Earlier I wrote Meet Orion-Belt, Go ZeroTrust Bastion — the Alpha “here’s the idea” post.
This is the follow-up: I tagged v1.0.0, moved the project under orion-belt-dev, and I’m willing to call the SSH PAM slice stable.
If you bounced on the Alpha install story, start here instead — the 10-minute path got a lot of attention.
The story (why this exists)
A few years of jump boxes taught me the same lesson on every team:
We didn’t need another VPN.
We needed SSH access we could audit — without opening port 22 on every server.
Access control was never the hard part.
Auditability was.
UX was harder.
If requesting temporary access is slower than pasting a key into chat, people paste the key.
So Orion Belt is deliberately narrow:
Teleport-like SSH access control — without opening inbound ports or adopting a large platform.
Not “enterprise-grade revolutionary.” Just a self-hosted gateway that makes the boring path the easy path.
What v1.0 actually ships
Orion Belt is a self-hosted SSH access gateway with PAM workflows:
| Capability | What you get |
|---|---|
| Reverse agents | Targets dial out — no inbound SSH required on hosts for this path |
| Session recording | Cast-style playback in the web console |
| Live watch | Observe an active session when you need eyes-on |
| JIT access | Request → approve → expire (UI / API / ChatOps) |
| MFA | TOTP + WebAuthn for the console; FIDO SSH keys supported |
| Authorization | Built-in ReBAC (+ optional OpenFGA) |
| Optional SSH CA | Short-lived certs when you’re ready — not forced on day one |
| Clients |
osh / ocp / oadmin, vanilla OpenSSH, or web terminal |
| Packaging | Docker quickstart + deb/rpm/apk |
Repo: github.com/orion-belt-dev/orion-belt
Site: orion-belt.dev
Discord: discord.gg/w62S8jxTHJ
Architecture in one diagram
CLI / OpenSSH / Web UI
│
▼
Orion Belt Gateway
(policy · MFA · recording)
▲
│ reverse SSH (dial out)
│
Agent on target
Operators never need inbound :22 on the application host for the Orion path.
The tradeoff is honest: offline agents are unreachable, and the gateway becomes high-value infrastructure — harden it.
Deep dive: Why reverse SSH agents
What changed since the Alpha DEV.to post
A few things worth calling out if you read the first article:
- v1.0 line — SSH PAM path we’re willing to call stable
-
Org + docs site —
orion-belt-dev, orion-belt.dev -
Docker quickstart —
./scripts/docker-quickstart.sh(secrets + admin bootstrap) - Web console — role-aware UI, Sessions playback/watch, Add agent
- MFA / WebAuthn, recording polish, ChatOps approvals, packages
- License clarity — Apache 2.0 + Commons Clause, disclosed up front
Still on the roadmap (not pretend-done): OIDC, HA, more protocols.
I’d rather ship a sharp SSH slice than a mediocre multi-protocol checkbox list.
Try it in ~10 minutes
This is the conversion path I care about:
gateway up → agent dials out → SSH works → session recorded → wow
git clone https://github.com/orion-belt-dev/orion-belt.git
cd orion-belt
./scripts/docker-quickstart.sh
Then:
- Open
http://localhost:8080/uiwith the printed admin + public key -
Add agent → save
agent-key - Start the Docker agent (
docker-compose.agent.yml) - SSH via web terminal / OpenSSH /
osh - Open Sessions → playback (or live watch)
Full walkthrough: Try Orion Belt in 10 minutes
How it compares (without the marketing fog)
| Need | Jump host | Orion Belt | Full platform (e.g. Teleport) |
|---|---|---|---|
| Reach internal SSH | ✓ | ✓ | ✓ |
| No inbound on targets | ✗ / rare | ✓ (agents dial out) | ✓ / varies |
| Session recording | DIY | Built-in | Built-in |
| JIT approvals | ✗ | Built-in | Built-in |
| K8s / DB / Windows day one | ✗ | Not v1 | ✓ |
| Ops weight | Low features | SSH-focused | Large |
Longer write-up: Orion Belt vs Teleport
Choose Orion Belt if your privileged access problem is mostly SSH and you want self-hosted recording + JIT without a platform migration.
Choose Teleport (or similar) if you need multi-protocol zero trust this quarter.
License — said plainly
Orion Belt is Apache 2.0 + Commons Clause:
- Free to use, modify, and self-host, including internal commercial use
- You cannot sell Orion Belt (or a hosted service whose value derives substantially from it) as a product
That is source-available, not OSI “Open Source” in the strict sense. I disclose it on purpose — security software needs trust more than clever positioning.
Plain-language FAQ: Commons Clause honesty
Lessons that shaped v1
- Access control is easy compared to audit trails people trust
- JIT UX beats a twelfth policy DSL
- Reverse tunnels move risk to the gateway — they don’t delete risk
- Optional complexity (SSH CA, OpenFGA) must stay optional for the first wow
- Protect the 10-minute path like a public API
More: Lessons from building a self-hosted SSH PAM
Looking for early operators
Stars are nice. Deployments that break loudly are better.
I’m looking for ~20 labs / small teams to run v1.0 and file sharp feedback:
- Homelab fleets
- Small company ops needing recording + JIT
- People evaluating a lighter Teleport alternative for SSH-only needs
What you get: help on Discord, faster eyes on issues, roadmap input.
What I ask: actually install it, leave it running on something real, open reproducible bugs.
- Discord: https://discord.gg/w62S8jxTHJ
- Discussions: https://github.com/orion-belt-dev/orion-belt/discussions
- Call post: Looking for early operators
Links
- GitHub: https://github.com/orion-belt-dev/orion-belt
- Docs: https://orion-belt.dev/docs/introduction
- Blog: https://orion-belt.dev/blog
- Earlier Alpha post: https://dev.to/zrouga/meet-orion-belt-go-zerotrust-bastion-clp
If you tried the Alpha and bounced — try the Docker quickstart once. If it still fails, open an issue with logs. That’s the feedback loop that matters.
Top comments (0)