Docs / Getting Started

Glossary

A plain-language reference to the terms you'll meet across NetShell — defined in order, from the protocols you connect with to the keys and safeguards that protect you.

NetShell is a free SSH client for iPhone, iPad & Mac (iOS/iPadOS 17+, and Mac), with no subscription and no telemetry by default. Whether you're new to remote administration or just want a quick refresher, this glossary explains every concept the app relies on. Each entry links to a fuller guide where one exists.

Protocols & connections

  • SSH (Secure Shell) — the encrypted protocol for logging into and running commands on a remote server. It gives you a text terminal where everything you type and everything the server sends back is encrypted in transit. This is NetShell's core: full SSH with multiple simultaneous sessions. See Terminal basics.
  • SFTP (SSH File Transfer Protocol) — file transfer carried over the same secure SSH channel. Use it to browse, upload, download, rename and delete files on a server with a graphical file browser. See SFTP browser.
  • SMB (Server Message Block) — the file-sharing protocol used by Windows shares and NAS devices. NetShell can mount and browse SMB/CIFS shares on your network. See SMB shares.

Hosts & trust

  • Host — the server you're connecting to, identified by an address (like 192.168.1.20 or myserver.com) and a port (usually 22 for SSH).
  • Host key — a unique cryptographic fingerprint a server presents to prove it really is the server you meant to reach. It's how SSH protects you from an imposter sitting in the middle of your connection.
  • Known hosts — the list of host keys you've already seen and approved. On every connection NetShell checks the server's key against this list. In NetShell these known-host keys are stored device-local and deliberately do not sync to your other devices, so trust is decided fresh per device.

TOFU & fail-closed

  • TOFU (Trust On First Use) — the first time you connect to a server, NetShell shows you its host key and asks you to approve it. Once approved, that key is remembered, and any future mismatch is treated as a warning that something has changed.
  • Fail-closed — NetShell verifies the host key at handshake time, before any secret is sent. If the host is unknown or its key has changed and you haven't approved it, the connection stops and your credentials are never transmitted. The safe default is to refuse, not to silently continue. See Host verification.
Tip. A sudden "host key changed" warning usually means the server was rebuilt or reinstalled — but it can also mean an attack. If you're not sure why the key changed, stop and confirm with whoever runs the server before approving it.

Jump hosts & multi-hop

  • Jump host (bastion) — an intermediate server you must connect through to reach a target that isn't directly reachable from the internet. The jump host is the only machine exposed; everything behind it stays private.
  • Multi-hop — chaining one or more jump hosts so a single connection tunnels from your device, through the bastion(s), to the final server. NetShell handles the whole chain for you, verifying the host key of each hop. See Jump hosts.

Port forwarding

Port forwarding tunnels network traffic securely through your SSH connection. There are three kinds:

  • Local forwarding — maps a port on your device to a service reachable from the server. Open a remote database or web admin page in a local app as if it were running on your phone.
  • Remote forwarding — maps a port on the server back to a service on your device, so the remote machine can reach something running locally.
  • Dynamic forwarding — turns the SSH connection into a SOCKS proxy, letting many apps route their traffic through the server without configuring each one. See Port forwarding.

Keys & authentication

  • SSH key pair — a private key (kept secret on your device) and a public key (placed on the server). The server lets you in if you can prove you hold the matching private key. Keys are stronger than passwords and can't be guessed. See SSH keys.
  • ed25519 — a modern elliptic-curve key type: short, fast and very strong. It's the recommended default for new keys.
  • RSA — an older, widely-compatible key type. NetShell generates RSA keys too, useful when a server is too old to accept ed25519. Both ed25519 and RSA keys can be generated on-device or imported from OpenSSH format (encrypted ed25519/RSA supported).
  • Passphrase — an optional password that encrypts a private key itself, so a stolen key file is useless without it. NetShell can store the passphrase for you so you don't retype it every time.

Where secrets live

  • Keychain — Apple's hardware-backed iOS Keychain, where NetShell stores your private keys, passphrases and passwords. Access is protected by Face ID, and the app auto-relocks behind Face ID after it has been idle. See Face ID lock.
  • iCloud Keychain — Apple's end-to-end encrypted sync for Keychain items. Your private keys and passphrases sync only across your own devices this way — never through a NetShell server. Host (known-hosts) keys stay device-local and do not sync. See Key sync.

Snippets & sequences

  • Snippet — a saved command (or short script) you can run with a tap instead of typing it out. Handy for status checks, service restarts and other commands you reach for often.
  • Sequence — an ordered list of snippets that run one after another, automating a small multi-step routine across a session. See Snippets.
Tip. NetShell's destructive-command guard watches for dangerous lines — rm -rf, DROP/TRUNCATE TABLE, git push --force, git reset --hard, shutdown/reboot, kubectl delete namespace, helm uninstall, pipe-to-bash and more — and intercepts them before they reach the server. See Command guard.

Quick reference

SSH      remote shell, encrypted        port 22
SFTP     file transfer over SSH
SMB      Windows / NAS file shares
TOFU     approve a host key on first use
ed25519  modern key — recommended default
RSA      older key — maximum compatibility
Next
Quickstart → Related
Host verification →