Every edition ships the same hardened daemon. Choose the governance, compliance, and access control layer your team needs.
Everything you need for personal SSH automation — no card, no trial, no expiry.
Deploy workflows — manifests, resume, log streaming, state backup — are in Base.
Persistent daemon, verified transfers, fleet management, certificate auth, Docker & systemd control. Everything a developer or AI agent needs for reliable SSH.
Everything in Base plus policy engine, RBAC, SSO/OIDC, ephemeral certificates, secrets management, and pre-change backup with auto-rollback.
Everything in Enterprise plus tamper-proof session recording, session replay, SIEM/syslog export, and credential masking. SOC2 & ISO 27001 ready.
Every feature in Base is included in Enterprise. Every feature in Enterprise is included in Enterprise + Audit.
| Feature | Base | Enterprise | Ent + Audit |
|---|---|---|---|
| Core SSH & Connection Management | |||
| Persistent SSH daemon (connections survive between tool calls) | ✓ | ✓ | ✓ |
| Multi-server session pool (10+ concurrent servers) | ✓ | ✓ | ✓ |
| Auto-reconnect with exponential backoff & jitter | ✓ | ✓ | ✓ |
| Per-server session locking (parallel multi-agent access) | ✓ | ✓ | ✓ |
| Server profiles with OS keyring credential storage | ✓ | ✓ | ✓ |
| Connection quality metrics (RTT, jitter, uptime) | ✓ | ✓ | ✓ |
| OpenSSH config import | ✓ | ✓ | ✓ |
| SSH agent forwarding | ✓ | ✓ | ✓ |
| TOFU host key management | ✓ | ✓ | ✓ |
| Command Execution | |||
| Remote command execution with structured output | ✓ | ✓ | ✓ |
| Script mode (auto-wraps complex commands in temp scripts) | ✓ | ✓ | ✓ |
| Log streaming (--follow, like tail -f over SSH) | ✓ | ✓ | ✓ |
| Multi-locale sudo support (12 languages + per-server learning) | ✓ | ✓ | ✓ |
| Environment variable injection (--env, --env-file, auto-load) | ✓ | ✓ | ✓ |
| Mandatory client-ID audit trail on every command | ✓ | ✓ | ✓ |
| Fleet execution across servers and groups (--servers, --group) | ✓ | ✓ | ✓ |
| File Transfer & Integrity | |||
| SFTP with streaming SHA-256 checksum verification | ✓ | ✓ | ✓ |
| .part file pattern (atomic swap — no partial uploads go live) | ✓ | ✓ | ✓ |
| Resume interrupted transfers | ✓ | ✓ | ✓ |
| Deploy manifests (JSON snapshot of every deployed file) | ✓ | ✓ | ✓ |
| Reverse integrity auditing (verify server against manifest) | ✓ | ✓ | ✓ |
| Bidirectional directory sync with checksums | ✓ | ✓ | ✓ |
| BOM stripping & EOL conversion for cross-platform transfers | ✓ | ✓ | ✓ |
| Security & Authentication | |||
| Built-in Ed25519 Certificate Authority (3 commands to deploy) | ✓ | ✓ | ✓ |
| OS keyring credential storage (DPAPI / Keychain / libsecret) | ✓ | ✓ | ✓ |
| Ephemeral short-lived SSH certificates | — | ✓ | ✓ |
| SSO/OIDC Device Authorization with group-to-role mapping | — | ✓ | ✓ |
| External secrets managers (Vault, AWS, Azure, GCP) | — | ✓ | ✓ |
| Infrastructure Management | |||
| Docker container management (9 subcommands via SSH) | ✓ | ✓ | ✓ |
| Systemd service management (8 subcommands via SSH) | ✓ | ✓ | ✓ |
| Remote OS detection (automatic Windows/Linux adaptation) | ✓ | ✓ | ✓ |
| Data portability export (ZIP + OpenSSH config) | ✓ | ✓ | ✓ |
| Daemon state backup & restore | ✓ | ✓ | ✓ |
| Policy Engine & Access Control | |||
| Command allowlists & blocklists (regex patterns) | — | ✓ | ✓ |
| SFTP path access control & transfer size limits | — | ✓ | ✓ |
| Connection rate limiting & time-of-day restrictions | — | ✓ | ✓ |
| Per-client session quotas | — | ✓ | ✓ |
| Role-Based Access Control (RBAC) with role templates | — | ✓ | ✓ |
| Encrypted policy files (Ed25519 + AES-256-GCM) | — | ✓ | ✓ |
| Policy signing & verification | — | ✓ | ✓ |
| Output filtering & credential masking | — | ✓ | ✓ |
| Change Management | |||
| Pre-change file backup with automatic rollback | — | ✓ | ✓ |
| Post-change integrity verification | — | ✓ | ✓ |
| Compliance & Audit | |||
| Full session recording with HMAC-SHA-256 integrity seals | — | — | ✓ |
| Session replay (search, playback recorded sessions) | — | — | ✓ |
| SIEM / syslog / webhook event export | — | — | ✓ |
| Credential masking in recorded output | — | — | ✓ |
| AI Agent Optimization | |||
| IPC daemon architecture (structured JSON protocol) | ✓ | ✓ | ✓ |
| AI-optimized help (--help-ai with usage examples) | ✓ | ✓ | ✓ |
| Mandatory client-ID per request (multi-agent traceability) | ✓ | ✓ | ✓ |
| Output modes (realtime / aggregated) for AI parsing | ✓ | ✓ | ✓ |
How does sshDCommander compare to the tools developers use today?
| Capability | sshDCommander | Fabric | OpenSSH | PuTTY / Plink | Paramiko |
|---|---|---|---|---|---|
| Persistent SSH connections | Daemon (always-on) | No (reconnect each call) | ControlMaster (Unix only) | No | Manual channel reuse |
| Structured JSON output | Native | No | No | No | No (library) |
| Checksum-verified transfers | SHA-256 streaming | No | No | No | No |
| Deploy manifests | Built-in | No | No | No | No |
| Drift detection | Manifest verify | No | No | No | No |
| Script mode (quoting fix) | Built-in | No | No | No | No |
| Multi-server parallel execution | --servers, --group | ThreadingGroup | No | No | Manual threading |
| AI-optimized CLI | --help-ai, client-ID | No | No | No | No |
| OS keyring credentials | DPAPI / Keychain | No | ssh-agent (keys only) | Pageant (keys only) | No |
| Certificate Authority | Built-in Ed25519 CA | No | ssh-keygen CA | No | No |
| Docker/systemd management | 17 subcommands | No | No | No | No |
| Windows native support | First-class | Limited | Windows 10+ (basic) | Native | Yes |
| Pricing | From EUR 99/yr | Free (open source) | Free (open source) | Free (open source) | Free (open source) |
Enterprise-grade capabilities at a fraction of the cost and complexity.
| Capability | sshDCommander | Teleport | Ansible AAP | CyberArk PAM |
|---|---|---|---|---|
| Policy engine (command/path filtering) | Built-in | Access controls | Playbook-based | Full PAM |
| RBAC | Role templates | Full RBAC | Tower RBAC | Enterprise RBAC |
| SSO/OIDC | Device Authorization | Full SSO/SAML/OIDC | LDAP/SAML | Full SSO |
| Session recording | HMAC-sealed (Audit) | Video-like replay | Tower logging | Full recording |
| SIEM integration | Syslog/webhook (Audit) | Full SIEM | Limited | Full SIEM |
| Ephemeral certificates | Short-lived certs | Auto short-lived certs | No | Limited |
| Secrets management | Vault/AWS/Azure/GCP | No (separate tool) | Ansible Vault | CyberArk Vault |
| Pre-change backup + rollback | Built-in | No | No | Limited |
| Checksum-verified transfers | SHA-256 streaming | No | No | No |
| Deploy manifests + drift detect | Built-in | No | State drift (different) | No |
| Persistent SSH daemon | Always-on pool | Proxy server | No (per-play) | Gateway |
| AI agent integration | Native (IPC + CLI) | No | No | No |
| Setup complexity | pip install, 3 commands | Proxy + auth infra | Controller + inventory | Full PAM deployment |
| Typical annual cost | From EUR 449/yr | EUR 1,500-50,000+/yr | EUR 5,000-150,000+/yr | EUR 50,000+/yr |
Teleport, Ansible, and CyberArk charge thousands to tens of thousands per year. sshDCommander delivers policy control, RBAC, session recording, and verified transfers starting at €449/year— with features they don't have, like checksum-verified file transfers and AI agent integration.
Start with a free trial. No credit card required.