sshportal
sshportal is a transparent SSH bastion server written in Go that acts as a jump host, allowing centralized user and host management without requiring modifications to client SSH configurations. It enables temporary access provisioning, session auditing, and connection logging through a single binary with no external dependencies.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | moul/sshportal |
| Owner | moul |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.9k |
| Forks | 142 |
| Open issues | 80 |
| Latest release | v1.19.5 (2023-05-20) |
| Last updated | 2026-07-08 |
| Source | https://github.com/moul/sshportal |
What sshportal is
Go-based SSH bastion implementing transparent proxying with embedded SSH server/client, SQLite/MySQL backend support, TTY session recording (ttyrec format), and comprehensive ACL/group-based access control. Supports standard SSH features (tunneling, SFTP, scp, rsync, X11 forwarding, ssh-agent) and non-SSH protocols (Telnet).
Get the sshportal source
Clone the repository and explore it locally.
git clone https://github.com/moul/sshportal.gitcd sshportal# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Persistence: Choose between SQLite (single-server, file-based) or MySQL (stateless, horizontally scalable); ensure database backup/restore procedures are tested before production use.
- Key Management: Generated admin invite tokens are ephemeral; capture and securely distribute initial invite link before closing logs; no key rotation policy is documented.
- Network Access: Bastion listens on a single TCP port (default 2222); restrict inbound SSH to trusted networks and consider rate-limiting to prevent brute-force attacks.
- Session Recording: TTY recording increases storage; define retention policy and verify ttyrec playback tools (ttyplay) are available in your environment.
- User/Host Naming: Avoid naming users/hosts 'healthcheck' (reserved) or using identical usernames and hostnames; document naming conventions for your team.
When to avoid it — and what to weigh
- Mosh/Modern Terminal Multiplexing Required — Project documentation explicitly states mosh is not supported; if mobile SSH or UDP-based terminal sessions are critical, sshportal is incompatible.
- Very High Session Throughput (Unvalidated) — While one user reports 65k+ sessions in database, performance under concurrent heavy load is not clearly documented; benchmarks and scalability limits are unknown.
- PostgreSQL-Only or MSSQL Infrastructure — Currently supports only SQLite and MySQL backends; adapting to other databases would require code changes, though maintainers suggest GORM may ease this.
- Real-Time Security Incident Response — Session recording and audit logs are useful for post-incident analysis but do not provide real-time threat detection or anomaly alerting (not mentioned in feature set).
License & commercial use
Apache License 2.0 (Apache-2.0): permissive OSI-approved license allowing commercial use, modification, and distribution with reasonable liability and patent protections. No copyleft obligations.
Commercial use is explicitly permitted under Apache-2.0. However, sshportal is provided as-is with no warranty or support SLA stated in available data. Organizations using it in production should conduct their own security review, maintain their own fork or patches if needed, and consider the single-maintainer risk (project by moul; maintainability status unclear beyond code activity).
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Moderate |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
sshportal functions as a critical access control point; key considerations include: (1) initial admin invite token must be handled securely and stored safely; (2) SQLite is file-based and less suitable for multi-instance HA setups—use MySQL for security-sensitive deployments; (3) session recording and audit logs help with forensics but do not prevent lateral movement; (4) network isolation of the bastion itself is essential; (5) no mention of rate-limiting, brute-force protection, or modern auth methods (MFA, OIDC); (6) single-author maintenance and 80 open issues suggest potential unpatched vulnerabilities—conduct security audit before critical use.
Alternatives to consider
Teleport (Gravitational)
Commercial-grade SSH bastion with MFA, audit logging, RBAC, and native Kubernetes support; larger community and vendor backing but higher operational overhead and licensing cost.
Bastion (OpenSSH with forced-commands)
Simpler approach using standard SSH authorized_keys with forced commands; lower complexity and no new tool to maintain, but less flexible user/host management and no interactive shell.
HashiCorp Boundary
Modern zero-trust access platform supporting SSH, RDP, HTTP, and databases with strong RBAC and audit; more heavyweight and complex than sshportal but designed for enterprise scale.
Build on sshportal with DEV.co software developers
Explore sshportal for transparent bastion functionality, or contact us to evaluate enterprise SSH access platforms suited to your compliance and scale requirements.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
sshportal FAQ
Can I use sshportal in production without modifying my SSH clients?
What databases does sshportal support?
How do I handle high availability and failover?
Is there a commercial support or SLA option?
Does sshportal support multi-factor authentication (MFA)?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like sshportal into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Ready to Centralize SSH Access?
Explore sshportal for transparent bastion functionality, or contact us to evaluate enterprise SSH access platforms suited to your compliance and scale requirements.