msh CLI Reference

msh is the client CLI for Mezite. It lets end users authenticate, open SSH sessions, transfer files, and manage access requests.

login

Authenticate to a Mezite cluster and receive short-lived certificates. Both --user and --password are required for local authentication — there is no interactive password prompt. Use --auth=<connector> to log in via SSO instead.

Login to a cluster bash 
# Login with local username + password
msh login --proxy=mezite.example.com:3080 --user=admin --password="$MEZITE_PASSWORD"

# Login via an SSO connector (OIDC / SAML / GitHub)
msh login --proxy=mezite.example.com:3080 --auth=okta

# Login with a custom certificate TTL (default is 12h)
msh login --proxy=mezite.example.com:3080 --user=admin --password="$MEZITE_PASSWORD" --ttl=30m

ssh

Open an interactive SSH session to a registered node.

SSH into a node bash 
# Connect to a node
msh ssh user@node-hostname

# Connect with a specific cluster
msh ssh --cluster=production user@web-01

# Run a command remotely
msh ssh user@node-hostname -- ls -la /var/log

scp

Transfer files to or from a remote node using SCP.

File transfer with SCP bash 
# Copy a file to a remote node
msh scp ./local-file.txt user@node-hostname:/tmp/

# Copy a file from a remote node
msh scp user@node-hostname:/var/log/app.log ./app.log

ls

List nodes available in the current cluster. Use --filter to restrict the output to nodes matching a label (repeatable).

List nodes bash 
# List all nodes
msh ls

# Filter by label
msh ls --filter=env=production

# List nodes from all trusted clusters
msh ls --all

config

Generate ~/.ssh/config entries for every node visible from your active profile. Each entry pins the Mezite host CA via UserKnownHostsFile ~/.mezite/known_hosts and routes the connection through msh proxy ssh, so native ssh, rsync, Ansible, and editor SSH integrations get the same certificate auth and audit as msh ssh.

Generate SSH config bash 
# Print config for every visible node to stdout
msh config

# Append directly to ~/.ssh/config
msh config --append

# Set the hostname suffix on generated Host entries
# (e.g. 'Host web-01.production.mezite'). Does not filter
# which nodes are returned; that follows your active profile.
msh config --cluster=production

proxy ssh

Use msh proxy ssh as an OpenSSH ProxyCommand to route native ssh(1) through the Mezite proxy. The argument takes a single [user@]host:port token, so OpenSSH's %r@%h:%p substitution drops in directly. msh config generates entries that use it automatically.

ProxyCommand usage bash 
# Typical entry generated by 'msh config'
#   ProxyCommand msh proxy ssh %r@%h:%p

# Manual one-off with native ssh
ssh -o 'ProxyCommand=msh proxy ssh %r@%h:%p' ubuntu@web-server-01.mezite

# Direct invocation (host and port required; user is optional)
msh proxy ssh ubuntu@web-server-01:22

sessions

List active and past SSH sessions.

Session management bash 
# List sessions
msh sessions ls

play

Play back a recorded SSH session.

Session playback bash 
# Replay a recorded session
msh play <session-id>

# Replay at 2x speed
msh play --speed=2.0 <session-id>

request

Create and list access requests for elevated privileges.

Access requests bash 
# Create an access request for a role
msh request create --roles=admin --reason="Deploy hotfix"

# List pending requests
msh request ls

status

Display the current login status, including cluster, user, and certificate expiry.

Check login status bash 
msh status

logout

Remove local certificates and end the current session.

Logout bash 
msh logout