Valhalla SSH is a self-hosted SSH gateway that issues ephemeral certificates instead of static keys. JIT access requests, Slack approvals, full session recording, and structured audit logs — for every ssh connection.
Production-grade SSH security, self-hosted, no vendor lock-in.
Ed25519 CA signs certificates with ttl=5..1440m. Certs auto-expire. No more authorized_keys sprawl across servers.
Developers request access with a reason. Admins approve via Slack or bastion approve <id>. Access is time-boxed and audited.
Server-side recording in asciinema v2 format. Stored in S3/MinIO. Replay any session with asciinema play. Tamper-proof.
Users → Groups → Policies → Host tags. Match by env=prod, role=db, team=platform. AND-logic, fine-grained.
Every event logged: logins, requests, approvals, cert issuance, sessions. Filter by --user, --type, --from/--to.
Works on AWS, OVH, Contabo, DigitalOcean — any host with sshd. Use S3 natively on AWS, MinIO everywhere else.
Prometheus metrics + Grafana dashboards out of the box. Track active sessions, login rates, cert issuance, HTTP latency, and audit events.
JWT scopes separate user and admin operations. Use bastion login --admin for RBAC management. Reduced blast radius if a token is compromised.
Four steps from zero to secure session.
Developer runs the CLI. API checks RBAC policies for matching group → policy → host tags.
Slack bot sends interactive message. Admin clicks Approve/Reject. Or uses CLI: bastion approve <id>. 4-eyes principle enforced.
CA signs an ed25519 certificate with the remaining TTL. Certificate contains username as principal. Auto-expires.
SSH proxy validates cert, opens session to target host, records all I/O server-side. Session uploaded to S3/MinIO on close.
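The certificate properties described above (Ed25519 certificate, TTL of 5 to 1440 minutes, username as the principal) can be audited from the certificate itself. This is an added example, not Valhalla SSH code: it decodes an OpenSSH certificate blob following the OpenSSH certificate wire format and reports deviations, using a constructed sample blob with dummy key and signature bytes and a made-up key ID.

```python
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
MIN_TTL_MIN, MAX_TTL_MIN = 5, 1440  # TTL bounds stated on the page

def ssh_string(data):  # SSH wire "string": uint32 big-endian length, then bytes
    return struct.pack(">I", len(data)) + data

class Reader:
    def __init__(self, buf): self.buf, self.off = buf, 0
    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        self.off += n
        return self.buf[self.off - n:self.off]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_cert(blob):
    """Decode the fields of a binary cert blob. Does NOT verify the CA signature."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    nonce, public_key = r.string(), r.string()  # present in the format, not checked here
    serial, ctype, key_id = r.u64(), r.u32(), r.string().decode()
    pr, principals = Reader(r.string()), []
    while pr.off < len(pr.buf):
        principals.append(pr.string().decode())
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": r.u64(), "valid_before": r.u64()}

def policy_violations(cert, username):
    out = []
    ttl_min = (cert["valid_before"] - cert["valid_after"]) / 60
    if cert["type"] != 1:  # 1 = user certificate, 2 = host certificate
        out.append("not a user certificate")
    if cert["principals"] != [username]:  # the format defines an empty list as "any principal"
        out.append("principals are not exactly the requesting username")
    if not MIN_TTL_MIN <= ttl_min <= MAX_TTL_MIN:
        out.append(f"ttl {ttl_min:g}m outside {MIN_TTL_MIN}..{MAX_TTL_MIN}m")
    return out

def build_sample(principals, after, before):
    """Constructed blob with dummy key/signature bytes; key id 'req-42' is made up."""
    packed = b"".join(ssh_string(p.encode()) for p in principals)
    return (ssh_string(CERT_TYPE) + ssh_string(b"\x00" * 32) + ssh_string(b"\x11" * 32)
            + struct.pack(">QI", 1, 1) + ssh_string(b"req-42") + ssh_string(packed)
            + struct.pack(">QQ", after, before) + ssh_string(b"") * 3
            + ssh_string(b"\x22" * 51) + ssh_string(b"\x33" * 83))
```

To run it against a real `-cert.pub` file, base64-decode the second whitespace-separated field and pass the bytes to `parse_cert`.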
Simple deployment, no vendor dependencies.
```
              Developer
                  │
                  │  bastion cli
                  ▼
┌───────────────────────────────────────────────┐
│      Caddy (reverse proxy, auto TLS) :443     │
└──────────────┬────────────────────────────────┘
               │
     ┌─────────┴─────────┐
     ▼                   ▼
┌──────────┐        ┌──────────┐     ┌────────────┐
│   API    │        │  Proxy   │     │   Slack    │
│ Express  │        │   ssh2   │     │    Bot     │
│  :3000   │        │  :2222   │     │ (optional  │
│          │        │          │     │ approvals) │
└──┬───┬───┘        └──┬───┬───┘     └────────────┘
   │   │               │   │
   ▼   ▼               │   ▼
┌────┐ ┌─────┐         │ ┌──────────┐
│ PG │ │Redis│         │ │ S3/MinIO │
└────┘ └─────┘         │ └──────────┘
                       ▼
 Prometheus     ┌──────────────┐
     +          │ Target Hosts │
  Grafana       │     :22      │
                └──────────────┘
```
Every key you deploy is a key you have to revoke someday.
| | Static Keys | Valhalla SSH |
|---|---|---|
| Key lifetime | Permanent | 5–1440 min TTL |
| Access model | authorized_keys per host | RBAC + tag policies |
| Approvals | None | Slack + CLI fallback |
| Recording | None | Server-side asciinema |
| Offboarding | Remove from every host | bastion admin user disable |
| Audit | grep /var/log/auth.log | Structured events + filters |
| Compliance | Manual | Audit trail + recording ready |
| Monitoring | None | Prometheus + Grafana built-in |
Stop sharing keys on Slack. Proper access control from day one.
Give devs production access without giving the keys.
Meet audit requirements with zero manual effort.
Minimal resources. Maximum security.
2 vCPUs • 4 GB RAM • 20 GB SSD
Docker + Compose. Ports 443 and 2222 open.
Ubuntu, Debian, Amazon Linux, RHEL — any Linux with Docker.
OpenSSH ≥ 6.2 • any Linux, macOS, or Windows with sshd
No agent installed. Just two lines in sshd_config:
TrustedUserCAKeys + AuthorizedPrincipalsFile
Node.js ≥ 20 • pnpm ≥ 9 • SSH client
Install the bastion CLI. Works on macOS, Linux, WSL.
Ed25519 SSH key — ssh-keygen -t ed25519
Self-hosted. Open source. Deploy in under 10 minutes.