I have maybe a dozen machines I need to connect to on a regular basis and rather than configuring a bunch of sessions in something like Remmina I’ve found KeepassXC can do everything I need to both manage keys and make it easy to launch sessions attaching to those hosts.

Basic key management with KeepassXC is pretty straight forward:

  1. Create an entry in KeepassXC for the host.
  2. Fire up ssh-keygen and generate a new private key for the target host using a randomly generated, secure password1.
  3. Add the new key as a file attachment to the Keepass entry.
  4. Set the ssh key for the Keepass entry to the attached file.
  5. Set the password for the entry to the password for the key.
  6. Set the URL for the entry to ssh://[user]@[host][:optional port].

KeepassXC comes with built in ssh agent integration, so you can select an entry and press C-h to add the key to the agent. At this point you could just fire up a terminal and ssh to the host manually.

However, KeepassXC also lets you press C-S-u to open the configured URL for the entry using xdg-open. The trouble is, by default, “ssh://” URLs don’t do anything. However, this is solvable with just a little bit of work.

Now, in my case, this is where jaro comes in.

Jaro is a highly flexible resource opener. You call it with a resource (e.g. a file name, URL, etc), and it’ll look into its list of configured associations and take some action.

In my case I set up a couple of associations as follows:

  #:pattern "^ssh://((.*@)?(.*?)):([0-9]+)$"
  #:program "/path/to/kitty -o term=\"xterm-256color\" -o shell=\"/usr/bin/ssh -p %4 %1\"")
  #:pattern "^ssh://((.*@)?(.*?))$"
  #:program "/path/to/kitty -o term=\"xterm-256color\" -o shell=\"/usr/bin/ssh %1\"")

The first pattern matches ssh URLs that include a port, and the second matches URLs without one. The rules then fire up kitty with ssh as the shell connecting to the desired host and port.

Next, we create a jaro.desktop file:

[Desktop Entry]
GenericName=URL opener
Exec=jaro %U

And drop it into .local/share/applications.

Finally, we add the following line to .config/mimeapps.list:


Now, upon pressing C-S-u, KeepassXC will use xdg-open to open the configured ssh:// URL, which, based on mimeapps.list launches jaro, which then consults the configured associations and fires up ssh in my preferred terminal.

I know this all sounds like a bit much, but I cannot tell you how incredibly convenient this is! Connecting to one of the many machines I admin is now a simple matter of opening KeepassXC, searching for the host name, selecting it and pressing C-h, C-S-u. Super handy!

  1. And don’t forget to use a good, strong cipher. I’ve personally moved all my hosts to ed25519 ECC keys.