DEV.co
Open-Source DevOps · moul

sshportal

sshportal is a transparent SSH bastion server written in Go that acts as a jump host, allowing centralized user and host management without requiring modifications to client SSH configurations. It enables temporary access provisioning, session auditing, and connection logging through a single binary with no external dependencies.

Source: GitHub — github.com/moul/sshportal
1.9k
GitHub stars
142
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymoul/sshportal
Ownermoul
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars1.9k
Forks142
Open issues80
Latest releasev1.19.5 (2023-05-20)
Last updated2026-07-08
Sourcehttps://github.com/moul/sshportal

What sshportal is

Go-based SSH bastion implementing transparent proxying with embedded SSH server/client, SQLite/MySQL backend support, TTY session recording (ttyrec format), and comprehensive ACL/group-based access control. Supports standard SSH features (tunneling, SFTP, scp, rsync, X11 forwarding, ssh-agent) and non-SSH protocols (Telnet).

Quickstart

Get the sshportal source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/moul/sshportal.gitcd sshportal# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Educational/Temporary Access

Provision temporary SSH access to students or event attendees without managing per-server user accounts; invite system generates one-time tokens for key association.

Centralized Audit & Compliance Logging

Organizations requiring session history, connection auditing, and TTY recording can use sshportal as a single audit point; useful for hosting companies and regulated environments needing access trails.

Multi-Host Access Management

Simplify key distribution and host access control across many servers using host groups, user groups, and role-based ACLs without distributing shared credentials or managing per-host authorized_keys.

Implementation considerations

  • Persistence: Choose between SQLite (single-server, file-based) or MySQL (stateless, horizontally scalable); ensure database backup/restore procedures are tested before production use.
  • Key Management: Generated admin invite tokens are ephemeral; capture and securely distribute initial invite link before closing logs; no key rotation policy is documented.
  • Network Access: Bastion listens on a single TCP port (default 2222); restrict inbound SSH to trusted networks and consider rate-limiting to prevent brute-force attacks.
  • Session Recording: TTY recording increases storage; define retention policy and verify ttyrec playback tools (ttyplay) are available in your environment.
  • User/Host Naming: Avoid naming users/hosts 'healthcheck' (reserved) or using identical usernames and hostnames; document naming conventions for your team.

When to avoid it — and what to weigh

  • Mosh/Modern Terminal Multiplexing Required — Project documentation explicitly states mosh is not supported; if mobile SSH or UDP-based terminal sessions are critical, sshportal is incompatible.
  • Very High Session Throughput (Unvalidated) — While one user reports 65k+ sessions in database, performance under concurrent heavy load is not clearly documented; benchmarks and scalability limits are unknown.
  • PostgreSQL-Only or MSSQL Infrastructure — Currently supports only SQLite and MySQL backends; adapting to other databases would require code changes, though maintainers suggest GORM may ease this.
  • Real-Time Security Incident Response — Session recording and audit logs are useful for post-incident analysis but do not provide real-time threat detection or anomaly alerting (not mentioned in feature set).

License & commercial use

Apache License 2.0 (Apache-2.0): permissive OSI-approved license allowing commercial use, modification, and distribution with reasonable liability and patent protections. No copyleft obligations.

Commercial use is explicitly permitted under Apache-2.0. However, sshportal is provided as-is with no warranty or support SLA stated in available data. Organizations using it in production should conduct their own security review, maintain their own fork or patches if needed, and consider the single-maintainer risk (project by moul; maintainability status unclear beyond code activity).

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

sshportal functions as a critical access control point; key considerations include: (1) initial admin invite token must be handled securely and stored safely; (2) SQLite is file-based and less suitable for multi-instance HA setups—use MySQL for security-sensitive deployments; (3) session recording and audit logs help with forensics but do not prevent lateral movement; (4) network isolation of the bastion itself is essential; (5) no mention of rate-limiting, brute-force protection, or modern auth methods (MFA, OIDC); (6) single-author maintenance and 80 open issues suggest potential unpatched vulnerabilities—conduct security audit before critical use.

Alternatives to consider

Teleport (Gravitational)

Commercial-grade SSH bastion with MFA, audit logging, RBAC, and native Kubernetes support; larger community and vendor backing but higher operational overhead and licensing cost.

Bastion (OpenSSH with forced-commands)

Simpler approach using standard SSH authorized_keys with forced commands; lower complexity and no new tool to maintain, but less flexible user/host management and no interactive shell.

HashiCorp Boundary

Modern zero-trust access platform supporting SSH, RDP, HTTP, and databases with strong RBAC and audit; more heavyweight and complex than sshportal but designed for enterprise scale.

Software development agency

Build on sshportal with DEV.co software developers

Explore sshportal for transparent bastion functionality, or contact us to evaluate enterprise SSH access platforms suited to your compliance and scale requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

sshportal FAQ

Can I use sshportal in production without modifying my SSH clients?
Yes. sshportal is designed to be transparent—standard SSH clients, Git, scp, rsync, and SFTP work without configuration changes. Connect via the bastion host and port (e.g., ssh -p 2222 localhost -l username).
What databases does sshportal support?
SQLite (file-based, default) and MySQL. The README suggests adding PostgreSQL or MSSQL via GORM would be 'probably easy,' but this is not implemented. Requires code changes for other databases.
How do I handle high availability and failover?
Use MySQL backend to make sshportal stateless, allowing multiple instances behind a load balancer. SQLite is single-node only. Exact HA setup is not documented; requires custom operational setup.
Is there a commercial support or SLA option?
Not mentioned in available data. Project is open-source maintained by a single author (moul); no commercial support vendor identified. Organizations must rely on community or internal resources.
Does sshportal support multi-factor authentication (MFA)?
Unknown. Feature list does not mention MFA, TOTP, or OIDC integration. Current auth relies on SSH keys and invites; no modern auth methods are documented.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like sshportal into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.

Ready to Centralize SSH Access?

Explore sshportal for transparent bastion functionality, or contact us to evaluate enterprise SSH access platforms suited to your compliance and scale requirements.