Engity's Bifröst

Bifröst is an advanced, SSH-protocol-compliant server designed as a modern bastion/jump host. It supports traditional public-key SSH authentication and OpenID Connect/OAuth2 identity providers, and can execute user sessions directly inside Docker containers or Kubernetes pods for isolated, ephemeral environments.

Key Features

• Full SSH protocol compatibility while supporting OpenID Connect/OAuth2 authentication alongside SSH keys
• Execute user sessions inside per-user Docker containers or directly inside Kubernetes pods
• Automatic user provisioning and cleanup based on configurable templates and idle timeouts
• "Remember me" behavior to temporarily cache provided public keys for faster reconnects during an active session
• Configurable execution environments with custom images, networks, and resource constraints
• Designed to replace OpenSSH as a bastion while integrating SSO identity providers for centralized access control

Use Cases

• Provide SSO-backed SSH access for developers, operators, or contractors without additional client tooling
• Offer ephemeral, isolated shells for diagnostics or support by launching users into containerized environments
• Grant direct access to a Kubernetes cluster by entering dedicated pods without port-forwarding or kubectl proxies

Limitations and Considerations

• Project is under active development; configuration model and CLI/API structure are reported as evolving and may change
• Not all enterprise features (advanced RBAC, extensive audit integrations) may be production-ready depending on deployment needs

Bifröst is suitable for teams that need SSO-integrated SSH access and ephemeral container/pod sessions. It combines SSH compatibility with modern identity and container orchestration workflows for streamlined, centrally-managed access.