First Connection

This guide walks through creating a connection, authenticating (with a password or SSH key), and understanding the host key verification prompt you will see on first connect.

Creating a connection

On mobile, tap the + button on the home screen. On desktop, press Ctrl+T or use the command palette (Ctrl+Shift+P) and search for “new connection.”

Fill in the connection form:

Label — a display name for this connection (e.g., “Production Web Server”).
Hostname — the IP address or domain name of the server.
Port — defaults to 22. Change this if your server listens on a non-standard port.
Username — the user account on the remote server.
Authentication — choose password or key-based. See the sections below.

Tap Save to store the connection, or Save & Connect to save and immediately open a session.

Password authentication

The most straightforward method. Select Password as the authentication method and enter your password. ZestSSH stores the password in the platform’s secure storage (Android Keystore / iOS Keychain / OS credential manager) — it is never written to the SQLite database in plaintext.

If your server supports it, you should move to key-based authentication after verifying the connection works. Password auth is more vulnerable to brute-force attacks and credential stuffing.

Key-based authentication

Select Public Key as the authentication method, then choose an identity (key pair) from the list. If you have not generated or imported a key yet, see Key Management.

Before connecting, you need to add your public key to the server’s ~/.ssh/authorized_keys file. You can copy the public key from ZestSSH:

Go to Identities.
Tap the key you want to use.
Tap Copy Public Key or use the share button.
On the server, append the key to ~/.ssh/authorized_keys:

echo "ssh-ed25519 AAAA...your-key... user@ZestSSH" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Make sure the .ssh directory has the correct permissions:

chmod 700 ~/.ssh

Host key verification

The first time you connect to a server, ZestSSH displays a host key verification prompt. This is the Trust On First Use (TOFU) model — the same approach used by OpenSSH.

The prompt shows:

The server’s key type (e.g., ssh-ed25519, ssh-rsa).
The SHA-256 fingerprint of the server’s host key.

You should verify this fingerprint against a known-good value. If you have console access to the server, you can print the fingerprint:

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

If the fingerprint matches, tap Trust to accept the key. ZestSSH stores the fingerprint in its known hosts database, and future connections to this host will be verified silently.

Changed host key warning

If ZestSSH detects that a server’s host key has changed since you last connected, it displays a warning. This can mean:

The server was reinstalled or its SSH keys were regenerated.
A man-in-the-middle attack is intercepting the connection.

ZestSSH also checks for key-type changes. If the server previously presented an RSA key and now presents an Ed25519 key, that is flagged as a change even though the key types differ. This prevents an attacker from bypassing verification by using a different algorithm.

Do not accept a changed host key unless you know why it changed. If the server was legitimately reinstalled, you can accept the new key to update your known hosts database.

After connecting

Once connected, you land in the terminal. A few things to know:

Touch gestures (mobile): two-finger tap sends Ctrl+C, three-finger tap pastes from clipboard, two-finger horizontal swipe switches between sessions.
Keyboard shortcuts (desktop): Ctrl+W closes the current tab, Ctrl+Tab switches to the next tab, Ctrl+\ toggles split panes.
Connection health: a colored dot next to the connection name shows the connection status. ZestSSH performs TCP pings and displays latency.

If the connection fails, see Troubleshooting Setup.