# SSH (Secure Shell)
ZestSSH implements the SSH 2.0 protocol via a custom-patched dartssh2 library, providing encrypted remote terminal access across all supported platforms. SSH is the default and recommended connection protocol for all remote server access.
## Availability

| Platform | Status |
|---|---|
| Android | Full support |
| iOS | Full support |
| Windows | Full support |
| macOS | Full support |
| Linux | Full support |
## Quick Start

- Tap the + button on the home screen (or use Ctrl+T on desktop).
- Enter the hostname or IP address of your server.
- Set the port (default: 22).
- Select or create an identity (username + authentication method).
- Tap Connect.
For quick one-off connections, use the Quick Connect bar and type user@host directly.
## How It Works

When you initiate an SSH connection, ZestSSH performs the following sequence:
- TCP Connection — Establishes a TCP socket to the target host and port with a 15-second timeout.
- Protocol Negotiation — Begins SSH-2.0 protocol handshake, exchanging supported algorithms for key exchange, encryption, host key verification, and MAC.
- Key Exchange — Negotiates a shared secret using the highest-priority mutually supported KEX algorithm.
- Host Key Verification — Presents the server’s host key fingerprint for verification. New hosts prompt for trust-on-first-use (TOFU); changed keys always trigger a warning.
- Authentication — Authenticates using the configured method: public key, password, or keyboard-interactive.
- Shell Session — Opens a PTY with the `xterm-256color` terminal type and begins the interactive shell session.
## Supported Cipher Suite

ZestSSH offers the following algorithms during negotiation, listed in the order they are presented to the server (highest priority first).
### Encryption Ciphers

| Cipher | Key Size | Mode | AEAD |
|---|---|---|---|
| chacha20-poly1305@openssh.com | 512-bit (2x256) | Stream + Poly1305 | Yes |
| aes128-ctr | 128-bit | CTR | No |
| aes128-cbc | 128-bit | CBC | No |
| aes256-ctr | 256-bit | CTR | No |
| aes256-cbc | 256-bit | CBC | No |
The following ciphers are implemented in the core library but not included in the default negotiation list: aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, and aes192-cbc. They can be enabled through custom algorithm configuration.
### Key Exchange (KEX) Algorithms

| Algorithm | Digest |
|---|---|
| curve25519-sha256@libssh.org | SHA-256 |
| ecdh-sha2-nistp521 | SHA-512 |
| ecdh-sha2-nistp384 | SHA-384 |
| ecdh-sha2-nistp256 | SHA-256 |
| diffie-hellman-group-exchange-sha256 | SHA-256 |
| diffie-hellman-group14-sha256 | SHA-256 |
| diffie-hellman-group14-sha1 | SHA-1 |
| diffie-hellman-group-exchange-sha1 | SHA-1 |
| diffie-hellman-group1-sha1 | SHA-1 |
Curve25519 is preferred and negotiated first when the server supports it.
### Host Key Algorithms

| Algorithm | Type |
|---|---|
| ssh-ed448 | Ed448 (Edwards curve) |
| ssh-ed25519 | Ed25519 (Edwards curve) |
| rsa-sha2-512 | RSA with SHA-512 |
| rsa-sha2-256 | RSA with SHA-256 |
| ssh-rsa | RSA with SHA-1 (legacy) |
| ecdsa-sha2-nistp521 | ECDSA P-521 |
| ecdsa-sha2-nistp384 | ECDSA P-384 |
| ecdsa-sha2-nistp256 | ECDSA P-256 |
### MAC Algorithms

Used for integrity verification when a non-AEAD cipher is negotiated:

| Algorithm | Key Size | Notes |
|---|---|---|
| hmac-sha2-256-96 | 256-bit | Truncated to 96 bits |
| hmac-sha2-512-96 | 512-bit | Truncated to 96 bits |
| hmac-sha2-256-etm@openssh.com | 256-bit | Encrypt-then-MAC |
| hmac-sha2-512-etm@openssh.com | 512-bit | Encrypt-then-MAC |
| hmac-sha1 | 160-bit | Legacy |
| hmac-sha2-256 | 256-bit | Standard |
| hmac-sha2-512 | 512-bit | Standard |
| hmac-md5 | 128-bit | Legacy, not recommended |
When an AEAD cipher (ChaCha20-Poly1305 or AES-GCM) is negotiated, MAC algorithms are not used because authentication is built into the cipher.
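As an added example (not ZestSSH or dartssh2 code), the SSH-2 selection rule from RFC 4253 applied to the client lists documented above, run against three constructed server offers. It also reproduces the “Algorithm negotiation failed” case from Troubleshooting: a server that offers only AES-GCM finds nothing in common with the default cipher list. The host key category is left out because its selection rule carries extra conditions.

```python
# Added example, not ZestSSH or dartssh2 code: the SSH-2 algorithm negotiation
# rule (RFC 4253 section 7.1) run over the lists this page documents.
# The server lists below are constructed for illustration.
CLIENT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes128-cbc",
                  "aes256-ctr", "aes256-cbc"]
CLIENT_KEX = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp521",
              "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
              "diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
CLIENT_MACS = ["hmac-sha2-256-96", "hmac-sha2-512-96",
               "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
               "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "hmac-md5"]
# AEAD ciphers carry their own authentication tag, so no MAC is negotiated.
AEAD_CIPHERS = {"chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com",
                "aes256-gcm@openssh.com"}


class NegotiationError(Exception):
    """Client and server share no algorithm in some category."""


def pick(category, client_list, server_list):
    """RFC 4253 rule: the first entry in the client's list that the server
    also offers. The client's preference order decides, not the server's."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise NegotiationError(f"{category}: no common algorithm")


def negotiate(server_kex, server_ciphers, server_macs):
    """Return (kex, cipher, mac); mac is None when an AEAD cipher is chosen."""
    kex = pick("kex", CLIENT_KEX, server_kex)
    cipher = pick("cipher", CLIENT_CIPHERS, server_ciphers)
    mac = None if cipher in AEAD_CIPHERS else pick("mac", CLIENT_MACS, server_macs)
    return kex, cipher, mac


# Constructed server offers: a modern default, a CTR-only host, and a host that
# only offers ciphers absent from the client's default list (GCM, aes192).
MODERN_SERVER = (["curve25519-sha256", "curve25519-sha256@libssh.org"],
                 ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                 ["hmac-sha2-256-etm@openssh.com"])
CTR_SERVER = (["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
              ["aes256-ctr", "aes128-ctr"],
              ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256"])
GCM_ONLY_SERVER = (["curve25519-sha256@libssh.org"],
                   ["aes256-gcm@openssh.com", "aes192-ctr"],
                   ["hmac-sha2-256"])
```

Note that against `CTR_SERVER` the client's order wins: aes128-ctr is chosen even though the server lists aes256-ctr first.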
## Authentication Methods

ZestSSH supports three SSH authentication methods:
- Public Key — RSA (2048/4096), ECDSA (P-256/P-384/P-521), Ed25519. See Public Key Authentication.
- Password — Stored securely in the platform keychain. See Password Authentication.
- Keyboard-Interactive — Handles server-driven prompts for 2FA and PAM. See Keyboard-Interactive.
## Connection Parameters

Each SSH connection supports the following configurable parameters:
| Parameter | Default | Description |
|---|---|---|
| Host | (required) | Hostname or IP address |
| Port | 22 | SSH server port |
| Username | Configured per identity | Login username |
| Keep-Alive Interval | 15 seconds | Interval for sending keep-alive packets to prevent idle disconnects |
| Zlib Compression | Off | Enable zlib payload compression for slow links |
| Agent Forwarding | Off | Forward SSH keys to the remote host for onward connections |
| Jump Host | None | Proxy the connection through another saved SSH connection |
| Environment Variables | None | JSON map of variables to export on the remote shell |
## Jump Host / ProxyJump

ZestSSH supports multi-hop SSH connections via jump hosts. When a connection has a “Connect Via” host configured:

- An SSH connection is established to the jump host first.
- A `direct-tcpip` channel is opened through the jump host to the target.
- The target SSH session runs through this tunnel.
Both the jump host and the target connection perform full host key verification independently.
## Limitations

- The SSH library does not currently support OpenSSH certificates (`*-cert-v01@openssh.com` key types). Standard public key and password authentication are fully supported.
- FIDO2/WebAuthn (`sk-*@openssh.com`) key types are not yet supported. See FIDO2 Hardware Keys for current status.
- There is no support for GSSAPI/Kerberos authentication.
## Troubleshooting

### Connection times out

- Verify the host is reachable and the SSH service is running on the expected port.
- Check that firewalls or security groups allow inbound traffic on the SSH port.
- Try reducing the connection timeout or checking with a port scanner.
### “Host key changed” warning

This means the server’s host key fingerprint differs from what ZestSSH previously recorded. This could indicate a legitimate server reinstall or a potential man-in-the-middle attack. Verify the new fingerprint with your server administrator before accepting.
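As an added example (not ZestSSH or dartssh2 code), the host key check from “How It Works” and this warning, written out: a host not in the local store gets a trust-on-first-use prompt, a matching key passes, and a key that differs from the recorded one is flagged as changed. Fingerprints use the OpenSSH `SHA256:` form; the key bytes are constructed for the example.

```python
# Added example, not ZestSSH or dartssh2 code: the host key check described in
# "How It Works" (TOFU prompt for new hosts, warning whenever a recorded key
# changes) with OpenSSH-style SHA256 fingerprints. Keys below are constructed.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length, then the bytes (RFC 4251).
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_pubkey: bytes) -> bytes:
    # ssh-ed25519 public key blob (RFC 8709): string "ssh-ed25519", string key.
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    # What OpenSSH prints: base64(SHA-256(blob)) with '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _record_name(host: str, port: int) -> str:
    # Non-default ports get their own record, as in OpenSSH known_hosts.
    return host if port == 22 else f"[{host}]:{port}"


def check_host_key(known_hosts: dict, host: str, port: int, blob: bytes):
    """Return ("new" | "match" | "changed", fingerprint).
    Compare the full key blob, not just the fingerprint; the fingerprint is
    only what gets shown to the user in the prompt."""
    recorded = known_hosts.get(_record_name(host, port))
    if recorded is None:
        return "new", fingerprint(blob)        # TOFU: ask the user
    if recorded == blob:
        return "match", fingerprint(blob)
    return "changed", fingerprint(blob)        # always warn, never auto-accept


def trust_host_key(known_hosts: dict, host: str, port: int, blob: bytes) -> None:
    """Store the key once the user has verified the fingerprint out of band."""
    known_hosts[_record_name(host, port)] = blob


# Constructed sample keys (not any real server's keys).
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))
```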
### Authentication fails immediately

- Confirm the username and credentials are correct.
- For public key auth, verify the key is in the server’s `~/.ssh/authorized_keys`.
- Check the server’s `sshd_config` for the `PubkeyAuthentication` and `PasswordAuthentication` settings.
### “Algorithm negotiation failed”

The server and ZestSSH do not share any common algorithms. This typically happens with very old or very hardened servers. Check the server’s `sshd_config` for the `Ciphers`, `KexAlgorithms`, and `MACs` directives.
Q: Does ZestSSH support SSH-1? A: No. SSH-1 has known security vulnerabilities and has been deprecated for over a decade. Only SSH 2.0 is supported.
Q: Can I use a non-standard SSH port? A: Yes. Set the port to any value between 1 and 65535 in the connection editor.
Q: Does ZestSSH support zlib compression? A: Yes. Enable it per-connection in the advanced settings. This can improve performance over slow or high-latency links but adds CPU overhead.
Q: How does keep-alive work? A: ZestSSH sends SSH keep-alive packets at the configured interval (default 15 seconds). This prevents firewalls and NAT devices from closing idle connections and helps detect broken connections faster.