GitHub Repository

Cardea is an SSH bastion server with access control, session recording, and optional TPM-backed key protection.

19 stars · Go

Cardea, SSH bastion with per-key ACLs, TPM keys and session recording

by hectorm · Mar 8, 2026 · 4 points · 0 comments

AI Analysis

Tags: Banger · Wizardry · Niche Gem

SSH bastion with per-key ACLs, zero database, TPM-backed host keys—rules live in Git.

Strengths
  • Text-based config (like authorized_keys) fits existing GitOps workflows; reviewable in PRs, versioned like code.
  • TPM 2.0 binding of the bastion's host keys prevents private key extraction from the host: real security hardening most bastions skip.
  • Single static Go binary, reproducible builds, provenance attestation; minimal attack surface.
Weaknesses
  • Narrow audience—teams already managing infrastructure through code, not typical startups or enterprises on managed platforms.
  • Session recording optional and asciinema-specific; no built-in audit dashboard or compliance integrations.
Category
Target Audience

Infrastructure teams managing servers, small to mid-sized organizations using SSH-based access

Similar To

Teleport · Boundary by HashiCorp · Bastionado

Post Description

Author here. Cardea is an SSH bastion I wrote to manage access to some servers I administer. Access policies are defined in a single text file, similar to OpenSSH's authorized_keys format, with macros, server groups, time windows, and key expiry, so everything is reviewable in PRs and deployable with config management. No database, no web UI.

Clients connect with any standard SSH client, encoding the target as the SSH username (e.g. ssh [email protected]:[email protected]). Sessions can be recorded in asciinema v3 format. Host keys can optionally be bound to a TPM 2.0 so they can't be extracted.

It's a single static Go binary with minimal dependencies. Builds are reproducible, immutable, and include provenance attestation.

Happy to answer questions.
