Connection Management
OxideTerm’s Saved Connections panel and Session Manager give you a complete workspace for organizing, securing, and reusing SSH connections — from single servers to complex multi-hop proxy chains.
Creating Connections
Open the New Connection dialog from the sidebar (+ button) or Session Manager toolbar.
Authentication Methods
| Method | Description |
|---|---|
| Password | Prompted securely on connect — never stored in config files |
| SSH Key | RSA, Ed25519, ECDSA — file path or OS keychain |
| SSH Agent | Delegates to the running ssh-agent or macOS Keychain |
| Certificate | SSH certificate with optional CA verification |
| Keyboard Interactive | 2FA / OTP / PAM challenges on direct connections |
OxideTerm auto-detects the ~/.ssh/ directory and imports keys without configuration.
For direct connections, password auth can also fall back into keyboard-interactive prompts when the server requires it. For ProxyJump chains, explicit KeyboardInteractive auth is still limited today, so password/key/agent/certificate auth is the safer choice per hop.
Connection Options
- Host / Port / Username — standard connection parameters
- Color — per-connection accent color for visual identification in the sidebar
- Group — organize into folders in the sidebar and Session Manager
- Tags — freeform labels for filtering and searching
- ProxyJump (Jump Host) — chain through one or more bastion hosts
- Agent Forwarding — optionally forward your local SSH Agent to the remote host
ProxyJump: Multi-Hop SSH
OxideTerm resolves jump chains using a Dijkstra shortest-path algorithm across your saved connection tree. You can chain through unlimited intermediate hosts:
Local Machine ──► Bastion A ──► Bastion B ──► Target Server
- Intermediate sessions are opened automatically
- Each hop is tracked individually in the Connection Pool
- If any intermediate hop drops, its children are marked link_down and cascade-reconnected
Per-Hop Auth Notes
- Direct connections support password, key, certificate, SSH Agent, and keyboard-interactive prompts
- ProxyJump hops work best with password, key, certificate, or SSH Agent auth
- Explicit KeyboardInteractive auth over proxy chains remains limited today
- Imported ProxyJump chains from ~/.ssh/config keep their route structure when brought into OxideTerm
Connection Groups
Organize connections into nested folder groups in the Session Manager:
- Drag-and-drop connections between groups
- Rename, create, or delete groups
- Subgroups supported for deep hierarchies
- Filter the connection table by selected group
SSH Config Import
OxideTerm reads your existing ~/.ssh/config file and imports defined Host blocks as OxideTerm connections — preserving ProxyJump, User, IdentityFile, Port, and other directives.
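To check what an imported route should look like, the sketch below parses Host blocks and expands nested ProxyJump directives into an ordered hop list, then flags intermediate hops that allow only keyboard-interactive auth (the case the Per-Hop Auth Notes call limited). It is an added example, not OxideTerm's importer; the function names and the sample config are constructed, and it assumes exact Host aliases and whitespace-separated directives.

```python
def parse_ssh_config(text):
    """Return {alias: {directive: value}}; the first value seen for a key wins."""
    hosts, current = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            # Assumption: wildcard/negated patterns and Match blocks are skipped.
            current = [a for a in value.split() if not set("*?!") & set(a)] if key == "host" else []
            for alias in current:
                hosts.setdefault(alias, {})
        else:
            for alias in current:
                hosts[alias].setdefault(key, value)
    return hosts

def resolve_chain(hosts, target, seen=()):
    """Ordered hop list ending at target, with loop detection."""
    if target in seen:
        raise ValueError("ProxyJump loop: " + " -> ".join(seen + (target,)))
    jump = hosts.get(target, {}).get("proxyjump", "none")
    if jump.lower() == "none":
        return [target]
    # Strip optional user@ and :port (assumption: no IPv6 literals or ssh:// URIs).
    hops = [h.strip().rsplit("@", 1)[-1].split(":")[0] for h in jump.split(",")]
    # Only the first hop's own ProxyJump is expanded; later hops are taken as written.
    return resolve_chain(hosts, hops[0], seen + (target,)) + hops[1:] + [target]

def kbdint_only_hops(hosts, chain):
    """Intermediate hops whose config allows only keyboard-interactive auth."""
    return [h for h in chain[:-1]
            if hosts.get(h, {}).get("preferredauthentications", "").lower() == "keyboard-interactive"]

SAMPLE_CONFIG = """\
# constructed sample, not a real ~/.ssh/config
Host bastion-a
    HostName 192.0.2.10
    User ops
Host bastion-b
    HostName 198.51.100.7
    ProxyJump bastion-a
    PreferredAuthentications keyboard-interactive
Host target
    HostName 10.0.0.5
    ProxyJump bastion-b
Host loop-a
    ProxyJump loop-a
"""
```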
Known Hosts & TOFU
On first connection to a new host, OxideTerm uses Trust On First Use (TOFU):
- The host’s public key fingerprint is shown in a confirmation dialog
- On acceptance, the key is appended to ~/.ssh/known_hosts using OpenSSH-compatible semantics
- On subsequent connects, the stored fingerprint is verified automatically
- Key-mismatch warnings are shown prominently — never silently ignored
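The TOFU decision described above can be reproduced against a known_hosts file as follows. This is an added example, not OxideTerm's code: it handles plain and hashed host fields and the `[host]:port` form for non-default ports, and the key blobs, salt and host names are constructed sample data.

```python
import base64, hashlib, hmac, struct

def ssh_blob(keytype, raw):
    """Build a constructed public-key blob (sample data, not a real host key)."""
    kt = keytype.encode()
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(name, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field_matches(field, name):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(name, salt), field)
    return name in field.split(",")  # assumption: no wildcard or negated patterns

def tofu_check(known_hosts, host, port, keytype, key_b64):
    """Return 'match', 'mismatch' (same key type, different key) or 'unknown'."""
    name = host if port == 22 else f"[{host}]:{port}"
    same_type_seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Assumption: comments and @cert-authority/@revoked marker lines are skipped.
        if len(parts) < 3 or parts[0][0] in "#@" or not host_field_matches(parts[0], name):
            continue
        if parts[1] == keytype:
            if parts[2] == key_b64:
                return "match"
            same_type_seen = True
    return "mismatch" if same_type_seen else "unknown"

KEY_A = ssh_blob("ssh-ed25519", bytes(range(32)))
KEY_B = ssh_blob("ssh-ed25519", bytes(range(1, 33)))
KNOWN_HOSTS = "\n".join([  # constructed sample, not a real known_hosts file
    f"bastion-a.example,192.0.2.10 ssh-ed25519 {KEY_A}",
    hash_host("[db.example]:2222", b"constructed-salt-20b") + f" ssh-ed25519 {KEY_A}",
])
```

Here `unknown` is the first-use case where the fingerprint is shown for confirmation, and `mismatch` is the case the list above says is never silently ignored.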
Saved Connections at Rest
OxideTerm encrypts saved connection metadata on disk instead of leaving it as plaintext JSON.
- Passwords / key passphrases / API keys stay in the OS keychain
- Saved connection metadata is sealed locally with ChaCha20-Poly1305
- Local config key lives in the OS keychain and unlocks the encrypted config document at startup
- Legacy plaintext configs are migrated to encrypted storage on startup
This means hosts, labels, auth metadata, jump routes, and related saved-connection state are protected at rest even before you export anything.
Encrypted Export / Import (.oxide)
Connection presets (including credentials) can be exported to a portable .oxide file for backup or transfer between machines.
Encryption Spec
| Property | Value |
|---|---|
| Cipher | ChaCha20-Poly1305 AEAD |
| KDF | Argon2id — 256 MB memory, 4 iterations, 1 thread |
| Integrity | SHA-256 checksum embedded in file header |
| Pre-flight | Validates memory availability before starting KDF |
| Key length | 256-bit derived key |
The .oxide format uses a passphrase you provide — OxideTerm never stores the passphrase. Import the file on any OxideTerm installation with the correct passphrase.
Sidebar: Active Sessions View
The Active Sessions sidebar panel has two modes:
- Tree View — hierarchical view showing jump host relationships, child nodes indented under parents
- Focus View — flat list of only the currently active / connected sessions
Right-click any node for quick actions: Connect, Disconnect, New Terminal, Open SFTP, Open IDE Mode, Port Forwarding, Drill Down (navigate into the host), Save as Preset.
Auto-Route
The Auto-Route feature automatically selects the optimal ProxyJump path to a target host by analyzing the current active session tree.
Combined with the topology graph, this gives you a route-aware connection model instead of a flat host list: jump nodes can be reused, downstream failures cascade visibly, and reconnect logic can rebuild the tree from the parent hop outward.