Identity, access, and audit for Linux fleets
Static SSH keys are a SOC 2 problem. Make them go away.
Linux Identity replaces static SSH keys with SSO-tied short-lived certificates, captures every sudo invocation, and produces tamper-evident audit evidence. Install in five minutes.
In private preview with Series-A/B platform teams. Free for fleets under 10 hosts and 5 users.
curl -fsSL https://install.linuxidentity.com/install.sh \
| sudo bash
Signed with cosign · SBOM published · 5-minute setup
In private preview with platform teams at
Real names will be added here as design partners launch. We don’t use logos without permission.
If your last security review took weeks, you already know the problem.
Series-A/B platform teams inherit SSH access stories that don’t survive contact with an auditor or a departing engineer.
Static SSH keys spread across laptops, vaults, and CI. Offboarding is a manual sweep.
Sudo is unaudited. "Who ran rm -rf last Tuesday?" takes hours to answer.
SOC 2 evidence collection is a 40-hour quarterly chore.
How it works
Three moving parts. Your IdP issues the identity. Our CA issues the cert. Your sshd validates it. The host agent only captures audit events — it is never in the path that lets your engineers in.
- 01: Engineer signs into your IdP
  Okta, Google Workspace, or Microsoft Entra. No new password to manage. Our control plane verifies the ID token (PKCE, nonce, signature) and issues a short-lived SSH certificate.
- 02: linuxid ssh user@host
  Our CLI fetches the cert, hands it to OpenSSH, and connects. The host's sshd validates the cert against the trusted CA public key — no per-key management on the host side.
- 03: Every action is audited
  Sudo invocations and shell sessions are captured by the host agent and written to an append-only audit log with a sha256 hash chain. Tampering is provable.
vs Teleport
We’re the SMB tier they don’t serve.
Teleport is excellent at mid-market and enterprise. They aren’t built for a 60-engineer Series A. Different price, different deployment shape, different sales motion.
| | Linux Identity | Teleport |
|---|---|---|
| Time to first cert issued | 5 minutes | Hours–days (SaaS), weeks (self-hosted) |
| Pricing (under 50 hosts) | $25 / host / mo | Quote-based, mid-market floor |
| Scope | SSH + sudo audit + compliance attach | SSH + DB + K8s + apps + everything |
| SOC 2 evidence pack | First-class, drift detection | Manual export |
| Sales motion | Self-serve + founder calls | Enterprise AE |
Full comparison page coming soon. If you’re >200 engineers or need DB / K8s / app proxying, Teleport is the better fit — we’ll happily refer.
Built for security buyers, not against them.
Our threat model is published. Our crypto choices are documented in ADRs. Our audit log is provably append-only — and you can re-verify the hash chain yourself.
- SSH CA private key in a managed KMS — never on disk, never in process memory
- Postgres row-level security forces tenant isolation on every query
- Append-only audit log with hash chain; app role has no UPDATE/DELETE
- Agent is never in the SSH critical path — if it crashes, your engineers still get in
- Cosign-signed binaries; SBOMs published with every release
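What re-verifying a sha256 hash chain involves, for the audit log described under "How it works" and in the list above. This is an added example, not Linux Identity's code or log format: the record layout, field names, genesis value and sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first record

# Constructed sample events; not real product output.
SAMPLE_EVENTS = [
    {"ts": "2024-05-07T10:01:02Z", "user": "alice", "host": "web-1", "cmd": "sudo systemctl restart nginx"},
    {"ts": "2024-05-07T10:04:40Z", "user": "bob", "host": "db-1", "cmd": "sudo rm -rf /var/tmp/cache"},
    {"ts": "2024-05-07T10:09:15Z", "user": "alice", "host": "web-1", "cmd": "sudo journalctl -u nginx"},
]

def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    # Each record commits to its predecessor's hash, forming the chain.
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})

def build_sample():
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, dict(ev))
    return log

def verify(log, expected_head=None):
    """Return the index of the first record that breaks the chain, or None.

    An edited, re-hashed, reordered or deleted record surfaces as a mismatch
    at or just after its position. Dropping records from the tail leaves a
    valid shorter chain, so it is caught only when expected_head (the latest
    hash, stored somewhere the log writer cannot reach) is supplied; in that
    case len(log) is returned.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

if __name__ == "__main__":
    log = build_sample()
    print("intact:", verify(log, expected_head=log[-1]["hash"]))
    log[1]["event"]["user"] = "mallory"
    print("first broken record:", verify(log))
```

The head hash is what makes truncation detectable, so an independent verifier has to keep its own copy of it outside the system that writes the log.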
Get early access
We’re working with a small number of Series-A/B platform teams as design partners. Tell us a little about your fleet and we’ll be in touch.
- Free for 6 months as a design partner
- Founder-led onboarding (no sales playbook)
- SOC 2 Type II underway