ConduitCE
Open source · Self-hosted · Single binary

Secure remote access to every machine

No SSH keys. No VPNs. No inbound ports. Conduit gives you instant shell access, file management, and fleet visibility through a single self-hosted binary with post-quantum cryptography.

Open DashboardView Source

Everything you need to manage remote machines

One binary. One dashboard. Zero external dependencies.

Zero-Trust Shell

Passkey-authenticated terminal sessions over QUIC with full PTY support. Agents connect outbound — no inbound ports, no SSH, no VPN.

File Management

Browse directories, upload, download, rename, and delete files on any connected machine through an intuitive browser interface.

Real-Time Dashboard

Live agent status, CPU/memory metrics, connection health, and session monitoring. WebSocket-powered EventBus — no polling.

Post-Quantum Cryptography

X25519MLKEM768 hybrid TLS key exchange. Ed25519 JWT signing. Argon2id password hashing. PQC-first — classical only when forced by external parties.

Single Binary Deploy

One Go binary serves the dashboard, API, agent connections, and embedded SQLite database. No Redis, no Postgres, no Docker required.

Audit Everything

Every login, shell session, file operation, and configuration change is logged with who, what, when, source IP, and outcome. Immutable append-only logs.

Passkey Authentication

WebAuthn/FIDO2 passkeys as the primary auth mechanism. Phishing-resistant, no passwords to manage. Recovery codes as backup.

Session Recording

Every shell session is recorded in asciicast v2 format. Full playback capability for compliance, auditing, and incident review.

Webhooks & Events

Subscribe to agent connect/disconnect, auth events, and shell sessions. HMAC-SHA256 signed payloads with configurable retry.

How it works

Three steps to secure remote access.

1

Deploy the server

Run a single binary on any machine. It auto-provisions TLS via Let's Encrypt and serves the dashboard, API, and agent listener.

2

Join your machines

Generate a join token and run 'conduit join' on each target. The agent installs as a system service, connects outbound, and stays connected.

3

Access from anywhere

Open the dashboard, authenticate with your passkey, and get instant shell access or file management on any connected machine.

Quick start

Up and running in under a minute.

Start the server
# Download the latest release
curl -fsSL https://get.conduit.sh | sh

# Start in dev mode (self-signed TLS on port 8443)
conduit-server --dev
Join an agent
# On the target machine — uses the join token from the dashboard
conduit join https://your-server:8443 <join-token> --dev-insecure
Or use the CLI
# Direct shell access from your terminal
conduit shell web-01

# Or launch the TUI for interactive navigation
conduit

Built for security teams

NIST-compliant architecture with zero-trust principles throughout.

NIST SP 800-53 Rev. 5

  • Access Control (AC)
  • Audit & Accountability (AU)
  • Identification & Auth (IA)
  • System Protection (SC)

OWASP Top 10 & API Top 10

  • BOLA prevention on every handler
  • No user enumeration
  • RFC 9457 error responses
  • Rate limiting & input validation

NIST SP 800-63B (AAL2)

  • WebAuthn/FIDO2 passkeys
  • Argon2id credential hashing
  • Recovery codes (single-use)
  • Session management

Zero Trust Architecture

  • TLS 1.3 only — no downgrades
  • Token validation at every boundary
  • PQC hybrid key exchange
  • All assets embedded — no CDN

Self-host Conduit today

Open source, single binary, zero external dependencies. Deploy on your infrastructure and own your remote access stack.

Get Started on GitHubOpen Dashboard