Closed Source · Source-Available (Enterprise)

The Sealed
SSH Access
Platform

Replace static SSH keys with certificate-based authentication, session recording, and fine-grained RBAC. Distributed as a signed binary, not public source. Source-available under our enterprise license for independent audit and scanning.

See Pricing Enterprise Source Access
Architecture

How it works

Users

SSO / OIDC / Certificates

Mezite Proxy

Auth + RBAC + Audit

Agents

Reverse Tunnel to Proxy

SSH Servers

Linux / Unix Hosts

All SSH connections are authenticated with short-lived certificates, authorized via RBAC, and fully audited. No direct network exposure required.

Capabilities

Everything you need for SSH access

SSH Access

Certificate-based authentication with session recording and live audit. Eliminate static SSH keys forever.

Certificate Auth

Short-lived SSH certificates issued per-session. User CA and Host CA managed automatically. No more authorized_keys.

Session Recording

Full terminal capture with video-like playback. Session recording is configurable per cluster — on by default.

RBAC

Fine-grained, label-based access control. Deny-overrides-allow semantics. Template variables for teams.

View all features
Developer Experience

Built for the terminal

The msh CLI gives you instant SSH access to every node in your infrastructure. Authenticate once, reach everything.

  • Single sign-on via browser or password
  • Auto-generated short-lived SSH certificates
  • Native SSH ProxyCommand support
  • SCP file transfers through the proxy
  • Node listing with label filtering
Terminal bash 
# Authenticate with your cluster
$ msh login --proxy=access.example.com --user=alice
> Logged in as alice@example.com
> Certificate valid until 2026-03-25 08:00 UTC

# List available nodes
$ msh ls
HOSTNAME      ROLE  STATUS  LABELS               VERSION
web-prod-01   node  online  env=prod,app=web     v0.1.0
db-replica    node  online  env=prod,role=db     v0.1.0
staging-box   node  online  env=staging          v0.1.0

# Connect to a node
$ msh ssh --login=root web-prod-01
root@web-prod-01:~#
Self-Hosted

Single binary.
Your infrastructure.
Your data.

Mezite runs entirely on your infrastructure. No SaaS dependency, no data leaving your network, no vendor lock-in. Deploy a single signed binary with SQLite (zero dependencies) or PostgreSQL. That's it.

Your CAs
Your Logs
Your Audit
Quick Start

Up and running in three steps

01

Deploy

Pull the signed container image or download the release binary. SQLite built-in, or bring PostgreSQL.

# Build from source git clone https://github.com/leonardaustin/mezite-mono cd mezite-mono && make build
02

Configure

Set your cluster name and start mezhub. CAs are initialized automatically.

export MEZITE_CLUSTER_NAME=access.example.com mezhub --config=mezite.yaml
03

Connect

Install agents on your nodes, log in with msh, and SSH through the proxy.

msh login --proxy=access.example.com msh ssh --login=root web-prod-01
Full Quickstart Guide
Certificate-Based Auth
Zero Static Keys
Session Recording
RBAC Enforcement
Encrypted In Transit
Audit Logging
SSO / OIDC
Short-Lived Certs
Non-Root Containers
Reverse Tunnels
Certificate-Based Auth
Zero Static Keys
Session Recording
RBAC Enforcement
Encrypted In Transit
Audit Logging
SSO / OIDC
Short-Lived Certs
Non-Root Containers
Reverse Tunnels
Managed and self-hosted

Ready to eliminate
static SSH keys?

Run Mezite as a managed instance, license the self-hosted binary, or request enterprise source access for independent review.

See Pricing Enterprise Source Access