Dirless maps your cloud users to native Linux identities — no LDAP, no FreeIPA, no extra infrastructure. Add someone in Identity Center and they show up on every host.
```bash
# one-time enrollment per host
dirless-cli enroll \
  --server https://acme.dirless.com \
  --token $ENROLLMENT_TOKEN

# then just use your cloud users
getent passwd alice
alice:x:40001:40000::/home/alice:/bin/bash

ssh alice@prod-server-01   # it just works
```
Modern teams manage users in AWS IAM Identity Center. But Linux servers have no idea those users exist. The traditional fix is painful.
FreeIPA or a fake LDAP server — with its own servers, replication, and failure modes.
Add someone in Identity Center, then add them again in LDAP. Remove them, hope you remembered everywhere.
If your LDAP server is down, nobody can log in anywhere. A directory outage becomes a fleet-wide lockout.
Dirless is purpose-built for simplicity. Each piece does one thing well, and the whole system runs on your existing infrastructure.
The syncer runs on an EC2 instance inside your AWS account. It pulls users, groups, and memberships from IAM Identity Center using the EC2 instance role, so no static credentials are ever stored, and pushes snapshots to the backend over mTLS.
The backend receives identity snapshots and stores them as the canonical copy. It serves agents on demand and powers the management plane. Hosted on our 3-node global cluster, or self-hosted by you.
The agent runs on every Linux host. It polls the backend and writes a fresh identity snapshot to a local SQLite file. If the backend is unreachable, the last snapshot keeps NSS working, so there is no lockout.
The NSS module is a small shared library that hooks into getpwnam, getgrnam, and friends. It reads from local SQLite only, with zero network calls at lookup time, and works on any Linux distro.
More than just user resolution — a complete identity foundation for your Linux fleet.
Every user and group gets a stable UID/GID that is identical across your entire fleet. Shared filesystems like EFS and NFS work correctly because alice is always UID 40001 — everywhere.
Remove a user from IAM Identity Center and they are gone from every host on the next sync. No manual cleanup, no stale accounts, no forgotten servers.
NSS lookups read the local SQLite database — no network call at query time. A backend outage or network disruption does not lock users out of their hosts.
ls -la, ps aux, audit logs: they all show real usernames, not raw UIDs. Your forensics team will thank you.
AWS Systems Manager can run sessions as the connecting Identity Center user instead of the generic ssm-user, but only if that user exists in the OS. Dirless makes that happen automatically.
Identity snapshots are encrypted with age before leaving the backend. The private key lives only on your host. Even if the backend is compromised, your identity data stays private.
Dirless is designed to work either way. The protocol is identical — you can start hosted and migrate later.
We run the backend on our global 3-node cluster (US East, US East, EU West). You install the syncer and agent — we handle everything else.
Run the backend binary yourself, anywhere. Single node or multi-node. Full control over your infrastructure, your data, your tokens.
No. The agent has no AWS dependency — it only needs network access to the Dirless backend over HTTPS. Agents run on any Linux host: on-premises, other cloud providers, bare metal, or VMs anywhere. Only the syncer needs to run on an EC2 instance (to access the instance role for IAM credentials).
Nothing bad. The agent maintains a local SQLite database on each host. NSS lookups read from it directly — no network call at query time. If the backend is unreachable, the last-known-good snapshot stays on disk and identity resolution continues working normally. Users already on the host stay logged in; new lookups still resolve. The only thing that stops during an outage is pulling fresh changes from Identity Center.
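The outage behaviour described above, as an added example that is not Dirless's own code: an agent-side cache in which each pulled snapshot is written to a local SQLite file in one transaction and getpwnam()-style lookups read only that file, so a failed poll leaves the last-known-good snapshot serving lookups. The schema, the `fetch` callback and the snapshot contents are constructed for the example.

```python
"""Added example, not Dirless's own code: an agent-side identity cache in the
shape the page describes.  Snapshots land in local SQLite; lookups read only
that file, so a failed poll leaves the last-known-good snapshot in service."""
import sqlite3

# Constructed snapshots: name -> (uid, gid, home, shell)
SNAPSHOT_V1 = {"alice": (40001, 40000, "/home/alice", "/bin/bash")}
SNAPSHOT_V2 = {**SNAPSHOT_V1, "bob": (40002, 40000, "/home/bob", "/bin/bash")}

class BackendUnreachable(Exception):
    """Raised by the fetch callback when the backend cannot be reached."""

class LocalIdentityCache:
    def __init__(self, path=":memory:"):        # a real agent would use a file path
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS passwd(name TEXT PRIMARY KEY, "
                        "uid INTEGER, gid INTEGER, home TEXT, shell TEXT)")
        self.db.execute("CREATE TABLE IF NOT EXISTS meta(k TEXT PRIMARY KEY, v TEXT)")

    def apply_snapshot(self, version, snapshot):
        # Whole-table replace in one transaction: a concurrent lookup sees either
        # the old snapshot or the new one, never a half-written mix, and users
        # absent from the new snapshot disappear (deprovisioning on next sync).
        with self.db:
            self.db.execute("DELETE FROM passwd")
            self.db.executemany("INSERT INTO passwd VALUES (?,?,?,?,?)",
                                [(name, *fields) for name, fields in snapshot.items()])
            self.db.execute("REPLACE INTO meta VALUES ('version', ?)", (version,))

    def sync(self, fetch):
        """One poll cycle.  fetch() returns (version, snapshot) or raises
        BackendUnreachable; on failure the previous snapshot stays untouched."""
        try:
            version, snapshot = fetch()
        except BackendUnreachable:
            return False
        self.apply_snapshot(version, snapshot)
        return True

    def getpwnam(self, name):
        # Lookup path: local SQLite only, no network call at query time.
        row = self.db.execute("SELECT name, uid, gid, home, shell FROM passwd "
                              "WHERE name = ?", (name,)).fetchone()
        if row is None:
            return None
        n, uid, gid, home, shell = row
        return f"{n}:x:{uid}:{gid}::{home}:{shell}"   # same shape as `getent passwd`

    def version(self):
        row = self.db.execute("SELECT v FROM meta WHERE k = 'version'").fetchone()
        return row[0] if row else None
```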
Dirless handles the identity layer, making users exist in the OS, which is the prerequisite for SSH key authentication and other tools. You still configure SSH authorization as you normally would (e.g. authorized_keys, a PAM module, or an AuthorizedKeysCommand). An SSH authorized-keys helper is on the roadmap as a natural extension, since Dirless already knows which IAM user maps to which Linux user.
The backend assigns UIDs and GIDs deterministically and stably — once assigned, they never change, even if the user is removed and re-added. This is critical for shared filesystems where file ownership is stored numerically. You never end up with a UID recycled to a different user.
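The allocation rule stated above, as an added illustration that is not Dirless's own code: IDs are handed out monotonically from a base and the assignment table is never pruned, so removing a user frees nothing and re-adding the same name returns the same UID; `uid_drift` is the fleet-side audit a practitioner would run over two consecutive snapshots. The allocator is keyed on username here (the page does not say which identifier Dirless keys on), and the base values 40001/40000 are assumed from the getent output shown earlier.

```python
"""Added illustration, not Dirless's own code: monotonic, never-recycled
UID/GID allocation plus an audit that detects any UID changing owner."""

UID_BASE, GID_BASE = 40001, 40000   # assumed ranges, constructed for the example


class StableIdAllocator:
    def __init__(self, uid_base=UID_BASE, gid_base=GID_BASE):
        self.uids, self.gids = {}, {}          # append-only: entries are never deleted
        self.next_uid, self.next_gid = uid_base, gid_base

    def uid_for(self, username):
        if username not in self.uids:         # first sighting takes the next unused UID
            self.uids[username] = self.next_uid
            self.next_uid += 1
        return self.uids[username]

    def gid_for(self, groupname):
        if groupname not in self.gids:
            self.gids[groupname] = self.next_gid
            self.next_gid += 1
        return self.gids[groupname]

    def snapshot(self, users):
        """users: {username: primary_group}.  Only current users appear in the
        snapshot, but their IDs stay reserved in the allocator afterwards, so a
        removed user's UID is never handed to anyone else."""
        return {u: (self.uid_for(u), self.gid_for(g)) for u, g in sorted(users.items())}


def uid_drift(old, new):
    """Audit two consecutive snapshots ({name: (uid, gid)}): report any name
    whose UID changed or any UID now attached to a different name.  With a
    correct allocator this list is always empty."""
    owner_of = {uid: name for name, (uid, _) in old.items()}
    problems = []
    for name, (uid, _) in new.items():
        if name in old and old[name][0] != uid:
            problems.append(f"{name}: uid {old[name][0]} -> {uid}")
        if uid in owner_of and owner_of[uid] != name:
            problems.append(f"uid {uid}: {owner_of[uid]} -> {name}")
    return problems
```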
Yes. Dirless is fully self-hostable. The backend is a single static binary with a TOML config file. Point your syncer and agents at your own URL. The protocol between all components is identical regardless of who operates the backend. Customers who need full control over their infrastructure or air-gapped deployments use this path.
Not in readable form. At enrollment time, the agent generates an age keypair and sends only the public key to the backend. The backend encrypts every snapshot before storing or serving it. The private key lives only on your host — we never see it. Even if our backend were compromised, an attacker would only find encrypted blobs they cannot decrypt.
Enroll your first node in under a minute. No infrastructure changes required.