Why Build This
Managing SSH across a growing homelab gets tedious fast. You add a Proxmox host, spin up a few VMs, deploy K3s nodes, and suddenly you have 15+ machines with keys and configs that were set up by hand at different times with different conventions. Some hosts have RSA keys from three years ago. Some have entries in ~/.ssh/config, some do not. Key rotation means touching every host manually.
Existing tooling is fragmented. ssh-keygen handles key creation, ssh-copy-id handles distribution, and config management is manual text editing. I wanted a single CLI that covers the full lifecycle: generate a key, distribute it, create the config entry, verify the connection -- in one guided workflow.
The result is ssh-management-suite.
Pure Bash, Intentionally
No Python. No Node. No dependencies beyond what ships with any Linux or macOS system. This was a deliberate constraint, not a default.
Homelab machines do not always have runtimes installed. A fresh Proxmox host has Bash. A minimal Debian VM has Bash. I want to clone the repo and run the tool immediately without installing anything first. Interactive menus use select and basic input prompts -- nothing fancy, but it works everywhere.
The honest trade-off: Bash is harder to test and harder to maintain at scale. String manipulation is painful compared to Python. Error handling requires discipline. For a focused CLI tool with a bounded scope, that trade-off is acceptable. If this needed to grow into a fleet management platform, I would rewrite it. It does not need to, so Bash stays.
Key Management Choices
Ed25519 by default. Smaller keys, faster operations, stronger security profile than RSA. There is no reason to generate RSA keys in 2026 unless you are dealing with legacy systems that do not support Ed25519.
Per-host key generation rather than one key for everything. If a single key is compromised, the blast radius is one host, not the entire lab. This adds key management overhead, but the suite automates that overhead away. Key distribution wraps ssh-copy-id with validation -- it generates the key, copies it to the target, and verifies the connection in a single pass.
Config Generation
The suite generates structured ~/.ssh/config entries with the correct host, user, port, and identity file for each connection. It handles ProxyJump configurations for bastion host setups, which is common in segmented homelab networks where not every host is directly reachable.
Before writing a new entry, it checks for conflicts with existing config blocks. Silently overwriting someone's hand-tuned SSH config is the kind of tool behavior that erodes trust immediately.
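The conflict check and entry generation described above, as an added example that is not code from ssh-management-suite. The function names, hostnames and key paths are assumptions, as are the IdentitiesOnly line and the 600 mode on the config file.

```shell
# Added example: hypothetical helpers, not ssh-management-suite's own code.

# Return 0 if NAME already appears as a pattern on any "Host" line of CONFIG.
# Exact match only: wildcard patterns such as "Host *" are not expanded.
host_exists() {
    [ -f "$1" ] || return 1
    awk -v want="$2" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }
    ' "$1"
}

# add_host_entry CONFIG NAME HOSTNAME USER PORT IDENTITY [PROXYJUMP]
# Appends a block; returns 2 instead of touching an alias that already exists.
add_host_entry() {
    cfg=$1 name=$2 hostname=$3 user=$4 port=$5 identity=$6 jump=${7:-}
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    if host_exists "$cfg" "$name"; then
        echo "conflict: Host $name already defined in $cfg" >&2
        return 2
    fi
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    {
        printf '\nHost %s\n' "$name"
        printf '    HostName %s\n' "$hostname"
        printf '    User %s\n' "$user"
        printf '    Port %s\n' "$port"
        printf '    IdentityFile %s\n' "$identity"
        # Assumption: offer only the per-host key, not every key in the agent.
        printf '    IdentitiesOnly yes\n'
        if [ -n "$jump" ]; then printf '    ProxyJump %s\n' "$jump"; fi
    } >> "$cfg"
    chmod 600 "$cfg"
}

# Constructed demo in a throwaway directory (hosts and key paths are made up).
demo_dir=$(mktemp -d)
add_host_entry "$demo_dir/config" pve1 10.0.0.10 root 22 "~/.ssh/id_ed25519_pve1"
add_host_entry "$demo_dir/config" k3s-1 10.0.20.11 ops 22 "~/.ssh/id_ed25519_k3s-1" bastion
add_host_entry "$demo_dir/config" pve1 10.0.0.99 root 22 "~/.ssh/other" || echo "duplicate pve1 refused"
cat "$demo_dir/config"; rm -rf "$demo_dir"
```

Because ssh uses the first value it finds for each option, appending a second block for an existing alias would leave the old settings in effect, which is why the helper refuses instead of appending.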
Security Defaults
File permissions are enforced automatically -- 700 on ~/.ssh, 600 on private keys. The suite prompts for passphrases during key generation and never stores secrets in plaintext. After distributing a key, it runs a connection test to confirm the setup works before moving on.
These are not features. They are baseline hygiene that should not require the operator to remember.