Releases

Changelog

A chronological record of every release, from initial scaffolding to the SSH-focused platform.

v0.15.0 March 15, 2026

SSH-focused release

  • Removed DB proxy, Kubernetes proxy, and Application proxy to focus exclusively on SSH
  • Improved SSH certificate authentication with per-session MFA support
  • IP pinning for issued certificates — certificates are bound to the requesting IP
  • Certificate TTL is now configurable per-role (default 12 hours)
  • Streamlined mezhub binary with reduced memory footprint
  • Updated documentation to reflect SSH-only scope
  • Closed-source release model: signed binaries and container images, source-available under enterprise license
v0.14.0 February 15, 2026

OIDC SSO and audit event system

  • OIDC (OpenID Connect) identity provider integration for SSO login
  • Structured audit event system with JSON output for all access decisions
  • Access request framework with multi-approver workflows
  • Time-bound access grants with automatic revocation
  • Webhook notifications for pending access requests
v0.13.0 January 15, 2026

Agent reverse tunnels and file transfer

  • Agent-initiated reverse tunnel connections to the proxy service
  • Agent heartbeat with configurable interval and automatic de-registration
  • SCP file upload and download through the proxy
  • Automatic reconnection with exponential backoff on tunnel disconnect
  • Agent configuration via YAML file or environment variables
v0.12.0 December 15, 2025

Initial RBAC and label-based access control

  • Role definitions with allow and deny rules
  • Label-based resource matching for SSH nodes
  • Deny-overrides-allow access control model
  • Template variables for dynamic role definitions (e.g., {{internal.logins}})
  • mezctl commands for role creation and assignment
v0.11.0 November 15, 2025

Certificate authority system

  • Built-in User CA for signing short-lived SSH user certificates
  • Built-in Host CA for signing SSH host certificates
  • Ed25519 keypair generation with encrypted storage in PostgreSQL
  • Certificate issuance with embedded identity, roles, and principals
  • Mutual verification — users verify hosts, hosts verify users
v0.10.0 October 15, 2025 Blog Post

Initial release

  • Basic SSH proxy on port 3023 with TLS termination
  • gRPC auth service on port 3025 with user registration and local auth
  • PostgreSQL backend with automatic migrations via golang-migrate
  • mezhub server binary, msh client CLI, mezctl admin CLI
  • Single binary deployment with systemd unit files

Want to try the latest?

Spin up a free hosted instance, or get a self-hosted license for the signed binary.

See Pricing Try the Latest Release