Tooling

SSH & Bastion Hosts

Teleport, Boundary, smallstep, SSH certs — modern access to your fleet.

The "you SSH to a box" model still rules in 2026, but the tooling around it modernized. Long-lived ~/.ssh/authorized_keys files are increasingly an anti-pattern.

Modern SSH (cert-based, identity-aware)

  • Teleport — identity-aware bastion / proxy for SSH, k8s, DBs, web apps. Audit logging, session recording, SSO. The default in 2026.
  • smallstep step-ca — issue short-lived SSH certificates from an internal CA; integrates with OIDC providers.
  • Boundary (HashiCorp) — privileged session management; integrates with Vault.
  • Pomerium — identity-aware reverse proxy; works for SSH and HTTP.
  • Tailscale SSH — built into Tailscale; uses tailnet identity to allow SSH; very simple.
  • Cloudflare Access for SSH — zero-trust SSH via CF Tunnel.

SSH cert authorities (what to actually issue)

  • smallstep step-ca — modern; OIDC-driven.
  • Vault SSH secrets engine — short-lived certs from Vault.
  • ssh-keygen -s — DIY; sign keys with your own CA.
  • GitHub SSH CAs — if you're integrating with GitHub Enterprise.

Old-school bastion patterns (still common)

  • A jump host (bastion) with strict SSH rules; everything else only reachable through it.
  • ProxyJump in ~/.ssh/config: ProxyJump bastion.
  • sshpiper — open-source SSH proxy; routes by user / hostname.

Why SSH certs > authorized_keys

  • Short lifetimestep ssh certificate issues for an hour by default. Rotation = doing nothing.
  • Identity-bound — the cert says "this is alice@team"; not "whoever has this private key file."
  • Centrally revoked by revoking the cert authority's signing relationships.
  • Auditable — Teleport / smallstep show who logged in, when, where.

Multi-cloud SSH

  • AWS Systems Manager Session Manager — agent-based; no SSH port needed.
  • GCP IAP TCP forwarding — same idea on GCP.
  • Azure Bastion — managed bastion service.

Workstation tools

  • mosh — UDP-based SSH; survives network drops; great over flaky connections.
  • autossh — auto-reconnect SSH tunnels.
  • sshuttle — VPN-over-SSH; quick "tunnel my traffic through that box."
  • Eternal Terminal — like mosh, more features.
  • ssh -J — built-in jump-host.
  • ~/.ssh/config — learn it; aliases + ProxyJump + ForwardAgent + IdentitiesOnly are the killer settings.

Audit / session recording

  • Teleport records every session by default; play back with timestamps.
  • gravitational/audit — older.
  • AWS SSM Session Manager — records to S3.
  • auditd + aushape — Linux-side syscall auditing; combined with SSH logs gives full traceability.

Patterns to adopt

  • No password SSH. Ever.
  • Tailscale + cert-based SSH is the pleasant 2026 default for small teams.
  • Teleport / Pomerium for any team with compliance requirements.
  • Short-lived certs (1 hour to 1 day) replace long-lived authorized_keys.
  • Restrict who can sudo — sudo without password to specific commands only, ideally tied to identity.
  • Ban human direct access to prod beyond well-defined break-glass paths; everything routine through CI/CD or a Teleport-style proxy.

Pick this if…

  • Default modern SSH: Tailscale SSH for small teams; Teleport for larger.
  • Internal cert CA: smallstep step-ca.
  • Already on Vault: Vault SSH engine.
  • Cloud-managed: AWS SSM / GCP IAP / Azure Bastion.
  • Quick networked tunnel: sshuttle.
  • Survive flaky connections: mosh.

On this page