macOS 14+ · Native · Sandboxed

Manage SSH configs, keys, and tunnels — natively on macOS.

SSH Manager edits ~/.ssh/config losslessly, audits your keys and known_hosts, and runs encrypted -L/-R/-D tunnels in-process — no Terminal, no subprocess, fully sandboxed.

Buy for macOS — $7 See features
One-time purchase Universal — Apple Silicon & Intel Free 1.x updates
~/.ssh/config

Tunnels

2 active
+ New
prod-db via bastion.acme.io
Running
-L 5432 -D 1080
↑ 12.4 MB/s ↓ 3.1 MB/s
staging-redis via jump.staging
Running
-L 6379
↑ 0.8 MB/s ↓ 2.2 MB/s
k8s-api direct
Idle
-L 6443 idle
prod-db · console
 verified bastion.acme.io (ed25519)
 channel open: localhost:5432 → 10.0.4.12:5432
 SOCKS5 proxy listening on :1080
In-process
0 subprocesses, no Terminal
-L · -R · -D
every forward type
ProxyJump
multi-hop bastion chains
App Sandbox
Keychain-backed secrets

Everything in one place

The whole SSH workflow, without the terminal gymnastics.

Six tools that usually live across a dozen man pages, dotfiles, and shell aliases — rebuilt as one focused Mac app.

Lossless config editor

Edit ~/.ssh/config visually. Reorder hosts, tweak directives, manage Includes — comments and formatting are preserved byte-for-byte.

In-process tunnels

Run -L, -R, and -D forwards over a single SSH link. Multiple forwards per tunnel, live throughput, and auto-retry with backoff.

Key & agent manager

Inspect and use ed25519, ECDSA, and RSA keys. ssh-agent and external-signer auth are built in — passphrase keys decrypt natively.

known_hosts, handled

Search, review, and prune known_hosts. New hosts get a TOFU prompt with full fingerprint verification before you ever connect.

Version history

A git-style time machine for your config. Every edit is a content-addressed commit you can diff, branch, and restore in one click.

Multi-hop ProxyJump

Chain bastions with ProxyJump and SSH Manager builds the entire path in-process — no nested ssh subprocess, no shell required.

Config editor

Edit ssh_config without breaking it.

A lossless parser reads and rewrites your config so the bytes you didn’t touch stay exactly as they were. Hand-edit in a real editor, or let the UI do it.

  • Comments, blank lines, and indentation survive every save
  • Include directives are parsed and followed, never flattened
  • App-only data (tunnels, tags, favorites) never touches your config
~/.ssh/config
# Work bastion — jump host
Host bastion
  HostName bastion.acme.io
  User deploy
  IdentityFile ~/.ssh/id_ed25519
  ForwardAgent yes

# Reached through the bastion above
Host prod-db
  HostName 10.0.4.12
  ProxyJump bastion
  LocalForward 5432 localhost:5432
Active forwards one SSH link
-L
localhost:5432 → 10.0.4.12:5432
Local forward
-R
bastion:8080 → localhost:3000
Remote forward
-D
SOCKS5 proxy on :1080
Dynamic / SOCKS
prod-db · via bastion ↑ 12.4 · ↓ 3.1 MB/s
Tunnels

Tunnels that run inside the app.

Because the sandbox can’t cleanly launch Terminal, SSH Manager speaks SSH itself — over swift-nio-ssh. Start a tunnel and it’s supervised: health-checked, retried with backoff, and metered live.

Many forwards, one link
Bundle -L/-R/-D per tunnel
Live throughput
Per-tunnel up/down metering

Security model

Built for the sandbox, not around it.

SSH Manager treats your keys and network access as privileges, not assumptions. The architecture is the security story.

Runs in the App Sandbox

Full com.apple.security.app-sandbox entitlement. ~/.ssh access is a user-granted, security-scoped bookmark — nothing else is touched.

Tunnels never shell out

The engine speaks SSH in-process over swift-nio-ssh. No ssh subprocess, no Terminal, no quarantine stripping.

Secrets stay in Keychain

Private keys and passphrases are protected by the system Keychain and verified against known_hosts on every connect.

$7, once. Yours forever.

A one-time purchase — no subscription, no account. Universal binary, signed and notarized, with free updates across the entire 1.x line.

Buy & download Compare what’s included
enes