KeyleSSH: A New PAM Concept for IT Admins
Source: Dev.to
For Greater Security and Less Admin Overhead
Infrastructure security is built on a paradox: to protect your assets, you must create a catastrophic single point of vulnerability—a vault, a Certificate Authority, or a database that holds the keys to everything. The U.S. Treasury Department learned that lesson the hard way when it put its trust in a single vendor last year.
The industry’s answer has always been “a safer box”: bastion hosts, PAM vaults, rotation policies. But a key stored anywhere is a key exposed somewhere. We call this the key‑under‑mat problem.
Our senior dev at Tide, Sasha, spent a few weekends trying a new PAM approach that eliminates both the key and the mat. No key is left to secure or rotate, nothing to steal, and zero admin overhead.
She built and open‑sourced the proof‑of‑concept KeyleSSH, a browser‑based SSH console that replaces the centralized vault with a decentralized secrets manager.
How KeyleSSH Works
KeyleSSH utilizes the Tide Cybersecurity Fabric, a network of nodes (ORKs) that operate on secrets without ever seeing them. This is based on a framework we call “Ineffable Cryptography” – a cryptographic scheme where secrets are never expressed in whole, therefore can never be lost, stolen, or misused.
- The key is never reconstructed, not even in a TEE.
- A signature, decryption, or other key action is mathematically constructed directly from the distributed shares performing partial operations.
Distributed Signing Flow
| Step | Description |
|---|---|
| Authentication | The user performs Zero‑Knowledge authentication via OIDC (via TideCloak IAM), receiving a token bound to their device and session. |
| Request | KeyleSSH constructs a signing request containing the raw SSH challenge bytes and human‑readable metadata. |
| Consensus | The request is sent to the decentralized Fabric. Nodes independently validate the policy (e.g., “Is User A allowed to access Server B?”). |
| Threshold Signing | If the policy passes, nodes generate partial signatures using Tide’s special MPC. These are combined to form a valid Ed25519 signature. |
Key point: The private key is never reassembled. Even if you compromise a single node, you only see mathematical noise. To compromise the key you would need to compromise a majority of nodes simultaneously.
The underlying protocol has been formally analyzed over seven years of academic research. See one of the cryptographic proofs here.
Why This Matters
- Reduced operational complexity – No HSMs, no high‑risk software vaults.
- Zero admin overhead – The SDK abstracts orchestration and key‑lifecycle management into a standard async interface.
- Stronger policy enforcement – Policies can require M‑of‑N signatures from other admins before granting access, making it impossible for a single root admin to bypass controls.
Sample Code
The snippet below replaces the entire “secure vault” backend of a traditional PAM. It lives in client/src/lib/tideSsh.ts.
import { IAMService } from "@tidecloak/js";
import { TideMemory, BaseTideRequest } from "heimdall-tide";
export function createTideSshSigner(): SSHSigner {
return async (req: SSHSignatureRequest) => {
const tc = (IAMService as any)._tc;
// 1. Pack the data (Metadata + SSH Challenge)
const humanReadable = createHumanReadableInfo(req);
const draft = TideMemory.CreateFromArray([humanReadable, req.data]);
// 2. Construct the Request for the Fabric
const tideRequest = new BaseTideRequest(
"BasicCustom", // Protocol
"BasicCustom", // Version
"Policy:1", // The policy contract to execute
draft,
new TideMemory()
);
// 3. Attach Authorizer (the user's doken)
const dokenBytes = new TextEncoder().encode(tc.doken);
tideRequest.addAuthorizer(TideMemory.CreateFromArray([dokenBytes]));
// 4. Execute Distributed Signing
// The SDK handles the communication with the ORK nodes.
const initialized = await tc.createTideRequest(tideRequest.encode());
const sigs = await tc.executeSignRequest(initialized, true);
return sigs[0]; // The valid Ed25519 signature.
};
}This achieves something that previously required expensive hardware modules (HSMs) or high‑risk software vaults: generating a valid signature without the signing key ever being present in memory.
Limitations & Open Issues
| Area | Current Status | Future Work |
|---|---|---|
| Browser Security | The client runs in a browser. We use Subresource Integrity (SRI), but a compromised endpoint device (malware on the admin’s laptop) remains a threat vector. | Explore hardware‑based attestation and secure enclaves on the client side. |
| Centralization of the Testnet | Today the Tide ORK nodes are operated primarily by the Tide test network. | Deploy a fully decentralized mainnet and encourage third‑party node operators. |
| Host Hardening | This solution solves the authentication problem but does not replace OS‑level controls, patching, or network segmentation. | Provide best‑practice guides for integrating KeyleSSH into existing hardening frameworks. |
Closing Thoughts
KeyleSSH demonstrates what’s possible beyond the “trusted vault” era. By pushing state and authority to a decentralized fabric, we eliminate the single point of failure that plagues modern infrastructure. It doesn’t eliminate every security risk, but it dramatically reduces the “central trust” blast radius.
If you’d like to try the PoC or contribute, the repository is available on GitHub here.
# KeylessH
*“at underpins traditional security stacks.”*
**Source Code:** [github.com/sashyo/keylessh](https://github.com/sashyo/keylessh)
**Demo:** [demo.keylessh.com](https://demo.keylessh.com)
**Documentation:** [docs.tidecloak.com](https://docs.tidecloak.com)