Orion-Belt is an open-source, secure SSH/SCP bastion system designed for controlled access to infrastructure without exposing networks.
It provides reverse SSH tunneling, relationship-based access control (ReBAC), temporary access workflows, and full session recording, making it ideal for teams that need auditable, time-bound, and approval-based access to servers behind firewalls.
Think of it as a lightweight, self-hosted alternative to traditional bastion hosts or commercial access gateways — built with simplicity, auditability, and extensibility in mind.
Status: Alpha / Early development (APIs and internals may change)
Traditional SSH and VPN-based access have limitations:
- Long-lived credentials
- No native approval workflow
- Limited auditability
- Broad network access instead of per-machine access
Orion-Belt solves this by:
- Eliminating inbound firewall rules using reverse SSH tunnels
- Enforcing fine-grained, relationship-based access control
- Supporting temporary, approval-based access
- Recording every session for audit and replay
- Acting as a single, centralized access gateway
- Server Mode: SSH/SCP tunneling server with session recording
- Client Mode: CLI tools (osh, ocp) for connecting to machines through the server
- Agent Mode: Runs on target machines to receive connections
- ReBAC: Relationship-based access control for authorized users
- Temporary Access: Request-based temporary access with admin approval
- Session Recording: Complete session recording and audit trails
- Plugin System: Extensible plugin architecture
- Database Agnostic: Interface-based database layer for easy switching
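The two authorization paths listed above, a relationship graph (ReBAC) and approved temporary grants that expire on their own, are shown below in an added Go example. This is illustrative code written for this README, not Orion-Belt's `pkg/auth` implementation; the tuple layout, the `operator`/`owner` relation names, the `Authorizer` type and the sample users and machines are all assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Tuple is one relationship in the ReBAC graph: Subject has Relation on Object.
// Subjects are users ("alice") or groups ("team:web"); "member" tuples nest a
// subject inside a group, the other relations grant rights on a machine.
type Tuple struct {
	Subject  string
	Relation string
	Object   string
}

// TempGrant is an approved temporary-access request. It authorizes only inside
// [ApprovedAt, ApprovedAt+Duration) and needs no explicit revocation afterwards.
type TempGrant struct {
	User       string
	Machine    string
	ApprovedAt time.Time
	Duration   time.Duration
	Reason     string
}

// Authorizer combines the relationship graph with the approved temporary grants.
type Authorizer struct {
	tuples []Tuple
	grants []TempGrant
}

// sessionRelations are the relations on a machine that permit an SSH session
// (assumed names for this example).
var sessionRelations = map[string]bool{"owner": true, "operator": true}

// subjectsOf returns the user plus every group the user transitively belongs to,
// following "member" tuples breadth-first; the visited set stops cycles.
func (a *Authorizer) subjectsOf(user string) map[string]bool {
	seen := map[string]bool{user: true}
	queue := []string{user}
	for len(queue) > 0 {
		s := queue[0]
		queue = queue[1:]
		for _, t := range a.tuples {
			if t.Subject == s && t.Relation == "member" && !seen[t.Object] {
				seen[t.Object] = true
				queue = append(queue, t.Object)
			}
		}
	}
	return seen
}

// Authorize decides whether user may open a session on machine at time now.
// The reason string is intended for the audit log, so denials are as explicit
// as approvals.
func (a *Authorizer) Authorize(user, machine string, now time.Time) (bool, string) {
	subjects := a.subjectsOf(user)
	for _, t := range a.tuples {
		if t.Object == machine && sessionRelations[t.Relation] && subjects[t.Subject] {
			return true, fmt.Sprintf("rebac: %s is %s of %s", t.Subject, t.Relation, machine)
		}
	}
	for _, g := range a.grants {
		if g.User != user || g.Machine != machine {
			continue
		}
		expires := g.ApprovedAt.Add(g.Duration)
		if !now.Before(g.ApprovedAt) && now.Before(expires) {
			return true, fmt.Sprintf("temporary access until %s (reason: %s)",
				expires.UTC().Format(time.RFC3339), g.Reason)
		}
	}
	return false, "denied: no relationship and no unexpired temporary grant"
}

// demoApprovedAt is the constructed approval time used by the sample data.
var demoApprovedAt = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)

// demoAuthorizer builds a small constructed graph: alice is on team:web, which
// operates web-server-01; bob holds a one-hour approved grant; carol has no path.
func demoAuthorizer() *Authorizer {
	return &Authorizer{
		tuples: []Tuple{
			{"alice", "member", "team:web"},
			{"team:web", "operator", "machine:web-server-01"},
			{"carol", "member", "team:db"},
			{"team:db", "operator", "machine:db-01"},
		},
		grants: []TempGrant{{User: "bob", Machine: "machine:web-server-01",
			ApprovedAt: demoApprovedAt, Duration: time.Hour, Reason: "Emergency deployment"}},
	}
}

func main() {
	a := demoAuthorizer()
	for _, c := range []struct {
		user string
		at   time.Time
	}{{"alice", demoApprovedAt}, {"bob", demoApprovedAt.Add(30 * time.Minute)},
		{"bob", demoApprovedAt.Add(2 * time.Hour)}, {"carol", demoApprovedAt}} {
		ok, why := a.Authorize(c.user, "machine:web-server-01", c.at)
		fmt.Printf("%-5s at %s -> allowed=%v (%s)\n", c.user, c.at.Format(time.Kitchen), ok, why)
	}
}
```

Evaluating the relationship graph first and the grant list second keeps standing access and temporary access visibly separate in the audit reason, and checking `now` against the window on every call (rather than flipping a flag at approval time) is what makes expiry automatic.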
```
┌─────────────┐         ┌──────────────┐         ┌─────────────┐
│   Client    │────────>│    Server    │────────>│   Machine   │
│  (osh/ocp)  │         │  (tunneling) │         │   (agent)   │
└─────────────┘         └──────────────┘         └─────────────┘
                               │
                               ├─> Session Recording
                               ├─> ReBAC Authorization
                               └─> Access Request Management
```
Orion-Belt is under active development, with the core functionality already working in production. The roadmap ahead covers security hardening, advanced features, and multi-protocol support.
Current Status: Alpha v0.1 — core SSH proxy, session recording, and access control are operational.
What's Next:
- Host key verification and API authentication (v0.2)
- High availability and identity provider integrations (v0.3)
- Risk-based access and command filtering (v0.4)
- Multi-protocol support: RDP, VNC, K8s, databases (v1.0)
See ROADMAP.md for the complete development plan, outstanding TODOs, and contribution opportunities.
Server:
- SSH/SCP tunneling
- Session recording and playback
- ReBAC authorization engine
- Temporary access request handling
- Admin notification system
Client:
- osh: Orion-Belt SSH client
- ocp: Orion-Belt SCP client
- API integration with server
Agent:
- Runs on target machines
- Connects to server for reverse tunneling
- Receives and handles connections
Installation:
```bash
# Clone the repository
git clone https://github.com/zrougamed/orion-belt.git
cd orion-belt

# Build all components
make build

# Or build individually
make build-server
make build-client
make build-agent
```
Server configuration (server.yaml):
```yaml
server:
  host: "0.0.0.0"
  port: 2222
  ssh_host_key: "/etc/orion-belt/host_key"

database:
  driver: "postgres"
  connection_string: "postgres://user:pass@localhost/orionbelt"

recording:
  enabled: true
  storage_path: "/var/lib/orion-belt/recordings"

auth:
  rebac_enabled: true
  allow_temp_access: true

notifications:
  smtp_host: "smtp.example.com"
  smtp_port: 587
  from_email: "orion-belt@example.com"
```
Client configuration:
```yaml
server:
  host: "orion-belt.example.com"
  port: 2222
  api_endpoint: "https://orion-belt.example.com/api"

auth:
  key_file: "~/.ssh/id_rsa"
```
Agent configuration (agent.yaml):
```yaml
server:
  host: "orion-belt.example.com"
  port: 2222

agent:
  name: "web-server-01"
  tags:
    - "production"
    - "web"
```
Running the server:
```bash
orion-belt server --config /etc/orion-belt/server.yaml
```
Running the agent:
```bash
orion-belt agent --config /etc/orion-belt/agent.yaml
```
Connecting with osh:
```bash
# Connect to a machine
osh machine-name

# Request temporary access
osh --request-access machine-name --duration 1h --reason "Emergency deployment"
```
Copying files with ocp:
```bash
# Copy file to remote machine
ocp local-file machine-name:/remote/path

# Copy from remote machine
ocp machine-name:/remote/file local-path
```
Project structure:
```
orion-belt/
├── cmd/
│   ├── server/       # Server entry point
│   ├── client/       # Client (osh/ocp) entry point
│   └── agent/        # Agent entry point
├── pkg/
│   ├── server/       # Server implementation
│   ├── client/       # Client implementation
│   ├── agent/        # Agent implementation
│   ├── auth/         # ReBAC and authorization
│   ├── recording/    # Session recording
│   ├── database/     # Database interface and implementations
│   ├── api/          # API server and client
│   ├── plugin/       # Plugin system
│   └── common/       # Shared utilities
├── plugins/          # Plugin implementations
├── go.mod
├── go.sum
├── Makefile
└── README.md
```
Building from source:
```bash
go mod download
go build -o bin/orion-belt ./cmd/server
```
For plugin development details, see PLUGIN_DEVELOPMENT.md.
- All connections are encrypted using the SSH protocol
- Session recordings are encrypted at rest
- ReBAC provides fine-grained, per-machine access control
- Audit logs track all access and configuration changes
- Temporary access expires automatically at the end of its approved duration
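Two of the points above, session recording and encryption of recordings at rest, are illustrated by the following added Go example. It is not Orion-Belt's `pkg/recording` code; the JSON-lines event format, the `Recorder`/`Event` types and the AES-256-GCM framing (nonce prepended to the ciphertext) are assumptions chosen for this demonstration, and the key and session bytes are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// Event is one recorded chunk of session traffic: time since session start,
// direction ("i" = client to machine, "o" = machine to client) and the bytes.
type Event struct {
	Offset time.Duration `json:"offset_ns"`
	Dir    string        `json:"dir"`
	Data   []byte        `json:"data"`
}

// Recorder accumulates events as JSON lines in memory (a server would stream
// them to its recording storage_path instead).
type Recorder struct {
	start time.Time
	buf   bytes.Buffer
}

func NewRecorder(start time.Time) *Recorder { return &Recorder{start: start} }

// Record appends one event, copying data so later buffer reuse cannot alter it.
func (r *Recorder) Record(at time.Time, dir string, data []byte) error {
	line, err := json.Marshal(Event{Offset: at.Sub(r.start), Dir: dir, Data: append([]byte(nil), data...)})
	if err != nil {
		return err
	}
	r.buf.Write(line)
	return r.buf.WriteByte('\n')
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the whole recording and returns nonce || ciphertext || tag.
// The GCM tag makes any later edit of the stored file detectable.
func (r *Recorder) Seal(key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, r.buf.Bytes(), nil), nil
}

// Open decrypts a sealed recording and parses its events. A modified or
// truncated file fails the integrity check instead of replaying garbage.
func Open(key, sealed []byte) ([]Event, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("recording too short to contain a nonce")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("recording failed integrity check: %w", err)
	}
	var events []Event
	dec := json.NewDecoder(bytes.NewReader(plain))
	for {
		var ev Event
		if err := dec.Decode(&ev); err == io.EOF {
			return events, nil
		} else if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
}

// Transcript reconstructs what the user saw: only machine-to-client output.
func Transcript(events []Event) string {
	var sb strings.Builder
	for _, ev := range events {
		if ev.Dir == "o" {
			sb.Write(ev.Data)
		}
	}
	return sb.String()
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real deployments
	start := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	rec := NewRecorder(start)
	rec.Record(start.Add(200*time.Millisecond), "i", []byte("uptime\n"))          // constructed input
	rec.Record(start.Add(250*time.Millisecond), "o", []byte("12:00:00 up 3 days\n")) // constructed output
	sealed, _ := rec.Seal(key)
	events, err := Open(key, sealed)
	fmt.Printf("%d events, err=%v, transcript=%q\n", len(events), err, Transcript(events))
	sealed[len(sealed)-1] ^= 1 // simulate a one-bit change to the stored file
	_, err = Open(key, sealed)
	fmt.Println("after tampering:", err)
}
```

Keeping the per-event offsets makes playback at original speed possible, and using an authenticated cipher rather than plain AES means an auditor can tell a recording that was altered on disk from one that was merely corrupted in transit.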
Currently supported databases:
- PostgreSQL
To switch databases, update the `database` section of the configuration and, if no implementation exists for your backend, implement the database.Store interface.
Apache License 2.0 – see LICENSE file for details.
For a detailed architecture overview, see ARCHITECTURE.md.
We welcome contributions from the community! See CONTRIBUTING.md for guidelines.

