⚠️ Installers live on Cloudflare R2 (download-osh.moninotes.com) · iOS TestFlight link pending Beta Review approval
Zero-Trust SSH

Log in to servers
with no passwords.

Short-lived SSH certificates — requested by your laptop, approved on your iPhone, signed by a YubiKey-backed CA. Nothing static to steal.

↓ Download How it works
zero-trust-flow
[ OSH Approver · iPhone ] [ CA Signer · YubiKey ] │ approve (Face ID) │ sign cert (PIV 9c) ▼ ▼ [ OSH Client ] ──▶ [ Gateway ] ──────────────┘ │ request cert │ issue short-lived cert └──────────────────┴──────────▶ [ Target server ] # TrustedUserCAKey

Download

Pick your role in the system

macOS builds are signed & notarized — open them directly. Always download through a browser to keep the signature intact.

Gateway Available

Server (Linux) — the broker that issues certs

Ubuntu / Debian · amd64 .deb Download
Ubuntu / Debian · arm64 .deb Download
RHEL / Rocky · x86_64 .rpm Download
RHEL / Rocky · aarch64 .rpm Download

OSH Approver Pending review

iOS — approves & signs requests (Secure Enclave + Face ID)

iPhone · TestFlight TestFlight

Public build is pending Beta App Review (~24–48h). Until then, invite testers via Internal (send your Apple ID).

CA Signer Cross-platform

Signs certificates with a YubiKey (PIV slot 9c)

macOS · Apple Silicon .dmg Download
Windows .exe Download
Ubuntu · amd64 .deb Download

OSH Client Cross-platform

Workstation — where you run ssh to get a cert

macOS · Apple Silicon .pkg · GUI + CLI Download
Windows .exe Download
Ubuntu · amd64 .deb Download

OSH CLI Terminal

Just the osh command — servers / headless / scripts (no GUI)

Ubuntu/Debian · amd64 .deb Download
Ubuntu/Debian · arm64 .deb Download
RHEL/Rocky · x86_64 .rpm Download
RHEL/Rocky · aarch64 .rpm Download
Windows · x64 .zip Download

macOS: osh is already inside the OSH Client .pkg above.

Install

Get running in a few steps

Copy-paste per platform.

gateway — linux server
# Ubuntu/Debian sudo apt install ./pam-zta-gateway_0.1.0_amd64.deb # RHEL/Rocky sudo yum install ./pam-zta-gateway-0.1.0-1.x86_64.rpm # 1) Requires PostgreSQL (create an empty DB + user) # 2) Edit /etc/pam-zta/gateway.toml — DSN, [ca].token (openssl rand -hex 32), public_url/TLS sudo systemctl enable --now pam-zta-gateway sudo journalctl -u pam-zta-gateway -f # watch for the root-onboarding QR
desktop & ios — apps
# macOS — CA Signer (.dmg) Open the .dmg ▸ drag "PAM-ZTA CA" to Applications ▸ open ▸ plug YubiKey ▸ enter PIN (PIV 9c) ▸ "Save PIN to Keychain". # macOS — OSH Client (.pkg · all-in-one: GUI app + `osh` command) Double-click OSH-1.0.0-arm64.pkg ▸ Install. # notarized · installs the OSH app + the `osh` CLI into PATH osh connect dev@your-server # or open the OSH app and click Connect · (new terminal: run `rehash`) # Windows — CA Signer / OSH Client (.exe · not yet code-signed) Run the .exe ▸ on SmartScreen "Windows protected your PC" ▸ More info ▸ Run anyway. # Ubuntu/Debian — CA Signer / OSH Client (.deb · amd64) sudo apt install ./CA-0.1.0-amd64.deb # CA Signer (Operator Console) sudo apt install ./OSH-0.1.0-amd64.deb # OSH Client # iOS (OSH Approver) 1. Install TestFlight from the App Store. 2. Open the TestFlight link above ▸ Install OSH. 3. Open OSH ▸ scan the enrollment QR from the Gateway ▸ approve with Face ID.
🔐CA Signer requires a YubiKey (hardware-only, fail-closed). Pull the YubiKey and signing stops — exactly by zero-trust design.