Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/jossephus/chuchu/llms.txt

Use this file to discover all available pages before exploring further.

Chuchu provides three layers of security to protect your SSH sessions: an app lock that requires biometric or PIN verification before the app opens, a per-connection auth prompt that gates each new SSH connection, and host key fingerprint verification that detects unexpected server changes.

App lock

When app lock is enabled, Chuchu displays a biometric prompt every time you open the app. No server list, credentials, or terminal content is shown until you authenticate successfully. App lock uses the Android BiometricPrompt API, which supports any screen-unlock method you have configured on your device — fingerprint, face recognition, or device PIN/pattern.

Enable app lock

1

Open Settings

Tap the settings icon to open Settings, then select General.
2

Toggle lock app on open

Enable the lock app on open toggle.
3

Verify the next time you open Chuchu

Close the app. The next time you open it, you will be prompted to authenticate with your biometric or device PIN before the app content is shown.

Per-connection authentication

The verify before server connect setting adds a second authentication prompt specifically before each SSH connection is established. This means that even if someone has access to your unlocked device, they cannot initiate an SSH session without your biometric or PIN.

Enable per-connection auth

1

Open Settings

Tap the settings icon to open Settings, then select General.
2

Toggle verify before server connect

Enable the verify before server connect toggle.
3

Connect to a server

Tap a server to connect. Chuchu will prompt you to authenticate before the SSH connection starts.

Host key verification

Every SSH server has a cryptographic host key that uniquely identifies it. Chuchu uses a trust-on-first-use (TOFU) model: the first time you connect to a server, it shows you the server’s SHA-256 fingerprint and asks you to accept or reject it. If you accept, the fingerprint is stored alongside the host address, port, and key algorithm. On every subsequent connection to that server, Chuchu automatically verifies the fingerprint against the stored value. If they match, the connection proceeds without any prompt.

What to do if the fingerprint changes

If the host key fingerprint changes unexpectedly — meaning a key you previously accepted no longer matches — Chuchu shows a dialog with both the old and new fingerprints and a warning that the host key has changed.
If a host key fingerprint changes unexpectedly, reject the connection and verify with your server administrator. An unexpected change can indicate that the server was re-provisioned, or it may be a sign of a man-in-the-middle attack.
A fingerprint change is normal in these situations:
  • The server was rebuilt or reprovisioned and a new host key was generated.
  • The server’s SSH daemon was reconfigured to use a different key algorithm.
If you confirm with your server administrator that the change is legitimate, tap Accept to update the stored fingerprint. Tap Reject to cancel the connection and keep the previously stored fingerprint unchanged.

Supported key algorithms

Chuchu records the host key algorithm alongside the fingerprint, so a server presenting keys of different algorithms (for example, both RSA and ED25519) stores a separate record for each.

Build docs developers (and LLMs) love

Get started for freeTalk to us