KeyleSSH: A PAM With No Single Point of Vulnerability

Most infrastructure security relies on a paradox: to protect your assets, you must create a single point of failure - a vault, a Certificate Authority, or a database that holds the keys to everything. We built a PAM that removes that point of failure entirely.

In December 2024, attackers breached a leading PAM vendor by compromising an API, gaining access to the US Treasury. This is the inevitable risk of any central authority: compromise it, and you own everything it protects.

The alternative is to eliminate the central authority.

KeyleSSH is an open-source, browser-based SSH console that replaces the centralized vault with a decentralized signing network. Private keys doesn't just live in a better hiding spot; they never exist at all.

So, there's nothing to rotate, nothing to secure, and nothing to steal. Superior security, with less management.

The Architecture: Ineffable Cryptography

KeyleSSH utilizes the Tide Cybersecurity Fabric, a network of nodes (ORKs) that operate on secrets without ever seeing them. This is based on a framework we call "Ineffable Cryptography" - secrets that are never expressed in whole, therefore can never be lost, stolen or misused.

Unlike traditional Multi-Party Computation (MPC) where key shares are momentarily combined inside a Trusted Execution Environment (TEE) to perform a cryptographic operation, this protocol is entirely blind from start to end. The key is never reconstructed, not even in a TEE. The signature is mathematically constructed directly from the distributed shares.

Instead of a server holding an SSH private key and signing user requests, the signing operation is distributed:

1. Authentication: The user performs Zero-Knowledge authentication via OIDC (TideCloak), receiving a token bound to their device and session.
2. Request: KeyleSSH constructs a signing request containing the raw SSH challenge bytes and human-readable metadata.
3. Consensus: The request is sent to the decentralized Fabric. Nodes independently validate the policy (e.g., "Is User A allowed to access Server B?").
4. Threshold Signing: If the policy passes, nodes generate partial signatures using MPC. These are combined to form a valid Ed25519 signature.

Crucially, the private key is never reassembled. Even if you compromised a node in the fabric, you would find only mathematical noise. To compromise the key, you would need to compromise a threshold of nodes simultaneously.

The underlying protocol has been formally analyzed over 7 years of academic research. Read one of the cryptographic proofs here.

The Implementation: 30 Lines of Code

Distributed MPC networks are notoriously difficult to implement. They usually require specialized cryptography teams and complex state management.

What makes KeyleSSH interesting is that Sasha, one of our dev leads, built the core proof-of-concept in a few weekends using the TideCloak SDK. The SDK abstracts the complex orchestration of the decentralized network into a standard async interface.

This is the actual code that replaces the entire "secure vault" backend of a traditional PAM:

client/src/lib/tideSsh.ts

import { IAMService } from "@tidecloak/js";
import { TideMemory, BaseTideRequest } from "heimdall-tide";

export function createTideSshSigner(): SSHSigner {
 return async (req: SSHSignatureRequest) => {
   const tc = (IAMService as any)._tc;

   // 1. Pack the data (Metadata + SSH Challenge)
   const humanReadable = createHumanReadableInfo(req);
   const draft = TideMemory.CreateFromArray([humanReadable, req.data]);

   // 2. Construct the Request for the Fabric
   const tideRequest = new BaseTideRequest(
     "BasicCustom", // Protocol
     "BasicCustom<1>",   // Version
     "Policy:1",         // The policy contract to execute
     draft,
     new TideMemory()
   );

   // 3. Attach Authorizer (The user's doken)
   const dokenBytes = new TextEncoder().encode(tc.doken);
   tideRequest.addAuthorizer(TideMemory.CreateFromArray([dokenBytes]));

   // 4. Execute Distributed Signing
   // The SDK handles the communication with the ORK nodes.
   const initialized = await tc.createTideRequest(tideRequest.encode());
   const sigs = await tc.executeSignRequest(initialized, true);

   return sigs[0]; // The valid Ed25519 signature.
 };
}

This snippet achieves something that previously required expensive hardware modules (HSMs) or high-risk software vaults: generating a valid signature without the signing key ever being present in memory.

Quorum Governance as Code

Because the authority over assets is the network, away from the PAM and anyone administering it, we can enforce logic that even a root admin cannot bypass. For example, a policy can require M-of-N signatures from other admins before granting access to a production cluster.

This isn't application-layer logic (which can be patched out by a rogue admin); it is a constraint enforced by the signing network itself. If the quorum isn't met, the mathematical threshold for the signature is never reached.

Current Limitations & Alpha Status

While the architectural model offers significant advantages over centralized PAMs, KeyleSSH is currently a proof-of-concept.

• Browser Security: The client is still a browser. While we use Subresource Integrity (SRI), a compromised endpoint device (malware on the admin's laptop) remains a threat vector.
• Centralization of the Testnet: Currently, the Tide ORK nodes are operated by the Tide test network. We are working toward a fully decentralized mainnet, but today, trust is still placed in the Tide infrastructure providers.
• Host Hardening: As with any PAM, this solution solves the authentication problem. It does not replace the need for standard OS-level controls, patching, or network segmentation.

Summary

KeyleSSH demonstrates that we can move beyond the "Vault" era of security. By pushing state and authority to a decentralized fabric, we eliminate the Single Point of Failure that plagues modern infrastructure. And thanks to modern abstractions, implementing this architecture no longer requires a PhD in cryptography.

Links

Source Code: github.com/sashyo/keylessh
Live Demo: demo.keylessh.com
TideCloak SDK: docs.tidecloak.com