Version 0.17.9 | GTK4/libadwaita Connection Manager for Linux
RustConn is a modern connection manager designed for Linux with Wayland-first approach. It supports SSH, RDP, VNC, SPICE, MOSH, SFTP, Telnet, Serial, Kubernetes, Web protocols and Zero Trust integrations through a native GTK4/libadwaita interface.
- Getting Started
- Main Interface
- Connections
- Protocols
- Sessions & Terminal
- Organization
- Productivity Tools
- Settings
- Import, Export & Migration
- Cloud Sync
- Security
- Troubleshooting & FAQ
- Keyboard Shortcuts
- CLI Reference
- Install RustConn (see INSTALL.md)
- Launch from application menu or run
rustconn - Create your first connection with Ctrl+N
- Double-click to connect
- Press Ctrl+N or click + in header bar — the Connection Wizard opens
- Select a protocol (SSH, RDP, VNC, SPICE, MOSH, SFTP, Telnet, Serial, Kubernetes, Zero Trust, Web)
- Enter host and connection details
- Configure authentication (password, SSH key, or SSH Agent) and terminal theme
- Click Save & Connect
- For advanced options, click Advanced… at any step to open the full connection editor
┌─────────────────────────────────────────────────────────────┐
│ Header Bar: Menu | Search | + | Quick Connect | Split │
├──────────────────┬──────────────────────────────────────────┤
│ │ │
│ Sidebar │ Session Area │
│ │ │
│ ▼ Production │ ┌─────┬─────┬─────┐ │
│ ├─ Web-01 │ │ Tab1│ Tab2│ Tab3│ │
│ ├─ Web-02 │ └─────┴─────┴─────┘ │
│ └─ DB-01 │ │
│ ▼ Development │ Terminal / Embedded RDP / VNC │
│ └─ Dev-VM │ │
│ │ │
├──────────────────┤ │
│ Toolbar: 🗑️ 📁 ⚙️ │ │
└──────────────────┴──────────────────────────────────────────┘
- Header Bar — Application menu, search, action buttons
- Sidebar — Connection tree with groups (alphabetically sorted, collapsible via F9 or on narrow windows)
- Sidebar Toolbar — Delete, Add Group, Group Operations, Sort, Import, Export, KeePass status
- Session Area — Active sessions in tabs
- Toast Overlay — Non-blocking notifications
Filter connections by protocol using the filter bar below search:
- Click protocol buttons (SSH, RDP, VNC, SPICE, Telnet, K8s, ZeroTrust)
- Multiple protocols can be selected (OR logic)
- Clear search field to reset filters
Shows integration status in sidebar toolbar:
- Highlighted — Password manager enabled and configured
- Dimmed — Disabled or not configured
- Click to open appropriate password manager:
- KeePassXC/GNOME Secrets for KeePassXC backend (in Flatpak, launches KeePassXC on the host via
flatpak-spawn) - Seahorse/GNOME Settings for libsecret backend
- Bitwarden web vault for Bitwarden backend
- 1Password app for 1Password backend
- KeePassXC/GNOME Secrets for KeePassXC backend (in Flatpak, launches KeePassXC on the host via
The Connection Wizard provides a streamlined 3-step flow for creating connections:
Step 1 — Protocol Selection: Protocols are displayed in a grouped FlowBox layout that wraps adaptively on narrow windows:
- Secure Shell: SSH, MOSH, SFTP
- Remote Desktop: RDP, VNC, SPICE
- Terminal: Telnet, Serial, Custom Command
- Other: Kubernetes, Zero Trust, Web
Step 2 — Connection Details: Adaptive form based on the selected protocol:
- Host, Port, Username (for network protocols)
- Jump Host dropdown for SSH tunneling (SSH, MOSH, SFTP, RDP, VNC, SPICE)
- Device and Baud Rate (Serial)
- Context, Namespace, Pod, Container (Kubernetes)
- Provider-specific fields (Zero Trust)
- URL (Web)
Step 3 — Authentication & Finish:
- Authentication method: Password, Key File, or SSH Agent (SSH family)
- Password only (RDP, VNC, SPICE)
- Terminal theme selector for VTE-based protocols
- Custom icon (emoji or icon name)
- Save or Save & Connect buttons
Click Advanced… at any step to open the full connection editor with all entered data pre-filled.
The full editor provides access to all connection options:Basic Tab:
- Name, Host, Port
- Protocol selection
- Parent group
- Tags
Authentication Tab:
- Username
- Password source selection:
- Prompt — Ask for password on each connection
- Vault — Store/retrieve from configured secret backend (KeePassXC, libsecret, Bitwarden, 1Password, Passbolt)
- Variable — Read credentials from a named secret global variable
- Inherit — Use credentials from parent group
- Script — Resolve password from an external command (see Script Credentials)
- None — No password (key-based auth)
- SSH key selection
- Key passphrase
Security Key / FIDO2 Authentication (SSH):
SSH connections support hardware security keys (YubiKey, SoloKey, etc.) via the security-key auth method. Requirements:
- OpenSSH 8.2+ on both client and server
libfido2installed on the client (sudo apt install libfido2-1)- An
ed25519-skorecdsa-skkey generated withssh-keygen -t ed25519-sk - The key file path configured in the connection's SSH key field
PKCS#11 / Smart-Card Authentication (SSH):
For hardware tokens that expose keys through a PKCS#11 library (YubiKey PIV, OpenSC smart cards, etc.), set the PKCS#11 Provider field in the connection editor (SSH options → Session group) to the path of the provider library, for example /usr/lib64/libykcs11.so.2. RustConn maps this to ssh -o PKCS11Provider=<path>, so the token's keys are offered automatically without loading them into the SSH agent first.
- Works alongside any auth method — the provider simply offers the token's keys.
- The PIN/touch prompt appears directly in the session terminal.
IdentitiesOnlyis not forced, so the token keys are always offered. Leave the field empty (or setnone) to disable it, including an inherited provider.- The directive is imported automatically from
~/.ssh/config(PKCS11Provider …).
Through a jump host: OpenSSH does not pass
-o PKCS11ProvidertoProxyJumpchild connections. To authenticate the bastion itself with the token, enable the PKCS#11 Provider field on the jump-host connection — RustConn injects it into the first hop'sProxyCommandfor terminal SSH and for RDP/VNC/SPICE tunnels. With a jump host the token may prompt once per hop, because each hop is a separate SSH process.
Advanced Tabs:
- Advanced — Window mode (Embedded/External/Fullscreen), remember window position, hide local cursor (embedded RDP/VNC/SPICE), Wake-on-LAN configuration (MAC address, broadcast, port, wait time), monitoring override (enable/disable per connection, overrides global setting)
- Automation — Expect rules for auto-responding to terminal patterns, pattern tester with built-in templates (Sudo, SSH Host Key, Login, etc.), pre-connect task, post-disconnect task (with conditions: first/last connection only)
- Data — Local variables (connection-scoped, override global variables), custom properties (Text/URL/Protected metadata)
- Logging — Session logging (enable/disable, log path template with variables, timestamp format, max file size, retention days, granular content options: log activity, log input, log output, add timestamps)
Expect rules automate interactive prompts during connection. Each rule matches a pattern in terminal output and sends a response.
Configure Expect Rules:
- Edit connection → Automation tab
- Click Add Rule
- Enter pattern (text or regex) and response
- Set priority (lower number = higher priority)
- Use the Test button to verify pattern matching
Tip: You can also configure Expect Rules at the group level (Edit Group → Automation tab). Connections with empty automation config automatically inherit rules from their parent group chain. See Group Automation for details.
Examples:
| Pattern | Response | Use Case |
|---|---|---|
password: |
${password} |
Auto-login with vault password |
\[sudo\] password |
${password} |
Sudo password prompt |
Are you sure.*continue |
yes |
SSH host key confirmation |
Select option: |
2 |
Menu navigation |
Enter token: |
${MFA_TOKEN} |
Use a global variable for MFA |
Rules execute in priority order. After matching, the response is sent followed by Enter.
Variable Substitution in Responses:
Expect rule responses support ${VARIABLE_NAME} placeholders that are resolved at connection time using Global Variables. This lets you use dynamic values (passwords, tokens, environment-specific strings) without hardcoding them into rules.
${password}— resolves to the connection's password from the configured secret backend${MY_VARIABLE}— resolves to the value of the global variableMY_VARIABLE(defined in Menu → Tools → Variables)- Undefined variables remain as literal text (e.g.,
${UNKNOWN}is sent as-is) - If substitution fails, the raw response text is used as a fallback (with a warning in the log)
Example — multi-step login with variables:
| Pattern | Response | Description |
|---|---|---|
Username: |
${PROD_USER} |
Global variable with username |
Password: |
${password} |
Password from vault |
Verification code: |
${OTP_CODE} |
Global variable (set before connecting) |
Select environment |
production |
Static text, no variable needed |
Run commands automatically before connecting or after disconnecting.
Configure Tasks:
- Edit connection → Tasks tab
- Add a Pre-connect task (runs before the connection is established)
- Add a Post-disconnect task (runs after the session ends)
- Set the command and optional working directory
Examples:
- Pre-connect:
nmcli con up VPN-Work(connect VPN before SSH) - Pre-connect:
ssh-add ~/.ssh/special_key(load a specific key) - Post-disconnect:
nmcli con down VPN-Work(disconnect VPN after session) - Post-disconnect:
notify-send "Session ended"(desktop notification)
Add arbitrary key-value metadata to connections for organization and scripting.
- Edit connection → Advanced tab → Custom Properties section
- Click Add Property
- Enter key and value (e.g.,
environment=production,team=backend) - Properties are searchable and visible in connection details
Resolve passwords dynamically by running an external script or command. The script's stdout is used as the password. This is useful for integrating with custom secret management tools, HashiCorp Vault, or any command-line credential source.
Configure:
- Edit connection → Authentication tab
- Set Password Source to Script
- Enter the command in the script field (e.g.,
vault kv get -field=password secret/myserver) - Click Test to verify the script returns a password
- Save
Behavior:
- The command is parsed via
shell-words(supports quoting and escaping) - Executed without a shell (direct process spawn) for security
- 30-second timeout — if the script doesn't complete, the connection fails with an error
- stdout is trimmed and stored as
SecretString(zeroed on drop) - Non-zero exit code → error with stderr message
Examples:
# HashiCorp Vault
vault kv get -field=password secret/servers/web-01
# AWS Secrets Manager
aws secretsmanager get-secret-value --secret-id myserver --query SecretString --output text
# Custom script
/usr/local/bin/get-password.sh web-01
# Pass (passwordstore.org)
pass show servers/web-01Temporary connection without saving:
- Supports SSH, RDP, VNC, Telnet
- Optional template selection for pre-filling
- Password field for RDP/VNC
- Runtime history — last 15 Quick Connect sessions are remembered during the app lifetime (not persisted to disk); shown as a "Recent" section with type-ahead filtering by host/username; clicking an entry fills protocol, host, port, and username fields instantly
| Action | Method |
|---|---|
| Connect | Double-click, Enter, or right-click → Connect |
| Edit | Ctrl+E or right-click → Edit |
| Rename | F2 or right-click → Rename |
| Duplicate | Ctrl+D or right-click → Duplicate |
| Copy/Paste | Ctrl+C / Ctrl+V (sidebar focus) or Menu → Copy/Paste Connection |
| Delete | Delete key or right-click → Delete (moves to Trash) |
| Move to Group | Drag-drop or right-click → Move to Group |
| Run Snippet | Right-click → Run Snippet... (sends snippet to active session) |
| Start/Stop Recording | Right-click connected session → Start/Stop Recording |
Opening the context menu: Besides right-click, the context menu for the selected row can be opened with the Menu key or Shift+F10 (standard GNOME keyboard access, anchored to the selected row), or via a touch long-press on touchscreens. The menu supports Up/Down (with wrap-around) plus Home/End navigation and is announced to screen readers.
Deleted items are moved to Trash and can be restored:
- After deleting, an "Undo" notification appears
- Click "Undo" to restore the deleted item
- Trash is persisted across sessions for recovery
In connection dialog, click Test to verify connectivity before saving.
For RDP, VNC, and SPICE connections, RustConn performs a fast TCP port check before connecting:
- Provides faster feedback (2-3s vs 30-60s timeout) when hosts are unreachable
- Configurable globally in Settings → Connection page
- Per-connection "Skip port check" option for special cases (firewalls, port knocking, VPN)
Right-click a connection in the sidebar → Copy Username or Copy Password.
- Copy Username copies the username from cached credentials (resolved during a previous connection) or falls back to the username stored on the connection model
- Copy Password copies the password from cached credentials; you must connect at least once so credentials are resolved and cached
- Password is auto-cleared from clipboard after 30 seconds (only if the clipboard still contains the copied password)
- Toast notifications confirm the action or explain why it failed
Right-click a connection → Check if Online to probe whether the host is reachable.
- Starts an async TCP port probe (polls every 5s for up to 2 minutes)
- If the host comes online within the timeout, RustConn auto-connects
- Toast notifications show progress and result
Right-click a group in the sidebar → Connect All to open all connections in that group (including nested subgroups) simultaneously.
When an SSH session disconnects unexpectedly (server reboot, network failure), RustConn automatically starts polling the host (every 5s for up to 5 minutes) and reconnects when the server comes back online. The reconnect banner is still shown for manual reconnect if auto-reconnect times out.
Protocol-specific options are configured in the connection dialog's protocol tab. This section covers each protocol's unique features and settings.
Protocol Options Summary:
| Protocol | Options |
|---|---|
| SSH | Auth method (password, publickey, keyboard-interactive, agent, security-key/FIDO2), key source (default/file/agent), PKCS#11 provider (hardware token/smart card), proxy jump (Jump Host), ProxyJump, IdentitiesOnly, ControlMaster, agent forwarding, Waypipe (Wayland forwarding), X11 forwarding, compression, startup command, verbose mode, custom SSH options, port forwarding (local/remote/dynamic) |
| RDP | Client mode (embedded/external), performance mode (quality/balanced/speed), resolution, color depth, display scale override, audio redirection, RDP gateway (host, port, username), keyboard layout, disable NLA, clipboard sharing, shared folders, mouse jiggler (prevent idle disconnect, configurable interval 10–600s), autotype (send text as keystrokes, configurable inter-character and initial delay), custom FreeRDP arguments |
| VNC | Client mode (embedded/external), performance mode (quality/balanced/speed), encoding (Auto/Tight/ZRLE/Hextile/Raw/CopyRect), compression level, quality level, display scale override, view-only mode, scaling, clipboard sharing, custom arguments |
| SPICE | TLS encryption, CA certificate (with inline validation), skip certificate verification, USB redirection, clipboard sharing, image compression (Auto/Off/GLZ/LZ/QUIC), proxy URL, shared folders |
| MOSH | Predict mode (Adaptive/Always/Never), SSH port, UDP port range, server binary path, custom arguments |
| Telnet | Custom arguments, backspace key behavior, delete key behavior |
| Serial | Device path, baud rate, data bits, stop bits, parity, flow control, custom picocom arguments |
| Kubernetes | Kubeconfig path, context, namespace, pod, container, shell, busybox mode, busybox image, custom kubectl arguments |
| ZeroTrust | Provider-specific (AWS SSM, GCP IAP, Azure Bastion, Azure SSH, OCI Bastion, Cloudflare Access, Teleport, Tailscale SSH, HashiCorp Boundary, Hoop.dev, Generic Command), custom CLI arguments |
| Web | URL (opens in system browser), credentials for copy-to-clipboard |
Forward TCP ports through SSH tunnels. Three modes are supported:
| Mode | SSH Flag | Description |
|---|---|---|
Local (-L) |
-L local_port:remote_host:remote_port |
Forward a local port to a remote destination through the tunnel |
Remote (-R) |
-R remote_port:local_host:local_port |
Forward a remote port back to a local destination |
Dynamic (-D) |
-D local_port |
SOCKS proxy on a local port |
Configure Port Forwarding:
- Edit an SSH connection → Protocol tab
- Scroll to Port Forwarding section
- Select direction (Local, Remote, Dynamic)
- Enter local port, remote host, and remote port (remote host/port hidden for Dynamic)
- Click Add Forward
- Add multiple rules as needed
- Click Save
Examples:
- Local: forward local port 8080 to remote
db-server:5432→ access the database atlocalhost:8080 - Remote: expose local port 3000 on the remote server's port 9000
- Dynamic: create a SOCKS proxy on local port 1080
Import Support: Port forwarding rules are automatically imported from:
- SSH config (
LocalForward,RemoteForward,DynamicForwarddirectives) - Remmina SSH profiles
- Asbru-CM configurations
- MobaXterm sessions
The SSH tab in the connection dialog contains session-level toggles that control how the SSH connection behaves. These are in the Session options group.
| Option | SSH Flag | Description |
|---|---|---|
| Agent Forwarding | -A |
Forward your local SSH agent to the remote host, allowing key-based authentication to further servers without copying keys |
| X11 Forwarding | -X |
Forward X11 display to your local machine — run graphical X11 apps on the remote host and see them locally |
| Compression | -C |
Compress the SSH data stream — useful on slow or high-latency connections |
| Connection Multiplexing | ControlMaster=auto |
Reuse a single TCP connection for multiple SSH sessions to the same host. Subsequent connections open instantly without re-authenticating. RustConn adds ControlPersist=10m so the master connection stays alive for 10 minutes after the last session closes. When RustConn exits, all ControlMaster sockets are automatically closed to prevent stale sockets from lingering in the filesystem |
| Waypipe | waypipe ssh ... |
Forward Wayland GUI applications (see Waypipe below) |
| Verbose | -v |
Show detailed SSH debug output in the terminal for diagnosing connection issues (auth failures, key negotiation, resets) |
Configure:
- Edit an SSH connection → Protocol tab
- Scroll to the Session group
- Toggle the desired options
- Click Save
All toggles are off by default. They can be combined freely — for example, enabling both Agent Forwarding and Compression at the same time adds -A -C to the SSH command.
Pass arbitrary -o options to the SSH command. This is for advanced SSH configuration that doesn't have a dedicated UI toggle.
Configure:
- Edit an SSH connection → Protocol tab → Session group
- In the Custom Options field, enter comma-separated
Key=Valuepairs
Format: Key1=Value1, Key2=Value2
You can also paste options in the -o Key=Value format directly from the command line — the -o prefix is stripped automatically.
Examples:
| Custom Options field | Resulting SSH flags |
|---|---|
StrictHostKeyChecking=no, ServerAliveInterval=60 |
-o StrictHostKeyChecking=no -o ServerAliveInterval=60 |
-o StrictHostKeyChecking=no, -o ServerAliveInterval=60 |
Same result (prefix stripped) |
ServerAliveCountMax=3 |
-o ServerAliveCountMax=3 |
ProxyCommand=nc -X 5 -x proxy:1080 %h %p |
-o ProxyCommand=nc -X 5 -x proxy:1080 %h %p |
Note: For port forwarding (-L, -R, -D), use the dedicated Port Forwarding section instead of Custom Options. The subtitle in the dialog reminds you of this.
Dangerous directives (ProxyCommand, LocalCommand, PermitLocalCommand) are filtered for security — they are logged as warnings but still passed through if explicitly set.
Run a command automatically after the SSH connection is established.
Configure:
- Edit an SSH connection → SSH tab → Session group
- Enter the command in the Startup Command field
The command is appended to the SSH invocation and executes in the remote shell immediately after login.
Examples:
htop— open system monitor on connectcd /var/log && tail -f syslog— jump to logstmux attach || tmux new— attach to or create a tmux session
Enable SSH debug output to diagnose connection issues such as resets by remote devices, authentication failures, or key negotiation problems.
Configure:
- Edit an SSH connection → Protocol tab → Session group
- Enable the Verbose checkbox
- Save and connect
When enabled, RustConn adds the -v flag to the SSH command. Detailed debug output appears directly in the terminal, showing each handshake phase, key exchange, authentication method tried, and any errors.
When to use:
- Connection is reset by the remote device without explanation
- Authentication fails but the reason is unclear
- Need to verify which SSH key or auth method is being used
- Diagnosing proxy jump or port forwarding issues
Tip: Disable verbose mode after debugging — the output is noisy and clutters normal terminal sessions.
Waypipe forwards Wayland GUI applications from a remote host to your local
Wayland session — the Wayland equivalent of X11 forwarding (ssh -X).
When enabled, RustConn wraps the SSH command as waypipe ssh user@host,
creating a transparent Wayland proxy between the machines.
Requirements:
waypipeinstalled on both local and remote hosts (sudo apt install waypipe/sudo dnf install waypipe)- A running Wayland session locally (not X11)
- The remote host does not need a running display server
Setup:
- Open the connection dialog for an SSH connection
- In the Session options group, enable the Waypipe checkbox
- Save and connect
RustConn will execute waypipe ssh user@host (with automatic password injection
for vault-authenticated connections). If waypipe is not found on PATH, the
connection falls back to a standard SSH session with a log warning.
You can verify waypipe availability in Settings → Clients.
Example — running a remote GUI application:
After connecting with Waypipe enabled, launch any Wayland-native application in the SSH terminal:
# Run Firefox from the remote host — the window appears on your local desktop
firefox &
# Run a file manager
nautilus &
# Run any GTK4/Qt6 Wayland app
gnome-text-editor &The remote application window opens on your local Wayland desktop as if it were a local window. Clipboard, keyboard input, and window resizing work transparently.
Tips:
- The remote application must support Wayland natively. X11-only apps will not work through waypipe (use X11 Forwarding for those).
- For best performance over slow links, waypipe compresses the Wayland
protocol traffic automatically. You can pass extra flags via SSH custom
options if needed (e.g.,
--compress=lz4). - If the remote host uses GNOME, most bundled apps (Files, Text Editor, Terminal, Eye of GNOME) work out of the box.
- Qt6 apps work if
QT_QPA_PLATFORM=waylandis set on the remote host. - To check which display protocol your local session uses:
echo $XDG_SESSION_TYPE(should printwayland).
Keeps the remote RDP session awake and prevents the remote desktop from locking by sending periodic input.
- Configure in Connection Dialog → RDP → Features: enable Mouse Jiggler and set the interval (10–600 seconds, default 60)
- Auto-starts when the RDP session connects, auto-stops on disconnect
- Each tick sends a small mouse movement (keeps the session from idle-disconnecting) and a no-op Scroll Lock keystroke. The keystroke is required because Windows does not reset its workstation lock / screensaver timer on RDP-injected mouse motion alone
- Embedded (IronRDP) mode only. The External FreeRDP client runs as a separate process with no input channel from RustConn, so the jiggler cannot drive it — switch to Embedded mode if you need this feature
RustConn provides two methods for transferring files to and from RDP sessions:
Shared Folders (Drive Redirection):
Map local directories into the remote session. Files appear as network drives (\\tsclient\<share_name>) inside the remote desktop.
- Open Connection Dialog → RDP → Shared Folders
- Add a local directory and give it a share name
- Connect — the folder is accessible in Windows Explorer under "This PC → Network Locations"
Works with both IronRDP embedded and FreeRDP external modes.
Clipboard File Transfer (IronRDP embedded mode only):
When the remote Windows user copies files to the clipboard (Ctrl+C in Explorer), RustConn detects the file list and shows a "Save N Files" button in the RDP toolbar.
- On the remote desktop, select files and press Ctrl+C
- The "Save N Files" button appears in the RustConn toolbar
- Click it and choose a local folder — files are downloaded from the remote clipboard
This uses the RDP clipboard channel (CF_HDROP / FILEDESCRIPTORW format) and works without shared folders. Progress is tracked per-file. Only available in embedded mode (IronRDP), not with FreeRDP external.
On HiDPI/4K displays, the embedded IronRDP client automatically sends the correct scale factor to the Windows server (e.g. 200% on a 2× display), so remote UI elements render at the correct logical size. The Scale Override setting in the connection dialog allows manual adjustment if needed.
When you resize the RustConn window, the embedded RDP session automatically adjusts its resolution to match the new window size. This works in two ways depending on server capabilities:
-
Display Control Channel (MS-RDPEDISP) — modern Windows 10/11 desktops and properly configured Windows Server with Remote Desktop Session Host support seamless in-place resolution changes without disconnecting. The session continues uninterrupted.
-
Automatic reconnect fallback — if the server does not support the Display Control Channel (common on Windows Server 2008/2012/2016 without the RDSH role, or older RDP configurations), RustConn automatically performs a brief reconnect with the new resolution. This avoids distorted scaling where the remote desktop is stretched or squished to fit the new window size.
"Reconnect on Resize" option (Connection Dialog → Protocol → Features):
| Setting | Behavior |
|---|---|
| Unchecked (default) | Tries dynamic resize first; if server doesn't support it, falls back to reconnect automatically |
| Checked | Always reconnects immediately on resize without attempting dynamic resize; useful when you know the server doesn't support Display Control and want to skip the 500ms detection delay |
Tip: For Windows Server connections where you notice a brief reconnect on every resize, enable "Reconnect on Resize" to make the transition slightly faster by skipping the Display Control probe.
The embedded IronRDP client provides bidirectional clipboard sync via the CLIPRDR channel. Text copied on the remote desktop is automatically available locally (Ctrl+V), and local clipboard changes are announced to the server. The Copy/Paste toolbar buttons remain available as manual fallback. Clipboard sync requires the "Clipboard" option enabled in the RDP connection settings.
When server-side paste is blocked (GPO, Citrix policy, UAC dialogs, password fields that reject Ctrl+V), the Autotype feature sends text character-by-character as individual keystrokes using the RDP Unicode Keyboard Event PDU. This bypasses all clipboard restrictions and is keyboard-layout independent.
Two input modes:
- Type Clipboard — reads the local clipboard and types its contents into the remote session
- Type Text… — opens a dialog where you enter text (with optional password mode that hides input) and sends it as keystrokes; the text never touches the system clipboard, making it ideal for passwords
Per-connection timing settings (Connection Dialog → RDP → Features):
| Setting | Range | Default | Purpose |
|---|---|---|---|
| Autotype Delay | 5–200 ms | 20 ms | Pause between each character. Increase for Citrix gateways or slow connections that drop characters |
| Autotype Initial Delay | 0–5000 ms | 0 ms | Pause before typing starts. Gives time to focus the target input field |
Technical details:
- Uses
TS_UNICODE_KEYBOARD_EVENTPDU — layout-independent (DE/US/FR mismatches don't matter) - Iterates by Unicode grapheme clusters (composed characters like é, ñ are sent as single units)
- Only available in embedded IronRDP mode (external FreeRDP runs in a separate process)
The embedded RDP toolbar includes a Quick Actions dropdown menu for launching common Windows administration tools on the remote desktop. Actions send scancode key sequences directly through the RDP session with a 30ms inter-key delay for reliability.
The menu is split into two sections separated by a divider:
Quick Shortcuts:
| Action | Shortcut Sent | Description |
|---|---|---|
| Settings | Win+I | Opens Windows Settings |
| Task Manager | Ctrl+Shift+Esc | Opens Windows Task Manager |
Admin Consoles (alphabetical):
| Action | Shortcut Sent | Description |
|---|---|---|
| Computer Management | Win+R → compmgmt.msc |
Opens Computer Management (disks, services, users, event log) |
| Device Manager | Win+R → devmgmt.msc |
Opens Device Manager |
| Disk Management | Win+R → diskmgmt.msc |
Opens Disk Management console |
| Event Viewer | Win+R → eventvwr.msc |
Opens Event Viewer |
| Registry Editor | Win+R → regedit |
Opens Registry Editor |
| Resource Monitor | Win+R → resmon |
Opens Resource Monitor (CPU, memory, disk, network) |
| Server Manager | Win+R → servermanager |
Opens Windows Server Manager |
| Services | Win+R → services.msc |
Opens Services console |
The Quick Actions menu is accessible via the dropdown button (arrow icon) on the RDP toolbar. All labels are translatable.
The Scripts dropdown (terminal icon) in the RDP toolbar provides two sections:
Shell Launchers:
Open a shell on the remote Windows machine via Win+R. The user sees when the shell is ready (prompt appears) before running scripts.
| Launcher | Action |
|---|---|
| PowerShell | Win+R → powershell → Enter |
| PowerShell (Admin) | Win+R → elevated PowerShell via UAC |
| CMD | Win+R → cmd → Enter |
| CMD (Admin) | Win+R → elevated CMD via UAC |
Scripts (User Snippets):
Snippets with target "Windows" or "Any" (configured in the Snippet dialog → Target field) appear in the Scripts section. When clicked, the snippet command is sent via autotype (Unicode keyboard events) into the already-open shell, followed by Enter.
How It Works:
- Click a Shell Launcher to open a shell on the remote machine
- Wait for the shell prompt to appear (user controls timing)
- Click a script from the Scripts section — it types the command and presses Enter
This approach eliminates timing issues: no clipboard delays, no shell startup guessing.
Snippets can be marked with a target execution platform:
| Target | Where visible | Use case |
|---|---|---|
| Terminal (SSH/Local) | Terminal context menu | Linux/Unix commands |
| Windows (RDP) | RDP Scripts dropdown | PowerShell/CMD commands |
| Any | Both contexts | Universal commands (e.g., ping) |
Configure the target in the Snippet dialog → Target field.
Launch individual remote applications instead of a full desktop session. The remote application window appears on your local desktop as if it were a native window — no full desktop is rendered.
Configure RemoteApp:
- Open Connection Dialog → RDP → RemoteApp section
- Enter the Program path — either an alias (
||notepad) or a full path (C:\Program Files\app.exe) - Optionally set Arguments (command-line arguments passed to the application)
- Optionally set Display Name (shown in taskbar and window title)
How It Works:
- RemoteApp uses the RAIL (Remote Applications Integrated Locally) protocol extension
- RustConn automatically uses FreeRDP for RemoteApp sessions — IronRDP does not support RAIL
- FreeRDP must be installed on the system (bundled in Flatpak builds)
- The Arguments and Display Name fields appear only after entering a Program path
Program Path Format:
| Format | Example | Description |
|---|---|---|
| Alias | ||notepad |
Published RemoteApp alias (configured on the RD server) |
| Full path | C:\Program Files\app.exe |
Direct path to the executable on the remote server |
Import from .rdp files:
RemoteApp settings are automatically imported from .rdp files containing remoteapplicationprogram, remoteapplicationcmdline, and remoteapplicationname fields.
Limitations:
- Requires FreeRDP (not available with IronRDP embedded mode)
- The RDP server must have RemoteApp programs published or allow arbitrary program execution
- Not all RDP servers support RAIL (Windows Server with Remote Desktop Session Host role required)
Embedded RDP, VNC, and SPICE viewers support hiding the local OS cursor to eliminate the "double cursor" effect (local + remote cursor visible simultaneously). Toggle "Show Local Cursor" in the connection dialog's Features section. Enabled by default for backward compatibility.
When you use External RDP mode, RustConn launches the FreeRDP SDL client (sdl-freerdp3 / sdl-freerdp). That client has its own built-in shortcuts that use Right Shift as the modifier by default. These are handled entirely inside FreeRDP — RustConn does not intercept them:
| Shortcut | Action |
|---|---|
| Right Shift + Enter | Toggle fullscreen |
| Right Shift + R | Toggle window resizable |
| Right Shift + G | Toggle keyboard/mouse grab (release input back to the local system) |
| Right Shift + D | Disconnect the session |
| Right Shift + M | Minimize the window |
If you press Right Shift + D by accident the session closes immediately. The grab toggle is Right Shift + G (not "Win+Esc").
Configuring or disabling the hotkeys
FreeRDP reads its shortcut configuration from $XDG_CONFIG_HOME/freerdp/sdl-freerdp.json. Because the bundled FreeRDP runs inside the RustConn sandbox, the path is not the one used by the standalone com.freerdp.FreeRDP Flatpak. Use the location for your install type:
| Install | Config file path |
|---|---|
| Flatpak | ~/.var/app/io.github.totoshko88.RustConn/config/freerdp/sdl-freerdp.json |
| System / native | ~/.config/freerdp/sdl-freerdp.json |
Note: /etc/FreeRDP/sdl-freerdp.json is read from inside the sandbox filesystem for the Flatpak build, so a file placed in the host's /etc/FreeRDP/ is not visible to it — use the per-user path above.
Disable all hotkeys (the safest option if you only need a single release/grab key):
{
"SDL_KeyModMask": ["KMOD_NONE"]
}Or keep the modifier but move just the disconnect action onto a key you will never press by accident, while leaving grab on Right Shift + G:
{
"SDL_KeyModMask": ["KMOD_RSHIFT"],
"SDL_Disconnect": "SDL_SCANCODE_F24"
}Recognised keys (with their defaults): SDL_KeyModMask (KMOD_RSHIFT), SDL_Fullscreen (SDL_SCANCODE_RETURN), SDL_Resizeable (SDL_SCANCODE_R), SDL_Grab (SDL_SCANCODE_G), SDL_Disconnect (SDL_SCANCODE_D), SDL_Minimize (SDL_SCANCODE_M). Modifier names come from SDL_Keymod and key names from SDL_Scancode.
Quick setup (Flatpak):
mkdir -p ~/.var/app/io.github.totoshko88.RustConn/config/freerdp
cat > ~/.var/app/io.github.totoshko88.RustConn/config/freerdp/sdl-freerdp.json <<'EOF'
{
"SDL_KeyModMask": ["KMOD_NONE"]
}
EOFCreate the freerdp directory first if it does not exist, make sure the JSON is valid (an invalid file is silently ignored), and reconnect — the file is read each time a FreeRDP process starts, so no RustConn restart is needed.
Verify it is being read: start RustConn with RUST_LOG=debug (Flatpak: flatpak run io.github.totoshko88.RustConn from a terminal with RUST_LOG=debug set) and connect. The captured FreeRDP stderr is forwarded to the log; pressing the modifier + a hotkey logs a line such as <KMOD_RSHIFT>+<...> pressed. If hotkeys are disabled, no such line appears.
VNC connections support embedded (vnc-rs) or external (TigerVNC) client modes. Configure encoding (Auto/Tight/ZRLE/Hextile/Raw/CopyRect), compression level, quality level, display scale override, view-only mode, scaling, and clipboard sharing in the VNC protocol tab.
SPICE connections support TLS encryption, CA certificate validation, USB redirection, clipboard sharing, image compression (Auto/Off/GLZ/LZ/QUIC), proxy URL, and shared folders. Available as embedded (spice-client) or external (remote-viewer).
MOSH (Mobile Shell) provides a roaming, always-on terminal session that survives network changes, high latency, and intermittent connectivity. Unlike SSH, MOSH uses UDP for the session transport after an initial SSH handshake.
Create a MOSH Connection:
- Press Ctrl+N → select MOSH protocol
- Enter host and username
- Configure MOSH-specific options in the MOSH tab:
| Parameter | Description | Default |
|---|---|---|
| SSH Port | Port for the initial SSH handshake | 22 |
| Port Range | UDP port range for MOSH session (e.g., 60000:60010) |
System default |
| Predict Mode | Local echo prediction: Adaptive, Always, Never | Adaptive |
| Server Binary | Path to mosh-server on the remote host (optional) |
Auto-detect |
| Custom Arguments | Additional arguments passed to mosh |
— |
Requirements:
moshinstalled on the local machine (sudo apt install mosh/sudo dnf install mosh)mosh-serverinstalled on the remote host- UDP ports open between client and server (default: 60000–61000)
Predict Modes:
- Adaptive (default) — enables local echo prediction when latency is detected
- Always — always show predicted text (useful on very slow links)
- Never — disable prediction entirely
Telnet connections run in an embedded VTE terminal tab using the external telnet client. Configure custom arguments, backspace key behavior, and delete key behavior in the Telnet protocol tab.
Connect to serial devices (routers, switches, embedded boards) via picocom.
Create a Serial Connection:
- Press Ctrl+N → select Serial protocol
- Enter device path (e.g.,
/dev/ttyUSB0) or click Detect Devices to auto-scan/dev/ttyUSB*,/dev/ttyACM*,/dev/ttyS* - Configure baud rate (default: 115200), data bits, stop bits, parity, flow control
- Click Create
- Double-click to connect
Serial Parameters:
| Parameter | Options | Default |
|---|---|---|
| Baud Rate | 9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600 | 115200 |
| Data Bits | 5, 6, 7, 8 | 8 |
| Stop Bits | 1, 2 | 1 |
| Parity | None, Odd, Even | None |
| Flow Control | None, Hardware (RTS/CTS), Software (XON/XOFF) | None |
Device Access (Linux):
Serial devices require dialout group membership:
sudo usermod -aG dialout $USER
# Log out and back in for the change to take effectFlatpak: Serial access works automatically (--device=all permission). picocom is bundled in the Flatpak package.
Snap: Connect the serial-port interface after installation:
sudo snap connect rustconn:serial-portpicocom is bundled in the Snap package.
Connect to Kubernetes pods via kubectl exec -it. Two modes: exec into an existing pod, or launch a temporary busybox pod.
Create a Kubernetes Connection:
- Press Ctrl+N → select Kubernetes protocol
- Configure kubeconfig path (optional, defaults to
~/.kube/config) - Set context, namespace, pod name, container (optional), and shell (default:
/bin/sh) - Optionally enable Busybox mode to launch a temporary pod instead
- Click Create
- Double-click to connect
Kubernetes Parameters:
| Parameter | Description | Default |
|---|---|---|
| Kubeconfig | Path to kubeconfig file | ~/.kube/config |
| Context | Kubernetes context | Current context |
| Namespace | Target namespace | default |
| Pod | Pod name to exec into | Required (exec mode) |
| Container | Container name (multi-container pods) | Optional |
| Shell | Shell to use | /bin/sh |
| Busybox | Launch temporary busybox pod | Off |
Requirements: kubectl must be installed and configured.
Flatpak: kubectl is available as a downloadable component in Flatpak Components dialog.
Browse remote files on SSH connections via your system file manager or Midnight Commander.
SFTP is always available for SSH connections — no checkbox or flag needed. The "Open SFTP" option only appears in the sidebar context menu for SSH connections (not RDP, VNC, SPICE, or Serial).
SSH Key Handling:
Before opening SFTP, RustConn automatically runs ssh-add with your configured SSH key. This is required because neither file managers nor mc can pass identity files directly — the key must be in the SSH agent.
Open SFTP (File Manager):
- Right-click an SSH connection in sidebar → "Open SFTP"
- Or use the
win.open-sftpaction while a connection is selected
RustConn tries file managers in this order: dolphin (KDE), nautilus (GNOME), xdg-open (fallback). The SSH_AUTH_SOCK environment variable is injected into the spawned process so the file manager can access the SSH agent.
On KDE, if dolphin is not found (e.g., in Flatpak), xdg-open is used — which opens whichever application is registered as the sftp:// handler. See SFTP Troubleshooting if the wrong application opens.
SFTP via Midnight Commander:
Settings → Terminal page → Behavior → enable "SFTP via mc". When enabled, "Open SFTP" opens a local shell tab with Midnight Commander connected to the remote server via sh://user@host:port FISH VFS panel.
Requirements for mc mode:
- Midnight Commander must be installed (
mcin PATH). RustConn checks availability before launch. - mc FISH VFS requires SSH key authentication — password and keyboard-interactive auth are not supported. A warning toast is shown if password auth is configured.
- In Flatpak builds, mc 4.8.32 is bundled automatically.
mc-based SFTP sessions run in a VTE terminal, so they support split view (Ctrl+Shift+H / Ctrl+Shift+S) just like SSH tabs.
SFTP can also be created as a standalone connection type. This is useful when you primarily need file transfer access to a server (e.g., transferring files between Windows and Linux systems).
Create an SFTP Connection:
- Press Ctrl+N → select SFTP protocol
- Configure SSH settings (host, port, username, key) — SFTP reuses the SSH options tab
- Click Create
- Double-click to connect — opens file manager (or mc) directly instead of a terminal
SFTP connections use the folder-remote-symbolic icon in the sidebar and behave identically to the "Open SFTP" action on SSH connections, but the file manager opens automatically on Connect.
Choosing the Default SFTP Client (KDE / GNOME / other):
RustConn opens sftp:// URIs via xdg-open, which delegates to your desktop's default handler. On KDE, if FileZilla is installed, it may register itself as the default sftp:// handler instead of Dolphin.
To set Dolphin (recommended for SSH key support):
# Option 1: edit mimeapps.list directly
# Add this line under [Default Applications] in ~/.config/mimeapps.list:
x-scheme-handler/sftp=org.kde.dolphin.desktop
# Option 2: xdg-mime (requires qt6-tools / qttools installed)
xdg-mime default org.kde.dolphin.desktop x-scheme-handler/sftpIf xdg-mime fails with "qtpaths: command not found", use Option 1 or install qt6-qttools (sudo dnf install qt6-qttools / sudo apt install qt6-tools-dev).
On GNOME, Nautilus handles sftp:// by default — no changes needed.
FileZilla Does Not Support SSH Agent:
FileZilla uses its own SSH library and ignores the system SSH agent (SSH_AUTH_SOCK). Even though RustConn adds your key to the agent before opening SFTP, FileZilla will still prompt for a password.
Solutions:
- Switch the
sftp://handler to Dolphin or Nautilus (see above) — both use OpenSSH and respect the SSH agent - Configure the key directly in FileZilla: Site Manager → SFTP tab → Key file
- Use mc mode in RustConn (Settings → Terminal → SFTP via mc) — mc runs in the same process and inherits the agent
Flatpak: File Manager Cannot Access SSH Key:
In Flatpak builds, RustConn runs inside a sandbox with its own SSH agent. When xdg-open launches a file manager (Dolphin, Nautilus), it runs outside the sandbox and uses the host's SSH agent — which does not have the key that RustConn added.
Flatpak: SSH Key Paths and Document Portal:
When you select an SSH key via the file chooser in Flatpak, the system creates a temporary document portal path (e.g., /run/user/1000/doc/XXXXXXXX/key.pem). These paths become stale after Flatpak rebuilds or reboots. RustConn automatically copies selected keys to a stable location (~/.var/app/io.github.totoshko88.RustConn/.ssh/) with correct permissions (0600). At connect time, stale portal paths are resolved via fallback lookup in this directory.
Solutions for file manager SFTP (pick one):
- Use mc mode (recommended) — Settings → Terminal → SFTP via mc. Midnight Commander runs inside the Flatpak sandbox and inherits RustConn's SSH agent. Works without any extra setup. This is enabled by default in Flatpak builds.
- Add the key on the host — run
ssh-add ~/.ssh/your_keyin a regular terminal before opening SFTP. The file manager will then find the key in the host agent. - Store keys in
~/.ssh/— keys in~/.ssh/are accessible to both the Flatpak sandbox and the host.
This limitation does not affect native packages (deb, rpm, Snap) where RustConn and the file manager share the same SSH agent.
RustConn supports connecting through identity-aware proxy services (Zero Trust). For detailed provider setup and configuration, see the dedicated Zero Trust Providers guide.
Supported providers: AWS Session Manager, GCP IAP Tunnel, Azure Bastion, Azure SSH (AAD), OCI Bastion, Cloudflare Access, Teleport, Tailscale SSH, HashiCorp Boundary, Hoop.dev, Generic Command.
Web bookmark connections store website URLs and open them in the system's default browser. No embedded browser is used — RustConn delegates to the OS via GTK4 UriLauncher (portal-aware, works in Flatpak).
Use cases:
- Quick access to web-based admin panels (AWS Console, Grafana, Proxmox, etc.)
- Storing credentials for web services alongside SSH/RDP connections
- Organizing all infrastructure access points in one place
Creating a Web bookmark:
- Click "New Connection" → select Web protocol
- Enter the full URL in the URL field (must start with
http://orhttps://) - Optionally set username/password — these are stored in the configured secret backend for copy-to-clipboard via the sidebar context menu
- Click Save
Connecting:
- Double-click the connection in the sidebar → the URL opens in your default browser
- The sidebar status briefly shows "connecting" (yellow) then clears — Web bookmarks have no persistent session
Context menu actions:
- Copy Username / Copy Password — copies stored credentials to clipboard (auto-clears after 30 seconds)
CLI:
rustconn-cli add --name "AWS Console" --protocol web --host "https://console.aws.amazon.com"Limitations:
- No embedded browser — always opens in the system default
- No auto-fill — credentials are for copy-to-clipboard only
- Port field is hidden (not applicable for URLs)
| Protocol | Session Type |
|---|---|
| SSH | Embedded VTE terminal tab |
| RDP | Embedded IronRDP or external FreeRDP (bundled in Flatpak) |
| VNC | Embedded vnc-rs or external TigerVNC |
| SPICE | Embedded spice-client or external remote-viewer |
| MOSH | MOSH via VTE terminal (external mosh client) |
| Telnet | Embedded VTE terminal tab (external telnet client) |
| Serial | Embedded VTE terminal tab (external picocom client) |
| Kubernetes | Embedded VTE terminal tab (external kubectl exec) |
| ZeroTrust | Provider CLI in terminal |
| Local Shell | Local VTE terminal tab (user's default shell) |
Local Shell: Open a local terminal tab without connecting to any remote host. Useful as a quick terminal emulator or for running local commands alongside remote sessions. Start via Menu → File → Local Shell, the startup action (Settings → Interface → Startup → Local Shell), or rustconn --shell.
Custom Shell Command: Configure a custom command for Local Shell in Settings → Terminal → Local Shell → Command. When set, Local Shell runs this command instead of the default login shell. Examples:
fish— use Fish shell instead of bashbash --norc— bash without loading .bashrcneofetch && bash— show system info on startup, then drop into bashtmux new-session— start a tmux session/usr/bin/zsh -l— explicit path to zsh as login shell
Leave the field empty to use the system default shell ($SHELL).
The Display Mode setting in the connection dialog (Advanced tab → Window Mode) controls how RDP and VNC sessions are displayed. The setting applies per-connection.
| Mode | RDP Behavior | VNC Behavior |
|---|---|---|
| Embedded (default) | IronRDP widget in a notebook tab | vnc-rs widget in a notebook tab |
| Fullscreen | Maximizes the main window | Maximizes the main window |
| External Window | Launches xfreerdp in a separate window |
Launches external VNC viewer (TigerVNC/vncviewer) in a separate window |
Configure:
- Edit connection → Advanced tab → Window Mode section
- Select Embedded, External Window, or Fullscreen from the dropdown
- For External Window mode, enable Remember Position to save window geometry between sessions (RDP only)
Notes:
- Fullscreen mode maximizes the RustConn window, not the remote desktop. Use F11 to toggle true fullscreen of the entire application.
- External Window mode for VNC requires an external VNC viewer installed (TigerVNC, vncviewer, gvncviewer, or similar). If no viewer is found, a toast notification shows the install hint.
- External Window mode for RDP uses FreeRDP. In the Flatpak build, FreeRDP (SDL3 client) is bundled — no separate installation needed. On native installs, RustConn auto-detects available FreeRDP variants in priority order:
wlfreerdp3>wlfreerdp>sdl-freerdp3>sdl-freerdp>xfreerdp3>xfreerdp. - The VNC protocol tab also has its own Client Mode (Embedded/External) setting. When Display Mode is set to External Window, it takes precedence over the protocol-level Client Mode.
- Switch — Click tab or Ctrl+Tab / Ctrl+Shift+Tab
- Close — Click X or Ctrl+W / Ctrl+Shift+W
- Reorder — Drag tabs
- Tab Overview — Click the grid icon (▦) at the right end of the tab bar, or press Ctrl+Shift+O, to open a full-screen grid view of all open tabs. Useful when you have many tabs open and need to visually locate a session. Click any thumbnail to switch to it.
- Tab Switcher — Press Ctrl+% (or open Command Palette with Ctrl+P and type
%) to fuzzy-search across all open tabs by name. Results show protocol type and tab group. Select and press Enter to switch instantly. - Pin Tab — Right-click a tab → Pin Tab. Pinned tabs stay at the left edge of the tab bar and are never scrolled out of view. Useful for long-running sessions you need constant access to. Right-click again → Unpin Tab to restore normal behavior.
Split view works with terminal-based sessions: SSH, Telnet, Serial, Kubernetes, Local Shell, and SFTP (mc mode).
- Horizontal Split — Ctrl+Shift+H splits the current tab horizontally (side by side)
- Vertical Split — Ctrl+Shift+S splits the current tab vertically (top and bottom)
- Close Pane — Ctrl+Shift+X closes the focused pane; if only one pane remains, the split is dissolved and the session returns to normal tab mode
- Focus Next Pane — Ctrl+` cycles focus between panes
- Select Tab — click the "Select Tab..." button in an empty pane to pick which session to display; sessions already in other split views show a colored indicator
- Move between splits — a session can be moved from one split to another via "Select Tab"; the original split keeps a placeholder in the vacated panel, and the session's own tab shows a "Displayed in Split View" page with a "Go to Split View" button
- Tab Overview — split-view tabs render correctly in Tab Overview (Ctrl+Shift+O) with live thumbnails showing the split layout
Sidebar shows connection status:
- 🟢 Green dot — Connected
- 🔴 Red dot — Disconnected
Enable in Settings → Interface page → Session Restore:
- Sessions saved on app close
- Restored on next startup
- Optional prompt before restore
- Configurable maximum age
When a terminal session disconnects (SSH, Telnet, Serial, Kubernetes), a "Reconnect" banner appears at the top of the terminal tab. Click it to re-establish the connection in one click without opening the connection dialog.
- The banner appears automatically when the VTE child process exits
- Reconnect uses the same connection settings (host, credentials, protocol options)
- If the connection fails again, the banner reappears
- Close the tab normally with Ctrl+W to dismiss
Three logging modes (Settings → Terminal page → Logging):
- Activity — Track session activity changes
- User Input — Capture typed commands
- Terminal Output — Full transcript
Optional timestamps (Settings → Terminal page → Logging):
- Enable "Timestamps" to prepend
[HH:MM:SS]to each line in log files
Per-connection logging options (Connection dialog → Logging tab → Content Options):
- Log Activity — Record connection and disconnection events
- Log Input — Record keyboard input sent to remote
- Log Output — Record terminal output from remote
- Add Timestamps — Prepend timestamp to each log line
Open with Ctrl+Shift+F in any terminal session.
- Text search — Plain text matching (default)
- Regex — Toggle "Regex" checkbox for regular expression patterns; invalid patterns show an error message
- Case sensitive — Toggle case sensitivity
- Highlight All — Highlights all matches in the terminal (enabled by default)
- Navigation — Up/Down buttons or Enter to jump between matches; search wraps around
- Highlights are cleared automatically when closing the dialog (Close button or Escape)
Note: Terminal search is a GUI-only feature (VTE widget). Not available in CLI mode.
Record terminal sessions in scriptreplay-compatible format for later playback. Recordings capture terminal output with timing information and automatically sanitize sensitive data (passwords, API keys, tokens).
Enable Recording (per-connection):
- Edit connection → Advanced tab
- Enable Session Recording
- Save
When recording is active, the tab title shows a ●REC indicator. A red media-record-symbolic dot also appears next to the connection in the sidebar (with tooltip and screen-reader label) while any of its sessions is being recorded, so an active recording is visible at a glance.
Recording Files:
Recordings are saved to $XDG_DATA_HOME/rustconn/recordings/ (typically ~/.local/share/rustconn/recordings/) with two files per session:
| File | Contents |
|---|---|
{name}_{timestamp}.data |
Raw terminal output bytes |
{name}_{timestamp}.timing |
Timing data (delay + byte count per chunk) |
Playback:
scriptreplay --timing=session.timing session.dataSanitization: Recordings automatically redact password prompts and responses, API keys and tokens, AWS credentials, and private key content.
Per-session activity and silence detection for terminal tabs, inspired by KDE Konsole. Each SSH terminal session can independently track output events and notify you when activity resumes after a quiet period or when a terminal goes silent.
Monitoring Modes:
| Mode | Behavior | Default Timeout |
|---|---|---|
| Off | No monitoring (default) | — |
| Activity | Notify when new output appears after a configurable quiet period | 10 seconds |
| Silence | Notify when no output occurs for a configurable duration | 30 seconds |
Activity mode is useful when you've started a long-running command in a background tab and want to know when it produces output again.
Silence mode is useful when you're watching a stream of output (logs, compilation) and want to know when it stops — indicating the process has finished or stalled.
Notification Channels:
- Tab indicator icon — an icon appears on the tab (ℹ for activity, ⚠ for silence)
- In-app toast — a toast message like "Activity detected: Web-01" or "Silence detected: Build-Server"
- Desktop notification — a system notification when the RustConn window is not focused
The tab indicator and notification are cleared automatically when you switch to that tab.
Configure Global Defaults:
- Open Settings (Ctrl+,) → Monitoring tab
- Set Default Mode (Off / Activity / Silence)
- Set Default Quiet Period (1–300 seconds, default: 10)
- Set Default Silence Timeout (1–600 seconds, default: 30)
Per-Connection Override: Edit connection → Advanced tab → Activity Monitor section.
Quick Mode Toggle: Right-click any terminal tab → Monitor: Off/Activity/Silence to cycle through modes.
Define regex-based patterns to highlight matching text in terminal output with custom colors. Rules can be global (apply to all connections) or per-connection.
Built-in Defaults:
| Rule | Pattern | Colors |
|---|---|---|
| ERROR | ERROR |
Red foreground |
| WARNING | WARNING |
Yellow foreground |
| CRITICAL/FATAL | CRITICAL|FATAL |
Red background |
Configure Global Rules:
- Settings → Terminal → Highlighting Rules section
- Click Add Rule
- Enter rule name, regex pattern, and choose foreground/background colors
- Toggle Enabled to activate/deactivate individual rules
Configure Per-connection Rules:
- Edit connection → Advanced tab → Highlighting Rules section
- Add rules that apply only to this connection
- Per-connection rules take priority over global rules
Rule Properties:
| Property | Description |
|---|---|
| Name | Display name for the rule |
| Pattern | Regular expression (Rust regex syntax) |
| Foreground Color | Text color in #RRGGBB format (optional) |
| Background Color | Background color in #RRGGBB format (optional) |
| Enabled | Toggle rule on/off |
Invalid regex patterns are rejected with an error message during validation.
Note: Lines containing only whitespace are not processed by the highlight overlay. This prevents stale highlights from appearing after the clear command erases the terminal screen. Highlight rules that intentionally match whitespace-only patterns will not render.
Override terminal colors (background, foreground, cursor) on a per-connection basis. Useful for visually distinguishing production vs. development environments.
Configure:
- Edit connection → Advanced tab → Terminal Theme section
- Click the color buttons to set Background, Foreground (text), and Cursor colors
- Colors are in
#RRGGBBor#RRGGBBAAformat - Click Reset to clear overrides and use the global theme
- Save
Tips:
- Use a red-tinted background for production servers
- Use a green-tinted background for development/staging
- Combine with tab coloring for maximum visual distinction
- Ctrl+Shift+G or click folder icon
- Right-click in sidebar → New Group
- Right-click on group → New Subgroup
- Rename — F2 or right-click → Rename
- Move — Drag-drop or right-click → Move to Group
- Delete — Delete key (shows choice dialog: Keep Connections, Delete All, or Cancel)
The sidebar toolbar has a list icon button (view-list-symbolic) that activates Group Operations Mode for bulk actions on multiple connections at once.
Activate: Click the list icon in the sidebar toolbar (or right-click → Group Operations)
Available actions in the toolbar:
| Button | Action |
|---|---|
| New Group | Create a new group |
| Move to Group | Move all selected connections to a chosen group |
| Select All | Select all visible connections |
| Clear | Deselect all |
| Delete | Delete all selected connections (with confirmation) |
Workflow:
- Click the list icon to enter Group Operations Mode
- Checkboxes appear next to each connection in the sidebar
- Select individual connections by clicking their checkboxes, or use Select All
- Choose an action: Move to Group or Delete
- Confirm the action in the dialog
- Click the list icon again (or press Escape) to exit Group Operations Mode
This is useful for reorganizing large numbers of connections, cleaning up after an import, or bulk-deleting obsolete entries.
Groups can store default credentials (Username, Password, Domain) that are inherited by their children.
Configure Group Credentials:
- Right-click a group → Edit Group → Identity tab
- Expand the Default Credentials section (toggle the switch to enable)
- Select Password Source:
- Prompt — Ask for password on each connection
- Vault — Store in the configured secret backend (KeePass, Keyring, Bitwarden, 1Password, Passbolt); click the folder icon to load an existing password from the vault
- Variable — Use a named secret global variable (dropdown shows only variables marked as secret in Tools → Variables)
- Inherit — Inherit from parent group
- None — No password
- Password source determines which UI is shown: Vault shows a password field with load button, Variable shows a dropdown of secret variables
Inherit Credentials:
- Create a connection inside the group
- In Authentication tab, set Password Source to Inherit from Group
- Connection will use group's stored credentials
- Use "Load from Group" buttons to auto-fill Username and Domain from parent group
KeePass Hierarchy: Group credentials are stored in KeePass with hierarchical paths:
RustConn/
└── Groups/
├── Production/ # Group password
│ └── Web Servers/ # Nested group password
└── Development/
└── Local/
Groups can define Expect Rules and Post-login Scripts that are automatically inherited by all connections in the group (and subgroups). This lets you configure automation once for hundreds of connections.
Configure Group Automation (GUI):
- Right-click a group → Edit Group → Automation tab
- Toggle the Automation switch to enable
- Expect Rules — add rules that auto-respond to terminal patterns:
- Click Add Rule to create a blank rule
- Or click From Template to pick a preset — SSH-specific templates are marked with "(SSH)":
- Sudo Password (SSH) — auto-respond to
[sudo] password for ...: - SSH Host Key Confirmation (SSH) — auto-accept host key fingerprint
- Login Prompt — auto-fill username and password at login prompts
- Press Enter to Continue — auto-dismiss "Press Enter" prompts
- MOTD Pager — auto-dismiss
--More--pager prompts
- Sudo Password (SSH) — auto-respond to
- Each rule has: Pattern (regex), Response, Priority, Timeout, Enabled/One-shot toggles
- Each rule has ↑ ↓ 🗑️ buttons at the top-right to reorder or delete individual rules
- Use the ➕ button next to Response to insert variable placeholders (
${password},${username},${host},${port},\n) without typing them manually - Invalid regex patterns are highlighted in red with an error message
- Click Clear All to remove all rules at once
- Pattern Tester (collapsible) — type text to test against your rules in real time; shows which rule matches and what response would be sent
- Post-login Scripts — add individual commands to run after login:
- Click Add Script to add a new command entry
- Each script has its own row with a delete button
- Example commands:
cd /app,source .env,export TERM=xterm-256color
- Click Save
Note: Disabling the Automation switch shows a confirmation dialog — all rules and scripts will be cleared.
Tip: Responses support
${password},${username},${host},${port}, and${VARIABLE_NAME}placeholders that are resolved at connection time.${password}is automatically filled from the connection's configured secret backend (Vault, Variable, etc.). Use the ➕ button next to the Response field to insert these without typing.
Configure Group Automation (CLI):
# Add a sudo password expect rule
rustconn-cli group edit "Production" \
--add-expect-rule '{"pattern":"\\[sudo\\] password for \\w+:","response":"${password}\\n","priority":10,"timeout_ms":30000,"one_shot":true}'
# Add multiple rules at once
rustconn-cli group edit "Production" \
--add-expect-rule '{"pattern":"password:\\s*$","response":"${password}\\n"}' \
--add-expect-rule '{"pattern":"yes/no","response":"yes\\n"}'
# Clear all rules and start fresh
rustconn-cli group edit "Production" --clear-expect-rules \
--add-expect-rule '{"pattern":"login:","response":"${username}\\n"}'
# Add post-login scripts
rustconn-cli group edit "Production" \
--add-post-login-script "cd /app" \
--add-post-login-script "source .env"
# Clear and replace post-login scripts
rustconn-cli group edit "Production" --clear-post-login-scripts \
--add-post-login-script "export TERM=xterm-256color"
# View group automation config
rustconn-cli group show "Production"Inheritance Rules:
- Connections with empty automation config automatically inherit from their parent group
- If a connection has its own Expect Rules, group rules are not merged — the connection's rules take precedence
- Expect rules and post-login scripts are inherited independently — rules may come from one group and scripts from another
- Inheritance walks up the group hierarchy: child group → parent group → grandparent group
- To override group automation for a specific connection, add at least one rule in the connection's Automation tab
Example — Sudo password for all servers in a group:
- Edit the "Production Servers" group
- Enable Automation → click From Template → select Sudo Password (SSH)
- The template adds a rule: pattern
\[sudo\] password for \w+:→ response${password}\n - Save the group
- All SSH connections in "Production Servers" now auto-respond to sudo prompts using their vault password
- Alphabetical by default (case-insensitive, by full path)
- Drag-drop for manual reordering
- Click Sort button in toolbar to reset
Pin frequently used connections to a dedicated "Favorites" section at the top of the sidebar.
Pin a Connection:
- Right-click a connection → Pin / Unpin
- The connection appears in the ★ Favorites group at the top of the sidebar
Unpin a Connection:
- Right-click a pinned connection → Pin / Unpin
- The connection returns to its original group
Favorites persist across sessions. Pinned connections remain in their original group as well — the Favorites section shows a reference, not a move.
Smart Folders are dynamic, filter-based views that automatically group connections matching specific criteria. Unlike regular groups, Smart Folders don't move connections — they show a live, read-only list of matching connections.
Create a Smart Folder:
- Right-click in the Smart Folders sidebar section → New Smart Folder
- Enter a name
- Configure filter criteria (all filters use AND logic):
| Filter | Description | Example |
|---|---|---|
| Protocol | Match connections of a specific protocol | SSH |
| Tags | Connection must have ALL listed tags | production, web |
| Host Pattern | Glob pattern matching against host | *.prod.example.com |
| Parent Group | Connections in a specific group | Production |
- Click Create
Custom Icons:
Smart Folders support custom emoji icons displayed in the sidebar instead of the default 📁. Set the icon in the "Icon" field when creating or editing a Smart Folder, or via CLI:
rustconn-cli smart-folder create --name "Production" --icon "🏢" --protocol ssh
rustconn-cli smart-folder edit "Production" --icon "🚀" # Change icon
rustconn-cli smart-folder edit "Production" --icon "none" # Reset to default 📁Behavior:
- Smart Folders appear in a dedicated sidebar section with a 🔍 icon
- Connections in Smart Folders are read-only (no drag-drop)
- Double-click a connection to connect (same as regular connections)
- Right-click a Smart Folder → Edit or Delete
- Empty filter criteria → empty result (not "match all")
Dynamic Folders generate connections automatically by executing a user-defined script. Unlike Smart Folders (which filter existing connections), Dynamic Folders create new connections from external data sources — cloud APIs, infrastructure tools, or custom scripts.
Use Cases:
- Import EC2 instances from AWS:
aws ec2 describe-instances --query ... - List Kubernetes nodes:
kubectl get nodes -o json | jq ... - Query Ansible inventory:
ansible-inventory --list | jq ... - Scan Proxmox VMs: custom API script
- Read from a CMDB or asset database
Configure a Dynamic Folder:
- Create or edit a group
- In the group settings, expand Dynamic Folder section
- Enter the script command (executed via
sh -c) - Optionally set:
- Working Directory — where the script runs
- Timeout — maximum execution time (default: 30 seconds)
- Refresh Interval — auto-refresh period (leave empty for manual only)
- Save
Script Output Format:
The script must output a JSON array to stdout:
[
{
"name": "web-01",
"host": "10.0.1.10",
"port": 22,
"protocol": "ssh",
"username": "admin",
"group": "web-servers",
"tags": ["production", "nginx"],
"description": "Primary web server"
},
{
"name": "db-master",
"host": "10.0.2.5",
"protocol": "ssh"
}
]Required fields: name, host
Optional fields:
| Field | Default | Description |
|---|---|---|
port |
Protocol default (22, 3389, 5900...) | Connection port |
protocol |
ssh |
One of: ssh, rdp, vnc, spice, telnet, mosh |
username |
None | Login username |
group |
None | Sub-group path within the dynamic folder |
tags |
[] |
Tags for filtering |
description |
None | Connection description |
Behavior:
- Generated connections are read-only — they cannot be edited or moved manually
- Connections have stable IDs across refreshes (based on name + host + protocol hash)
- Invalid entries (empty name or host) are skipped with a warning
- The script's stderr is logged for debugging
- Non-zero exit code → error shown in sidebar tooltip
Refresh:
- Manual: Right-click the dynamic group → Refresh Dynamic Folder
- Automatic: If refresh interval is configured, the folder refreshes periodically
CLI Commands:
# List all groups with dynamic folders
rustconn-cli dynamic-folder list
# Show configuration and generated connections
rustconn-cli dynamic-folder show "AWS Servers"
# Create/update dynamic folder on a group
rustconn-cli dynamic-folder set "AWS Servers" --script 'aws ec2 describe-instances ...' --timeout 60
# Refresh (execute script and update connections)
rustconn-cli dynamic-folder refresh "AWS Servers"
# Remove dynamic folder and generated connections
rustconn-cli dynamic-folder remove "AWS Servers"
# JSON output for scripting
rustconn-cli dynamic-folder list --format jsonExample Scripts:
# AWS EC2 instances (requires aws-cli)
aws ec2 describe-instances --query 'Reservations[].Instances[].{name:Tags[?Key==`Name`].Value|[0],host:PrivateIpAddress}' --output json
# Kubernetes nodes
kubectl get nodes -o json | jq '[.items[] | {name: .metadata.name, host: (.status.addresses[] | select(.type=="InternalIP") | .address), protocol: "ssh"}]'
# Simple static list from a file
cat ~/infrastructure/servers.json
# Proxmox VMs via API
curl -s -k "https://proxmox:8006/api2/json/nodes/pve/qemu" -H "Authorization: PVEAPIToken=..." | jq '[.data[] | {name: .name, host: .name, protocol: "spice"}]'Set custom emoji or GTK icon names on connections and groups to visually distinguish them in the sidebar.
Supported Icon Types:
| Type | Example | How It Renders |
|---|---|---|
| Emoji / Unicode | 🇺🇦, 🏢, 🔒, 🐳 |
Displayed as text next to the name |
| GTK icon name | starred-symbolic, network-server-symbolic |
Rendered as a symbolic icon |
Set a Custom Icon:
- Edit a connection or group
- Enter an emoji or GTK icon name in the Icon field
- Save
Leave the field empty to use the default icon (folder for groups, protocol-based for connections).
Optional colored circle indicators on terminal tabs to visually distinguish protocols at a glance.
| Protocol | Color |
|---|---|
| SSH | 🟢 Green |
| RDP | 🔵 Blue |
| VNC | 🟣 Purple |
| SPICE | 🟠 Orange |
| Serial | 🟡 Yellow |
| Kubernetes | 🔵 Cyan |
Enable/Disable: Settings → Interface page → Appearance → Color tabs by protocol
Organize open tabs into named groups with a visible [GroupName] prefix in the tab title.
Assign a Tab to a Group:
- Right-click a tab in the tab bar
- Select Set Group...
- Pick an existing group from the pill buttons, or type a new group name
- Click Apply
The tab title changes to [GroupName] ConnectionName and the tooltip shows the group name.
Remove from Group: Right-click a grouped tab → Remove from Group
Close All in Group: Right-click a grouped tab → Close All in Group (with confirmation dialog)
Monitor Mode Toggle: Right-click any tab → Monitor: Off/Activity/Silence to cycle monitoring mode.
Groups are visual only — they are session-scoped and not persisted across restarts.
Templates are connection presets that store protocol settings, authentication defaults, tags, custom properties, and automation tasks. When you create a connection from a template, all configured fields are copied into the new connection — including the template's icon.
Manage Templates: Menu → Tools → Manage Templates (or rustconn-cli template list)
Create Template:
- From scratch: Open Manage Templates → Click Create Template → configure name, icon (emoji or GTK icon name), protocol, default settings
- From existing connection: Right-click a connection → Create Template from Connection
Use Template:
- From Connection Wizard (Ctrl+N): Choose "Custom Command" → template grid shows your templates and predefined ones; click to fill command and name
- From Quick Connect (Ctrl+Shift+Q): Select a template from the dropdown — fields pre-fill the form
- From Manage Templates: Select a template → click Create Connection
- From CLI:
rustconn-cli template apply "SSH Template" --name "New Server" --host "10.0.0.5"
Template Fields: Protocol, Host/Port, Username/Domain, Password Source, Tags, Icon, Protocol Config, Custom Properties, Pre/Post Tasks, WoL Config.
Predefined Templates: RustConn ships with 20 built-in templates for common CLI tools that don't have dedicated protocol support:
| Category | Templates |
|---|---|
| Remote Desktop | 🖥️ RustDesk, 🔴 AnyDesk, 🌐 Remmina |
| Containers | 🐳 Docker, 🦭 Podman, 📦 LXC/LXD, 🧊 Incus, 🗃️ Distrobox |
| Virtualization | 🖧 Virsh Console, 🟠 Proxmox VM, 🟡 Proxmox CT |
| Hardware | 🔌 IPMI SOL, 🔧 Picocom, 🐟 Redfish BMC |
| Cloud Access | 🛡️ WireGuard+SSH, 🚀 Teleport App, 🎛️ Cockpit |
| Automation | ⚙️ Ansible, ⏰ WoL+SSH, ❄️ Nix Remote Build |
Click "More…" in the wizard grid to browse all predefined templates grouped by category. Your own ZeroTrust templates (created via Manage Templates) appear first in the grid automatically.
Reusable command templates with variable substitution. Snippets let you define frequently used commands once and execute them in any active terminal session with one action.
Syntax: Snippets use ${variable} placeholders that are resolved at execution time.
# Service management
sudo systemctl restart ${service}
# Database backup
pg_dump -h ${host} -U ${user} -d ${database} > /tmp/${database}_backup.sqlVariable Features: Each variable can have a Name, Description (shown as hint), and Default Value (pre-filled when executing).
Manage Snippets: Menu → Tools → Manage Snippets (or rustconn-cli snippet list)
Execute Snippet:
- Connect to a terminal session (SSH, Telnet, Serial, Kubernetes, or local shell)
- Menu → Tools → Execute Snippet (or use Command Palette → Snippets)
- Select a snippet, fill in variable values, click Execute
Global Variables Auto-Resolution:
Snippet variables are automatically resolved from Global Variables (Menu → Tools → Variables) before execution. This means you can define common values once and reuse them across all snippets without manual input.
Resolution order:
- Global Variables — if a
${VAR}matches a defined global variable (including vault-backed secrets), its value is used automatically - Snippet defaults — if no global variable matches, the snippet's own default value is used
- Manual input — if neither is available, the variable input dialog appears
If all variables are resolved automatically, the snippet executes immediately without showing any dialog.
Example — zero-prompt snippet execution:
# Snippet: sudo systemctl restart ${SERVICE_NAME}
# Global Variable: SERVICE_NAME = nginx
# Result: executes immediately → "sudo systemctl restart nginx\n"Example — partial resolution:
# Snippet: pg_dump -h ${DB_HOST} -U ${DB_USER} -d ${database}
# Global Variables: DB_HOST = db.prod.internal, DB_USER = admin
# Result: dialog appears with DB_HOST and DB_USER pre-filled, only "database" needs inputOrganization: Snippets support categories and tags for filtering.
Clusters group multiple connections for simultaneous management. The primary use case is broadcast mode: type a command once and it is sent to all connected cluster members at the same time.
Create Cluster:
- Menu → Tools → Manage Clusters
- Click Create → enter name → add connections → optionally enable Broadcast by default
- Save
Connect Cluster: Open Manage Clusters → select a cluster → Connect All. RustConn opens a terminal tab for each member connection.
Broadcast Mode: When enabled, every keystroke you type in the focused terminal is sent to all connected cluster members simultaneously. Toggle the broadcast switch in the cluster toolbar.
Use cases:
- Rolling out configuration changes across multiple servers
- Running the same diagnostic command on all nodes
- Updating packages on a fleet of machines
Workspace profiles save your current set of open connections (with tab order) as a named snapshot that you can restore later with one click. Unlike session restore (which works automatically on restart), workspaces are named and can be switched manually at any time.
Save a workspace:
- Open the connections you want in the workspace
- Menu → Tools → Workspaces...
- Click Save Current → enter a name → Save
Open a workspace:
- Menu → Tools → Workspaces...
- Select the workspace → click Open
- All connections from the workspace are connected simultaneously
Use cases:
- "Production" workspace with monitoring + DB + web servers
- "Development" workspace with staging servers + bastion
- Quick context switching between projects
Workspaces persist in ~/.config/rustconn/workspace_profiles.toml. If a connection referenced by a workspace is deleted, the entry is automatically removed from the workspace.
Port knocking allows you to open firewall ports by sending a specific sequence of TCP/UDP packets before connecting. This works without any external tools — RustConn has a built-in implementation.
Configure per-connection:
- Edit Connection → Advanced tab → Connection Behavior section
- Enter the knock sequence in the Port Knock Sequence field
- Format:
7000 8000/tcp 9000/udp(space or comma separated, /tcp is default)
How it works:
- Before each connection, RustConn sends the knock sequence to the target host
- Each knock is a TCP connect attempt or UDP datagram (the SYN itself is the knock)
- After all knocks, a 200ms settle time allows the firewall to install its rule
- Then the normal connection proceeds (port check → connect)
Timing defaults:
- Inter-knock delay: 100ms
- Post-knock settle: 200ms
Send keystrokes to multiple terminal sessions simultaneously without setting up a cluster.
Usage:
- Click the Broadcast toggle button in the toolbar
- Checkboxes appear on each terminal tab
- Select the terminals you want to broadcast to
- Type in any selected terminal — keystrokes are sent to all selected terminals
- Click the Broadcast button again to deactivate
| Feature | Ad-hoc Broadcast | Cluster Broadcast |
|---|---|---|
| Setup | No setup — select terminals on the fly | Requires pre-defined cluster |
| Scope | Any open terminal tabs | Connections in a cluster |
| Persistence | Session-only | Saved in configuration |
Open with Ctrl+P (connections) or Ctrl+Shift+P (commands).
A VS Code-style quick launcher with fuzzy search. Type to filter, then select with arrow keys and Enter.
| Prefix | Mode | Description |
|---|---|---|
| (none) | Connections | Fuzzy search saved connections; Enter to connect |
> |
Commands | Application commands (New Connection, Import, Settings, etc.) |
@ |
Tags | Filter connections by tag |
# |
Groups | Filter connections by group |
% |
Open Tabs | Fuzzy search open tabs by name; Enter to switch |
The palette shows up to 20 results with match highlighting. Results are ranked by fuzzy match score. In % mode, results include protocol type and tab group name for quick identification.
Global variables allow you to use placeholders in connection fields that are resolved at connection time.
Syntax: ${VARIABLE_NAME}
Supported Fields: Host, Username, Domain (RDP)
Define Variables:
- Menu → Tools → Variables...
- Click + (Add Variable) in the header bar → a new expanded row appears with focus on the name field
- Enter name and value
- Optionally mark as Secret (value hidden, stored in vault)
- Add a description for documentation purposes
- Click Save
Collapsible Rows:
When you have many variables, each one is displayed as a collapsed row showing only its name. Click the expander arrow to reveal the full editing form. When you add a new variable, all existing rows collapse automatically so you can focus on the new entry.
Duplicate Name Protection:
Variable names must be unique (case-insensitive). If you try to save with duplicate names, the dialog highlights the conflicting entries in red and expands them — saving is blocked until you rename or delete the duplicates.
Secret Variables: Toggle visibility with the eye icon. Secret values are auto-saved to the configured vault backend on dialog save and cleared from the settings file.
KeePass Custom Entry Path:
When using KeePass/KeePassXC as the secret backend, secret variables can reference an existing entry in your KeePass database instead of the default RustConn/rustconn/var/{name} path:
- Mark the variable as Secret
- A KeePass entry field appears (only when KeePass backend is active)
- Enter the full path to an existing entry, e.g.,
Internet/MyRouterorNetwork/Switches/RADIUS - The password is read from that entry's Password attribute at connection time
This avoids duplicating secrets — you can reuse entries already in your KeePass database. When a custom path is set, RustConn reads from the entry but never creates or overwrites it.
If the field is left empty, the default path RustConn/rustconn/var/{name} is used (created automatically on save).
Vault Entry Name (Bitwarden, 1Password, Passbolt, Pass):
When using Bitwarden, 1Password, Passbolt, or Pass as the secret backend, secret variables can reference an existing vault entry by its exact name:
- Mark the variable as Secret
- A Vault entry field appears (only when a non-KeePass backend is active)
- Enter the exact name of an existing vault entry, e.g.,
AD CredentialsorProduction DB - Leave the password field empty — it will be fetched from the vault at connection time
How it works:
- At connection time, RustConn searches your vault for an entry matching the exact name (case-sensitive) and reads the password from it.
- Nothing is written back to the vault — the entry is treated as read-only.
- No credentials are stored locally on disk; only the reference (entry name) is persisted in settings.
- You do not need to enter the password in the variable dialog — the password field can be left blank.
This is the non-KeePass equivalent of "KeePass entry" — it allows reusing credentials already stored in your vault without duplicating them under the rustconn/var/ namespace.
If the Vault entry field is left empty, RustConn uses the default key rustconn/var/{name} (Bitwarden item named RustConn: rustconn/var/{name}). In that case, you must enter the password value, which will be saved to the vault once on creation.
Example:
Variable: PROD_USER = admin
Variable: PROD_DOMAIN = corp.example.com
Variable: RADIUS (secret, KeePass entry: Network/RADIUS_Secret)
Connection Username: ${PROD_USER} → admin
Connection Domain: ${PROD_DOMAIN} → corp.example.com
Connection Password Source: Variable → RADIUS → reads from KeePass entry "Network/RADIUS_Secret"
Tips:
- Variable names are case-sensitive
- Undefined variables remain as literal text
- Combine with Group Credentials for hierarchical credential management
Using Variables as Password Source (shared credentials):
To reuse the same credentials across multiple connections (e.g., one Active Directory account for many RDP sessions):
- Create a secret variable in Tools → Variables (e.g.,
AD_PASSWORD, mark as Secret) - In the Vault entry field, type the exact name of your existing Bitwarden/1Password/Passbolt/Pass entry (e.g.,
AD Credentials) - Leave the password field empty — RustConn will fetch it from the vault at connect time
- In each connection dialog → Password dropdown → select Variable
- Choose your secret variable from the dropdown that appears
All connections that reference the same variable share the credential — change it once in your vault, all connections pick up the updated value. Nothing is duplicated or written back to the vault.
The "+" button next to the dropdown opens the Variables manager directly if you have not created any secret variables yet.
Note: If you do not have an existing vault entry (and want RustConn to manage the secret for you), leave the "Vault entry" field blank and enter the password directly. It will be stored under
rustconn/var/{name}in your vault.
Menu → Tools → Password Generator
Features: Length (4-128 characters), character sets (lowercase, uppercase, digits, special, extended), exclude ambiguous (0, O, l, 1, I), strength indicator with entropy, crack time estimation, copy to clipboard.
Wake sleeping machines before connecting by sending WoL magic packets.
Configure WoL for a connection:
- Edit connection → WOL tab
- Enter MAC address (e.g.,
AA:BB:CC:DD:EE:FF) - Optionally set broadcast address and port
- Save
Send WoL from sidebar: Right-click connection → Wake On LAN. After sending, RustConn polls the host (every 5s for up to 5 minutes) and auto-connects when online.
Auto-WoL on connect: If a connection has WoL configured, a magic packet is sent automatically when you connect (fire-and-forget).
Standalone WoL dialog: Menu → Tools → Wake On LAN...
All GUI sends use 3 retries at 500 ms intervals for reliability.
Menu → Tools → Connection History
- Search and filter past connections by name, host, protocol, or username
- Connect directly from history
- Delete individual entries or clear all history
Menu → Tools → Connection Statistics
Tracks: total connections, success rate, connection duration (average/total), most used connections, protocol breakdown, last connected timestamps. Use Reset to clear all statistics.
Store sensitive notes, certificates, and credentials in AES-256-GCM encrypted documents within RustConn.
Create: Menu → File → New Document → enter name → optionally set protection password → write content → save with Ctrl+S.
Protection: Right-click document → Set/Remove Protection. Protected documents require the password each time they are opened. Unprotected documents are encrypted with the application master key.
Use Cases: Runbooks, API tokens, SSH key passphrases, network diagrams, compliance notes.
Backup: Documents are stored in ~/.config/rustconn/documents/. They are not included in Settings Backup/Restore or in RustConn Native export (.rcn) — back up the documents/ directory manually if needed.
MobaXterm-style monitoring bar below SSH terminals showing real-time system metrics from remote Linux hosts. Completely agentless — no software needs to be installed on the remote host. RustConn collects data by parsing /proc/* and df output over a separate SSH connection. For Telnet and Kubernetes sessions, monitoring is available if the host is also reachable via SSH.
Monitoring Bar:
[CPU: ████░░ 45%] [RAM: ██░░ 62%] [Disk: ██░░ 78%] [1.23 0.98 0.76] [↓ 1.2 MB/s ↑ 0.3 MB/s] [Ubuntu 24.04 (6.8.0) · x86_64 · 15.6 GiB · 8C/16T · 10.0.1.5]
Displayed Metrics:
| Metric | Source | Details |
|---|---|---|
| CPU usage | /proc/stat |
Percentage with level bar; delta-based calculation |
| Memory usage | /proc/meminfo |
Percentage with level bar; swap in tooltip |
| Disk usage | df -Pk |
Root filesystem; all mount points in tooltip |
| Load average | /proc/loadavg |
1, 5, 15 minute values |
| Network throughput | /proc/net/dev |
Download/upload rates (auto-scaled) |
| System info | One-time collection | Distro, kernel, arch, RAM, CPU cores, IP |
Enable Monitoring:
- Open Settings (Ctrl+,) → Monitoring page → General group
- Toggle Enable monitoring
- Configure polling interval (1–60 seconds, default: 3)
- Select which metrics to display in the Visible Metrics group
Per-Connection Override: Edit connection → Advanced tab → Remote Monitoring section → toggle Enable Monitoring ON or OFF. This overrides the global setting for this specific connection — if global monitoring is disabled but the toggle is ON, monitoring will still run for this connection (and vice versa).
Requirements: Remote host must be Linux. No agent installation needed. Works with SSH, Telnet, and Kubernetes connections.
Available only in Flatpak environment
Menu → Flatpak Components...
Download and install additional CLI tools directly within the Flatpak sandbox:
Zero Trust CLIs: AWS CLI, AWS SSM Plugin, Google Cloud CLI, Azure CLI, OCI CLI, Teleport, Tailscale, Cloudflare Tunnel, HashiCorp Boundary, Hoop.dev
Password Manager CLIs: Bitwarden CLI, 1Password CLI
Protocol Clients: TigerVNC Viewer
Features: One-click Install/Remove/Update, progress indicators with cancel support, SHA256 checksum verification, automatic PATH configuration.
Installation Location: ~/.var/app/io.github.totoshko88.RustConn/cli/
Standalone window for managing SSH port-forwarding tunnels that run independently of terminal sessions. Unlike per-connection port forwarding (which requires an active SSH terminal tab), standalone tunnels run in the background as headless ssh -N processes.
Open: Menu → SSH Tunnels or Ctrl+T
Create a Tunnel:
- Open SSH Tunnel Manager (Ctrl+T)
- Click Add Tunnel (+ button or the button on the empty state page)
- Enter a name (e.g., "MySQL prod", "SOCKS proxy")
- Select an existing SSH connection — the tunnel inherits host, port, username, SSH key, jump host, and credentials from this connection
- Add one or more port forwarding rules:
| Direction | SSH Flag | Example | Description |
|---|---|---|---|
Local (-L) |
-L 3306:db.internal:3306 |
Forward local port 3306 to db.internal:3306 through the tunnel |
|
Remote (-R) |
-R 9000:localhost:3000 |
Expose local port 3000 on the remote server's port 9000 | |
Dynamic (-D) |
-D 1080 |
SOCKS proxy on local port 1080 |
- Optionally enable Auto-start (tunnel starts when RustConn launches) and Auto-reconnect (tunnel restarts if the SSH process exits unexpectedly)
- Click Save
Manage Tunnels:
The tunnel manager window shows two groups:
- Active — currently running tunnels with a stop button
- Stopped — idle tunnels with a start button
Each tunnel row displays the connection name, forwarding summary (e.g., "L 3306→db:3306, D 1080"), and status. Click the toggle to start or stop a tunnel. Use the edit (pencil) and delete (trash) buttons to modify or remove tunnels.
Tunnel Options:
| Option | Description | Default |
|---|---|---|
| Auto-start | Start this tunnel automatically when RustConn launches | Off |
| Auto-reconnect | Restart the tunnel if the SSH process exits unexpectedly | Off |
| Enabled | Disabled tunnels are skipped by auto-start | On |
Use Cases:
- Access a database behind a firewall:
L 3306:db.internal:3306→ connect your DB client tolocalhost:3306 - SOCKS proxy for browsing through a remote network:
D 1080→ configure browser to uselocalhost:1080 - Expose a local dev server to a remote machine:
R 8080:localhost:3000 - Persistent tunnels that survive terminal tab closes — the tunnel keeps running until you stop it or quit RustConn
The Visual Tunnel Builder is a 3-step wizard dialog that guides you through creating or editing SSH tunnels. It replaces the previous flat dialog with a structured workflow and a visual path diagram showing the tunnel chain.
Open: From the SSH Tunnel Manager window (Ctrl+T), click Add Tunnel to create a new tunnel, or click the Edit (pencil) button on an existing tunnel.
Step 1 — Connection & Name:
- Enter a tunnel name (1–128 characters)
- Select an SSH connection from the dropdown (filter by typing in the search field)
- If the selected connection has a jump host configured, the bastion is shown automatically on the path diagram
- Optionally override the jump host by selecting a different SSH connection as the bastion
- If no SSH connections exist, a prompt offers to create one
- The visual path diagram updates in real time: localhost → bastion → target
Step 2 — Port Forwards & Options:
- Add port forwarding rules using the Add Forward button (up to 20 rules per tunnel):
| Direction | Fields | Example |
|---|---|---|
Local (-L) |
Local port, remote host, remote port | L 3306 → db.internal:3306 |
Remote (-R) |
Local port, remote host, remote port | R 9000 → localhost:3000 |
Dynamic (-D) |
Local port only | D 1080 (SOCKS) |
- Each rule is shown as a collapsible row with a dynamic summary title
- Port validation: 1–65535 required; ports below 1024 show a privilege warning
- Remote host is required for Local and Remote directions
- Toggle Auto-start (tunnel starts with RustConn) and Auto-reconnect (restart on unexpected exit)
- The path diagram reflects the current configuration
Step 3 — Review & Confirm:
- Full visual path diagram with status indicators (in edit mode: Running, Starting, Failed, Stopped)
- Summary of all configured parameters
- Monospace SSH command preview showing the exact
sshcommand that will be executed (e.g.,ssh -N -L 3306:db:3306 -J bastion user@target -p 22) - Copy button copies the SSH command to clipboard (toast confirms "Copied")
- If no port forwarding rules are configured, an info message is displayed
- Click Create (new tunnel) or Save (editing) to finish
Status Indicators (Edit Mode):
When editing an existing tunnel, the path diagram shows the current tunnel status:
| Status | Visual |
|---|---|
| Running | Green nodes with animated connection line |
| Starting | Yellow/warning nodes with pulsing animation |
| Failed | Red/error nodes with error tooltip |
| Stopped | Dimmed/inactive nodes |
Difference from Per-connection Port Forwarding:
| Feature | Per-connection (SSH tab) | Standalone Tunnel Manager |
|---|---|---|
| Lifecycle | Tied to terminal session | Independent background process |
| Terminal | Opens a terminal tab | No terminal (headless ssh -N) |
| Management | Configured per-connection | Centralized in Tunnel Manager |
| Auto-start | No | Yes |
| Auto-reconnect | No | Yes |
Access via Ctrl+, or Menu → Settings
The settings dialog uses adw::PreferencesDialog with built-in search. Settings are organized into 6 pages:
| Page | Icon | Contents |
|---|---|---|
| Terminal | utilities-terminal-symbolic |
Terminal + Logging |
| Interface | applications-graphics-symbolic |
Appearance, Window, Startup, System Tray, Session Restore, Keybindings + Backup & Restore |
| Secrets | channel-secure-symbolic |
Secret backends + SSH Agent |
| Connection | network-server-symbolic |
Clients |
| Monitoring | power-profile-performance-symbolic |
Remote host metrics (General + Visible Metrics) + Terminal Activity Monitor defaults |
| Cloud Sync | emblem-synchronizing-symbolic |
Sync directory, synced groups, simple sync |
Terminal group: Font (family and size), Scrollback (history buffer lines), Color Theme (Dark, Light, Solarized, Monokai, Dracula, plus user-created custom themes), Cursor (shape and blink mode), Behavior (scroll on output/keystroke, hyperlinks, mouse autohide, bell, SFTP via mc, copy on select, close tab on clean exit).
Close tab on clean exit: When enabled, tabs are automatically closed when the remote session exits cleanly (exit code 0, e.g. user typed exit or logout) instead of showing the reconnect overlay. Disabled by default.
Local Shell group: Command — custom command to run in Local Shell tabs instead of the default login shell (e.g. fish, bash --norc, neofetch && bash). Leave empty for system default.
Custom Themes: Click the + button next to the theme dropdown to create a new custom theme. The theme editor lets you set background, foreground, cursor, and all 16 ANSI palette colors. Custom themes are saved to ~/.config/rustconn/custom_themes.json and appear alongside built-in themes. Edit or delete custom themes with the pencil and trash buttons.
Logging group: Enable Logging (global toggle), Log Directory, Retention Days, Logging Modes (activity, user input, terminal output), Timestamps.
Appearance group: Theme (System, Light, Dark), Language (UI language selector, restart required), Color tabs by protocol, Sidebar width (260–500 pixels, default 320).
Window group: Remember size (restore window geometry on startup).
Startup group: On startup — Do nothing, Local Shell, or connect to a specific saved connection.
System Tray group: Show icon, Minimize to tray (hide window instead of closing).
Session Restore group: Enabled, Ask first, Max age (1–168 hours).
Keybindings group: Customizable keyboard shortcuts for 30+ actions across 6 categories. Record button to capture key combinations. Per-shortcut Reset and Reset All to Defaults.
Secret backend group:
- Preferred Backend — libsecret, KeePassXC, KDBX file, Bitwarden, 1Password, Passbolt, Pass (passwordstore.org)
- Enable Fallback — Use libsecret if primary unavailable
- Credential Encryption — Backend master passwords encrypted with AES-256-GCM + Argon2id (machine-specific key)
- Bitwarden Settings: Vault status, unlock button, master password persistence, save to system keyring, auto-unlock, API key authentication for 2FA
- 1Password Settings: Account status, sign-in button, biometric auth support, service account token
- Passbolt Settings: CLI detection, server URL, GPG passphrase, server configuration status
- Pass Settings: CLI detection, custom
PASSWORD_STORE_DIR, GPG-encrypted files - KeePassXC KDBX Settings: Database path, key file, password/key file authentication
- System Keyring Requirements: Requires
libsecret-tools(secret-toolbinary) - Installed Password Managers — Auto-detected managers with versions
SSH Agent group: Status (running/stopped with socket path), Loaded Keys (with remove option), Available Keys (keys in ~/.ssh/ with add option).
Clients group: Auto-detected CLI tools with versions — Protocol Clients (SSH, RDP, VNC, SPICE, Telnet, Serial, Kubernetes) and Zero Trust (AWS, GCP, Azure, OCI, Cloudflare, Teleport, Tailscale, Boundary, Hoop.dev). Searches PATH and user directories.
Monitoring group: Enable monitoring (global toggle), Polling interval (1–60 seconds, default: 3), Visible Metrics (CPU, Memory, Disk, Network, Load Average, System Info).
Customize all keyboard shortcuts via Settings → Interface page → Keybindings.
- Open Settings (Ctrl+,) → Keybindings tab
- Find the action you want to change
- Click Record next to it
- Press the desired key combination
- The new shortcut is saved immediately
Click the ↩ button next to any shortcut to reset it to default, or Reset All to Defaults at the bottom.
When working in remote sessions with TUI applications (nvim, tmux, htop, mc), RustConn's keyboard shortcuts can conflict with the remote application's bindings. Keyboard passthrough mode disables all application shortcuts so every key combination reaches the remote session.
Toggle passthrough:
- Press Ctrl+Shift+Backspace (works in both normal and passthrough mode)
- Or use the menu: ☰ → Keyboard Passthrough
- Or use the command palette: Ctrl+P → "Toggle Keyboard Passthrough"
When passthrough is active:
- All application shortcuts are disabled (Ctrl+N, Ctrl+F, Ctrl+P, etc. go to the terminal)
- The F10 primary-menu key is also suspended, so F10 reaches the remote session (e.g. Midnight Commander)
- Only three shortcuts remain active: the passthrough toggle itself (Ctrl+Shift+Backspace), Quit (Ctrl+Q), and Fullscreen (F11)
- A toast notification confirms the mode change
- The menu item shows a checkmark when active
Customization: The list of shortcuts that remain active in passthrough mode can be configured in config.toml under [keybindings] passthrough_exceptions.
RustConn adapts to different window sizes using adw::Breakpoint and responsive dialog sizing.
Main window breakpoints:
- Below 600sp: split view buttons hidden from header bar (still accessible via keyboard shortcuts or menu)
- Below 400sp: sidebar collapses to overlay mode (toggle with F9 or swipe gesture)
Dialogs: All dialogs have minimum size constraints and scroll their content. They can be resized down to ~350px width without clipping.
Configure which session opens automatically when RustConn starts.
Settings (GUI):
- Open Settings (Ctrl+,) → Interface page → Startup group
- Select: Do nothing, Local Shell, or <Connection Name> (Protocol)
CLI Override: rustconn --shell or rustconn --connect "Production Server" (overrides persisted setting for a single launch).
Use RustConn as Default Terminal: Create a .desktop file with Exec=rustconn --shell and set it as the default terminal in your desktop environment settings.
Back up your entire RustConn configuration as a single ZIP archive.
Create a Backup: Settings → Interface → Backup & Restore → Backup → choose save location.
Restore from Backup: Settings → Interface → Backup & Restore → Restore → select ZIP → confirm → restart RustConn.
Note: After restoring, any changes made in the Settings dialog before closing it will be discarded. Close the dialog and restart RustConn to apply the restored configuration.
What's Included:
| Included | Not Included |
|---|---|
| Connections and groups | Passwords (stored in secret backend) |
| Templates and snippets | Encrypted documents |
| Clusters | SSH keys |
| Global variables (names only; secret values are in vault) | Session logs |
| Keybindings | Flatpak-installed CLI tools |
| Application settings | |
| Connection history and statistics |
Important: The
.machine-keyfile (~/.local/share/rustconn/.machine-key) is not included in backups. This key is used to encrypt credentials stored locally (AES-256-GCM). To migrate encrypted credentials to a different machine, copy.machine-keyfrom the old machine before restoring the backup, or re-enter passwords after restore.
Supported formats:
- SSH Config (
~/.ssh/config) - Remmina profiles
- Asbru-CM configuration
- Ansible inventory (INI/YAML)
- Royal TS (.rtsz XML)
- MobaXterm sessions (.mxtsessions)
- SecureCRT sessions (.ini directory)
- Remote Desktop Manager (JSON)
- RDP files (.rdp — Microsoft Remote Desktop)
- Virt-Viewer (.vv files — SPICE/VNC from libvirt, Proxmox VE)
- Libvirt / GNOME Boxes (domain XML — VNC, SPICE, RDP from QEMU/KVM VMs)
- RustConn Native (.rcn)
Double-click source to start import immediately.
Merge Strategies:
- Skip Existing — Keep current connections, skip duplicates
- Overwrite — Replace existing connections with imported data
- Rename — Import as new connections with a suffix
Duplicate Handling: If imported connections have names that already exist, RustConn shows a dialog with the duplicate count and three choices — Cancel, Skip Duplicates, or Import All — instead of silently creating renamed copies.
Import Preview: For large imports (10+ connections), a preview is shown before applying.
Import Source Details:
| Source | Auto-scan | File picker | Protocols | Notes |
|---|---|---|---|---|
| SSH Config | ~/.ssh/config |
Any file | SSH | Host blocks → connections |
| Remmina | ~/.local/share/remmina/ |
— | SSH, RDP, VNC, SFTP | One .remmina per connection |
| Asbru-CM | ~/.config/pac/ |
YAML file | SSH, VNC, RDP | Variables converted to ${VAR} |
| Ansible | /etc/ansible/hosts |
INI/YAML file | SSH | Groups preserved |
| Royal TS | — | .rtsz file |
All | Folder hierarchy → groups |
| MobaXterm | — | .mxtsessions |
SSH, RDP, VNC, Telnet, Serial | INI-based sessions |
| SecureCRT | ~/.vandyke/Config/Sessions/ |
Directory or .ini |
SSH, Telnet, RDP, VNC | Folder hierarchy → groups |
| Remote Desktop Manager | — | JSON file | SSH, RDP, VNC | Devolutions JSON export |
| RDP File | — | .rdp file |
RDP | Microsoft Remote Desktop format |
| Virt-Viewer | — | .vv file |
SPICE, VNC | From libvirt, Proxmox VE, oVirt |
| Libvirt / GNOME Boxes | /etc/libvirt/qemu/, ~/.config/libvirt/qemu/ |
XML file | VNC, SPICE, RDP | Domain XML <graphics> elements |
| Libvirt Daemon (virsh) | qemu:///session |
— | VNC, SPICE, RDP | Queries running libvirtd via virsh |
| RustConn Native | — | .rcn file |
All | Full-fidelity backup |
Supported formats: SSH Config, Remmina profiles, Asbru-CM, Ansible inventory, Royal TS (.rtsz), MobaXterm (.mxtsessions), SecureCRT (.ini), RustConn Native (.rcn).
Options: Include passwords (where supported), Export selected only.
Format Limitations:
| Format | Protocols | Passwords | Groups | Notes |
|---|---|---|---|---|
| SSH Config | SSH only | Key paths only | No | Standard ~/.ssh/config format |
| Remmina | SSH, RDP, VNC, SFTP | Encrypted | No | One .remmina file per connection |
| Asbru-CM | SSH, VNC, RDP | Encrypted | Yes | YAML-based, supports variables |
| Ansible | SSH only | No | Yes (groups) | INI or YAML inventory format |
| Royal TS | All | Encrypted | Yes | XML .rtsz archive |
| MobaXterm | SSH, RDP, VNC, Telnet | Encrypted | Yes | INI-based .mxtsessions |
| SecureCRT | SSH, Telnet, RDP, VNC | No | Yes | Directory of .ini files |
| RustConn Native | All | Encrypted | Yes | Full-fidelity backup format |
Import connections from CSV files or export to CSV format. Follows RFC 4180.
CSV Import:
- Menu → Import or Ctrl+I → select CSV format
- Choose the CSV file
- RustConn auto-detects column mapping from headers (
name,host,port,protocol,username,group,tags,description) - Review mapping, select delimiter (comma, semicolon, tab)
- Click Import
Tags: Semicolon-separated in the tags column: web;production;eu
Groups: Slash-separated path in the group column: Production/Web Servers
RustConn registers as a handler for .rdp files. Double-clicking an .rdp file opens RustConn and connects automatically.
How It Works:
- Double-click an
.rdpfile (or runrustconn file.rdp) - RustConn parses the file and creates a temporary connection
- The connection starts immediately
Supported .rdp Fields: full address, username, domain, gatewayhostname, gatewayusername, desktopwidth/desktopheight, session bpp, audiomode, redirectclipboard, remoteapplicationprogram, remoteapplicationcmdline, remoteapplicationname.
Desktop Integration:
xdg-mime default io.github.totoshko88.RustConn.desktop application/x-rdpRustConn registers as a handler for .vv files (SPICE/VNC connections from libvirt, Proxmox VE, oVirt). Double-clicking a .vv file opens RustConn and connects automatically.
How It Works:
- Double-click a
.vvfile (or runrustconn file.vv) - RustConn parses the file and creates a connection with all settings (host, port, TLS, proxy, password)
- The connection starts immediately
Proxmox VE SPICE Tickets:
Proxmox VE generates short-lived .vv files ("SPICE tickets") valid for 30–40 seconds. RustConn handles these correctly:
- Inline PEM CA certificates are automatically saved to
~/.local/share/rustconn/certs/and configured in connection settings - The proxy URL (
pvespiceproxy) is preserved in the SPICE configuration - The connection starts immediately after import, meeting the ticket TTL requirement
Supported Fields: type (spice/vnc), host, port, tls-port, password, title, proxy, ca (file path or inline PEM), host-subject, delete-this-file.
Desktop Integration:
xdg-mime default io.github.totoshko88.RustConn.desktop application/x-virt-viewer- File > Import > Remmina → select data directory
- Review import preview → choose merge strategy → Import
- Re-enter passwords and verify SSH key paths after import
Flatpak ↔ Flatpak: If both RustConn and Remmina are installed as Flatpaks, the Remmina import button may show "Not Found" because Remmina stores its
.remminafiles inside its own sandbox (~/.var/app/org.remmina.Remmina/data/remmina/), which RustConn cannot access by default. See Flatpak Sandbox Overrides → Remmina Import below for the fix.
- Export sessions from MobaXterm → copy
.mxtsessionsfile to Linux - File > Import > MobaXterm → select file → Import
- Locate SecureCRT sessions directory (
~/.vandyke/Config/Sessions/on Linux, or%APPDATA%\VanDyke\Config\Sessions\on Windows — copy to Linux) - File > Import > SecureCRT → select the
Sessionsdirectory → Import - Folder hierarchy is preserved as connection groups; SSH keys, usernames, ports, X11/agent forwarding settings are imported
- In Royal TS: File > Export > Royal TS Document (.rtsz)
- File > Import > Royal TS → select file → Import (folder structure preserved as groups)
- File > Import > SSH Config → select
~/.ssh/config - Each
Hostblock becomes an SSH connection
- File > Import > Ansible → select inventory file
- Host groups become RustConn groups; hosts become SSH connections
- File > Import > Libvirt / GNOME Boxes (auto-scan) or select individual XML files
- Each
<graphics>element becomes a VNC, SPICE, or RDP connection
- Re-enter passwords (no import format includes plaintext credentials)
- Verify SSH key paths (may differ between Windows and Linux)
- Test a connection from each protocol type
- Organize imported connections into groups
- Set up your preferred secret backend
- Delete the import source file if it contains sensitive data
RustConn stores all configuration in ~/.config/rustconn/:
~/.config/rustconn/
├── config.toml # Application settings
├── connections.toml # Connections (hosts, ports, usernames)
├── groups.toml # Group hierarchy and credentials
├── snippets.toml # Command snippets
├── clusters.toml # Broadcast clusters
├── templates.toml # Connection templates
├── history.toml # Connection history (local)
└── trash.toml # Trash (local)
Note: Smart Folders, global variables, keybindings, and all other application settings are stored inside
config.toml— there is no separatesmart_folders.tomlfile.
Git (Recommended):
cd ~/.config/rustconn
git init
echo "history.toml" >> .gitignore
echo "trash.toml" >> .gitignore
git add -A && git commit -m "Initial config"
git remote add origin <your-repo-url>
git push -u origin mainSyncthing / rsync:
rsync -avz ~/.config/rustconn/ user@remote:~/.config/rustconn/Tips:
history.tomlandtrash.tomlare machine-local — exclude them from sync- Passwords stored in KeePass/libsecret/Bitwarden are not in the config files — sync your vault separately
- After syncing, restart RustConn to pick up changes
Synchronize connection configurations between devices and team members through any shared cloud directory (Google Drive, Syncthing, Nextcloud, Dropbox, USB drive — anything that syncs files).
Group Sync is designed for teams. Each root group exports to a dedicated .rcn file using a Master/Import access model.
- Master — full control, exports changes to the sync file
- Import — read-only, imports changes from the sync file
Enable Group Sync:
- Go to Settings → Cloud Sync → set a Sync Directory
- Right-click a root group → Edit Group → Cloud Sync tab → set sync mode to "Master"
- The group is exported to
<sync-dir>/<group-slug>.rcn
Import a shared group:
- Go to Settings → Cloud Sync → "Available in Cloud" section
- Click "Import" next to the
.rcnfile - The group appears in the sidebar with a sync indicator (⟳)
Import groups are read-only for synced fields (name, host, port, protocol). Local-only fields (SSH key path, sort order, pinned status) remain editable. Changes from the Master are auto-imported when the file watcher detects updates (3s debounce).
Credentials are never synced — only variable names are included. Each team member configures their own secret backend values locally.
Simple Sync is for personal multi-device use. A single full-sync.rcn file contains all connections, groups, templates, snippets, and clusters with UUID-based bidirectional merge.
Enable: Settings → Cloud Sync → toggle "Sync everything between your devices"
Deletions are tracked via tombstones (auto-cleaned after 30 days). The device_id prevents circular self-sync.
Groups can define SSH settings (auth method, key path, proxy jump, agent socket) that child connections inherit. This avoids duplicating key paths across dozens of connections and keeps ssh_key_path local-only per device.
Flatpak sandboxes restrict filesystem access by default. Cloud Sync requires read/write access to your sync directory (e.g. Google Drive, Syncthing, Nextcloud folder).
Automatic detection: When selecting a sync directory in Flatpak, RustConn detects XDG Document Portal paths (temporary FUSE mounts that don't support inotify) and shows a warning dialog with the exact
flatpak overridecommand needed. You can copy the command directly from the dialog.
Grant access to a specific directory:
flatpak override --user --filesystem=/path/to/your/sync/folder io.github.totoshko88.RustConnCommon examples:
# Google Drive (via GNOME Online Accounts)
flatpak override --user --filesystem=xdg-run/gvfs io.github.totoshko88.RustConn
# Syncthing default folder
flatpak override --user --filesystem=~/Sync io.github.totoshko88.RustConn
# Nextcloud
flatpak override --user --filesystem=~/Nextcloud io.github.totoshko88.RustConn
# Dropbox
flatpak override --user --filesystem=~/Dropbox io.github.totoshko88.RustConn
# Custom path
flatpak override --user --filesystem=/mnt/shared/rustconn-sync io.github.totoshko88.RustConnVerify access:
flatpak info --show-permissions io.github.totoshko88.RustConn | grep filesystemRevoke access:
flatpak override --user --nofilesystem=/path/to/folder io.github.totoshko88.RustConnAfter granting access, restart RustConn and set the sync directory in Settings → Cloud Sync.
Note: You can also use Flatseal for a graphical interface to manage Flatpak permissions.
Configure:
- Edit a group → SSH Settings section
- Set SSH Key Path, Auth Method, Proxy Jump, or Agent Socket
- Child connections with Key Source = "Inherit" use the group's values
The inheritance chain walks from the connection's immediate group up to the root, returning the first value found.
When connecting to a synced connection that references an unconfigured variable or secret backend, RustConn shows an interactive dialog instead of silently failing:
- Variable Not Configured — an
AdwAlertDialogprompts you to enter the variable value and select a storage backend (LibSecret, KeePassXC, Bitwarden, 1Password). Click "Save & Connect" to store the value and proceed, or "Cancel" to abort. - Secret Backend Not Configured — shown when the connection's password source references a vault that isn't set up on this device. Choose "Enter Password Manually" to proceed with a one-time password prompt, or "Open Settings" to configure the backend first.
- Vault Entry Missing — if the vault is configured but the specific credential entry doesn't exist, a warning toast is shown ("Vault entry not found for '…'") and the connection proceeds without stored credentials; the protocol handler prompts for a password (RDP/VNC password dialog, SSH terminal prompt).
Sidebar sync indicators show the current sync state for each synced group:
- ⟳ (
emblem-synchronizing-symbolic) — synced successfully, tooltip shows "Master — synced to cloud" or "Import — synced from cloud" - ⚠ (
dialog-warning-symbolic) — last sync operation failed, tooltip shows the specific error (e.g. "Sync error: Parse error: invalid JSON")
Sync failure banner: When a sync operation fails (manual Sync Now or background auto-export), a persistent adw::Banner appears below the header bar and stays until you dismiss it or the next successful sync clears it. Success messages still use transient toasts.
RustConn can automatically fill SSH password prompts using credentials stored in your vault. For this to work:
-
Set Password Source to "Vault" — in the connection dialog (Basic tab → Authentication → Password Source), select "Vault". Other sources (Prompt, None) will not trigger auto-login.
-
Store the password in your vault — use the "Load from vault" button (📂) to verify the password is retrievable. The lookup key format depends on your backend:
- KeePass/KDBX:
RustConn/GroupName/ConnectionName (protocol)— hierarchical path matching your group structure - Keyring (libsecret):
ConnectionName (protocol)— e.g. "MyServer (ssh)" - Bitwarden/1Password/Passbolt/Pass:
rustconn/ConnectionName
- KeePass/KDBX:
-
Test before connecting — click the ✓ button next to the password field to run a credential resolution test. It shows the exact lookup key used and whether the vault returned a password.
-
How it works at connect time:
- RustConn resolves credentials from the vault asynchronously
- The resolved password is cached in memory for the session
- When the SSH terminal shows a
password:prompt, the password is automatically sent - The prompt is detected in 15+ languages (English, German, French, Spanish, Ukrainian, Chinese, Japanese, Korean, etc.)
- Passphrase prompts ("Enter passphrase for key…") are excluded to avoid sending the wrong secret
Instead of storing passwords directly per-connection, you can use Global Variables (Menu → Tools → Variables) as a shared credential source:
-
Set Password Source to "Variable" — select "Variable" and choose the variable name from the dropdown (e.g.
RADIUS,DEPLOY_KEY). -
Store the variable value — go to Menu → Tools → Variables and create a secret variable with the password value. The value is stored in your configured vault backend.
-
First-time connection on a new device — if the variable has not been configured on this device yet, RustConn shows a "Variable Not Configured" dialog:
- Enter the password value
- Select a storage backend (LibSecret, KeePassXC, Bitwarden, 1Password)
- Click "Save & Connect" to store the value and proceed immediately
This dialog only appears once per device. After saving, subsequent connections use the stored value automatically.
-
Sharing across connections — multiple connections can reference the same variable. Update the variable value once and all connections pick up the new password at next connect.
| Source | Behavior | Auto-Login |
|---|---|---|
| Vault | Resolves password from configured secret backend using connection name as lookup key | ✅ Yes |
| Variable | Resolves password from a named Global Variable stored in vault | ✅ Yes |
| Script | Executes an external command and uses stdout as password | ✅ Yes |
| Inherit | Walks up the group hierarchy to find the first parent with Vault credentials | ✅ Yes |
| Prompt | Always asks for password at connect time | ❌ No |
| None | No password — relies on SSH keys or other auth methods | ❌ No |
Common issues:
| Symptom | Cause | Fix |
|---|---|---|
| Password prompt appears despite vault configured | Password Source set to "Prompt" or "None" | Change to "Vault" or "Variable" in connection dialog |
| "Vault entry not found" toast | Entry name in vault doesn't match lookup key | Use ✓ test button to see expected key, rename vault entry |
| "Variable Not Configured" dialog appears | Variable value not stored on this device | Enter the value and click "Save & Connect" |
| Password sent but rejected | Wrong password stored in vault | Update the vault entry with correct password |
| Non-English prompt not detected | Unsupported language | Open an issue — we support 15+ languages |
| KeePass lookup fails | Database locked or wrong path | Check Settings → Secrets → KDBX path and password |
| Backend | Best For | Security Level |
|---|---|---|
| System Keyring (libsecret) | Desktop Linux with GNOME Keyring or KDE Wallet | High — OS-managed, session-locked |
| KeePassXC | Users who already use KeePassXC | High — AES-256 encrypted database |
| Bitwarden | Teams using Bitwarden | High — cloud-synced, E2E encrypted |
| 1Password | Teams using 1Password | High — cloud-synced, E2E encrypted |
| Passbolt | Self-hosted team password management | High — GPG-based |
| Pass (passwordstore.org) | CLI-oriented users, git-synced passwords | High — GPG-encrypted files |
| KDBX File | Offline/air-gapped environments | High — AES-256, local file only |
Configure your preferred backend in Settings → Secrets. RustConn falls back to the system keyring if the preferred backend is unavailable.
Fallback Behavior:
When the preferred backend (e.g., KeePassXC) cannot be reached — database password not configured, database file locked, or CLI tool not installed — RustConn automatically falls back to the system keyring (libsecret) for both reading and writing secrets. This requires the "Enable fallback" option in Settings → Secrets (enabled by default).
- Reading: If KeePass returns no result, RustConn checks libsecret before showing the "Variable Not Configured" dialog
- Writing: If KeePass save fails, the secret is stored in libsecret instead
- Variable Not Configured dialog: When a connection requires a variable that has no value on this device, a dialog appears letting you enter the value and choose which backend to store it in — this choice is respected regardless of the global preferred backend setting
Tip: If you see the "Variable Not Configured" dialog repeatedly, check that your KeePass database password is configured in Settings → Secrets. Without it, RustConn cannot read or write entries in the database.
- Use SSH keys instead of passwords whenever possible (Ed25519 or ECDSA recommended)
- Use FIDO2/Security Keys for the strongest SSH authentication (requires OpenSSH 8.2+)
- Set Password Source to a vault backend rather than storing passwords in the RustConn config
- Use Group Credentials to avoid duplicating the same password across multiple connections
- Enable Inherit from Group on child connections to centralize credential management
- Rotate credentials regularly; RustConn resolves passwords from the vault at connection time
- RustConn performs a pre-connect port check before establishing connections
- SSH connections verify host keys via the system
known_hostsfile - Use SSH Proxy Jump for connections behind bastion hosts
- Use Zero Trust providers to eliminate direct SSH exposure
- Enable session logging for audit trails
Where are my passwords stored? Depending on your configured secret backend: libsecret (desktop keyring), KeePassXC (database), KDBX file (local encrypted file), Bitwarden/1Password/Passbolt (cloud vault), or Pass (GPG-encrypted files). Connection files themselves never contain actual passwords.
How do I migrate RustConn to another machine? Use Backup & Restore: Backup on old machine → copy ZIP → Restore on new machine → restart. Re-enter passwords or configure the same secret backend.
Can I use RustConn without a secret backend? Yes. libsecret (desktop keyring) is used by default. If unavailable, use a local KDBX file as a fully offline backend.
How do I share connections with my team?
Export (File > Export) in Native .rcn, SSH Config, or CSV format → send to colleagues → they import via File > Import. Passwords are never included.
Why does RustConn ask for my keyring password on startup? Your desktop keyring may be locked. Configure it to unlock automatically on login, or switch to a different secret backend.
How do I connect to a host behind a jump server?
Set the Proxy Jump field in the SSH connection dialog's Advanced tab (e.g., user@bastion.example.com). Chain multiple jump hosts with commas.
How do I reset RustConn to default settings?
mv ~/.config/rustconn ~/.config/rustconn.backupMy External RDP session disconnects (or goes fullscreen) when I press a key combo.
That is a built-in shortcut of the FreeRDP SDL client, which uses Right Shift as the modifier (e.g. Right Shift + D disconnects, Right Shift + G releases the keyboard/mouse). You can remap or disable these in sdl-freerdp.json — see External FreeRDP Keyboard Shortcuts for the exact Flatpak path and ready-to-use JSON.
- Verify host/port:
ping hostname - Check credentials
- SSH key permissions:
chmod 600 ~/.ssh/id_rsa - Firewall settings
If connecting to libvirt VMs by hostname fails, install the libvirt NSS module:
# Fedora
sudo dnf install libvirt-nss
# Debian/Ubuntu
sudo apt install libnss-libvirtAdd libvirt libvirt_guest to the hosts line in /etc/nsswitch.conf.
Flatpak users: Use the VM's IP address instead of hostname, or configure a local DNS entry.
- Install 1Password CLI from 1password.com/downloads/command-line
- Sign in:
op signin - Or use service account: set
OP_SERVICE_ACCOUNT_TOKEN - Select 1Password backend in Settings → Secrets
See BITWARDEN_SETUP.md for a detailed guide.
Quick checklist:
- Install Bitwarden CLI (Flatpak: via Flatpak Components; Native:
npm install -g @bitwarden/cli) - For self-hosted:
bw config server https://your-serverbefore logging in - Login:
bw login→ Unlock:bw unlock - Select Bitwarden backend in Settings → Secrets
- For 2FA (FIDO2, Duo): use API key authentication
- Enable "Save to system keyring" for auto-unlock
- Install
libsecret-tools:sudo apt install libsecret-toolsorsudo dnf install libsecret - Verify:
secret-tool --version - Ensure a Secret Service provider is running (GNOME Keyring, KDE Wallet)
- Flatpak:
secret-toolis bundled — ensure desktop has a Secret Service provider
- Install
go-passbolt-clifrom github.com/passbolt/go-passbolt-cli - Configure:
passbolt configure --serverAddress https://your-server.com --userPrivateKeyFile key.asc --userPassword - Verify:
passbolt list resource
- Install KeePassXC → enable browser integration
- Configure KDBX path in Settings → Secrets
- Flatpak: KeePassXC on host is detected automatically via
flatpak-spawn --host
- Install
pass:sudo apt install passorsudo dnf install pass - Initialize store:
pass init <gpg-id> - Select Pass backend in Settings → Secrets
- Check IronRDP/vnc-rs features enabled
- For external: verify FreeRDP/TigerVNC installed
- Flatpak: FreeRDP (SDL3) is bundled; TigerVNC via Flatpak Components
- HiDPI: use Scale Override in connection dialog
- Clipboard not syncing: ensure "Clipboard" is enabled in RDP settings
- RDP Gateway: IronRDP doesn't support RD Gateway; falls back to external FreeRDP
- Enable in Settings → Interface → Session Restore
- Check maximum age setting
- Ensure normal app close (not killed)
- Requires
tray-iconfeature - Check DE tray support
- Some DEs need extensions
RUST_LOG=debug rustconn 2> rustconn.log
# Module-specific
RUST_LOG=rustconn_core::connection=debug rustconn
RUST_LOG=rustconn_core::secret=debug rustconn- Add user to
dialoutgroup:sudo usermod -aG dialout $USER - Log out and back in
- Flatpak:
--device=allpermission (automatic) - Snap:
sudo snap connect rustconn:serial-port
- Verify
kubectlis installed and in PATH - Check cluster access:
kubectl cluster-info - Verify pod exists:
kubectl get pods -n <namespace> - Flatpak: install
kubectlvia Flatpak Components
VTE handles screen clearing by scrolling content into scrollback rather than erasing. For Flatpak builds missing clear:
printf '\033[H\033[2J\033[3J'
# Or add alias to ~/.bashrc:
alias clear='printf "\033[H\033[2J\033[3J"'- File access:
flatpak override --user --filesystem=home io.github.totoshko88.RustConn - SSH agent: Forwarded via
--socket=ssh-auth; alternative agent sockets need manual override - Serial devices:
--device=allpermission - CLI tools: Host binaries not visible — use Flatpak Components
- Secret Service: Works via D-Bus portal
- KeePassXC: Detected via
flatpak-spawn --host - Zero Trust / Kubernetes: Cloud CLIs detected via
flatpak-spawn --host; config dirs mounted - FreeRDP: Bundled (SDL3 client)
- Verify SSH connection works normally
- Check remote host has
uptime,free,df,cat /proc/loadavg - Ensure
MaxSessionsinsshd_configallows multiple sessions - Increase polling interval if metrics show "N/A"
The Flatpak build ships with minimal sandbox permissions. Some features require manual overrides:
SSH Agent Sockets:
# KeePassXC
flatpak override --user --filesystem=xdg-run/ssh-agent:ro io.github.totoshko88.RustConn
# Bitwarden
flatpak override --user --filesystem=home/.var/app/com.bitwarden.desktop/data:ro io.github.totoshko88.RustConn
# GPG agent
flatpak override --user --filesystem=xdg-run/gnupg:ro io.github.totoshko88.RustConn
# 1Password
flatpak override --user --filesystem=home/.1password:ro io.github.totoshko88.RustConnHoop.dev:
flatpak override --user --filesystem=home/.hoop:ro io.github.totoshko88.RustConnRemmina Import (Flatpak ↔ Flatpak):
When Remmina is also installed as a Flatpak, its connection files live inside its own sandbox at ~/.var/app/org.remmina.Remmina/data/remmina/ instead of the standard ~/.local/share/remmina/. RustConn cannot see this directory by default, so the import button shows "Not Found."
Option A — Grant read access (recommended):
flatpak override --user --filesystem=home/.var/app/org.remmina.Remmina/data/remmina:ro io.github.totoshko88.RustConnOption B — Flatseal (GUI):
- Open Flatseal → select RustConn
- Scroll to Filesystem → Other files → add
~/.var/app/org.remmina.Remmina/data/remmina:ro
Option C — Symlink (no permission changes):
ln -s ~/.var/app/org.remmina.Remmina/data/remmina ~/.local/share/remminaRestart RustConn after any of the above. The Remmina import should now detect connection files.
RDP Shared Folders:
flatpak override --user --filesystem=home io.github.totoshko88.RustConnView/Reset Overrides:
flatpak override --user --show io.github.totoshko88.RustConn
flatpak override --user --reset io.github.totoshko88.RustConnPress Ctrl+? or F1 for searchable shortcuts dialog.
Note: Sidebar-scoped shortcuts (F2, Delete, Ctrl+E, Ctrl+D, Ctrl+C, Ctrl+V, Ctrl+M) only work when the sidebar has focus.
| Shortcut | Action |
|---|---|
| Ctrl+N | New Connection (Wizard) |
| Ctrl+Shift+N | New Connection (Advanced) |
| Ctrl+Shift+G | New Group |
| Ctrl+Shift+Q | Quick Connect |
| Ctrl+I | Import |
| Ctrl+Shift+E | Export |
| Ctrl+E | Edit Connection (sidebar) |
| F2 | Rename |
| Delete | Delete |
| Ctrl+D | Duplicate |
| Ctrl+C / Ctrl+V | Copy / Paste |
| Ctrl+M | Move to Group |
| Enter | Connect to selected |
| Menu / Shift+F10 | Open context menu for selected row |
| Shortcut | Action |
|---|---|
| Ctrl+Shift+C | Copy |
| Ctrl+Shift+V | Paste |
| Ctrl+Shift+F | Terminal Search |
| Ctrl+W / Ctrl+Shift+W | Close Tab |
| Ctrl+Tab / Ctrl+PageDown | Next Tab |
| Ctrl+Shift+Tab / Ctrl+PageUp | Previous Tab |
| Ctrl+Shift+T | Local Shell |
| Ctrl+Shift+O | Tab Overview |
| Ctrl+% | Switch to Open Tab |
| Ctrl+Scroll | Zoom in/out (font size) |
| Ctrl+Plus / Ctrl+Minus | Zoom in/out (font size) |
| Ctrl+0 | Reset zoom |
RustConn uses VTE, which passes all keystrokes to the shell. Configure vim/emacs mode in your shell:
| Shell | Vim Mode | Emacs Mode (default) |
|---|---|---|
| Bash | set -o vi in ~/.bashrc |
set -o emacs in ~/.bashrc |
| Zsh | bindkey -v in ~/.zshrc |
bindkey -e in ~/.zshrc |
| Fish | fish_vi_key_bindings |
fish_default_key_bindings |
| Shortcut | Action |
|---|---|
| Ctrl+Shift+H | Split Horizontal |
| Ctrl+Shift+S | Split Vertical |
| Ctrl+Shift+X | Close Pane |
| Ctrl+` | Focus Next Pane |
| Shortcut | Action |
|---|---|
| Ctrl+F | Search |
| Ctrl+P | Command Palette (Connections) |
| Ctrl+Shift+P | Command Palette (Commands) |
| Ctrl+1 / Alt+1 | Focus Sidebar |
| Ctrl+2 / Alt+2 | Focus Terminal |
| Ctrl+, | Settings |
| F11 | Toggle Fullscreen |
| F9 | Toggle Sidebar |
| Ctrl+H | Connection History |
| Ctrl+Shift+I | Statistics |
| Ctrl+G | Password Generator |
| Ctrl+Shift+L | Wake On LAN |
| Ctrl+T | SSH Tunnel Manager |
| F10 | Open Menu (suspended in passthrough mode) |
| Ctrl+? / F1 | Keyboard Shortcuts |
| Ctrl+Shift+Backspace | Toggle Keyboard Passthrough |
| Ctrl+Shift+B | Toggle Split Broadcast |
| Ctrl+Q | Quit |
Note: Quitting with Ctrl+Q (or closing the window) while session tabs are open shows a "Close RustConn?" confirmation dialog with the number of open tabs, instead of silently disconnecting everything. This is skipped when minimize-to-tray is enabled (the app keeps running in the tray).
- GitHub: https://github.com/totoshko88/RustConn
- Issues: https://github.com/totoshko88/RustConn/issues
- Releases: https://github.com/totoshko88/RustConn/releases
Made with ❤️ in Ukraine 🇺🇦