SSH Gatekeeper

Just-in-time SSH.
Every login, audited.

Stop leaving long-lived SSH keys on laptops forever. HostAtlas signs a short-lived certificate for each login — traceable to a specific request, reason, and approver. Works with your existing sshd. No jump host. No proxy.

  • 15 min default cert TTL
  • ~30s revocation latency
  • 0 jump hosts needed
  • 100% audit coverage

How it works

Six steps. Zero friction.

SSH Gatekeeper uses OpenSSH's built-in certificate authority (CA) support: no new daemon on your servers, no proxy in your network path, and no learning curve for engineers.

  1. Setup: upload your SSH public key

     Like GitHub SSH keys. HostAtlas never sees your private key.

  2. Enable: admin enables Gatekeeper per server

     The agent adds the CA to the sshd configuration using idempotent, marker-fenced config blocks.

  3. Request: hostatlas ssh prod-01

     CLI or dashboard. Include a reason for compliance-grade logs.

  4. Approve: self-service or admin approval

     Configurable per server. The admin is notified, clicks approve, and the cert is signed.

  5. Login: plain old SSH, but with a cert

     The cert is validated offline by sshd. No runtime dependency on HostAtlas during the login.

  6. Revoke: auto-expire plus instant revoke

     Certs expire after their TTL. For instant revocation, the admin clicks "Revoke" and the agent applies a KRL (key revocation list) on the server within 30s.

Why HostAtlas

No jump host. No proxy. No sshd replacement.

Teleport, StrongDM, and Cloudflare Access all put a gateway between you and your server. That gateway becomes a new thing to scale, secure, and worry about when it's down. HostAtlas uses OpenSSH's native CA support — sshd already trusts your cert, no middleman needed.

                                    HostAtlas       Teleport      StrongDM     Cloudflare Access
Jump host required                  No              Yes           Yes          Yes
Runtime dependency during login     No              Yes           Yes          Yes
Works with existing sshd            Yes             Replaces it   Proxies it   Proxies it
Break-glass on platform outage      Yes (opt-in)    No            No           No
Built into monitoring               Yes             No            No           No

Session Recording (Enterprise)

Every session, replayable.

Every SSH login through Gatekeeper can be fully recorded — keystrokes, output, timing. Play any session back in your browser at audit time. Search by user, server, or date. The compliance-grade answer to "who did what, when, and exactly how."

  • asciinema-based: industry-standard terminal recording, lossless replay in the HostAtlas dashboard — no external player needed
  • Automatic install: the agent sets up the recorder + asciinema the moment you toggle "record sessions" on a server
  • Fail-open: if recording infrastructure fails, SSH still works — no user lockout, ever
  • Configurable retention: keep recordings for 30, 90, 365 days or longer — expired recordings are pruned automatically
  • SOC 2 CC6.1 / ISO 27001 A.8.15: auditors ask for session replay evidence — you have it with one click
  • Interactive + non-interactive: both live shells and one-off commands (scp, git, rsync) are captured

Short-lived certs

Default 15 minutes, configurable per server. Long-lived keys become a thing of the past.

Two modes

Self-service for dev environments, approval-required for production. Per-server configuration.

Audit trail

Every request is linked to its session events: who, when, why, source IP, duration. Exportable for compliance.

Instant revocation

Revoke a cert and the KRL propagates to the server in ~30s. Sessions in progress can be killed instantly.

Break-glass fallback

Keep a traditional SSH key as backup for when HostAtlas is unreachable. Audited separately.

Source-IP pinning

Optionally bind certs to the requesting IP. A stolen cert cannot be used from another address.

Session Recording (Enterprise)

Full asciinema replay of every session in the browser. SOC 2 / ISO 27001 compliance in one click.

Multi-user

Allow login as root, deploy, ubuntu, or any system user you configure. Each request specifies the user.

CLI-first

hostatlas ssh prod-01 — one command requests, waits, and connects.

Encrypted CA

CA private keys are encrypted at rest. Enterprise customers can plug in their own KMS or Vault.
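As an added example that is not HostAtlas's own code: a small Python encoder and auditor for the OpenSSH certificate fields that the six steps above and the cards here rely on, namely the 15-minute validity window, the principal (the system user such as root or deploy), the key id that ties a cert to a request, and source-IP pinning, which on an OpenSSH certificate maps to the source-address critical option (an assumption about how HostAtlas implements it). The certificate is constructed and unsigned, so the script exercises parsing and the policy check, not signature verification.

```python
import base64, struct

def _s(b): return struct.pack(">I", len(b)) + b      # SSH "string": uint32 length + bytes
def _read(buf, pos):                                 # read one SSH string -> (bytes, next offset)
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_cert(key_id, principals, valid_after, valid_before, source_address=None):
    """Constructed, UNSIGNED ssh-ed25519-cert-v01@openssh.com body for illustration only:
    nonce, keys and signature are zero bytes, so a real sshd would reject this cert."""
    opts = b""
    if source_address:          # critical option: name, then a string holding the CIDR list
        opts = _s(b"source-address") + _s(_s(source_address.encode()))
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\0" * 32) + _s(b"\0" * 32)
            + struct.pack(">QI", 1, 1) + _s(key_id.encode())          # serial, type 1 = user cert
            + _s(b"".join(_s(p.encode()) for p in principals))       # system users allowed
            + struct.pack(">QQ", valid_after, valid_before)          # validity window (unix time)
            + _s(opts) + _s(b"") + _s(b"")                           # critical options, extensions, reserved
            + _s(b"\0" * 32) + _s(b"\0" * 64))                       # CA public key, signature
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

def parse_cert(line):
    """Decode the fields an auditor cares about from one certificate line."""
    buf = base64.b64decode(line.split()[1])
    ctype, pos = _read(buf, 0)
    _, pos = _read(buf, pos)                                         # nonce
    _, pos = _read(buf, pos)                                         # certified public key
    pos += 12                                                        # skip serial (8) + type (4)
    key_id, pos = _read(buf, pos)
    raw_princ, pos = _read(buf, pos)
    principals, p = [], 0
    while p < len(raw_princ):
        name, p = _read(raw_princ, p)
        principals.append(name.decode())
    after, before = struct.unpack(">QQ", buf[pos:pos + 16])
    raw_opts, options, p = _read(buf, pos + 16)[0], {}, 0
    while p < len(raw_opts):                                         # name, then wrapped value
        name, p = _read(raw_opts, p)
        val, p = _read(raw_opts, p)
        options[name.decode()] = _read(val, 0)[0].decode() if val else ""
    return {"type": ctype.decode(), "key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before, "options": options}

def check_policy(cert, max_ttl=900, require_source_address=True):
    """Return policy findings for a parsed cert; an empty list means it complies."""
    ttl_ok = cert["valid_before"] - cert["valid_after"] <= max_ttl
    pinned = "source-address" in cert["options"] or not require_source_address
    findings = [] if ttl_ok else ["ttl exceeds %ds" % max_ttl]
    return findings + ([] if pinned else ["no source-address pinning"])
```

The same parse_cert and check_policy run unchanged on the second field of a real `id_ed25519-cert.pub` issued by an OpenSSH CA, so they can audit issued certs against the 15-minute and pinning expectations.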

Get started

Upgrade your SSH security without changing how you SSH.

SSH Gatekeeper is included in all Business and Enterprise plans. Install the agent, upload your SSH key, enable Gatekeeper on a server, and start issuing short-lived certificates. Your engineers SSH the same way they always have — but now every login is auditable, revocable, and traceable to a specific request.