Cloudflare Access

Best Self-Hosted Alternatives to Cloudflare Access

A curated collection of the 20 best self-hosted alternatives to Cloudflare Access.

Zero Trust access service that secures internal applications, SSH, and RDP by enforcing identity-based policies. Integrates with SSO/IdPs, performs device posture checks, issues short‑lived credentials, and replaces traditional VPN access.

Alternatives List

#1
NetBird

Open-source zero-trust networking platform delivering a WireGuard-based private network with centralized access control, SSO/MFA, and cross-platform clients.


NetBird is an open-source private networking platform that creates a WireGuard-based overlay connecting devices across environments without configuring VPN gateways. It provides centralized access control and a management UI for policy enforcement across Linux, macOS, Windows, Android and iOS.

Key Features

  • Kernel WireGuard integration
  • Admin Web UI
  • SSO & MFA support
  • Public API
  • Cross-platform clients (Linux, Mac, Windows, Android, iOS)
  • Peer-to-peer connections with auto peer discovery
  • Access control - groups & rules
  • Setup keys for bulk provisioning
  • NAT traversal with TURN fallback
  • Identity provider integrations
  • Activity logging
  • Self-hosting via Docker and docker-compose
  • Private DNS
  • Docker-based quickstart script

Use Cases

  • Secure remote access to private resources across distributed teams
  • Site-to-site private networks across cloud/infrastructure
  • Least-privilege access control with per-group policies via IdPs

Limitations and Considerations

  • Self-hosted deployments require a publicly accessible Linux host with specific ports opened; NAT traversal can fail on strict networks, in which case a TURN relay is used

Conclusion

NetBird unifies a WireGuard-based overlay with centralized access control and identity-aware policies, enabling zero-configuration, scalable private networks across heterogeneous environments. It supports cloud-hosted or self-hosted deployments with an admin UI and REST API for managing peers and policies.

21.1k stars · 1k forks

#2
authentik

Open-source IdP delivering SSO, OAuth2/OIDC, SAML2, LDAP, RADIUS, MFA, WebAuthn, conditional access and application-proxy capabilities for self-hosted deployments.


authentik is an open-source Identity Provider designed for modern single sign-on and authentication workflows. It provides protocol support and configurable authentication flows to secure web, API, and remote-access use cases.

Key Features

  • Supports standard identity protocols: OAuth2 / OIDC, SAML2, LDAP, RADIUS, SCIM and Kerberos for broad application compatibility
  • Flexible multi-stage authentication flows, policy engine, and enrollment flows for MFA and conditional access (GeoIP, impossible-travel checks)
  • MFA and modern second-factor support including TOTP and WebAuthn (passkeys)
  • Application proxy / outpost model for protecting internal apps and enabling remote access (RDP, SSH, VNC) behind the IdP
  • Rich admin, user, and flow interfaces plus REST APIs and SDKs for automation and integration
  • Pluggable federation and social login sources, fine-grained policies, and templates for customizing login and enrollment behavior
  • Deployment options and tooling for Docker Compose, Kubernetes (Helm), and cloud templates; background workers and channel layers for scale
  • Caching and async task support via Redis; persistent storage and migrations for relational databases

Use Cases

  • Enterprise replacement or augmentation of commercial IdPs to provide SSO, delegated access, and centralized authentication for web and API applications
  • Protecting internal or home-lab applications using the outpost/application-proxy model to enforce authentication and authorization policies
  • Integrating existing LDAP/AD directories and provisioning flows (SCIM) to enable consolidated identity management and MFA across services

Limitations and Considerations

  • Some legacy native desktop or mobile clients that embed outdated browser engines may not support the full web-based login flow; a simplified flow executor (SFE) or alternate API-key approach may be required for such clients
  • Major-version upgrades can require careful attention to migrations and worker restarts; administrators should test upgrades in staging before production rollouts

authentik provides a comprehensive, protocol-rich IdP with configurable flows and deployment flexibility. It is suited for organizations that need a self-hosted, extensible SSO solution with enterprise-grade features and automation capabilities.

19.7k stars · 1.4k forks

#3
Teleport

Secure access platform for servers, Kubernetes, databases, desktops, and web apps with SSO/MFA, short-lived certificates, and full session auditing.


Teleport is an identity and access platform that provides secure connectivity, authentication, authorization, and auditing for infrastructure. It replaces long-lived SSH keys, static tokens, and traditional bastions/VPN approaches with an identity-aware access proxy and short-lived certificates.

Key Features

  • Single sign-on for infrastructure via OIDC and SAML integrations
  • Multi-factor authentication and support for modern authenticators (including FIDO2/WebAuthn)
  • Short-lived, certificate-based access for SSH, Kubernetes, databases, and other resource types
  • Role-based access control with support for fine-grained policies and just-in-time elevation workflows
  • Session recording and audit trails across SSH, Kubernetes, database, RDP, and web application access
  • Secure tunneling to reach resources behind NATs and firewalls without exposing inbound ports
  • Web UI and CLI for resource discovery, access, and operational visibility

Use Cases

  • Centralize secure admin access to servers, clusters, and databases without distributing keys
  • Provide audited access to sensitive environments (production, regulated systems) with MFA and approvals
  • Enable secure remote access to internal web apps and desktops for support and operations teams

Limitations and Considerations

  • Full functionality spans multiple protocols and resource types, which can increase deployment and policy complexity in larger environments

Teleport is well-suited for teams that need a unified access layer across diverse infrastructure and want consistent identity-based controls. Its combination of SSO/MFA, short-lived credentials, and detailed auditing helps reduce risk while improving operational access workflows.

19.7k stars · 2k forks

#4
Pangolin

Open-source identity-based remote access platform combining WireGuard VPN and tunneled reverse proxy access with granular zero-trust controls.


Pangolin is an identity-based remote access platform built on WireGuard that securely routes traffic to private and public resources across multiple networks. It combines VPN-style connectivity with browser-based reverse proxy access to applications, using zero-trust access controls.

Key Features

  • WireGuard-based tunnels to connect remote networks (“sites”) without exposing ports or requiring public IPs
  • Browser-based access to web applications via identity- and context-aware tunneled reverse proxy
  • Client-based access to private resources (for example SSH, databases, RDP, and network ranges)
  • Granular zero-trust access controls so users only reach explicitly allowed resources
  • SSO and OIDC support, plus additional authentication options such as PIN and passwords
  • Centralized dashboard to manage applications across networks, with access logging and policy enforcement
  • Automatic TLS/SSL certificate handling for proxied apps

Use Cases

  • Provide secure access to internal tools (Grafana, Bitwarden, admin panels) across offices, cloud VPCs, and edge locations
  • Replace or complement traditional VPNs with per-application access and stronger identity enforcement
  • Publish self-hosted web apps safely without directly exposing the underlying network

Limitations and Considerations

  • Dual-licensed: Community Edition under AGPL-3, with separate enterprise/commercial licensing terms

Pangolin is well-suited for teams and homelabs that need identity-aware access to distributed networks and apps. It emphasizes minimizing network exposure while still enabling convenient browser and client access to protected resources.

18k stars · 532 forks

#5
OAuth2 Proxy

OAuth2 Proxy is a reverse proxy and middleware that protects web apps with OAuth2/OIDC login and forwards authenticated user identity to upstream services.


OAuth2 Proxy is a flexible reverse proxy and middleware component that adds OAuth2/OIDC authentication in front of web applications. It integrates with many identity providers and forwards verified identity information to your upstream services.

Key Features

  • Works as a standalone reverse proxy or as an authentication middleware in front of existing proxies/load balancers
  • Supports OAuth2 and OpenID Connect, including a generic OIDC provider and dedicated implementations for common providers
  • Validates users by email, domain, and (for supported providers) groups
  • Forwards authenticated identity details to upstream apps via HTTP headers (for example username and group information)
  • Can also serve static files when used as a standalone reverse proxy

Use Cases

  • Add single sign-on in front of internal tools without modifying the applications
  • Protect multiple services behind a central reverse proxy using a shared authentication layer
  • Gate access to dashboards and admin panels with provider-backed identity and group-based access

Limitations and Considerations

  • Requires correct reverse-proxy/header configuration to avoid trusting spoofed identity headers from untrusted networks
  • Provider feature support varies; group/role extraction depends on the chosen provider implementation

OAuth2 Proxy is commonly used to standardize authentication for self-hosted and internal web apps with minimal application changes. It is well-suited for environments that already rely on OAuth2/OIDC identity providers and need a lightweight authentication gateway.

13.6k stars · 2k forks

#6
Casdoor

Casdoor is an open-source, UI-first IAM/SSO platform supporting OAuth 2.0, OIDC, SAML, LDAP, SCIM, WebAuthn and MFA, with an admin web UI and SDKs.

Casdoor is an open-source, UI-first Identity and Access Management (IAM) and Single Sign-On (SSO) platform that provides a web-based admin console for managing users, organizations, and authentication flows. It is designed to integrate with applications via standard identity protocols and offers extensible user authentication options.

Key Features

  • Web UI for user, organization, application and permission management
  • SSO and federation support via OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0
  • Directory and provisioning integrations including LDAP and SCIM
  • Multiple authentication methods including WebAuthn and TOTP-based MFA
  • Built-in registration, email verification, and password recovery flows
  • Public REST API and SDKs to simplify application integration

Use Cases

  • Centralized login and SSO for internal apps and SaaS-style multi-tenant products
  • Adding MFA and modern authentication (OIDC/WebAuthn) to existing services
  • User lifecycle management and provisioning across connected systems

Casdoor fits teams that want an admin-friendly IAM/SSO solution with broad protocol support and a ready-to-use web console. It is especially useful when you need standards-based SSO plus flexible authentication methods in one deployable service.

12.9k stars · 1.5k forks

#7
Cloudflared

CLI tool to create Cloudflare Tunnels and route traffic through Cloudflare’s edge.


Cloudflared is the Cloudflare Tunnel client used to create and manage tunnels that expose local or private services to the Internet through Cloudflare's edge network.

It authenticates to your Cloudflare account and routes traffic from the Cloudflare network to your origin with TLS, providing an added layer of security and control.

Key Features

  • Easy-to-install agent with low performance overhead
  • Command-line configuration
  • Built-in DDoS protection
  • Load balancing across origin pools with Cloudflare Load Balancer
  • Encrypted tunnels with TLS (origin-side certificates)
  • Application and protocol-level error logging

Use Cases

  • Provide secure remote access to internal applications via Cloudflare Access (Zero Trust)
  • Quickly expose local development environments for previews using Quick Tunnels
  • Improve remote performance and reliability with Argo Smart Routing across the Cloudflare network

12.7k stars · 1.1k forks

#8
Firezone

Firezone is a zero-trust VPN replacement built on WireGuard, providing identity-aware access policies, peer-to-peer encrypted tunnels, and lightweight gateways.


Firezone is an open source zero-trust access platform designed to replace traditional VPNs with identity-aware, least-privilege connectivity. It uses WireGuard-based tunnels and a gateway/relay architecture to securely connect users to specific resources instead of whole networks.

Key Features

  • Granular, group-based access policies for applications, subnets, and networks
  • Peer-to-peer, end-to-end encrypted tunnels with NAT traversal (hole punching)
  • Lightweight gateway component deployable in your infrastructure
  • Optional relay (STUN/TURN) to facilitate connectivity when direct paths fail
  • SSO and identity provider integration, including OIDC-based authentication
  • Admin portal for managing users, resources, and policies
  • Audit/activity logging for visibility and compliance needs

Use Cases

  • Secure access to internal web apps, databases, and services without exposing networks
  • Remote workforce connectivity as an alternative to OpenVPN-style VPN deployments
  • Contractor or partner access with strict, least-privilege, policy-based controls

Limitations and Considerations

  • Production self-hosting is not officially supported and internal APIs may change rapidly
  • Officially distributed clients may not always be compatible with a custom self-hosted control plane build

Firezone fits teams that want a modern, identity-aware approach to private access with WireGuard performance characteristics and centralized policy management. It is especially useful when you need to reduce broad network access while keeping connectivity fast and manageable.

8.4k stars · 399 forks

#9
iodine

iodine is a DNS tunneling tool that forwards IPv4 traffic through DNS queries and replies, providing a TUN interface to route IP traffic when only DNS is allowed.


iodine is a tunnel application that transports IPv4 traffic through DNS, using a client and server to create a virtual network interface and route IP packets over DNS queries and replies. It is commonly used in constrained networks where direct internet access is blocked but DNS is still permitted.

Key Features

  • Client/server IP-over-DNS tunnel using a TUN/TAP virtual interface
  • Works across multiple platforms (Linux, BSDs, macOS, and Windows)
  • Supports multiple DNS record types for transport, with autodetection for best throughput
  • Automatic probing of fragment/packet sizes to optimize performance
  • Challenge-response login and basic peer filtering to reduce unauthorized injection
  • Can fall back to raw UDP tunneling when direct UDP to port 53 is possible

Use Cases

  • Remote connectivity from restricted networks that only allow DNS traffic
  • Creating a temporary backchannel for administration and troubleshooting
  • Running a second-layer VPN or SSH-over-tunnel for more secure transport

Limitations and Considerations

  • Carries IPv4 payload only; tunneled traffic is not encrypted by default
  • Throughput is constrained and often asymmetric, depending on DNS relays and policies
  • Client and server typically need matching versions due to protocol compatibility

iodine is a pragmatic tool for establishing connectivity over DNS when other protocols are blocked, offering portability and performance-focused DNS transport choices. For security-sensitive scenarios, it is best used as a transport for an encrypted layer such as VPN or SSH.

7.6k stars · 573 forks

#10
Tinyauth

Tinyauth is a lightweight auth middleware that adds a login screen, OAuth, or LDAP authentication in front of your apps via common reverse proxies.


Tinyauth is a simple authentication middleware that sits in front of your web applications and provides a login screen or single sign-on via external identity providers. It is designed to be lightweight and easy to configure, making it well-suited for homelabs and small-to-medium self-hosted setups.

Key Features

  • Adds an authentication layer in front of existing apps without modifying them
  • Supports a built-in login screen with username/password
  • OAuth / OIDC authentication with providers such as Google and GitHub (and others)
  • LDAP authentication against a centralized directory
  • Two-factor authentication support via TOTP
  • Designed to integrate with popular reverse proxies such as Traefik, Nginx, and Caddy
  • Ships as a single statically linked binary and is typically configured via environment variables

Use Cases

  • Protect internal dashboards and admin tools behind a single login page
  • Add SSO to self-hosted services that lack native authentication
  • Gate access to homelab services exposed through a reverse proxy

Limitations and Considerations

  • In active development; configuration and behavior may change between releases

Tinyauth provides a pragmatic way to add authentication in front of multiple services with minimal overhead. It is especially useful when you want a small, dependency-light component that works with common proxy-based deployments.

6.8k stars · 213 forks

#11
Cosmos Cloud

Cosmos Cloud is a security-focused self-hosting platform that provides an app store, reverse proxy with automatic HTTPS, SSO/MFA, container management, backups, and monitoring.


Cosmos Cloud is a self-hosting platform designed to run and secure home servers, NAS devices, and small business deployments. It combines an application gateway, app management, and built-in security controls to protect services that may not be hardened by default.

Key Features

  • App store for installing and managing self-hosted applications, plus support for importing Docker Compose stacks
  • Reverse proxy for routing to containers or external services, with automatic HTTPS certificate provisioning
  • Built-in authentication server with SSO (OpenID Connect) and multi-factor authentication
  • SmartShield protections including anti-bot and anti-DDoS features, plus security-focused access controls
  • Container management and updates, with security auditing for managed apps
  • Built-in VPN for secure remote access without exposing services directly to the internet
  • Backup system with incremental, encrypted backups and support for remote targets (using restic)
  • Monitoring with historical metrics, real-time status, and customizable alerts/notifications
  • User management and identity-provider style features (invites, account recovery workflows)

Use Cases

  • Securely publish multiple homelab services behind a single gateway with SSO and HTTPS
  • Provide a private “personal cloud” experience for families with centralized access and user accounts
  • Deploy and operate internal web apps for small organizations with tighter access controls

Limitations and Considerations

  • License is “available source” (Commons Clause), which may not meet some organizations’ open-source requirements

Cosmos Cloud is best suited for users who want an integrated control plane for apps, networking, and security rather than assembling separate components. It aims to simplify deployment while adding protective layers for commonly self-hosted services.

5.5k stars · 198 forks

#12
Pomerium

Pomerium is an identity-aware access proxy that provides zero trust, per-request authorization to internal web apps and services without a traditional VPN.


Pomerium is an identity- and context-aware access proxy that sits in front of applications to enforce Zero Trust access. It enables clientless access to internal web apps and services, applying policy to every request rather than relying on network perimeter trust.

Key Features

  • Identity-aware access proxy for internal web apps and services
  • Per-request authorization with continuous policy enforcement (not just session-based)
  • Context-aware policies using signals like identity, time, and device context
  • Works across cloud, hybrid, and on-prem environments without re-architecting apps
  • Supports multiple identity types, including humans and non-human/service identities
  • Audit-focused logging of access decisions to support compliance and investigations

Use Cases

  • Replace or reduce reliance on traditional VPN access for internal applications
  • Secure legacy apps that lack built-in authentication/authorization
  • Enforce consistent, centralized access policy across mixed environments

Limitations and Considerations

  • Requires integration with an identity provider and careful policy design to avoid overly broad access
  • Introducing a proxy layer may require planning for routing, certificates, and high availability in production

Pomerium is well-suited for teams that want identity-first, policy-based access controls for internal services. It provides a consistent way to secure applications and improve auditability while avoiding blanket network access typical of VPN-based approaches.

4.6k stars · 321 forks

#13
OpenZiti

OpenZiti is an open-source zero trust networking platform that builds an identity-based overlay mesh with SDKs, tunnelers, and policy-based access controls.


OpenZiti is an open-source, programmable zero trust networking platform for connecting applications using an identity-based overlay network instead of IP-based trust. It provides a fabric (mesh), edge components, and SDKs/tunnelers to securely connect users, devices, and services with policy-driven access.

Key Features

  • Identity-based connectivity with certificate-backed identities and policy-based authorization
  • Application segmentation and “deny by default” access controls for services
  • Overlay mesh fabric with smart routing and pluggable capabilities
  • “Dark” services and routers that can operate without inbound listening ports by using outbound connections into the fabric
  • End-to-end encryption options, including application-embedded connectivity via SDKs
  • REST management APIs and a web-based admin console for managing the network
  • Support for integrating existing apps through tunnelers and proxies when embedding SDKs is not feasible

Use Cases

  • Zero trust access to internal applications across hybrid and multi-cloud environments
  • Secure machine-to-machine or service-to-service communications without exposing ports
  • Replacing or reducing traditional VPN access with per-application access policies

Limitations and Considerations

  • Some advanced capabilities (for example, true process-to-process protection) are best achieved when applications embed the OpenZiti SDKs rather than relying only on tunnelers
  • Designing policies, identity lifecycle, and PKI can add operational complexity compared to simple IP allowlists

OpenZiti is well-suited for teams that want a flexible, open-source foundation for zero trust application access. It combines a scalable overlay fabric with strong identity controls and multiple integration options, ranging from SDK embedding to tunneling and proxying.

3.8k stars · 232 forks

#14
Defguard

Enterprise-grade zero-trust access management platform providing WireGuard VPN with true protocol-level 2FA/MFA, plus integrated OpenID Connect SSO and user/device controls.


Defguard is an enterprise-grade zero-trust access management platform centered on WireGuard VPN with multi-factor authentication enforced at the VPN protocol level. It also provides integrated identity and SSO capabilities, designed for auditable, private deployments without relying on third-party cloud services.

Key Features

  • WireGuard VPN with true connection-level 2FA/MFA (TOTP/email tokens, pre-shared keys) rather than web-only MFA
  • Built-in OpenID Connect identity provider for SSO, plus support for external OIDC providers
  • LDAP/Active Directory integration with synchronization for users and groups
  • User, device, and group management with policy controls (RBAC-style administration)
  • Remote user enrollment and onboarding flows, including client configuration distribution
  • Forward-auth support for protecting applications behind reverse proxies
  • Audit-focused operations with logs and visibility into connected users/devices

Use Cases

  • Secure remote workforce access to private networks using WireGuard with enforced MFA
  • Replace or complement an existing IdP by acting as an OIDC provider for internal apps
  • Centralize user/device onboarding and access policies for multi-site VPN deployments

Defguard fits organizations that need a modern WireGuard-based VPN with strong identity and access controls, while keeping authentication and configuration fully under their own infrastructure.

2.5k stars · 83 forks

#15
ShellHub

Centralized SSH gateway to remotely manage Linux servers, containers and IoT devices via web or native SSH; offers key auth, firewall rules, audit logging and session recording.


ShellHub is a centralized SSH gateway that lets teams remotely access and manage Linux servers, containers and embedded devices using a web UI, mobile app or standard SSH clients. It aggregates devices behind a single gateway and provides centralized access controls, logging and session playback.

Key Features

  • Native SSH access (supports OpenSSH/standard SSH clients) for web and terminal connections.
  • Web-based terminal and mobile access with session recording and built-in replay player.
  • Public-key authentication and configurable SSH firewall rules for granular access control.
  • SCP/SFTP support and container (Docker) access integration for remote container management.
  • Microservices deployment using Docker Compose; production guidance includes HTTPS/NGINX and persistent MongoDB volumes.


Use Cases

  • Centralized remote administration of distributed Linux servers and IoT/embedded fleets.
  • Secure remote troubleshooting and maintenance of Docker containers and edge devices.
  • Compliance and auditing through recorded SSH sessions and audit logs for forensic review.


Limitations and Considerations

  • Certain advanced features (enterprise/cloud capabilities) vary by edition: HTTP/Web Endpoints, SAML improvements and some session-recording backend behaviors are highlighted as Enterprise/Cloud features in the project releases. Storing large session recordings at scale can require S3-compatible storage (e.g., MinIO). (github.com)

  • The recommended self-hosted deployment expects Docker Engine / Docker Compose and a MongoDB service; production setups require additional configuration for volumes, HTTPS termination and proxy protocol handling. (docs.shellhub.io)

ShellHub provides a focused, open-source platform to centralize SSH access for cloud, edge and IoT environments. It is available as a Community (open-source) edition plus paid Cloud and Enterprise editions that add managed and enterprise features.

1.9k stars · 169 forks

#16
Wiredoor

Self-hosted ingress platform that exposes internal HTTP/TCP services to the internet through reverse WireGuard tunnels, with NGINX routing and automatic TLS certificates.


Wiredoor is a self-hosted ingress-as-a-service platform for securely exposing applications and services running in private networks to the public internet. It creates reverse VPN tunnels using WireGuard and routes inbound traffic through a built-in NGINX reverse proxy.

Key Features

  • Reverse VPN tunneling powered by WireGuard for connecting private nodes to a public entrypoint
  • Built-in NGINX reverse proxy to publish HTTP services and route traffic by domain
  • Expose both HTTP and TCP services, including support for WebSocket connections
  • Automatic TLS certificates via Let’s Encrypt, with self-signed fallback for internal/local domains
  • Web UI to manage nodes, domains, and exposed services
  • CLI-driven setup for registering nodes and creating/revoking exposures
  • Optional OAuth2-based authentication per domain/service via an OAuth2 proxy
  • Designed to work across environments (Kubernetes, Docker/Compose, VMs, legacy servers, and IoT)

Use Cases

  • Publish internal dashboards (for example monitoring tools) without opening inbound firewall ports
  • Provide temporary external access to a private service for support, maintenance, or demos
  • Expose services running inside Kubernetes clusters, Docker hosts, or on-prem networks through a single public gateway

Wiredoor fits teams and homelabs that want cloud-like ingress control while keeping networking and access fully under their own infrastructure. It provides a consistent way to connect private nodes, map domains, and expose services securely with minimal operational overhead.

1.5k stars · 74 forks

#17
NetGoat

NetGoat is a self-hostable reverse proxy and traffic management platform offering Cloudflare-like features such as TLS termination, rate limiting, WAF-style filtering, and dashboards.


NetGoat is a self-hostable reverse proxy engine and traffic manager designed to provide Cloudflare-like controls for routing, security, and performance. It aims to help homelabs and teams manage inbound web traffic with an integrated UI and rule-based behavior.

Key Features

  • Reverse proxy for HTTP traffic, including WebSocket support
  • TLS termination with automated certificate handling
  • WAF-style request filtering and anti-abuse protections
  • Rate limiting and request queuing to protect APIs and apps
  • Load balancing and failover for multi-node routing
  • Per-domain configuration with wildcard/regex support
  • Dynamic rules engine for custom routing and filtering logic
  • Metrics dashboard for traffic and error visibility
  • Optional integration targeting Cloudflare workflows (such as tunnels)

Use Cases

  • Fronting multiple self-hosted services with a single security and routing layer
  • Adding rate limiting and basic WAF protections to APIs and web apps
  • Managing multi-service homelab ingress with per-domain policies and monitoring

Limitations and Considerations

  • Project is explicitly work-in-progress; features and stability may change significantly
  • Some advertised capabilities may be incomplete depending on the current release state

NetGoat is best suited for users who want a centralized, UI-driven reverse proxy with security-focused controls and extensibility. As it matures, it can serve as a flexible edge layer for both homelab and small-team deployments.

668 stars · 29 forks

#18
Jauth

Single-binary TLS reverse proxy for self-hosted apps that provides SSH- and Telegram-based authorization, simple SSO, Let's Encrypt support and whitelist access control.

Jauth is a compact SSL/TLS reverse proxy written in Go that protects self-hosted applications by requiring authorization before proxying traffic. It provides SSH- and Telegram-based login methods, optional single sign-on behavior, and can obtain certificates automatically or use self-signed/manual certificates.

Key Features

  • Single static binary with minimal dependencies, designed for simple self-hosting
  • TLS support via autogenerated self-signed certificates, manual certificates, or ACME/Let's Encrypt
  • Authorization via an integrated SSH server (authorized_keys) and Telegram login widget validation
  • Optional lightweight SSO: authenticated username is forwarded to backend via Remote-User header
  • Per-domain configuration, domain-specific whitelists and optional per-domain Telegram users
  • Whitelist-based access control and a NoAuth mode to act as a plain TLS proxy
  • Stores authenticated sessions/tokens on disk for session persistence between restarts
  • Defaults that let it run with minimal configuration while supporting custom TOML config

Use Cases

  • Protect web interfaces and internal dashboards for self-hosted apps without adding app-level auth
  • Provide a simple SSO/pass-through header for multiple services behind the same gateway
  • Allow SSH key or Telegram-based access for teams that prefer key-based authentication or tokenless login flows

Limitations and Considerations

  • Telegram-based login requires registering a bot and binding it to a domain (one bot per domain); Jauth verifies the login widget's signed payload locally (an HMAC keyed by the bot token) rather than calling the Telegram Bot API
  • ACME certificate issuance is per-domain and may be delayed; logs may not always show issuance progress
  • SSO is minimal: only the authenticated username is forwarded in a Remote-User header; it is not a full identity provider or an OIDC/SAML implementation. Backends must accept that header only from Jauth, so they must not be reachable by clients directly, or a client could set Remote-User itself
  • Session tokens are stored in a local file; if running with dropped privileges or restricted filesystem access, token persistence or state saving may be affected

Jauth is focused on minimalism and pragmatic access control for self-hosted services. It is suitable when a lightweight, single-binary TLS proxy with SSH/Telegram authorization and simple SSO semantics is preferred over a full identity platform.

167 stars
9 forks
#19
nforwardauth

A minimal, Rust-based forward authentication middleware for reverse proxies (Traefik, Caddy, nginx) using a passwd file and signed auth tokens.

nforwardauth is a lightweight forward authentication service written in Rust that provides a single auth middleware for reverse proxies. It validates requests, issues signed auth tokens (cookies), and redirects unauthenticated users to a simple login page.

Key Features

  • Forward-auth middleware compatible with common reverse proxies such as Traefik, Caddy, and nginx
  • Uses a passwd file of usernames and hashed passwords (sha-512) for credential storage
  • Issues signed authentication tokens/cookies using a configurable TOKEN_SECRET
  • Optional downstream header (X-Forwarded-User) to pass authenticated identity
  • Configurable cookie name, domain, secure flag, port, and pass-through behavior
  • Built-in, configurable rate limiter to mitigate brute-force login attempts
  • Distributed as a Docker image and usable with docker-compose; simple static login UI

Use Cases

  • Protect multiple self-hosted web apps behind a single authentication wall
  • Integrate a simple auth layer into Traefik/Caddy/nginx setups for homelabs and small deployments
  • Provide password-based access control where a full identity provider is unnecessary

Limitations and Considerations

  • Authentication is limited to username/password entries in a local passwd file; no built-in OIDC/SAML/OAuth providers
  • CSRF protection is listed as a roadmap item and is not yet built in
  • The X-Forwarded-User header is only trustworthy when the backend is reachable solely through the proxy; a client that can reach the backend directly could supply that header itself
  • Not intended as a full SSO or enterprise identity solution; focuses on minimalism and simplicity

nforwardauth is designed for minimal operational overhead and fast response times. It is well suited to homelab and small deployments that need a simple, centralized forward-auth layer without external identity provider integrations.
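The forward-auth pattern described above (and the Remote-User pass-through that Jauth uses for its SSO) comes down to three operations: check a password against a hashed passwd entry, mint and verify an HMAC-signed session token, and answer the proxy's auth subrequest with either an identity header or a redirect to the login page. The Python example below is added here and is not nforwardauth's (or Jauth's) own code. It assumes a hypothetical passwd line format using PBKDF2-SHA512 in place of whichever exact sha-512 format the project uses, a cookie named nforwardauth, a LOGIN_URL, and a constructed TOKEN_SECRET and user entry; the proxy-facing headers (X-Forwarded-Proto/Host/Uri, X-Forwarded-User) follow the names the page lists.

```python
import base64, binascii, hashlib, hmac, os, time
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Added example, not nforwardauth's code. Hypothetical assumptions: TOKEN_SECRET is the
# proxy-side signing key, the session cookie is named "nforwardauth", the login page is
# LOGIN_URL, and passwd lines are "user:iters$salt_b64$hash_b64" with PBKDF2-SHA512,
# standing in for whichever exact sha-512 format the project's passwd file uses.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 3600
COOKIE_NAME = "nforwardauth"
LOGIN_URL = "https://auth.example.test/login"
PBKDF2_ITERS = 100_000

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def passwd_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build one passwd line; the salt is random unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERS)
    return f"{user}:{PBKDF2_ITERS}${_b64(salt)}${_b64(digest)}"

def load_passwd(text: str) -> Dict[str, str]:
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, spec = line.strip().partition(":")
            users[user] = spec
    return users

def verify_password(users: Dict[str, str], user: str, password: str) -> bool:
    spec = users.get(user)
    if spec is None:  # burn a hash so unknown users cost as much as wrong passwords
        hashlib.pbkdf2_hmac("sha512", password.encode(), b"\0" * 16, PBKDF2_ITERS)
        return False
    iters, salt_b64, hash_b64 = spec.split("$")
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), _unb64(salt_b64), int(iters))
    return hmac.compare_digest(digest, _unb64(hash_b64))

def _sign(payload: bytes) -> str:
    return _b64(hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest())

def issue_token(user: str, now: Optional[float] = None) -> str:
    """Token = base64url("user|expiry") + "." + HMAC-SHA256 over that payload."""
    exp = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{user}|{exp}".encode()
    return f"{_b64(payload)}.{_sign(payload)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user named by a valid, unexpired token, else None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(sig, _sign(payload)):  # MAC first, before reading the payload
            return None
    except (ValueError, TypeError, binascii.Error):
        return None
    user, _, exp = payload.decode(errors="replace").rpartition("|")
    if not user or not exp.isdigit() or int(exp) < (time.time() if now is None else now):
        return None
    return user

def login(users: Dict[str, str], user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Set-Cookie value on success, None on failure (the caller should rate-limit this)."""
    if not verify_password(users, user, password):
        return None
    return f"{COOKIE_NAME}={issue_token(user, now)}; Path=/; HttpOnly; Secure; SameSite=Lax"

def _cookie(headers: Dict[str, str], name: str) -> str:
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""

def forward_auth(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Answer the proxy's auth subrequest; header names are lower-case.
    Any X-Forwarded-User the client sent is ignored on purpose: the identity the backend
    sees comes only from a token we verified (and the backend must be reachable only via the proxy)."""
    user = verify_token(_cookie(headers, COOKIE_NAME), now)
    if user is None:
        back = f"{headers.get('x-forwarded-proto', 'https')}://{headers.get('x-forwarded-host', '')}{headers.get('x-forwarded-uri', '/')}"
        return 302, {"Location": f"{LOGIN_URL}?r={quote(back, safe='')}"}
    return 200, {"X-Forwarded-User": user}

# Constructed demo passwd file; the hash is computed at import time.
USERS = load_passwd("# user:iters$salt$hash\n" + passwd_entry("alice", "correct horse battery staple"))
```

Two details carry the security weight: the MAC is checked with a constant-time comparison before anything in the payload is parsed, and forward_auth never copies an inbound X-Forwarded-User through, so the only way for that header to reach a backend is via a token the secret signed. The cookie flags (HttpOnly, Secure, SameSite=Lax) limit theft and cross-site replay; they are not a substitute for the CSRF protection the page lists as still missing.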

152 stars
8 forks
#20
Engity's Bifröst

Advanced SSH server and bastion that authenticates via OpenID Connect or keys, runs sessions inside Docker containers or Kubernetes pods, and supports automatic user provisioning.

Engity's Bifröst screenshot

Bifröst is an advanced, SSH-protocol-compliant server designed as a modern bastion/jump host. It supports traditional public-key SSH authentication and OpenID Connect/OAuth2 identity providers, and can execute user sessions directly inside Docker containers or Kubernetes pods for isolated, ephemeral environments.

Key Features

  • Full SSH protocol compatibility while supporting OpenID Connect/OAuth2 authentication alongside SSH keys
  • Execute user sessions inside per-user Docker containers or directly inside Kubernetes pods
  • Automatic user provisioning and cleanup based on configurable templates and idle timeouts
  • "Remember me" behavior to temporarily cache provided public keys for faster reconnects during an active session
  • Configurable execution environments with custom images, networks, and resource constraints
  • Designed to replace OpenSSH as a bastion while integrating SSO identity providers for centralized access control

Use Cases

  • Provide SSO-backed SSH access for developers, operators, or contractors without additional client tooling
  • Offer ephemeral, isolated shells for diagnostics or support by launching users into containerized environments
  • Grant direct access to a Kubernetes cluster by entering dedicated pods without port-forwarding or kubectl proxies

Limitations and Considerations

  • Project is under active development; the configuration model and CLI/API structure are still evolving and may change
  • Not all enterprise features (advanced RBAC, extensive audit integrations) may be production-ready depending on deployment needs

Bifröst is suitable for teams that need SSO-integrated SSH access and ephemeral container/pod sessions. It combines SSH compatibility with modern identity and container orchestration workflows for streamlined, centrally-managed access.

73 stars
1 fork

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running