Features

Secure SSH access,
one platform

Certificate-based authentication, session recording, fine-grained RBAC, and complete audit trails — shipped as a signed, closed-source binary you run yourself.

SSH Access

Certificate-based SSH authentication that eliminates static keys. Every session is recorded, every connection is authorized through RBAC, and credentials expire automatically. Agents connect via reverse tunnels — no inbound firewall rules needed.

Short-lived SSH certificates issued per-session
No static SSH keys on target nodes
Reverse tunnel connections — agents call out, not in
Label-based access control (e.g., env=prod, team=platform)
SCP file transfers through the proxy
Heartbeat and automatic reconnection

SSH Access bash

# Connect to a node by name
$ msh ssh --login=root web-prod-01

# Execute a remote command
$ msh ssh web-prod-01 -- uptime
 14:23:01 up 47 days, 3:22, 0 users

# Upload a file via SCP
$ msh scp ./deploy.sh web-prod-01:/tmp/

# List available nodes with labels
$ msh ls
Node          Address        Labels
------------- -------------- ----------------
web-prod-01   10.0.1.10      env=prod,app=web
db-replica    10.0.2.20      env=prod,role=db
staging-box   10.0.3.30      env=staging

Certificate-Based Authentication

Mezite operates two certificate authorities — a User CA for authenticating users and a Host CA for authenticating nodes. Certificates are short-lived (configurable TTL), automatically issued on login, and encode identity, roles, and permitted principals.

User CA issues certificates encoding identity and roles
Host CA issues certificates for agent nodes
Ed25519 keys with configurable TTL (default 12h)
Mutual verification — users verify hosts, hosts verify users
CA private keys stored encrypted in the database
Automatic CA initialization on first boot

Certificate Flow bash

# 1. User authenticates (password, OIDC, or SAML)
$ msh login --proxy=access.example.com --user=alice
> Certificate valid until 2026-03-25 08:00 UTC

# 2. Certificate encodes identity and RBAC
$ msh status
User:       alice@example.com
Roles:      [developer, on-call]
Principals: [alice, root]
Expires:    2026-03-25T08:00:00Z
Cluster:    prod-cluster

# 3. Agent verifies user cert against User CA
# 4. User verifies host cert against Host CA
# Both sides reject unknown or expired certificates

Session Recording

Every SSH session is captured as a structured recording that can be replayed with video-like fidelity. Recordings are stored alongside audit events and can be exported to S3 or local filesystem for long-term retention.

Full terminal I/O capture for every SSH session
Video-like playback via msh play command
Structured recording format with timestamps
Configurable storage (local filesystem or S3)
Recording references linked to audit events
Retention policies for compliance

Session Recording bash

# List recorded sessions
$ msh sessions ls
Session ID   User    Node         Duration  Date
------------ ------- ------------ --------- ----------
sess-a1b2c3  alice   web-prod-01  14m 22s   2026-03-24
sess-d4e5f6  bob     staging-box  3m 08s    2026-03-24
sess-g7h8i9  alice   db-replica   8m 45s    2026-03-23

# Replay a recorded session
$ msh play sess-a1b2c3
> Playing session sess-a1b2c3 (14m 22s)
> Press q to quit, space to pause

Role-Based Access Control

Fine-grained, label-based access control with deny-overrides-allow semantics. Roles define which nodes a user can access, which logins are permitted, and session constraints. Template variables allow dynamic role definitions per team.

Label-based node matching (env, team, region)
Deny rules always override allow rules
Template variables for dynamic role definitions
Configurable allowed logins per role
Max session TTL enforcement
Per-session MFA requirement option

Role Definition yaml

# roles/developer.yaml
kind: role
metadata:
  name: developer
spec:
  allow:
    logins: ["{{internal.traits.username}}", "ubuntu"]
    node_labels:
      env: ["staging", "dev"]
      team: "{{internal.traits.team}}"
  deny:
    node_labels:
      env: "prod"
      role: "database"
  options:
    max_session_ttl: 8h
    require_mfa: false
    port_forwarding: true
    file_copy: true

Audit Logging

Structured audit events for every access decision, session lifecycle event, and administrative action. Events are written to the database with JSON metadata and can be queried by user, node, time range, or event type.

Structured JSON event log for every action
Session start, end, and recording references
Authentication success and failure events
RBAC authorization decisions logged
Administrative actions (user/role CRUD) tracked
Buffered async writes with sync for critical events

Audit Event json

{
  "event": "session.start",
  "time": "2026-03-24T14:23:01Z",
  "user": "alice@example.com",
  "resource": "web-prod-01",
  "resource_type": "node",
  "session_id": "sess-a1b2c3d4",
  "client_ip": "10.0.0.50",
  "roles": ["developer", "on-call"],
  "mfa_verified": true,
  "labels": {
    "env": "prod",
    "team": "platform"
  }
}

SSO Integration

Native support for OIDC, SAML, LDAP/AD, and GitHub OAuth identity providers. Map identity provider groups and attributes to Mezite roles. Users authenticate once through their IdP and receive short-lived SSH certificates.

OIDC (OpenID Connect) integration
SAML 2.0 with signature verification, encrypted assertions & SLO
LDAP / Active Directory with group sync & TOTP MFA
GitHub OAuth with org/team role mapping
SPIFFE workload identity (X.509/JWT SVIDs)
Device trust enforcement
Hardware key support (PIV/YubiKey)
Automatic role mapping from IdP groups/claims
MFA passthrough from identity provider
Local username + password + TOTP as fallback

OIDC Configuration yaml

# auth-config.yaml
auth:
  type: oidc
  oidc:
    issuer_url: https://auth.example.com
    client_id: mezite-app
    client_secret_file: /etc/mezite/oidc-secret
    redirect_url: https://access.example.com/callback
    claims_to_roles:
      - claim: groups
        value: platform-team
        roles: [admin, developer]
      - claim: groups
        value: on-call
        roles: [on-call-responder]

Access Requests

Just-in-time privilege escalation with approval workflows. Users request temporary access to nodes or elevated roles, approvers grant time-bound access, and everything is logged. Designed for break-glass scenarios and on-call workflows.

Just-in-time (JIT) access escalation
Time-bound grants with automatic revocation
Approval workflows with reason tracking
Request and approval audit trail
Role-based approval routing
CLI-driven request and review workflow

Access Request bash

# Request elevated access
$ msh request create     --roles=ssh-admin     --reason="Deploy hotfix ISSUE-1234"     --duration=2h

> Request req-x7y8z9 created
> Waiting for approval...

# Approver reviews (via admin CLI)
$ mezctl access-requests approve req-x7y8z9
> Request approved. 2h time-bound grant active.

Machine Identity (mezid)

Automated certificate renewal for CI/CD pipelines, services, and other non-human workloads. mezid authenticates with a join token, receives renewable certificates, and keeps them fresh — enabling services to SSH through Mezite without human interaction.

Automated SSH certificate renewal
Join token-based authentication for machines
Configurable renewal interval
Designed for CI/CD pipelines and automation
Output certificates to configurable paths
Daemon mode with background renewal

Machine Identity bash

# Start mezid for CI/CD certificate renewal
$ mezid start     --auth-server=access.example.com:3025     --join-token=bot-token-abc123     --destination=/etc/mezite/certs     --renewal-interval=1h

# Certificates are automatically renewed
$ ls /etc/mezite/certs/
ssh_user_cert.pub  ssh_user_key  known_hosts

See it in action

Try the managed control plane for free, or license the self-hosted binary. Enterprise customers get source-available access for review.

See Pricing Architecture Docs

Secure SSH access,one platform