SSH Servers

SSH mode gives Reoclo direct command execution on your target host. During server creation, you provide a private key that is immediately encrypted at rest using envelope encryption before storage. The worker decrypts the key only when executing deployment or health-check tasks.

Reoclo applies Trust On First Use (TOFU) for host identity. On first successful connection, the server’s host key fingerprint is recorded. On subsequent sessions, the fingerprint must match; if it changes unexpectedly, the connection is aborted and flagged as a host key change event to reduce MITM risk.
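
The pin-then-compare flow described above, as an added example that is not Reoclo's own code. The in-memory `pins` dict, the function names, the hostname and the two sample keys are assumptions made for illustration; fingerprints use the OpenSSH SHA256 format.

```python
import base64
import hashlib
import hmac
import struct


class HostKeyChanged(Exception):
    """Presented host key differs from the fingerprint pinned on first use."""


def ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob: bytes) -> str:
    # OpenSSH-style fingerprint: SHA-256 of the raw public key blob,
    # base64-encoded with the trailing '=' padding removed.
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def tofu_check(pins: dict, host: str, key_blob: bytes) -> str:
    """Pin on first use; afterwards require an exact match or abort."""
    presented = fingerprint(key_blob)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = presented  # first successful connection
        return "pinned"
    if hmac.compare_digest(pinned, presented):
        return "match"
    # Never overwrite the pin here: re-trusting is an explicit operator action.
    raise HostKeyChanged(f"{host}: pinned {pinned}, presented {presented}")


# Constructed sample keys (not real host keys): ssh-ed25519 blobs with dummy bytes.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))

if __name__ == "__main__":
    pins = {}
    print(tofu_check(pins, "app1.example.internal", KEY_A))
    print(tofu_check(pins, "app1.example.internal", KEY_A))
    try:
        tofu_check(pins, "app1.example.internal", KEY_B)
    except HostKeyChanged as exc:
        print("aborted:", exc)
```

TOFU does not authenticate the first connection, so compare the pinned value against the output of `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the host itself (the default OpenSSH path, assumed here).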

Use SSH when your infrastructure policy allows controlled inbound administration and you want minimal moving parts. Keep keys scoped per server, rotate keys on your own schedule, and ensure required tooling (git, docker, curl) is available on the target for successful pipeline execution.