Citadel SSH

Secure your
SSH access

Power up your PKI security by moving to SSH without passwords. Store every employee's private keys in the secure element of their security keys. You’ve just given your infrastructure a seal, with credentials impossible to steal.

The ultimate protection for your private key

Security keys protect the most sensitive operations in the world—from the largest cloud providers to rocket companies. Attackers steal private keys to advance their operation, but when you store all private keys on a the isolated processor of a security key, credential theft becomes impossible.

SSH authentication and access management

A scalable system
for SSH access

Let users enroll themselves

The 0pass App helps users enroll their YubiKeys for native SSH access. It gives an easy enrollment flow for every employee—whether they’re in HR or engineering.

Tie PKI to corporate identity

When a user enrolls a YubiKey, Citadel installs a signed certificate onto the YubiKey and derives a public SSH key from it. SSH servers will check Citadel for allowed keys.

Manage users and their access

Define the resources that each user or user group is permitted to access, managing server access the same way that you manage application access with your identity provider.

No public keys on servers

The 0pass SSH Plugin only runs when authentication is initiated. It enables the server to communicate directly with Citadel and the YubiKey. No need to deploy and manage public keys.

The passwordless infrastructure

The 0pass App helps users enroll their YubiKeys for native SSH access.

How you can get started

Request a demo with
a free 30-day trial

Get your team using strong authentication.

Identity tied to PKI

A smooth rollout

Hands-on support

How you can get started

Request a demo with
a free 30-day trial

Get your team using strong authentication.

Identity tied to PKI

A smooth rollout

Hands-on support

How you can get started

Request a demo with
a free 30-day trial

Get your team using strong authentication.

Identity tied to PKI

A smooth rollout

Hands-on support

Your questions, answered.

Does this work with OpenSSH?

What happens if a user loses their security key?

Does Citadel provide audit logging capabilities?

How can I configure SSH servers to support Citadel SSH?

How can I configure SSH clients to support Citadel SSH?

Is this deployed via SaaS or self hosted?

How does a YubiKey’s PIN and a password differ?

Can I sudo via SSH with the YubiKey?