Security is not a feature — it is the foundation. Every design decision starts with the question: how does this protect the user's SSH infrastructure?
All user and host authentication uses short-lived SSH certificates signed by Ed25519 CA keypairs. No static SSH keys are stored or distributed. Certificates are generated on demand and expire automatically.
Certificates have a configurable TTL, typically 8-12 hours. When a certificate expires, access stops. There are no long-lived credentials to rotate, leak, or forget about on departed employees' machines.
Mezite operates two CAs: a User CA and a Host CA. Users verify they are connecting to legitimate hosts, and hosts verify they are accepting connections from authorized users. Both directions are cryptographically verified.
Access control uses a deny-overrides-allow model. Deny rules always take precedence, ensuring that overly broad allow rules cannot accidentally grant access to sensitive resources. Roles are label-based and support template variables.
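The following Python is an added illustration of the access model described above, not Mezite's own code (the page does not show its rule syntax). It models a short-lived certificate with an expiry, label-based roles whose allow and deny rules may contain template variables, and a decision function in which expiry is checked first, any matching deny rule wins, and an allow rule is then required. The `{{user.team}}` template syntax, the shape of the rules, the sample roles, hosts and traits, and the 8-hour validity window are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed template syntax for the example: {{user.team}} expands from user traits.
TEMPLATE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def render(value: str, traits: dict[str, str]) -> str:
    """Expand template variables from the user's traits. An undefined trait
    renders to an empty string so it can never silently become a wildcard."""
    return TEMPLATE.sub(lambda m: traits.get(m.group(1), ""), value)


@dataclass(frozen=True)
class Rule:
    labels: dict[str, str] = field(default_factory=dict)  # host label selectors
    logins: tuple[str, ...] = ()                            # OS logins the rule covers


@dataclass(frozen=True)
class Role:
    name: str
    allow: Rule = field(default_factory=Rule)
    deny: Rule = field(default_factory=Rule)


@dataclass(frozen=True)
class Certificate:
    principals: tuple[str, ...]  # logins the short-lived certificate was issued for
    valid_before: datetime       # expiry (UTC); nothing past this point is honoured


def labels_match(selectors: dict[str, str], host_labels: dict[str, str],
                 traits: dict[str, str]) -> bool:
    """Every selector key must exist on the host and equal the rendered value;
    "*" matches any value. An empty selector set matches no host at all."""
    if not selectors:
        return False
    for key, want in selectors.items():
        want = render(want, traits)
        have = host_labels.get(key)
        if have is None or (want != "*" and want != have):
            return False
    return True


def rule_matches(rule: Rule, host_labels: dict[str, str], login: str,
                 traits: dict[str, str], login_required: bool) -> bool:
    if not labels_match(rule.labels, host_labels, traits):
        return False
    logins = {render(l, traits) for l in rule.logins}
    if not logins:
        # Assumption: a deny rule without logins covers every login on the
        # matched hosts, while an allow rule without logins grants nothing.
        return not login_required
    return login in logins


def decide(cert: Certificate, roles: list[Role], host_labels: dict[str, str],
           login: str, traits: dict[str, str], now: datetime) -> tuple[bool, str]:
    """Deny-overrides-allow: expiry first, then any deny wins, then an allow
    rule is needed; otherwise the default is deny. Returns (allowed, reason)."""
    if now >= cert.valid_before:
        return False, "certificate expired"
    if login not in cert.principals:
        return False, f"login {login!r} not a certificate principal"
    for role in roles:
        if rule_matches(role.deny, host_labels, login, traits, login_required=False):
            return False, f"denied by role {role.name!r}"
    for role in roles:
        if rule_matches(role.allow, host_labels, login, traits, login_required=True):
            return True, f"allowed by role {role.name!r}"
    return False, "no matching allow rule"


# Constructed sample role: broad allow on the user's own team hosts in any
# environment, with a deny on prod that wins regardless of the allow above.
DEVELOPER = Role(
    name="developer",
    allow=Rule(labels={"env": "*", "team": "{{user.team}}"},
               logins=("ubuntu", "{{user.username}}")),
    deny=Rule(labels={"env": "prod"}),
)


def demo() -> dict[str, tuple[bool, str]]:
    """Run the decision function over constructed hosts and times."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    cert = Certificate(principals=("ubuntu", "alice"), valid_before=now + timedelta(hours=8))
    traits = {"user.username": "alice", "user.team": "payments"}
    staging = {"env": "staging", "team": "payments"}
    prod = {"env": "prod", "team": "payments"}
    other_team = {"env": "staging", "team": "search"}
    return {
        "staging_ubuntu": decide(cert, [DEVELOPER], staging, "ubuntu", traits, now),
        "prod_ubuntu": decide(cert, [DEVELOPER], prod, "ubuntu", traits, now),
        "other_team": decide(cert, [DEVELOPER], other_team, "alice", traits, now),
        "expired": decide(cert, [DEVELOPER], staging, "ubuntu", traits, now + timedelta(hours=9)),
        "root": decide(cert, [DEVELOPER], staging, "root", traits, now),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The prod case is the one the page's model is built around: the developer role's allow rule (`env: "*"`) matches the prod host, but the deny rule matches too and is evaluated first, so the broad allow never grants access. The expired and unknown-login cases show that a certificate outside its validity window, or used for a principal it was not issued for, is refused before any role is consulted.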
Beyond the core certificate-based authentication model, Mezite includes multiple hardening layers to reduce the blast radius of any potential compromise. These are enabled by default.
Every authentication attempt, certificate issuance, access decision, SSH session start/stop, and administrative action generates a structured audit event. Nothing happens without a record.
Every SSH session can be recorded with full terminal capture. Sessions can be played back for audit, compliance, or incident investigation. Recording is enforced at the proxy level and cannot be bypassed by the user.
All network connections between components use TLS. The gRPC auth API, the proxy-to-agent reverse tunnels, and the client-to-proxy connections are all encrypted in transit. Internal communication uses mutual TLS.
All container images run as non-root by default (UID 65534). The mezhub and mezd binaries drop privileges after binding to privileged ports. The root filesystem is read-only, with writable volumes mounted at runtime.
The User CA and Host CA private keys are stored encrypted in the database (SQLite or PostgreSQL). Ed25519 was chosen for its performance, small key size, and resistance to side-channel attacks.
Mezite is a single statically-linked binary with zero external dependencies when using the built-in SQLite backend. No interpreted languages, no plugin systems, no dynamically loaded libraries.
The systemd unit files include ProtectSystem=strict, PrivateTmp=true, NoNewPrivileges=true, and capability restrictions to minimize the attack surface.
Releases are cryptographically signed (cosign) and built reproducibly. Customers can verify the binary they run matches what we built and shipped. Hashes and signatures are published with every release.
Mezite is closed source by default. Enterprise customers receive a source-available license granting rights to read, audit, statically scan, and pentest the code under NDA — for security teams and regulated environments that require source-level assurance.
[Service]
User=mezite
Group=mezite
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/mezite /var/log/mezite
NoNewPrivileges=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelModules=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native

FROM scratch
COPY --from=builder /mezite/mezhub /mezhub
USER 65534:65534
VOLUME ["/var/lib/mezite", "/var/log/mezite"]
ENTRYPOINT ["/mezhub"]

If you believe you have found a security vulnerability in Mezite, please report it privately to our security team. Do not disclose details publicly until we have had a chance to investigate and ship a fix.
Mezite is a new project. No CVEs have been reported or assigned. We will track and disclose any vulnerabilities here as the project matures.
Security advisories are published on this page and emailed to customers under support. Enterprise customers receive priority pre-disclosure of CVEs ahead of public release.
Mezite is self-hosted software. Your data never leaves your infrastructure. We do not collect telemetry, usage analytics, or personally identifiable information from your Mezite deployment.
The mezite.com website uses minimal analytics to understand traffic patterns. No cookies are used for tracking. We do not sell or share any data with third parties.
Mezite is proprietary software distributed under the Mezite Commercial License. Hosted Free and Self-Hosted tiers grant a right to use the signed binaries; reverse engineering, decompilation, and redistribution are not permitted. Enterprise customers may receive a separate Source-Available License under NDA.
The software is provided "as is", without warranty of any kind. See Pricing for tiers and Enterprise Source Access for source-available terms.