A cross-platform CLI for creating, managing, and revoking time-limited SSH access to Linux servers with Zero Trust and Just-in-Time (JIT) security principles.
tunnelR ensures users get the minimum required access for the shortest necessary time through:
- Zero Trust Architecture: Every access request is authenticated and authorized
- Just-in-Time Access: Temporary SSH access that automatically expires
- Centralized Management: Role-based access control through a backend API
- Audit Trail: Complete logging of all SSH access events
The project consists of two main components:
- CLI
  - Connect: Initiate connections to backend servers
  - Login: Authenticate with the backend API
  - Configuration Management: Store server and authentication settings
- Backend API
  - User Management: Register and authenticate users
  - Role-Based Access: Admin, Operator, and Read-only roles
  - JWT Authentication: Secure token-based authentication
  - PostgreSQL Storage: Persistent user and access data
- Go 1.24+
- PostgreSQL 15+
- Task (optional, for development)
- Clone the repository
  git clone https://github.com/codaxa/tunnelR.git
  cd tunnelR
- Set up environment variables
  cp .env.example .env
  # Edit .env with your configuration
- Build both applications
  task build
  # Or manually:
  # go build -o bin/tunnelr-cli ./cmd/cli/main.go
  # go build -o bin/tunnelr-api ./cmd/api/main.go
- Create and migrate database
  task setup
- Or manually
  task db-create
  task migrate-init
  task migrate-up
# Development with hot reload
task dev-air
# Or run directly
task run-api
# API runs on http://localhost:8080
- Connect to a backend server
  ./bin/tunnelr-cli connect --user alice --server localhost:8080
- Login and get authentication token
  ./bin/tunnelr-cli login --user alice --password secret123
- Get help
  ./bin/tunnelr-cli --help
  ./bin/tunnelr-cli connect --help
- GET /healthz - Health check
- GET /version - API version
- POST /api/login - User authentication
- POST /api/register - Register new users
Create a .env file with:
PORT=8080
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=your_password
DB_NAME=tunnelr
JWT_SECRET=your_jwt_secret_key
The CLI stores configuration in ~/.tunnelr/config.json:
{
  "server": "localhost:8080",
  "token": "your_jwt_token"
}
- Admin: Full access to user management and system configuration
- Operator: Can request and manage SSH access
- Read-only: View-only access to audit logs and status
task --list
Key development tasks:
- task dev-air - Start API with hot reload
- task run-cli - Run CLI application
- task test - Run all tests
- task lint - Run linter
- task check - Run all checks (test, lint, vet, format)
# Fresh database setup
task setup-fresh
# Create new migration
task migrate-new
# Check migration status
task migrate-status
# Apply migrations
task migrate-up
.
├── cmd/
│ ├── api/ # Backend API server
│ └── cli/ # CLI application
├── configs/ # Configuration management
├── internal/
│ ├── api/ # Backend business logic
│ │ ├── app/ # Application services
│ │ ├── core/ # Domain models and interfaces
│ │ ├── infrastructure/ # Database and external services
│ │ └── presentation/ # HTTP handlers and middleware
│ └── cli/ # CLI infrastructure
├── pkg/ # Public packages
└── scripts/ # Utility scripts
- JWT Authentication: Secure token-based authentication
- Password Hashing: bcrypt for secure password storage
- Role-Based Access Control: Granular permissions system
- Database Constraints: SQL-level data validation
- Environment Encryption: GPG-encrypted environment files
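One way to audit the CLI config file described above (~/.tunnelr/config.json), as an added Go example that is not part of the tunnelR code base: it flags group/other permission bits on the file and a stored token that is malformed or expired. It assumes the token is a three-part JWT with a numeric exp claim; auditConfig and the sample file in main are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// auditConfig checks a config file with "server" and "token" fields for
// group/other permission bits (Unix only) and for a token that is malformed
// or expired at now. Assumption: the token is a JWT with a numeric "exp".
func auditConfig(path string, now time.Time) ([]string, error) {
	var findings []string
	var cfg struct{ Server, Token string } // encoding/json matches keys case-insensitively
	info, err := os.Stat(path)
	raw, rerr := os.ReadFile(path)
	if err != nil || rerr != nil || json.Unmarshal(raw, &cfg) != nil {
		return nil, fmt.Errorf("cannot read config %s", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		findings = append(findings, fmt.Sprintf("mode %04o exposes the token to other users", perm))
	}
	var claims struct{ Exp int64 }
	parts := strings.Split(cfg.Token, ".")
	if len(parts) != 3 {
		return append(findings, "token is not a three-part JWT"), nil
	}
	// The payload is decoded only to read exp; the signature is not verified here.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil || claims.Exp == 0 {
		return append(findings, "token has no readable exp claim"), nil
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		findings = append(findings, "token expired")
	}
	return findings, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "tunnelr-config-sample.json") // constructed sample
	tok := "e30." + base64.RawURLEncoding.EncodeToString([]byte(`{"exp":1000}`)) + ".sig"
	os.WriteFile(path, []byte(`{"server":"localhost:8080","token":"`+tok+`"}`), 0o600)
	os.Chmod(path, 0o644) // deliberately loose mode so the audit reports it
	fmt.Println(auditConfig(path, time.Now()))
}
```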
- Fork the repository
- Create a feature branch
- Make your changes
- Run tests:
  task check
- Submit a pull request
[Add your license here]
- SSH key management
- Time-limited access controls
- Audit logging and reporting
- Multi-server support
- Web dashboard
- Integration with cloud providers
For issues and questions:
- Create an issue on GitHub
- Check the documentation
- Review the CLI help:
tunnelr --help