SSH Key Management

See who can log in. Revoke in one click.

Every authorized key on your Linux server, in a table you can actually read - with least-privilege roles you create yourself. No vim authorized_keys, no agent, no bastion.

How It Works

How it works

Step 01 - You

See.

Open the SSH Management tab. Every key in the server’s authorized_keys becomes a row: who it belongs to, whether it is Ed25519 or RSA, and which system user it can log in as.

Step 02 - You

Scope.

Create a system user with exactly the rights you want - read/write, or read-only - then target a key at it. Nobody gets root just because root was easier.

Step 03 - You

Revoke.

Click the trash icon, confirm, done. The key is gone from authorized_keys and that person cannot log in again. No SSH session, no vim, no second-guessing.

The Opaque File

You can't govern what you can't read.

Access to your server lives in one file: ~/.ssh/authorized_keys. Six lines of base64 that look identical to each other. Nothing in it tells you who someone is, what they can do, or whether they still work here.

Thencat authorized_keys, squint, guess. Per server.
ThenEveryone gets root, because least privilege was too much work.
NowEvery key becomes a row: a name, an algorithm, an access level.

The stale root key was always there. You just couldn't see it.

Try It Here

Go on, take the keys.

This is the real Registry Governance table running on demo data. Filter it by system user, reveal a key, spin up a read-only role, hand it a key, and revoke the contractor who never gave his laptop back.

ctrlops - ssh management · root@prod-web
6Total
Registry
3Secure
ED25519
3Standard
RSA
0General
Access
Registry Governance
Authorized keys management system
contractor@old-laptop
RSArootubuntu
daxesh@ctrlops.io
ED25519root
hiren@macmini
• Current session
ED25519rootubuntu
nikita@thinkpad
ED25519root
ci-bot@github-actions
RSAubuntu
intern@macbook-air
RSAubuntu
Demo data - nothing here touches a real server.
Least Privilege

Not everyone needs root.

Most teams hand out root because setting up anything else means useradd, visudo, chmod and a prayer. CtrlOps makes the safe option the easy one - pick a level, name the user, done.

rootSUDO

The one or two people who genuinely need full admin.

YesRead
YesWrite
YesDelete
YesSudo
ubuntuSTANDARD

Your engineers. Everything except sudo.

YesRead
YesWrite
YesDelete
NoSudo
deployREAD/WRITEYou create this

A teammate who ships but should never rm -rf anything.

YesRead
YesWrite
NoDelete
NoSudo
auditorREAD-ONLYYou create this

Contractors, auditors, the junior on day one.

YesRead
NoWrite
NoDelete
NoSudo

A key is authorized against one system user, so the level you pick is the access the key holder gets. Give the auditor read-only, give the contractor read/write, and keep root for the people who genuinely need it.

From real users

Access control, off the to-do list.

What people say once who-can-log-in stops being a question only one person on the team can answer.

Product Hunt

HR person commenting on a server tool, I know. But whenever someone leaves the team, we need their server access gone immediately. Before this it was a whole back and forth with tech. Now I check SSH management myself and flag it in 2 minutes. Offboarding got so much easier, honestly.

C
Chandni
Product Hunt

100% local and credentials never leave your machine positioning is doing a lot of trust work here and it's the right call.

Product Hunt

the fact that i dont need to install any agent on my servers sold me immediately. got it running on our staging env and already caught 2 issues before they became outages. will be moving prod over soon

SV
Srushti Vasani
x.com

SSH into 10 servers, debug a crash, and deploy a fix - all without leaving one app? CtrlOps is a local-first desktop DevOps tool that translates plain English into bash, manages fleets, and keeps your credentials 100% on-device.

E
EveryDev.ai
Product Hunt

finally something that replaces my mess of ssh tabs and random bash scripts. the playbook feature is underrated, set up my common fixes once and now its just one click. great launch guys..

PV
Prakash Vasani
G2

The AI Terminal with an Approval Gate: being able to ask for a fix in plain English is great, but the fact that it shows you the command and asks for approval before running it on live infrastructure is a massive safety net.

G2

I use CtrlOps to manage multiple servers with ease. Its GUI-based file manager saves me a lot of time, and the AI terminal helps me troubleshoot server issues quickly.

JC
Jeel C.
DevOps Engineer
No middleman

No bastion. No lock-in.

Other tools answer 'who can log in?' by putting themselves between you and your server. CtrlOps answers it by writing the file your server already reads - and then getting out of the way.

your machineCtrlOps.appprivate keys stay hereAES-256 at restyour serverprod-web~/.ssh/authorized_keysplain OpenSSHSSH · public keys onlythe same file you would edit by handbastion / proxynot in the pathhosted key vaultnothing to trust

It's just authorized_keys

CtrlOps writes the same standard OpenSSH file your server already reads. No proprietary format, no sidecar database, no lock-in. Uninstall CtrlOps tomorrow and every key you added still works.

Nothing sits in the connection path

We are not a bastion or a proxy. Your SSH goes straight from your machine to your server. If CtrlOps is down - or you cancel - nobody is renting you access to your own boxes.

What it needs, and what it will not do

It needs root or passwordless sudo, because writing authorized_keys does. And revoking blocks new logins - a session already open stays open until it ends. We would rather say so than surprise you.

SSH access FAQ

Questions before you hand out a key.

An SSH key manager is a tool that gives you a visual interface to add, revoke, and govern SSH authorized keys on your servers - instead of manually editing authorized_keys files via the terminal. CtrlOps shows every authorized key per server in a visual registry with key type, identity, and role assignment.
Open CtrlOps, click your server, and go to the SSH Management tab. Every key in the server’s ~/.ssh/authorized_keys is listed as a row in the Registry Governance table: the key’s name or comment, whether it is Ed25519 or RSA, the key string itself, and which system user it can log in as. Counters at the top show the total and how many are on each algorithm. No cat, no grep, no squinting at base64.
Create a system user with the access level you want, then authorize their key against it. In the Active System User dropdown, click + Create User, name it (for example auditor), and pick Read / Write Access or Read Only Access. Read/write can read and work on the server but cannot delete. Read-only can look and nothing else. Then use Add Key, set the Target System User to your new role, and paste their public key. The level you picked is exactly the access the key holder gets.
Find their key in the registry and click the red trash icon. A confirmation appears - "Revoke Key Access?" - and once you confirm, the key is removed from the server 's authorized_keys file immediately. That person can no longer log in. It is one click, and you never open a terminal. That covers one server; to take someone off every server at once, use Access Management.
No, and we would rather say so. Revoking blocks all new logins instantly, but an SSH session that is already open stays open until it ends. If you are offboarding someone who may be connected right now, revoke the key and then end their session - the AI Terminal can list and kill it for you.
No. Only the public half of a key pair is ever written to a server - that is the file ending in .pub, and it is the only thing the Add Key form accepts. Your private keys stay on your own machine, encrypted at rest, and are never uploaded to CtrlOps or any third party. There is no cloud copy of your registry to breach.
No. There is no agent, daemon or exporter. CtrlOps edits the same ~/.ssh/authorized_keys file your server already reads, over your own SSH connection. It does need to log in as root, or as a user with passwordless sudo, because writing that file requires it - if the tab says "Access Denied" or "Sudo Password Required", that is what it is telling you.
You lock yourself out, so CtrlOps warns you before you do it. The key you are connected with is marked CURRENT SESSION in the registry, and revoking it raises an explicit lockout warning. The safe habit: add and test the new key in a fresh connection first, then revoke the old one.
Those tools answer "who can log in?" by putting themselves in the path - a proxy your traffic has to cross, or a vault that holds your keys for you. CtrlOps never enters the path. It writes plain OpenSSH authorized_keys and gets out of the way, so your SSH works whether or not CtrlOps is running, and uninstalling it leaves every key you added still working. You get the visibility without handing anyone the keys to your own servers.
Get started

Find out who can log in to prod.

Every authorized key on every server, in one readable table - with least-privilege roles and one-click revoke. 1-month free trial, no credit card.

Start instantly· No credit card· No sneaky autorenewals