Mezite Documentation

Welcome to the Mezite docs. Mezite is a self-hosted SSH access platform that provides secure, audited access to SSH servers through a single control plane. It replaces VPNs, bastion hosts, and shared SSH keys with short-lived certificates, role-based access control, and complete session recording.

What is Mezite?

Mezite gives your team a unified gateway to every SSH server you run. Instead of distributing SSH keys or managing authorized_keys files, Mezite issues short-lived SSH certificates on demand. Every connection is authenticated, authorized against RBAC policies, and recorded for audit.

Key Components

Binary	Purpose
`mezhub`	Main server process — runs Auth and Proxy services in a single binary.
`mezd`	Node agent — runs on each SSH target, connects back via reverse tunnel.
`msh`	Client CLI — authenticates users and opens SSH sessions through the proxy.
`mezctl`	Admin CLI — manages users, roles, tokens, and cluster configuration.
`mezid`	Machine identity daemon — automatic certificate renewal for CI/CD and services.

Architecture at a Glance

SSH connection flow text

Users ──> msh CLI ──> Proxy (:3080/:3023) <── Reverse Tunnel <── Agents ──> SSH Servers
                          |
                     Auth Service (:3025)
                          |
                     SQLite / PostgreSQL

Both Auth and Proxy run inside a single mezhub process (combined mode). Agents connect outbound to the proxy via reverse tunnels, so no inbound firewall rules are needed on target nodes. See the Architecture page for the full breakdown.

Get Started

Installation

Download binaries, pull container images, or build from source.

Quickstart

Go from zero to a working SSH session through Mezite in under five minutes.

Configuration

Full reference for mezite.yaml, environment variables, and defaults.

Architecture

Understand how Auth, Proxy, and Agent components fit together for SSH.

Quick Links

Guides

CLI Reference

Deployment

API Reference

Licensing

Mezite is closed-source, proprietary software. We distribute signed binaries and container images. A free hosted tier is available for evaluation, and self-hosted licenses are sold per identity. Enterprise customers may request source-available access under NDA for independent audit, scanning, and pentesting.

Bug reports and feature requests should be sent to support@mezite.com. Security issues should be reported privately to security@mezite.com — see Security for disclosure terms.