docs/documentation/platform/pam/accounts/ssh.mdx
SSH accounts let you manage access to your Linux/Unix servers. Users connect through Web Access (a browser-based terminal) or CLI (a local proxy), and every session can be recorded.
SSH accounts support three authentication methods: password, public key, and certificate-based.
The server must have `PasswordAuthentication yes` in sshd_config.
The corresponding public key must be in the user's `~/.ssh/authorized_keys` on the server.
After creating the account, configure the server to trust Infisical's CA. The account detail page provides a setup script.
See the [SSH Certificate Auth guide](/documentation/platform/pam/guides/ssh-certificate-auth) for a full walkthrough.
1. Go to **Privileged Access Management → My Access**
2. Find the account and click **Launch → Connect in Browser**
3. A terminal opens in a new tab
You get a full shell. To disconnect, type `exit` or close the tab.
```bash
infisical pam access prod-servers/web-01
```
The command outputs the local port to connect to. Then use your SSH client:
```bash
ssh deploy@localhost -p <port>
```
No password or key needed since the proxy handles authentication.
**Flags:**
- `--port <port>` — use a specific local port (otherwise one is assigned automatically)
- `--reason <reason>` — provide an access reason (if required by template)