CLI Reference
Mezite provides four command-line tools for interacting with your SSH access platform. Each binary serves a distinct role in the Mezite ecosystem.
Binaries
| Binary | Description |
|---|---|
msh | Client CLI for end users. Authenticate, open SSH sessions, transfer files with SCP, list available nodes, and manage access requests. |
mezctl | Admin CLI for cluster operators. Manage users, roles, join tokens, audit logs, access requests, and auth connectors. |
mezd | Node agent installed on every SSH host. Connects to the Mezite proxy via a reverse tunnel, handles certificate-based authentication, and records sessions. |
mezd identity | Agent identity subcommand for CI/CD pipelines and automated
services. Continuously renews short-lived certificates so non-human
workloads can authenticate to Mezite. Run as mezd identity start, or set MEZITE_IDENTITY_DIR and MEZITE_IDENTITY_TOKEN in the environment of mezd start for combined mode (mezd start registers no flags — identity is configured via environment variables
only). |
mezhub and mezd
mezhub is a server binary and mezd is an agent
/ workload-identity binary; neither is a general-purpose CLI you run
interactively. Their relevant subcommands and flags are documented in
the surfaces that operate them rather than on their own reference page:
-
mezhub— Run as a systemd service or a container. The full configuration (every YAML field and environment variable) is documented on the Configuration page. Deployment recipes are under Deployment. -
mezd start— Run as a systemd service on every node.mezd starttakes no flags; all configuration is environment-variable driven. See the Agent Configuration section of the Configuration page. -
mezd identity— Long-running workload-identity daemon. Exposes a Unix socket that local workloads connect to in order to fetch SPIFFE X.509-SVIDs and JWT-SVIDs, and renews them on a timer. Configured via theMEZITE_IDENTITY_*andMEZITE_WORKLOAD_SOCKETenvironment variables — see the Workload Identity section of the Configuration page.
Getting Started
Most users will start with msh to log
in and open SSH sessions. Cluster administrators should also install mezctl for user and role management.