SSH ID Security

This page explains the security model of SSH ID, including how device-bound passkeys, biometric protection, and certificate verification ensure secure access to your servers.

SSH ID is an easy-to-use system for managing SSH passkeys. It generates and aggregates device-bound passkeys, including FIDO2 and biometric keys, so you can connect to servers without copying or sharing private keys.

Device-bound

SSH ID passkeys are private keys generated and stored on your computer or phone. They never leave your device and cannot be copied or exported.

Only public keys are synced to your vault and published under the handle you choose, so you can update your ~/.ssh/authorized_keys files more easily.

Biometric-protected

SSH ID works with Face ID, Touch ID, Windows Hello, and FIDO2 authenticators. With an ECDSA-SK key (OpenSSH's ecdsa-sk type, backed by a FIDO2 authenticator), every connection requires your biometric or user-presence confirmation (a fingerprint, face scan, or touch), so even if your device is compromised, an attacker cannot open connections to your servers without that additional verification.

Every passkey can be verified

Every SSH ID user has a unique CA key pair created by Termius on the device.

Every passkey generated for SSH ID is signed using your CA private key on the device.

Your SSH ID public page contains the CA public key as well as certificates for each key.

You can use this information to verify that each and every public key published under an SSH ID was certified by that user's own CA key, i.e. was issued by Termius on that user's device and not substituted along the way.

Verification procedure

The verification process relies exclusively on the standard OpenSSH tooling (ssh-keygen).

Prerequisites

  • user_cert.pub - the user's certificate; its fingerprint (the fingerprint of the user's CA key) identifies the user

  • key.pub - a device public key

  • key_cert.pub - the certificate for that key

In future Termius versions, the above info can be obtained from https://sshid.io/<username> or the SSH ID screen in the app.

Verification

  1. Verify user identity

    1. Run ssh-keygen -lvf user_cert.pub

    2. Compare the resulting SHA256 fingerprint or the randomart visualization against the values displayed on the sshid.io page or in the Termius app. This step is the trust anchor for everything that follows, so obtain the reference values over a channel you trust (the HTTPS page or the app), not from the same place the certificates came from

  2. Verify the key was signed by the user

    1. Run ssh-keygen -L -f key_cert.pub to extract the signer fingerprint from the key certificate

    2. Locate the line: Signing CA: <algorithm> SHA256:<fingerprint>

    3. Obtain the fingerprint of the user certificate with ssh-keygen -lf user_cert.pub

    4. Compare SHA256 fingerprints. They should be identical

  3. Verify that the Certificate belongs to the key

    1. Run ssh-keygen -lf key.pub

    2. Run ssh-keygen -lf key_cert.pub

    3. Compare SHA256 fingerprints. They should be identical

Together, these three steps confirm that the user is who the page says (step 1), that the certificate was signed by that user's CA key (step 2), and that the certificate was issued for that exact public key (step 3). Note that ssh-keygen -L only prints a certificate it could load, and OpenSSH refuses to load a certificate whose CA signature does not verify, so a successful step 2 also means the signature itself is valid, not just that the fingerprints match. A mismatch at any step means the key should not be added to authorized_keys.
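As an added worked example (this is not Termius code), the same three checks reproduced in pure Python, without ssh-keygen. It parses the ed25519 certificate layout from OpenSSH's PROTOCOL.certkeys and computes the SHA256 fingerprints exactly as ssh-keygen -l prints them: the fingerprint of a certificate is the fingerprint of the public key inside it, and the "Signing CA" line is the fingerprint of the certificate's signature-key field. All key bytes, the handle "alice", key IDs and comments are constructed for the example, the certificates carry a zeroed signature so the script runs offline, and the example assumes (as step 2 of the page implies) that user_cert.pub is a certificate whose subject key is the user's CA key. Because the signature field is ignored, this parser does not check the CA signature the way ssh-keygen does when it loads a certificate.

```python
"""Added example: the SSH ID fingerprint checks in pure Python (not Termius code).
All key material below is constructed; signatures are zeroed and are NOT verified."""
import base64
import hashlib
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 digest with '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Split an authorized_keys-style line '<type> <base64> [comment]' into (type, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    blob = base64.b64decode(parts[1])
    blob_type, _ = _read_string(blob, 0)
    if blob_type != parts[0].encode():
        raise ValueError("declared key type does not match the encoded blob")
    return parts[0], blob


def parse_ed25519_cert(blob: bytes) -> dict:
    """Walk the ssh-ed25519-cert-v01@openssh.com layout from PROTOCOL.certkeys."""
    off = 0
    cert_type, off = _read_string(blob, off)
    if cert_type != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    _nonce, off = _read_string(blob, off)
    pk, off = _read_string(blob, off)
    if len(pk) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    serial, cert_kind = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_string(blob, off)
    _principals, off = _read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    _critical, off = _read_string(blob, off)
    _extensions, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    ca_blob, off = _read_string(blob, off)   # 'signature key' field: the CA's public key blob
    _signature, off = _read_string(blob, off)  # not checked here; ssh-keygen verifies it on load
    if off != len(blob):
        raise ValueError("trailing bytes after certificate")
    return {
        "key_blob": _string(b"ssh-ed25519") + _string(pk),  # what `ssh-keygen -lf cert` fingerprints
        "ca_blob": ca_blob,                                   # what the 'Signing CA:' line fingerprints
        "key_id": key_id.decode(), "serial": serial, "kind": cert_kind,
        "valid_after": valid_after, "valid_before": valid_before,
    }


def verify_chain(user_cert_line: str, key_line: str, key_cert_line: str, published_user_fp=None) -> dict:
    """Steps 1-3 of the procedure, each reported as a boolean."""
    _, user_cert = parse_line(user_cert_line)
    _, key_blob = parse_line(key_line)
    _, key_cert = parse_line(key_cert_line)
    user_fp = fingerprint(parse_ed25519_cert(user_cert)["key_blob"])  # step 1: ssh-keygen -lf user_cert.pub
    kc = parse_ed25519_cert(key_cert)
    return {
        "user_fingerprint": user_fp,
        "identity_matches": published_user_fp is None or user_fp == published_user_fp,  # vs. the page
        "signed_by_user": fingerprint(kc["ca_blob"]) == user_fp,                       # step 2
        "cert_matches_key": fingerprint(kc["key_blob"]) == fingerprint(key_blob),      # step 3
    }


# --- Constructed sample material (hypothetical handle 'alice'; not real keys) ---
def build_cert(pk: bytes, ca_pk: bytes, key_id: bytes, principal: bytes) -> bytes:
    ca_blob = _string(b"ssh-ed25519") + _string(ca_pk)
    return (_string(CERT_TYPE) + _string(bytes(32)) + _string(pk)
            + struct.pack(">QI", 1, 1) + _string(key_id) + _string(_string(principal))
            + struct.pack(">QQ", 0, 2**64 - 1) + _string(b"") + _string(b"") + _string(b"")
            + _string(ca_blob) + _string(bytes(64)))  # zeroed signature: offline sample only


def as_line(key_type: bytes, blob: bytes, comment: str) -> str:
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


CA_PK, DEVICE_PK, ROGUE_CA_PK = bytes(range(32)), bytes(range(100, 132)), bytes(range(200, 232))
USER_CERT = as_line(CERT_TYPE, build_cert(CA_PK, CA_PK, b"alice", b"alice"), "alice CA")
DEVICE_KEY = as_line(b"ssh-ed25519", _string(b"ssh-ed25519") + _string(DEVICE_PK), "alice-laptop")
DEVICE_CERT = as_line(CERT_TYPE, build_cert(DEVICE_PK, CA_PK, b"alice-laptop", b"alice"), "laptop cert")
ROGUE_CERT = as_line(CERT_TYPE, build_cert(DEVICE_PK, ROGUE_CA_PK, b"alice-laptop", b"alice"), "wrong CA")

if __name__ == "__main__":
    print(verify_chain(USER_CERT, DEVICE_KEY, DEVICE_CERT))  # all three checks True
    print(verify_chain(USER_CERT, DEVICE_KEY, ROGUE_CERT))   # signed_by_user False
```

Pass the three lines from your sshid.io page to verify_chain and the fingerprint shown on the page as published_user_fp; any False in the result is the same mismatch the ssh-keygen procedure would surface. On real files, run ssh-keygen -L as well so the CA signature is actually verified.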
