DEV Community

Cover image for Orion Belt v1.0 — from Alpha bastion to a stable self-hosted SSH PAM
Mohamed Zrouga
Mohamed Zrouga

Posted on

Orion Belt v1.0 — from Alpha bastion to a stable self-hosted SSH PAM

Earlier I wrote Meet Orion-Belt, Go ZeroTrust Bastion — the Alpha “here’s the idea” post.

This is the follow-up: I tagged v1.0.0, moved the project under orion-belt-dev, and I’m willing to call the SSH PAM slice stable.

If you bounced on the Alpha install story, start here instead — the 10-minute path got a lot of attention.

The story (why this exists)

A few years of jump boxes taught me the same lesson on every team:

We didn’t need another VPN.
We needed SSH access we could audit — without opening port 22 on every server.

Access control was never the hard part.

Auditability was.
UX was harder.

If requesting temporary access is slower than pasting a key into chat, people paste the key.

So Orion Belt is deliberately narrow:

Teleport-like SSH access control — without opening inbound ports or adopting a large platform.

Not “enterprise-grade revolutionary.” Just a self-hosted gateway that makes the boring path the easy path.

What v1.0 actually ships

Orion Belt is a self-hosted SSH access gateway with PAM workflows:

Capability What you get
Reverse agents Targets dial out — no inbound SSH required on hosts for this path
Session recording Cast-style playback in the web console
Live watch Observe an active session when you need eyes-on
JIT access Request → approve → expire (UI / API / ChatOps)
MFA TOTP + WebAuthn for the console; FIDO SSH keys supported
Authorization Built-in ReBAC (+ optional OpenFGA)
Optional SSH CA Short-lived certs when you’re ready — not forced on day one
Clients osh / ocp / oadmin, vanilla OpenSSH, or web terminal
Packaging Docker quickstart + deb/rpm/apk

Repo: github.com/orion-belt-dev/orion-belt

Site: orion-belt.dev

Discord: discord.gg/w62S8jxTHJ

Architecture in one diagram

CLI / OpenSSH / Web UI
          │
          ▼
   Orion Belt Gateway
   (policy · MFA · recording)
          ▲
          │ reverse SSH (dial out)
          │
     Agent on target
Enter fullscreen mode Exit fullscreen mode

Operators never need inbound :22 on the application host for the Orion path.
The tradeoff is honest: offline agents are unreachable, and the gateway becomes high-value infrastructure — harden it.

Deep dive: Why reverse SSH agents

What changed since the Alpha DEV.to post

A few things worth calling out if you read the first article:

  1. v1.0 line — SSH PAM path we’re willing to call stable
  2. Org + docs siteorion-belt-dev, orion-belt.dev
  3. Docker quickstart./scripts/docker-quickstart.sh (secrets + admin bootstrap)
  4. Web console — role-aware UI, Sessions playback/watch, Add agent
  5. MFA / WebAuthn, recording polish, ChatOps approvals, packages
  6. License clarity — Apache 2.0 + Commons Clause, disclosed up front

Still on the roadmap (not pretend-done): OIDC, HA, more protocols.
I’d rather ship a sharp SSH slice than a mediocre multi-protocol checkbox list.

Try it in ~10 minutes

This is the conversion path I care about:

gateway up → agent dials out → SSH works → session recorded → wow

git clone https://github.com/orion-belt-dev/orion-belt.git
cd orion-belt
./scripts/docker-quickstart.sh
Enter fullscreen mode Exit fullscreen mode

Then:

  1. Open http://localhost:8080/ui with the printed admin + public key
  2. Add agent → save agent-key
  3. Start the Docker agent (docker-compose.agent.yml)
  4. SSH via web terminal / OpenSSH / osh
  5. Open Sessions → playback (or live watch)

Full walkthrough: Try Orion Belt in 10 minutes

How it compares (without the marketing fog)

Need Jump host Orion Belt Full platform (e.g. Teleport)
Reach internal SSH
No inbound on targets ✗ / rare ✓ (agents dial out) ✓ / varies
Session recording DIY Built-in Built-in
JIT approvals Built-in Built-in
K8s / DB / Windows day one Not v1
Ops weight Low features SSH-focused Large

Longer write-up: Orion Belt vs Teleport

Choose Orion Belt if your privileged access problem is mostly SSH and you want self-hosted recording + JIT without a platform migration.

Choose Teleport (or similar) if you need multi-protocol zero trust this quarter.

License — said plainly

Orion Belt is Apache 2.0 + Commons Clause:

  • Free to use, modify, and self-host, including internal commercial use
  • You cannot sell Orion Belt (or a hosted service whose value derives substantially from it) as a product

That is source-available, not OSI “Open Source” in the strict sense. I disclose it on purpose — security software needs trust more than clever positioning.

Plain-language FAQ: Commons Clause honesty

Lessons that shaped v1

  1. Access control is easy compared to audit trails people trust
  2. JIT UX beats a twelfth policy DSL
  3. Reverse tunnels move risk to the gateway — they don’t delete risk
  4. Optional complexity (SSH CA, OpenFGA) must stay optional for the first wow
  5. Protect the 10-minute path like a public API

More: Lessons from building a self-hosted SSH PAM

Looking for early operators

Stars are nice. Deployments that break loudly are better.

I’m looking for ~20 labs / small teams to run v1.0 and file sharp feedback:

  • Homelab fleets
  • Small company ops needing recording + JIT
  • People evaluating a lighter Teleport alternative for SSH-only needs

What you get: help on Discord, faster eyes on issues, roadmap input.

What I ask: actually install it, leave it running on something real, open reproducible bugs.

Links

If you tried the Alpha and bounced — try the Docker quickstart once. If it still fails, open an issue with logs. That’s the feedback loop that matters.

Top comments (0)