Velocity SSH migration

Move administrative SSH onto Velocity while keeping audit trails intact.

Last updated October 8, 2025

Bring SSH along for the ride

Velocity can transport SSH sessions with lower handshake overhead and richer auditing. Follow this migration path to avoid surprises.

Components in play

  • vshd: terminates Velocity connections and forwards them to OpenSSH.
  • vsh-proxy: a drop-in ProxyCommand helper for legacy clients and automation.
  • Velocity edge runtime: optional control plane enforcing policy and collecting observability data.

Migration steps

  1. Deploy vshd alongside your existing bastion and front it with Velocity.
  2. Configure OpenSSH for certificate authentication so identities flow end-to-end.
  3. Distribute an SSH config snippet pointing at vsh-proxy, or ship a wrapper script for automated jobs.
  4. Mirror Velocity logs (including connection_id and session_reason) into your SIEM for audit correlation.

Policy patterns

  • Require mutual TLS for administrator access; treat client certificates as part of the MFA chain.
  • Enforce per-command authorisation via PAM or your policy engine.
  • Tag sessions with metadata (environment, workload, change ticket) to streamline compliance reporting.
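
A pre-ingest check for migration step 4 and the session-tagging pattern above, as an added example that is not part of Velocity or of the original page. It flags records that would break audit correlation or compliance reporting once they reach the SIEM. Assumptions: logs are exported as JSON lines, and every key other than connection_id and session_reason (ts, user, tags and the tag names) is hypothetical; the sample records are constructed.

```python
import json

# Only connection_id and session_reason are field names from the page.
# The tag keys below are assumed spellings of the metadata it lists.
REQUIRED_TAGS = ("environment", "workload", "change_ticket")

# Constructed sample export, one session record per line.
SAMPLE_LOG = """\
{"ts": "2025-10-08T09:14:02Z", "connection_id": "c-1001", "user": "alice", "session_reason": "deploy hotfix", "tags": {"environment": "prod", "workload": "api", "change_ticket": "CHG-0001"}}
{"ts": "2025-10-08T09:20:45Z", "connection_id": "c-1002", "user": "bob", "session_reason": "", "tags": {"environment": "prod", "workload": "db"}}
{"ts": "2025-10-08T09:31:10Z", "user": "carol", "session_reason": "log review", "tags": {"environment": "staging", "workload": "api", "change_ticket": "CHG-0002"}}
{"ts": "2025-10-08T09:40:00Z", "connection_id": "c-1003", "user": "dave", "session_reason": "debug", "tags": {"environment": "dev", "workload": "api", "change_ticket": "CHG-0003"}}
not-json line from a truncated write
"""


def audit_gaps(lines):
    """Return (line_no, connection_id, problem) tuples for records that
    cannot be correlated or reported on after ingestion."""
    findings = []
    for no, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            if not isinstance(rec, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            findings.append((no, None, "unparseable record"))
            continue
        cid = rec.get("connection_id") or None
        if cid is None:
            # Without the ID the record cannot be joined to other sources.
            findings.append((no, None, "missing connection_id"))
        if not str(rec.get("session_reason") or "").strip():
            findings.append((no, cid, "missing session_reason"))
        tags = rec.get("tags") if isinstance(rec.get("tags"), dict) else {}
        missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
        if missing:
            findings.append((no, cid, "missing tags: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit_gaps(SAMPLE_LOG.splitlines()):
        print(finding)
```
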

Rollback mindset

Keep the classical SSH endpoint online until every client confirms Velocity support. If anything misbehaves, shift DNS or load-balancer weights back while you investigate.