Show HN: Cardea, SSH bastion with per-key ACLs, TPM keys and session recording (github.com)
4 points by hectorm 103 days ago
Author here. Cardea is an SSH bastion I wrote to manage access to some servers I administer. Access policies are defined in a single text file, similar to OpenSSH's authorized_keys format, with macros, server groups, time windows, and key expiry, so everything is reviewable in PRs and deployable with config management. No database, no web UI.

Clients connect with any standard SSH client, encoding the target as the SSH username (e.g. ssh alice@10.0.0.1:22@bastion.internal). Sessions can be recorded in asciinema v3 format. Host keys can optionally be bound to a TPM 2.0 so they can't be extracted.

It's a single static Go binary with minimal dependencies. Builds are reproducible, immutable, and include provenance attestation.

Happy to answer questions.
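The post describes two mechanisms: the target host is encoded in the SSH username (the client strips the trailing @bastion, so the bastion sees "alice@10.0.0.1:22"), and access is decided from a text file of per-key rules with groups, time windows and expiry. The Go program below is an added illustration of how a deny-by-default evaluator for such a file can work; it is not Cardea's code and the "group"/"allow" directive syntax, the sample fingerprints and the hosts are constructed for this example only. Every denial returns the specific failed check, which is what you want written to the audit log.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// Target is the destination encoded in the SSH username ("user@host[:port]").
type Target struct{ User, Host, Port string }

// ParseTarget splits the username at its last "@"; the port defaults to 22.
func ParseTarget(username string) (Target, error) {
	i := strings.LastIndex(username, "@")
	if i <= 0 || i == len(username)-1 {
		return Target{}, errors.New("expected user@host[:port]")
	}
	t := Target{User: username[:i], Host: username[i+1:], Port: "22"}
	if h, p, err := net.SplitHostPort(t.Host); err == nil {
		t.Host, t.Port = h, p
	}
	return t, nil
}

// Rule is one "allow" line. HourFrom/HourTo of -1 mean any time (ranges in this
// example must not wrap midnight); a zero Expires means the key never expires.
type Rule struct {
	Fingerprint, User string
	Targets           []string // group names or host[:port]
	HourFrom, HourTo  int
	Expires           time.Time
}

type Policy struct {
	Groups map[string][]string
	Rules  []Rule
}

// ParsePolicy reads the hypothetical format used by this example:
//   group NAME host [host...]
//   allow FINGERPRINT [user=U] [targets=a,b] [hours=HH-HH] [expires=YYYY-MM-DD]
// Unknown directives or options are errors, so a typo cannot silently widen access.
func ParsePolicy(text string) (Policy, error) {
	p := Policy{Groups: map[string][]string{}}
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		switch f[0] {
		case "group":
			if len(f) < 3 {
				return p, fmt.Errorf("line %d: group needs a name and a host", n+1)
			}
			p.Groups[f[1]] = f[2:]
		case "allow":
			if len(f) < 2 {
				return p, fmt.Errorf("line %d: allow needs a fingerprint", n+1)
			}
			r := Rule{Fingerprint: f[1], HourFrom: -1, HourTo: -1}
			for _, opt := range f[2:] {
				k, v, ok := strings.Cut(opt, "=")
				if !ok {
					return p, fmt.Errorf("line %d: bad option %q", n+1, opt)
				}
				var err error
				switch k {
				case "user":
					r.User = v
				case "targets":
					r.Targets = strings.Split(v, ",")
				case "hours":
					a, b, _ := strings.Cut(v, "-")
					if r.HourFrom, err = strconv.Atoi(a); err == nil {
						r.HourTo, err = strconv.Atoi(b)
					}
				case "expires":
					r.Expires, err = time.Parse("2006-01-02", v)
				default:
					err = fmt.Errorf("unknown option %q", k)
				}
				if err != nil {
					return p, fmt.Errorf("line %d: %w", n+1, err)
				}
			}
			p.Rules = append(p.Rules, r)
		default:
			return p, fmt.Errorf("line %d: unknown directive %q", n+1, f[0])
		}
	}
	return p, nil
}

// targetAllowed expands group names; an entry with a port must match it
// exactly, a bare host permits any port on that host.
func (p Policy) targetAllowed(r Rule, t Target) bool {
	for _, entry := range r.Targets {
		hosts, ok := p.Groups[entry]
		if !ok {
			hosts = []string{entry}
		}
		for _, h := range hosts {
			if host, port, err := net.SplitHostPort(h); err == nil {
				if host == t.Host && port == t.Port {
					return true
				}
			} else if h == t.Host {
				return true
			}
		}
	}
	return false
}

// Authorize is deny-by-default: nil only if some rule for fp passes every
// constraint; otherwise an error naming the last failed check for the audit log.
func (p Policy) Authorize(fp string, t Target, now time.Time) error {
	reason := "no rule for key"
	for _, r := range p.Rules {
		switch h := now.Hour(); {
		case r.Fingerprint != fp:
			continue
		case r.User != "" && r.User != t.User:
			reason = "user not permitted by rule"
		case !r.Expires.IsZero() && !now.Before(r.Expires):
			reason = "key expired " + r.Expires.Format("2006-01-02")
		case r.HourFrom >= 0 && !(h >= r.HourFrom && h < r.HourTo):
			reason = fmt.Sprintf("outside hours %02d-%02d", r.HourFrom, r.HourTo)
		case !p.targetAllowed(r, t):
			reason = "target not in rule"
		default:
			return nil
		}
	}
	return errors.New(reason)
}

// samplePolicy is constructed for this example; fingerprints are placeholders.
const samplePolicy = `# constructed sample, not Cardea's syntax
group prod 10.0.0.1 10.0.0.2
allow SHA256:ALICE-FINGERPRINT user=alice targets=prod,10.0.1.5:2222 hours=09-18 expires=2026-01-01
allow SHA256:BOB-FINGERPRINT user=bob targets=10.0.0.1
`

func main() {
	p, err := ParsePolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	t, _ := ParseTarget("alice@10.0.0.2:22")
	fmt.Println(p.Authorize("SHA256:ALICE-FINGERPRINT", t, time.Date(2025, 6, 2, 10, 0, 0, 0, time.UTC)))
	fmt.Println(p.Authorize("SHA256:ALICE-FINGERPRINT", t, time.Date(2025, 6, 2, 20, 0, 0, 0, time.UTC)))
}
```

The checks are ordered so that the cheap, key-specific ones (user, expiry, hours) run before the target lookup, and a parse error anywhere in the file rejects the whole file rather than loading a partial policy, which is what makes a reviewable text file safe to deploy through config management.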