Security Keys and OpenPGP Cards

This list is not exhaustive. A full list of supported hardware can be found in the documentation of our Hardware Security SDK.

NFC:

  • Cotech Card
  • YubiKey NEO
  • YubiKey 5 NFC

USB:

  • Nitrokey Start, Pro, Storage (with adapter)
  • YubiKey 4, 4 Nano, 5, 5 Nano (with adapter)
  • YubiKey 4C, 4C Nano, 5C, 5C Nano (directly over USB-C)
  • Gnuk (with adapter)
  • Secalot (with adapter)

FAQ

  1. Go to the ‘Manage Pubkeys’ screen in TermBot.
  2. Touch the button for adding a Security Key (rightmost button in the app bar).
  3. Hold the NFC Security Key against the back of your device or insert your USB Security Key in your device.
  4. If successful, the dialog should close automatically and the Security Key is listed in your keys.

  1. Long-press the host and select ‘Edit host’.
  2. Touch ‘Use pubkey authentication’.
  3. Select your specific Security Key in this dropdown.
  4. Press the save button.

You can switch to keyboard input by tapping the small button labelled “abc” at the bottom of the dialog. However, we recommend a numeric PIN, as there is no need to choose a long, difficult PIN containing other characters.

Security Keys and Smartcards have a vastly different threat model than password-encrypted files or Internet accounts. While the latter can be brute-forced by trying all possible combinations of different password lengths, security keys and smartcards get locked after 3 failed PIN attempts. Then, the card needs to be unlocked again using the PUK (also called Admin-PIN). After 3 failed attempts using the PUK, the card is finally blocked and can only be reset completely.

Thus, even when choosing a short numeric PIN (the standard recommends 6 digits), the probability that an attacker can guess the correct PIN is negligibly low.
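
To quantify the claim above, the following added example (not part of the original page and not TermBot or SDK code) models the two retry counters and computes the chance that blind guessing succeeds before the card blocks, then checks the formula by enumerating a small PIN/PUK space. `CardModel` and the function names are hypothetical, and the model assumes uniformly random numeric PIN and PUK.

```python
from fractions import Fraction
from itertools import product

TRIES = 3  # failed attempts allowed per counter, as stated in the text


class CardModel:
    """Simplified retry-counter model (assumption; not a real card or SDK API)."""

    def __init__(self, pin, puk):
        self.pin, self.puk = pin, puk
        self.pin_tries = self.puk_tries = TRIES

    def verify_pin(self, guess):
        if not self.pin_tries:          # locked: even the right PIN is refused
            return False
        ok = guess == self.pin
        self.pin_tries = TRIES if ok else self.pin_tries - 1
        return ok

    def unblock(self, puk_guess, new_pin):
        if not self.puk_tries:          # blocked: only a full reset remains
            return False
        if puk_guess == self.puk:
            self.pin, self.pin_tries, self.puk_tries = new_pin, TRIES, TRIES
            return True
        self.puk_tries -= 1
        return False


def guess_probability(pin_digits, puk_digits):
    """Closed form: 3 distinct PIN guesses, then 3 distinct PUK guesses."""
    p_pin = Fraction(TRIES, 10 ** pin_digits)
    p_puk = Fraction(TRIES, 10 ** puk_digits)
    return p_pin + (1 - p_pin) * p_puk


def enumerate_small_space(pin_digits, puk_digits):
    """Check the closed form by running every PIN/PUK pair through the model."""
    pins = [f"{i:0{pin_digits}d}" for i in range(10 ** pin_digits)]
    puks = [f"{i:0{puk_digits}d}" for i in range(10 ** puk_digits)]
    wins = 0
    for pin, puk in product(pins, puks):
        card = CardModel(pin, puk)
        ok = any(card.verify_pin(g) for g in pins[:TRIES])
        ok = ok or any(card.unblock(g, pins[0]) for g in puks[:TRIES])
        wins += ok
    return Fraction(wins, len(pins) * len(puks))
```

For a 6-digit PIN and an assumed 8-digit PUK, `guess_probability(6, 8)` comes to roughly 3 in a million, and it does not grow with the time or hardware available to the guesser.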

Export your OpenPGP authentication subkey, convert it to SSH format and import it in TermBot.

On Debian/Ubuntu, this can be done as follows:

  1. Install monkeysphere: sudo apt-get install monkeysphere
  2. Monkeysphere conversion only works on keys without a password, so remove the password temporarily:
    gpg --edit-key user@example.com, then passwd, and press Enter when asked for a password. Finally, q and save with y.
  3. Export the authentication subkey and convert it to SSH format.
    Replace ‘00A03A84ED2A67E9’ with your subkey ID shown during key edit.
    gpg --export-secret-subkeys 00A03A84ED2A67E9! | openpgp2ssh 00A03A84ED2A67E9 > id_rsa
  4. Move id_rsa to your smartphone and import it in TermBot’s ‘Manage Pubkeys’.
  5. Set your password again, as in step 2.

Hardware Security SDK

Support Security Keys and OpenPGP Cards in Your App?

Learn about the features of the Hardware Security SDK in detail. The guides, API reference, and example projects will help you get up and running in no time.