Skip to main content
Private preview. fremforge is in private preview — invited customers only. Content is still subject to change. Request access →
Getting started
Connecting

Connecting to fremforge

Most fremforge orgs default to HTTPS-only Git access (SSH disabled at the org-policy layer since 2026-05-22) — see the Secure sign-in guide for the recommended HTTPS + Git Credential Manager setup. The page below applies when your org admin has explicitly re-enabled SSH at <your-org>/_admin/auth-policy/. The SSH path still exists; it’s just no longer the default.

Before you push code or pull repositories over SSH, your SSH client will ask you to confirm the server’s identity. The sections below cover what to verify and how to configure SSH for networks that block port 22.

Verify the host key

On first connection, your SSH client will ask you to confirm the server’s host key fingerprint. Before accepting, verify the fingerprint matches the values published at frem.sh/ssh-fingerprints.

Do not accept a fingerprint that does not appear on that page.

First-connection verification flow

Port 22 is not exposed. fremforge serves SSH on port 443 via the hostname ssh.frem.sh, see the Host alias snippet below for the canonical ~/.ssh/config once-and-done config that lets you keep writing git@frem.sh in your git remotes.

  1. Run the authentication test (works without any ~/.ssh/config change):
ssh -T -p 443 git@ssh.frem.sh
  1. Your terminal shows output similar to:
The authenticity of host '[ssh.frem.sh]:443 ([203.0.113.10]:443)' can't be established.
ED25519 key fingerprint is SHA256:AAAA....
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  1. Compare the displayed fingerprint with the published values at https://www.frem.sh/ssh-fingerprints/. If they match, type yes.

  2. SSH writes the accepted key to ~/.ssh/known_hosts. On all subsequent connections it verifies silently. No further prompts unless the key changes.

  3. On success, you see:

Hi <username>! You've successfully authenticated, but fremforge does not provide shell access.

If you see Permission denied (publickey) instead, your key is either not added to your account or the wrong key is being offered. See Getting started for key setup.

Checking known_hosts manually

To see what key SSH has stored for ssh.frem.sh:

ssh-keygen -F '[ssh.frem.sh]:443'

To remove a stored key (for example if the server key legitimately rotated and you have been notified):

ssh-keygen -R '[ssh.frem.sh]:443'

Then reconnect and verify the new fingerprint against https://www.frem.sh/ssh-fingerprints/ before accepting.

HTTPS on port 443 (required, port 22 is not exposed)

fremforge does not expose port 22 on frem.sh. SSH is served on port 443 via the hostname ssh.frem.sh, the same SSH protocol on a port firewalls typically leave open for HTTPS. This is the only SSH path, not a fallback.

Configure your SSH client to use it whenever you write frem.sh in a git remote:

# ~/.ssh/config
Host frem.sh
    Hostname ssh.frem.sh
    Port 443

With this in place, git clone git@frem.sh:<org>/<repo>.git and all other frem.sh Git operations use port 443 automatically. No changes to remote URLs are needed.

Test the connection directly before relying on it:

ssh -T -p 443 git@ssh.frem.sh
# Hi <username>! You've successfully authenticated, but fremforge does not provide shell access.

The same host key fingerprints apply on port 443. Verify them against https://www.frem.sh/ssh-fingerprints/ on first use.

HTTPS clone (second fallback)

If SSH is not available at all, clone and push over HTTPS:

git clone https://frem.sh/<org>/<repo>.git

Git prompts for your username and password. Use your fremforge username and a personal access token (PAT) as the password. Your account password does not work for HTTPS Git operations.

Generate a PAT at User settings → Applications → Generate new token. The minimum required scope for read-only clone is repo:read; for push you need repo:write.

To avoid repeated prompts, store the credential in Git’s credential helper:

git config --global credential.helper osxkeychain   # macOS
git config --global credential.helper manager        # Windows (Git Credential Manager)
git config --global credential.helper store          # Linux (plaintext — use only on trusted machines)

HTTPS over port 443 is always available regardless of port 22 or the ssh.frem.sh fallback. It is the most universally compatible connection method.

Cross-references