Bowser is a modern, simple, and grokable SSH daemon built to act as a bastion and SSH certificate authority. Bastion provides users with a unobtrusive yet highly secure flow to SSH. Bowser was built at Discord.


  • Three-Factor authentication using SSH keys, passwords, and TOTP
  • Automatic generation of signed SSH keys and certificates for access to proxied servers
  • Extensive logging to multiple outlets
  • Simple, auditable codebase


Example Config

  "bind": "",
  "discord_webhooks": [""]

Example Accounts

    "username": "andrei",
    "password": "$2a$15$QWu4umMh.ZRd5RtrMNkY4e0N197Uha8poioQsEn5spjz5brU8FIRK",
    "ssh-keys": [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCooBb+XKzBkDbr2qc1NM5iTRoaKXtjZPS0l9eOD+szEowHX5P+Ab4uvWcs6KUPcbITBZK60AN3Pi6mt5sTUQuqkFOGJolh6sDXpiBis7bkxQoDe11oOeHfBBHE5YfUaa7naLopN0cSXTkusY/ReNQDvIjQVjfmwoGA2pW96wV1oqnPDHz8HRUcHjfTdjovWY8xMRO0ZsHuavOdk8O+FYaD8BIO3i0bIa/tFe56Eme2FuCN77PgsHVA0HTzMAUGNpZU0zYsk8B5pjpQQyScSpE2ZfF2JqxcTl4KrnxWA3XtDtD3+lPR7ryWy+qDgrf9UxkuP7FEdIE6yD4lZdu0UdcD [email protected]"
    "mfa": {
      "totp": "AAAAAAAAAAAAAAAA"

Example SSH Config

Host bastion
  Port 22
  ControlMaster auto
  ControlPath /tmp/ssh-control-%[email protected]%h:%p
  ControlPersist 30m

Host credit-card-database1
  ProxyCommand ssh -W %h:%p bastion


OpenSSH fails with "no private key for certificate"

This is caused by this OpenSSH bug. Upgrade your version of OpenSSH to resolve.


a smart, friendly, secure, and auditable ssh daemon

Bowser Info

⭐ Stars 31
🔗 Source Code
🕒 Last Update a year ago
🕒 Created 5 years ago
🐞 Open Issues 1
➗ Star-Issue Ratio 31
😎 Author b1naryth1ef