Features

Secure SSH access,
one platform

Certificate-based authentication, session recording, fine-grained RBAC, and complete audit trails — shipped as a signed, closed-source binary you run yourself.

SSH Access

Certificate-based SSH authentication that eliminates static keys. Every session is recorded, every connection is authorized through RBAC, and credentials expire automatically. Agents connect via reverse tunnels — no inbound firewall rules needed.

  • Short-lived SSH certificates issued per-session
  • No static SSH keys on target nodes
  • Reverse tunnel connections — agents call out, not in
  • Label-based access control (e.g., env=prod, team=platform)
  • SCP file transfers through the proxy
  • Heartbeat and automatic reconnection
SSH Access bash 
# Connect to a node by name
$ msh ssh --login=root web-prod-01

# Execute a remote command
$ msh ssh web-prod-01 -- uptime
 14:23:01 up 47 days, 3:22, 0 users

# Upload a file via SCP
$ msh scp ./deploy.sh web-prod-01:/tmp/

# List available nodes with labels
$ msh ls
HOSTNAME      ROLE  STATUS  LABELS               VERSION
web-prod-01   node  online  env=prod,app=web     v0.1.0
db-replica    node  online  env=prod,role=db     v0.1.0
staging-box   node  online  env=staging          v0.1.0

Certificate-Based Authentication

Mezite operates two certificate authorities — a User CA for authenticating users and a Host CA for authenticating nodes. Certificates are short-lived (configurable TTL), automatically issued on login, and encode identity, roles, and permitted principals.

  • User CA issues certificates encoding identity and roles
  • Host CA issues certificates for agent nodes
  • ECDSA P-256 CA keys; per-role max_session_ttl controls cert lifetime
  • Mutual verification — users verify hosts, hosts verify users
  • CA private keys encrypted at rest (AES-256-GCM, key derived from MEZITE_CA_KEY_PASSPHRASE via Argon2id) — or signed via AWS KMS
  • Automatic CA initialization on first boot
Certificate Flow bash 
# 1. User authenticates (password, OIDC, or SAML)
$ msh login --proxy=access.example.com --user=alice
> Certificate valid until 2026-03-25 08:00 UTC

# 2. Certificate encodes identity and RBAC
$ msh status
Cluster:     access.example.com
Proxy:       access.example.com:3080
User:        alice@example.com
Roles:       developer, on-call
Valid until: 2026-03-25T08:00:00Z (7h 38m remaining)

# 3. Agent verifies user cert against User CA
# 4. User verifies host cert against Host CA
# Both sides reject unknown or expired certificates

Session Recording

SSH sessions can be captured as structured recordings that replay with video-like fidelity. Recording is configurable per cluster — node-sync (default), proxy-sync, async, or off — and references are linked from the audit log.

  • Full terminal I/O capture when session recording is enabled
  • Video-like playback via msh play command
  • Structured recording format with timestamps
  • Configurable storage (local filesystem, S3, or off)
  • Recording references linked to audit events
  • Retention managed via your storage backend's lifecycle policy
Session Recording bash 
# List recorded sessions
$ msh sessions ls
Session ID   User    Node         Duration  Date
------------ ------- ------------ --------- ----------
sess-a1b2c3  alice   web-prod-01  14m 22s   2026-03-24
sess-d4e5f6  bob     staging-box  3m 08s    2026-03-24
sess-g7h8i9  alice   db-replica   8m 45s    2026-03-23

# Replay a recorded session
$ msh play sess-a1b2c3
> Playing session sess-a1b2c3 (14m 22s)
> Press q to quit, space to pause

Role-Based Access Control

Fine-grained, label-based access control with deny-overrides-allow semantics. Roles define which nodes a user can access, which logins are permitted, and session constraints. Template variables allow dynamic role definitions per team.

  • Label-based node matching (env, team, region)
  • Deny rules always override allow rules
  • Template variables for dynamic role definitions
  • Configurable allowed logins per role
  • Max session TTL enforcement
  • Per-session MFA requirement option
Role Definition yaml 
# roles/developer.yaml
kind: role
metadata:
  name: developer
spec:
  allow:
    logins: ["{{internal.traits.username}}", "ubuntu"]
    node_labels:
      env: ["staging", "dev"]
      team: "{{internal.traits.team}}"
  deny:
    node_labels:
      env: "prod"
      role: "database"
  options:
    max_session_ttl: 8h
    require_mfa: false
    port_forwarding: true
    file_copy: true

Audit Logging

Structured audit events for every access decision, session lifecycle event, and administrative action. Events are written to the database with JSON metadata and can be queried by user, node, time range, or event type.

  • Structured JSON event log for every action
  • Session start, end, and recording references
  • Authentication success and failure events
  • RBAC authorization decisions logged
  • Administrative actions (user/role CRUD) tracked
  • Buffered async writes with sync for critical events
Audit Event json 
{
  "id": "01HRX...",
  "event_type": "session.start",
  "event_code": "S1000I",
  "cluster_name": "access.example.com",
  "user_name": "alice@example.com",
  "user_roles": ["developer", "on-call"],
  "resource_type": "node",
  "resource_name": "web-prod-01",
  "resource_labels": {
    "env": "prod",
    "team": "platform"
  },
  "client_ip": "10.0.0.50",
  "timestamp": "2026-03-24T14:23:01Z",
  "session_id": "sess-a1b2c3d4",
  "success": true
}

SSO Integration

Native support for OIDC, SAML, LDAP/AD, and GitHub OAuth identity providers. Map identity provider groups and attributes to Mezite roles. Users authenticate once through their IdP and receive short-lived SSH certificates. WebAuthn and TOTP MFA layer on top of any login method.

  • OIDC (OpenID Connect) integration
  • SAML 2.0 with signature verification, encrypted assertions & SLO
  • LDAP / Active Directory with group sync
  • GitHub OAuth with org/team role mapping
  • WebAuthn (FIDO2 security keys) for MFA
  • TOTP MFA (RFC 6238) for human users
  • Automatic role mapping from IdP groups/claims
  • Local username + password + TOTP as fallback
Create an OIDC connector bash 
# Connectors are stored in the database, not in a static file.
# Create or update at runtime with mezctl:
mezctl connectors create \
  --type=oidc \
  --name=corp-okta \
  --issuer-url=https://auth.example.com \
  --client-id=mezite-app \
  --client-secret=$OIDC_CLIENT_SECRET \
  --redirect-url=https://access.example.com/v1/webapi/oidc/callback \
  --claims-to-roles="groups:platform-team:admin,developer" \
  --claims-to-roles="groups:on-call:on-call-responder"

# Then log in via the connector:
msh login --proxy=access.example.com --auth=oidc

Access Requests

Just-in-time privilege escalation with approval workflows. Users request temporary access to nodes or elevated roles, approvers grant time-bound access, and everything is logged. Designed for break-glass scenarios and on-call workflows.

  • Just-in-time (JIT) access escalation
  • Time-bound grants with automatic revocation
  • Approval workflows with reason tracking
  • Request and approval audit trail
  • Role-based approval routing
  • CLI-driven request and review workflow
Access Request bash 
# Request elevated access
$ msh request create     --roles=ssh-admin     --reason="Deploy hotfix ISSUE-1234"     --duration=2h

> Request req-x7y8z9 created
> Waiting for approval...

# Approver reviews (via admin CLI)
$ mezctl access-requests approve req-x7y8z9
> Request approved. 2h time-bound grant active.

Agent Identity (mezd identity)

Automated certificate renewal for CI/CD pipelines, services, and other non-human workloads. The mezd identity daemon authenticates with a join token, receives renewable certificates, and keeps them fresh — enabling services to SSH through Mezite without human interaction. SPIFFE workload identity (X.509 / JWT SVIDs) is exposed via a Unix socket for compatible workloads.

  • Automated SSH certificate renewal
  • Join token-based authentication for agent identities
  • Configurable renewal interval
  • Designed for CI/CD pipelines and automation
  • Output certificates to configurable paths
  • Daemon mode with background renewal
Agent Identity bash 
# Start the identity daemon for CI/CD certificate renewal
$ mezd identity start     --auth-server=access.example.com:3025     --token=agent-identity-token-abc123     --destination-dir=/etc/mezite/certs     --renewal-interval=20m

# Certificates are automatically renewed
$ ls /etc/mezite/certs/
cert_serial  ssh_cert  ssh_key  ssh_known_hosts  x509_cert.pem  x509_key.pem

See it in action

Try the managed control plane for free, or license the self-hosted binary. Enterprise customers get source-available access for review.

See Pricing Architecture Docs