Tessera

Tessera is an offline X.509 certificate-based PAM authentication module for Linux device fleets. It authenticates engineers on devices using hardware tokens and X.509 certificates — without requiring network connectivity to a central server at login time.

Key capabilities:

  • Offline-first authentication — login decisions are made locally on the device against the trusted certificate chain; no online directory required.
  • PAM integration — works with the standard Linux PAM stack (2fa, optional, and cert-only modes).
  • Fleet deployment — golden-image cloning workflow with per-host certificate issuance and host identity binding.
  • Fail-closed security model — designed around an explicit threat model with fail-closed defaults.