SSH & Bastion Hosts
Teleport, Boundary, smallstep, SSH certs — modern access to your fleet.
The "you SSH to a box" model still rules in 2026, but the tooling around it modernized. Long-lived ~/.ssh/authorized_keys files are increasingly an anti-pattern.
Modern SSH (cert-based, identity-aware)
- ★ Teleport — identity-aware bastion / proxy for SSH, k8s, DBs, web apps. Audit logging, session recording, SSO. The default in 2026.
- ★ smallstep
step-ca— issue short-lived SSH certificates from an internal CA; integrates with OIDC providers. - Boundary (HashiCorp) — privileged session management; integrates with Vault.
- Pomerium — identity-aware reverse proxy; works for SSH and HTTP.
- Tailscale SSH — built into Tailscale; uses tailnet identity to allow SSH; very simple.
- Cloudflare Access for SSH — zero-trust SSH via CF Tunnel.
SSH cert authorities (what to actually issue)
- smallstep
step-ca— modern; OIDC-driven. - Vault SSH secrets engine — short-lived certs from Vault.
ssh-keygen -s— DIY; sign keys with your own CA.- GitHub SSH CAs — if you're integrating with GitHub Enterprise.
Old-school bastion patterns (still common)
- A jump host (bastion) with strict SSH rules; everything else only reachable through it.
- ProxyJump in
~/.ssh/config:ProxyJump bastion. - sshpiper — open-source SSH proxy; routes by user / hostname.
Why SSH certs > authorized_keys
- ★ Short lifetime —
step ssh certificateissues for an hour by default. Rotation = doing nothing. - Identity-bound — the cert says "this is alice@team"; not "whoever has this private key file."
- Centrally revoked by revoking the cert authority's signing relationships.
- Auditable — Teleport / smallstep show who logged in, when, where.
Multi-cloud SSH
- AWS Systems Manager Session Manager — agent-based; no SSH port needed.
- GCP IAP TCP forwarding — same idea on GCP.
- Azure Bastion — managed bastion service.
Workstation tools
- mosh — UDP-based SSH; survives network drops; great over flaky connections.
- autossh — auto-reconnect SSH tunnels.
- sshuttle — VPN-over-SSH; quick "tunnel my traffic through that box."
- Eternal Terminal — like mosh, more features.
ssh -J— built-in jump-host.~/.ssh/config— learn it; aliases + ProxyJump + ForwardAgent + IdentitiesOnly are the killer settings.
Audit / session recording
- ★ Teleport records every session by default; play back with timestamps.
- gravitational/audit — older.
- AWS SSM Session Manager — records to S3.
auditd+aushape— Linux-side syscall auditing; combined with SSH logs gives full traceability.
Patterns to adopt
- ★ No password SSH. Ever.
- Tailscale + cert-based SSH is the pleasant 2026 default for small teams.
- Teleport / Pomerium for any team with compliance requirements.
- Short-lived certs (1 hour to 1 day) replace long-lived
authorized_keys. - Restrict who can
sudo— sudo without password to specific commands only, ideally tied to identity. - Ban human direct access to prod beyond well-defined break-glass paths; everything routine through CI/CD or a Teleport-style proxy.
Pick this if…
- Default modern SSH: Tailscale SSH for small teams; Teleport for larger.
- Internal cert CA: smallstep
step-ca. - Already on Vault: Vault SSH engine.
- Cloud-managed: AWS SSM / GCP IAP / Azure Bastion.
- Quick networked tunnel: sshuttle.
- Survive flaky connections: mosh.