Remote Shell

Your SSH keys are files. Your device is not.

SSH key management means copying private keys, editing authorized_keys on every server, and hoping nobody leaks a key. amesh replaces all of it with device-bound identity.

The problem with SSH key management

SSH keys are copyable files
A private key in ~/.ssh/ can be copied to any machine. If a laptop is compromised, the attacker has the key and can use it from anywhere. The key is not bound to the device.

authorized_keys has no integrity protection
It's a plain text file. Any process running as the same user can silently append a key. There is no tamper detection, no seal, no audit trail of modifications.

Revocation requires editing every server
When someone leaves the team, you remove their key from authorized_keys on every server they had access to. Miss one and they still have access. There is no central revocation.

The solution

# On your laptop (controller) — shell client included
brew install ameshdev/tap/amesh
# or: npm install -g @authmesh/cli

# On the server (target) — agent daemon + all CLI commands
brew install ameshdev/tap/amesh-agent
# or: npm install -g @authmesh/agent

What changes

Before: SSH keys are copyable files
After: Key is in the device: Keychain, TPM, or encrypted

Before: authorized_keys is a plain text file
After: HMAC-sealed allow list with tamper detection

Before: Revoke = edit every server
After: amesh revoke <device-id>. Instant. One command.
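
How an HMAC seal gives an allow list the tamper detection that authorized_keys lacks, as an added example (not amesh's code or file format). The JSON layout, function names and device ids are assumptions made for illustration, and the sealing key is assumed to be stored where a process that can write the list cannot read it.

```python
import hashlib
import hmac
import json
import secrets

def _tag(devices, key):
    # Canonical form: sorted, compact JSON, so the same set always gives the same MAC.
    body = json.dumps(sorted(devices), separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(devices, key):
    """Return the allow list together with an HMAC-SHA256 seal over its contents."""
    return {"devices": sorted(devices), "seal": _tag(devices, key)}

def verify(doc, key):
    """True only if the stored seal matches the entries as they are now."""
    try:
        expected = _tag(doc["devices"], key)
        return hmac.compare_digest(expected.encode(), str(doc["seal"]).encode())
    except (KeyError, TypeError):
        return False

def is_allowed(doc, key, device_id):
    """Fail closed: a list with a broken seal authorizes nobody."""
    return verify(doc, key) and device_id in doc["devices"]

def revoke(doc, key, device_id):
    """Drop one device and reseal; refuses to reseal a list that was tampered with."""
    if not verify(doc, key):
        raise ValueError("allow list seal is invalid")
    return seal([d for d in doc["devices"] if d != device_id], key)

def demo():
    key = secrets.token_bytes(32)                    # assumed to live outside the file's reach
    doc = seal(["dev-laptop-01", "dev-ci-02"], key)  # constructed device ids
    # The edit described for authorized_keys: an entry is appended, the seal is left as is.
    tampered = {"devices": doc["devices"] + ["dev-rogue-99"], "seal": doc["seal"]}
    # Recomputing the seal without the real key does not validate either.
    forged = seal(tampered["devices"], secrets.token_bytes(32))
    after = revoke(doc, key, "dev-ci-02")
    return {
        "clean": is_allowed(doc, key, "dev-laptop-01"),
        "appended": is_allowed(tampered, key, "dev-rogue-99"),
        "forged": is_allowed(forged, key, "dev-rogue-99"),
        "revoked": is_allowed(after, key, "dev-ci-02"),
        "still_ok": is_allowed(after, key, "dev-laptop-01"),
    }

if __name__ == "__main__":
    print(demo())
```

The seal only detects changes made without the key; it does not stop a process that can read the sealing key from resealing a modified list.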