Zero-trust SSH/SFTP gateway that hands out disposable credentials, watches every session live, and puts you in control from your browser, desktop, or Telegram.
GhostGate sits in front of your servers as a secure bastion. Instead of sharing real logins, it mints temporary, single-session credentials on a random port, proxies the connection, and shreds access the moment the session ends. You see everything as it happens — and you can cut anyone off with one tap.
✨ Features
🔐 Ephemeral access, by design
- One-click secure tunnels to any SSH/SFTP server with auto-generated temporary username, password & port — your real credentials are never exposed.
- Session durations from 1 minute to 8 hours — or ♾ Forever sessions that never expire and survive app/server restarts until you kill them.
- Extend on the fly (+30m) and Max concurrent sessions limits per server.
- Vault-encrypted credential storage with Stored / Ask / Master-Passphrase modes — passwords can be kept, prompted per-use, or never stored at all.
🛡️ Command filtering & approvals
- Per-session policy: Off · Whitelist · Restrict (block-list + approval-list) with ready-made presets (Read-Only, Standard Ops, Full Admin, Destructive, Firewall…).
- Telegram approval for flagged commands — dangerous actions wait for your tap before they run.
📡 Live monitoring
- Real-time upload/download traffic, per-connection stats, client IP + geo/country, last command, and live uptime counters.
- Kick a connection or ban an IP instantly.
- Per-operator scoped IP bans (block only your account) and global admin bans — each with their own managed list.
🤖 Telegram control
- Live session bar in Telegram, login alerts, and an approval flow for creating/killing sessions and deleting servers — approve or deny from your phone.
🌐 Access anywhere
- Web dashboard, native Windows desktop app, and a full REST API (v1) with API keys.
- One-click HTTPS — enable TLS on a custom port and GhostGate auto-generates the certificate and starts the secure listener instantly, no restart.
- Trust this browser — skip password + 2FA on devices you own for 1 hour → Forever, with revocable, hash-stored device tokens.
👥 Org-ready
- Admin / Operator roles, team management, 2FA (TOTP), login rate-limiting, IP whitelisting, and a full audit log.
- Server cards with groups, drag-to-reorder, and instant search; saved SSH keys (.pem import); in-browser terminal; scheduled sessions; and traffic usage tracking.

