Every part of your SSH workflow, native.
Config, tunnels, keys, known_hosts, and history — each rebuilt as a focused, sandboxed macOS tool that respects the files you already have.
Free forever to edit & understand · Pro $7 unlocks tunnels, key management & system integration
Lossless ssh_config editing.
Your config is the source of truth. SSH Manager reads and rewrites it without disturbing a single byte you didn’t change.
- A lossless parser preserves comments, blank lines, and indentation
- Include directives are followed and edited in place, never flattened
- Reorder hosts and edit directives from the UI or by hand
- App-only data — tunnels, tags, favorites — is stored separately, never in your config
    # Work bastion — jump host
    Host bastion
        HostName bastion.acme.io
        User deploy
        IdentityFile ~/.ssh/id_ed25519
        ForwardAgent yes

    # Reached through the bastion above
    Host prod-db
        HostName 10.0.4.12
        ProxyJump bastion
        LocalForward 5432 localhost:5432
See exactly what SSH will do.
Resolve the effective settings for any host with origin tracing, catch insecure or broken config before it bites, and copy the exact command — all free.
- Effective-config resolver shows the value SSH will use — and the line that set it
- Linter flags duplicate hosts, deprecated keywords, weak crypto and missing keys
- Built-in connection tester probes reachability before you connect
- Copy the exact ssh command, ProxyJump chain included
- Favorites, tags, and fuzzy search across every host — all free, no account
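
To make "the value SSH will use, and the line that set it" concrete, here is an added example (not SSH Manager's code) of a resolver with origin tracing. It relies on the ssh_config rule that the first value obtained for a keyword wins, while a few keywords such as IdentityFile accumulate. The `Host *` block, the `resolve` and `host_matches` names, and the lack of `Match`/`Include` support are assumptions of this example.

```python
import re
# Constructed sample: the page's two hosts plus an assumed "Host *" defaults block.
SAMPLE = """\
# Work bastion, jump host
Host bastion
    HostName bastion.acme.io
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes

Host prod-db
    HostName 10.0.4.12
    ProxyJump bastion
    LocalForward 5432 localhost:5432

Host *
    User admin
    ForwardAgent no
    IdentityFile ~/.ssh/id_rsa
"""
# Keywords ssh accumulates across blocks; all others keep the first value obtained.
MULTI = {"identityfile", "certificatefile", "localforward", "remoteforward", "dynamicforward"}

def glob(pattern, name):
    """ssh_config patterns know only '*' and '?' as wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name) is not None

def host_matches(patterns, alias):
    """A negated (!) pattern that matches vetoes the block; otherwise any match wins."""
    if any(p.startswith("!") and glob(p[1:], alias) for p in patterns):
        return False
    return any(not p.startswith("!") and glob(p, alias) for p in patterns)

def resolve(text, alias):
    """Return {keyword: [(value, line_number), ...]} as ssh would apply it to alias."""
    active, out = True, {}  # directives above the first Host line apply to every host
    for no, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2)
        if key in ("match", "include"):
            raise NotImplementedError(f"line {no}: {key} is not handled in this example")
        if key == "host":
            active = host_matches(value.split(), alias)
        elif active and (key in MULTI or key not in out):
            out.setdefault(key, []).append((value, no))
    return out
```

For `prod-db` the trace shows `User admin` and `ForwardAgent no` coming from the `Host *` block, while `bastion` keeps `ForwardAgent yes` from line 6 because the earlier block is read first.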
Tunnels
    2 active
    -L 5432
    -D 1080
    -L 6379
    -L 6443
    idle
    ✓ verified bastion.acme.io (ed25519)
    ✓ channel open: localhost:5432 → 10.0.4.12:5432
    › SOCKS5 proxy listening on :1080
In-process tunnels, fully supervised.
One SSH link can carry many forwards. SSH Manager starts them, watches their health, and meters them — all without ever shelling out.
- -L, -R, and -D forwards — multiple per tunnel over one SSH link
- Multi-hop ProxyJump chains built entirely in-process
- ssh-agent, external-signer, and keyboard-interactive auth
- known_hosts verification with TOFU for first-seen hosts
- Supervised lifecycle: health checks and retry with backoff
- Live per-tunnel throughput and a streaming console
Every key type, handled in-app.
Inspect fingerprints, decrypt passphrase-protected keys, and authenticate through the agent — RSA included, via the NIOSSHRSA backend.
- ed25519, ECDSA, and RSA — generated and inspected natively
- Passphrase-protected OpenSSH keys decrypt in-app (bcrypt_pbkdf + AES-CTR)
- Use ssh-agent or an external signer — private keys never need to leave Keychain
known_hosts you can actually trust.
First-seen hosts get a trust-on-first-use prompt with their full fingerprint. After that, every connection is verified — inside the sandbox.
- TOFU prompt with full fingerprint on first connection
- Every connect re-verifies the host against known_hosts
- Runs inside the App Sandbox with a user-granted ~/.ssh bookmark
- Secrets live in the system Keychain, never in plaintext
A time machine for your config.
Restoring then editing forks a branch — nothing is ever discarded. Browse the whole tree and roll back with confidence.
- Every settled edit becomes a content-addressed commit
- Files are SHA-256’d and zlib-compressed — unchanged files dedupe
- Diff any two versions, branch from any point, restore in one click
- Oldest-first pruning to a configurable cap (default 100k)
And the details that add up.
Fast search
Filter hosts, keys, and known_hosts instantly.
Favorites & tags
Organize hosts with app-only metadata.
SQLite-backed
Tunnels, settings, and history in one local DB.
swift-nio-ssh engine
A real SSH stack, in-process — RSA via NIOSSHRSA.
Native macOS UI
SwiftUI, dark-mode first, keyboard friendly.
External-change aware
Disk edits are detected and versioned.
SSH Manager vs the competition
Both apps edit ~/.ssh/config. The difference is what happens after you save.
Competitor data reflects publicly listed features as of June 2026. Roadmap items are planned for SSH Manager but not yet shipped.