package. One config line. Works with any SSH server.
✓ authfi-pam installed
✓ /etc/pam.d/sshd configured
✓ Tenant: ayush | Region: in
$ systemctl restart sshd
User SSHs in
PAM intercepts authentication. AuthFI validates identity and enforces MFA.
AuthFI: MFA required
Enter TOTP code: ••••••
✓ Identity: alice@acme.com
✓ MFA: verified
✓ Role: devops → sudo granted
Role-based sudo
AuthFI roles determine Linux group membership and sudo access. No sudoers files to manage.
alice (role: devops) → sudo: granted
bob (role: viewer) → sudo: denied
carol (role: admin) → sudo: granted + audit
// Roles managed in AuthFI dashboard or Terraform
Full audit trail
Every SSH login, command, sudo attempt — in the same audit trail as app auth, cloud access, and eBPF decisions.
10:30:05 alice@acme.com SSH login ✓ MFA verified
10:30:12 alice: cd /var/log
10:30:15 alice: tail -f app.log
10:31:00 alice: sudo systemctl restart patient-api
10:31:01 sudo: granted (role: devops)
10:35:00 alice: exit
10:35:00 session ended (duration: 4m 55s)
Everything you need for server access
MFA, sudo, provisioning, recording, offline fallback — all from one PAM module.
Others charge extra. We include it.
Session recording, MFA, auto-provisioning — features that competitors sell as add-ons.
- Session recording: Business plan
- MFA on SSH: All PAM plans
- Auto user provisioning: Included
- Unified audit trail: All plans
- No per-server pricing: Flat plan pricing
- Role-based sudo: Included
Real-world pricing
200 engineers, 50 servers, session recording required
Real scenario
HIPAA audit in 6 weeks. Auditor needs evidence of session logging, MFA on server access, and automatic deprovisioning when staff leave. Currently using shared SSH keys with no MFA and no session recording.
Installed authfi-pam on all 50 servers in one afternoon. MFA enforced on every SSH login. Session recording flows into the same audit trail as the patient portal. Passed HIPAA audit with zero findings.
Available on Pro and above.
One platform. Every identity layer.
Free to start.
Free for 5,000 users. Upgrade when you're ready.