Zero Trust

Certificate-Based Authentication

Built-in Ed25519 CA. Three commands from zero to certificate-authenticated SSH. No passwords in prompts. No key sprawl.

The problem

Password-based SSH authentication is the weakest link. Passwords end up in scripts, config files, environment variables, and AI agent context windows. SSH key management creates key sprawl — dozens of keys across machines with no centralized authority. Revoking access means hunting down authorized_keys entries on every server.

Credential management nightmares

  • Passwords in plaintext config files
  • SSH key sprawl across machines
  • No centralized certificate authority
  • Revoking access requires touching every server
  • AI agents need credentials in their context to authenticate

How sshDCommander solves it

sshDCommander includes a built-in Ed25519 certificate authority. Three commands: ca init to create the CA, ca sign to issue a certificate, ca deploy to configure the server. Certificate auth is additive — it does not disable password auth. Dry-run mode and automatic rollback protect against misconfiguration.

Built-in Ed25519 CA

Generate a certificate authority keypair locally. No external PKI infrastructure needed. Ed25519 for modern, fast cryptography.

Three-Command Setup

ca init, ca sign, ca deploy. From zero to certificate-authenticated SSH in under a minute.

Safe Deployment

Dry-run mode previews sshd_config changes. sshd -t validation before reload. Automatic rollback on failure. Backup of existing config.

Additive Auth

Certificate auth is added alongside existing password auth. Nothing is disabled. You can fall back to password if needed.

In practice

certificate authentication setup
# Step 1: Initialize the certificate authority
$ sshdctl ca init
Ed25519 CA keypair generated.
# Step 2: Sign a certificate for the deploy user
$ sshdctl ca sign --principal deploy --server prod
Certificate signed for deploy@prod. Server profile updated.
# Step 3: Deploy the CA to the server (with dry-run safety)
$ sshdctl ca deploy --server prod
Backed up sshd_config. Deployed CA public key. sshd -t passed. sshd reloaded.
Certificate auth active for prod.
# Done — AI agents now authenticate via certificate
$ sshdcmd --client-id claude --server prod "whoami" --connect
Connected to 10.0.1.5:22 (certificate auth)
deploy
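
The server-side half of a deploy step like the one above (dry-run preview, backup, sshd -t validation, rollback), sketched with stock OpenSSH as an added example; this is not sshDCommander's own code. The function name deploy_ca and the SSHD_VALIDATE override are hypothetical, while TrustedUserCAKeys and sshd -t -f are standard OpenSSH.

```shell
#!/bin/sh
# Added example: additive CA trust deployment with dry-run, backup, validation, rollback.
# deploy_ca and SSHD_VALIDATE are hypothetical names; TrustedUserCAKeys and
# `sshd -t -f <file>` are standard OpenSSH.

deploy_ca() {
    cfg=$1                  # path to sshd_config
    ca_pub=$2               # installed path of the CA public key
    mode=${3:-dry-run}      # "dry-run" (default) or "apply"
    validate=${SSHD_VALIDATE:-sshd -t -f}
    line="TrustedUserCAKeys $ca_pub"

    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    [ -s "$ca_pub" ] || { echo "CA public key missing: $ca_pub" >&2; return 2; }

    # Idempotent: nothing to do if this exact directive is already present.
    if grep -qxF "$line" "$cfg"; then
        echo "already configured"
        return 0
    fi
    # Refuse to silently replace trust in a different CA.
    if grep -qiE '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$cfg"; then
        echo "another TrustedUserCAKeys is set; review manually" >&2
        return 3
    fi

    if [ "$mode" != "apply" ]; then
        echo "dry-run: would add to top of $cfg: $line"
        return 0
    fi

    cp -p "$cfg" "$cfg.bak" || return 2
    # Prepend so the directive stays global even if the file ends in a Match
    # block. PasswordAuthentication is not touched: the change is additive.
    { printf '%s\n' "$line"; cat "$cfg.bak"; } > "$cfg"

    # Unquoted on purpose so "sshd -t -f" splits into command and flags.
    if $validate "$cfg"; then
        echo "config valid; reload sshd to activate"
        return 0
    fi
    cat "$cfg.bak" > "$cfg"     # roll back in place
    echo "validation failed; restored $cfg" >&2
    return 1
}
```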

Eliminate password-based SSH authentication

5-day free trial. No credit card required.
