sshman

sshman is a simple command-line SSH key and connection manager that stores your SSH entries securely in an encrypted vault file (vault.vssh). Unlike traditional SSH key managers that save private keys as files (e.g., in ~/.ssh), sshman keeps SSH private keys encrypted inside the vault file and loads them only in memory during use, greatly reducing the risk of key leakage from disk. It supports adding, listing, updating, deleting, and searching SSH entries, generating RSA key pairs, copying SSH commands to the clipboard, sending public keys to remote servers, and launching direct SSH connections.

---

Features

• Encrypted vault storage using AES-GCM and Argon2 for key derivation
• SSH private keys securely stored only inside the encrypted vault file and kept in memory during usage (no keys saved as separate files on disk)
• Secure password prompt with hidden input
• Custom vault file with .vssh extension
• Add, update, delete, list, and search SSH entries (name, user, host, key data)
• Generate RSA SSH key pairs internally without writing private keys to disk
• Send public keys to remote servers for passwordless login setup
• Copy SSH command to clipboard for quick use
• Direct SSH connection launch from vault entries

---

Installation

Requires Go 1.18+ to build and system ssh-keygen for key generation.

git clone https://github.com/SpikeTheDragon40k/sshman.git
cd sshman
go build -o sshman main.go

Or download a precompiled binary from releases (when available).

---

Usage

Initialize the vault and set a password:

./sshman init

Add an SSH entry:

./sshman add --name myserver --user ubuntu --host 1.2.3.4 --key ~/.ssh/myserver.key

List all entries:

./sshman list

Copy the SSH command for an entry to clipboard:

./sshman copy --name myserver

Connect directly to the server:

./sshman connect --name myserver

Generate a new RSA key pair:

./sshman genkey --name mynewkey --bits 2048

Send the key:

sshman sendkey --name myserver

Delete an entry:

./sshman delete --name myserver

Update an entry:

./sshman update --name myserver --user ubuntu2 --host 1.2.3.5

Search entries by keyword:

./sshman search --query my

---

Vault File

• Vault is stored in the current directory as vault.vssh.

• The vault file format is binary and structured as follows:

  • First 16 bytes: random salt for Argon2 key derivation
  • Next 12 bytes: nonce used for AES-GCM encryption
  • Remaining bytes: AES-GCM encrypted JSON data containing SSH entries

• The vault is encrypted with the password you set during init.

• Important: Never lose your vault password or you will not be able to access your stored entries.

---

Dependencies

• urfave/cli/v2 - CLI framework
• atotto/clipboard - Clipboard support
• golang.org/x/crypto/argon2 - Argon2id password-based key derivation
• golang.org/x/term - Terminal password input (hidden input)
• System dependency: ssh-keygen command for RSA key generation (must be in PATH)

---

Notes

• The genkey command depends on the system ssh-keygen utility.
• Keys generated by genkey are without passphrase for convenience.
• Vault encryption uses Argon2id for secure password strengthening and AES-GCM for authenticated encryption.
• Vault file permissions are set to 0600 to restrict access.
• All commands prompt for the vault password securely.

---

To-Do

• Windows and Mac Versions
• A Gui (?)
• Ubikey/TOTP integration
• More Key Types (ED25519, ECDSA, etc.)
• More Commands (e.g., import/export, key rotation)
• Better error handling and user feedback
• Keyring Integration (e.g., Gnome Keyring, macOS Keychain)

---

Contribution

Check the CONTRIBUTING.md

---