Skip to content

Host-key pinning

TermZ pins SSH host keys with trust-on-first-use (TOFU), so you know you’re still talking to the same server every time you connect.

The first time you connect to a host, TermZ shows the server’s host-key fingerprint and asks you to trust it. Confirm the fingerprint, accept, and TermZ records it. That’s the only prompt in normal use.

On every later connection, TermZ verifies the key matches the one it recorded. If the key changes, TermZ hard-blocks the connection and warns you — a changed key is the signature of a man-in-the-middle or a rebuilt host. It’s your call whether to re-trust the new key.

Every trust decision — first-use acceptances and re-trusts alike — is written to an append-only audit log, giving you a durable record of what you accepted and when.