Self-hosted SSH access gateway with PAM workflows
Teleport-like SSH access control — without opening inbound ports or adopting a large platform.
orion-belt — an open-source SSH/SCP bastion and privileged-access gateway for Linux-first teams.
| Agents dial out | Reverse SSH tunnels — no inbound firewall holes on targets |
| Session recording | Full audit trail + live watch |
| JIT access | Request / approve / expire (UI, API, ChatOps) |
| MFA | TOTP + WebAuthn; FIDO SSH keys |
| Authorization | ReBAC (+ optional OpenFGA) |
| Optional SSH CA | Short-lived certificates instead of standing keys |
git clone https://github.com/orion-belt-dev/orion-belt.git
cd orion-belt
./scripts/docker-quickstart.shThen: add an agent → SSH through the gateway → open Sessions for playback.
Full walkthrough: Try Orion Belt in 10 minutes
| Repo | Description |
|---|---|
| orion-belt | Core gateway, agent, clients, and web console (v1.0) |
| .github | Organization profile & community health files |
We're looking for early operators — labs and small teams running v1.0 and giving sharp feedback.
Orion Belt is Apache 2.0 + Commons Clause: free to self-host and use internally (including commercially). You cannot sell Orion Belt as a product or hosted service.
Details: LICENSE · orion-belt.dev
Security infrastructure should be self-hosted, auditable, and boring to operate.
