Hi there, welcome to BastionZero's SSH Quick Start Guide!

This tutorial will guide you through how to secure your resources using Zero Trust Access by leveraging our Multi Root ZeroTrust Protocol (MrZAP) and without the need for using Secure Shell (SSH).

Some prerequisites before we get started

  • Be running MacOS, Linux, or Windows Linux operating system

  • Have an SSH config file with at least one host in the following format:
    host your_host_name
       HostName your.ip.address
       User your_username
       IdentityFile path/to/your/.ssh/.pem/file
       Port specify_port_number_if_desired
  • Have Homebrew installed

Using Quick Start from the command line interface

For the fastest way to setup BastionZero, we recommend using the SSH Quick Start script from our zero-trust command line interface (ZLI).

  1. In a terminal window, install the ZLI. Do this using `brew install bastionzero/tap/zli`
    brew install bastionzero/tap/zli
  2. Next type `zli quickstart`
    zli quickstart

    This will launch the Quick Start script, which takes you through a 4-step process to secure your target host(s) with BastionZero. This will take less than 10 minutes

Rather do it yourself? No problem

If you prefer to complete the process manually, here's what you'll need to do:

  1. In a terminal window, make sure you have our ZLI installed. You can directly download the latest build from our GitHub here, or you can do this using `brew install bastionzero/tap/zli`
    brew install bastionzero/tap/zli
  2. Login to BastionZero using `zli login`
    zli login

    This will open a browser window and prompt you to log in using your identity provider (currently scoped to Microsoft or Google). Don't worry if you don't have a BastionZero account; it will automatically be created for you.

  3. To produce the bash script that will secure your host(s), run `zli generate-bash`
    zli generate-bash

    Note that this script must be executed from the host(s) you're planning to secure.

    • Pro tip #1: To save this script to a file for convenience, run this command as `zli generate-bash -o script.sh`
      zli generate-bash -o script.sh

      This file will be saved to your current working directory.

    • Pro tip #2: For those on a Mac, to copy the script into your system's clipboard, you can run this command as `zli generate-bash --silent | pbcopy`
      zli generate-bash --silent | pbcopy
  4. Run the above bash script on your machine to connect with BastionZero. Make this the last time you use ssh by running `ssh user@host 'bash -s' < script.sh`
    ssh user@host 'bash -s' < script.sh
  5. Add your intended user (the identity you will connect with) to your policy; i.e., for the unix user foo-user, run `zli targetUser --add "Default Admin Policy" foo-user`

    zli targetUser --add "Default Admin Policy" foo-user
  6. Congratulations! Your hosts are now secured with BastionZero. To connect to your newly secured target, use `zli connect <target-user>@<target-name>`. To list your available targets, try `zli lt` 
    zli connect <user>@<target-name>
    zli lt



  1. Is it safe to let BastionZero utilize my SSH config and .pem files?
    • Yes. Neither the information in your config file nor your SSH keys are stored by BastionZero. The Quick Start script uses your configuration so that SSH can log into your chosen host(s) and install the BastionZero agent.
  2. Does BastionZero have any visibility into my login credentials?
    • No. When you authenticate yourself to your identity provider, you are interacting directly with the IdP.
  3. How does MrZAP work?
    • That's a great question! To read our whitepaper covering the protocol, see our GitHub
  4. What does BastionZero do with my data?
    • BastionZero does not share or sell your information to any third party. We may contact you in the future to share updates on the product or seek your feedback. For more information, please see our privacy policy and terms of service.