SSH Key Commands

Overview

SSH key management commands provide comprehensive functionality for generating, managing, deploying, and maintaining SSH authentication keys used for server access and repository operations. These commands integrate with user management and server configuration.

cpm ssh-key generate

Description

Generate a new ed25519 SSH key pair with secure permissions. Keys are stored in the cpm keys directory and registered in the database for tracking.

Syntax

cpm ssh-key generate <name>

Arguments

Argument   Required   Description
--------   --------   -------------------------------------------------------
name       Yes        Key pair name (used for file naming and identification)

Behavior

  1. Validates key name (no path separators)
  2. Checks for existing key with same name
  3. Generates ed25519 key pair (4096-bit strength)
  4. Saves private key with 0600 permissions
  5. Saves public key with 0644 permissions
  6. Registers key in database
  7. Displays key fingerprint and location
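The seven steps above, written out as a stand-alone POSIX sh script around OpenSSH's ssh-keygen. This is an added example, not cpm's implementation: the function names, the KEYS_DIR variable and the demo at the bottom are assumptions. The name check follows the rule in the Common Errors table (alphanumerics, hyphens, underscores), which is what rules out path separators and `..`.

```shell
#!/bin/sh
# Added example (not part of cpm): the local steps behind `cpm ssh-key generate`,
# written as POSIX sh around OpenSSH's ssh-keygen. KEYS_DIR defaults to ~/.cpm/keys
# as documented above; the validation rule follows the "Common Errors" table.

KEYS_DIR="${KEYS_DIR:-$HOME/.cpm/keys}"

# Step 1: accept only names made of [A-Za-z0-9_-]. This rejects "/" and "..",
# so a caller-supplied name can never resolve outside KEYS_DIR.
validate_key_name() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Steps 2-5 and 7: refuse to overwrite, generate an ed25519 pair, fix the
# permissions, print the fingerprint. Prints the private key path on success.
generate_key() {
  name="$1"
  validate_key_name "$name" || { echo "invalid key name: $name" >&2; return 1; }
  mkdir -p "$KEYS_DIR" && chmod 0700 "$KEYS_DIR"
  priv="$KEYS_DIR/$name"
  if [ -e "$priv" ] || [ -e "$priv.pub" ]; then
    echo "key already exists: $name" >&2
    return 1
  fi
  # -N '' writes an unencrypted key so the function runs non-interactively;
  # the Security best practices below recommend a passphrase for high-value keys.
  ssh-keygen -q -t ed25519 -N '' -C "$name" -f "$priv" || return 1
  chmod 0600 "$priv" && chmod 0644 "$priv.pub"
  echo "Fingerprint: $(ssh-keygen -lf "$priv.pub" | awk '{print $2}')" >&2
  echo "$priv"
}

# Stand-alone demo in a throwaway directory (skipped when ssh-keygen is absent).
if command -v ssh-keygen >/dev/null 2>&1; then
  KEYS_DIR="$(mktemp -d)"
  generate_key main-server >/dev/null
  generate_key main-server 2>/dev/null || echo "second generate correctly refused"
  rm -rf "$KEYS_DIR"
fi
```

The `case` pattern is the whole of the path-traversal defence: any name containing a character outside the allowed set is rejected before it is ever joined onto KEYS_DIR.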

Examples

cpm ssh-key generate main-server

# Output:
# Generating ed25519 SSH key pair...
# Key pair 'main-server' generated successfully
#
# Private key: /home/user/.cpm/keys/main-server
# Public key:  /home/user/.cpm/keys/main-server.pub
# Fingerprint: SHA256:abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
#
# Key registered in database (ID: 1)
#
# To deploy this key to a server:
#   cpm ssh-key push main-server --to user@host

cpm ssh-key generate backup-key

# Output:
# Generating ed25519 SSH key pair...
# Key pair 'backup-key' generated successfully
#
# Private key: /home/user/.cpm/keys/backup-key
# Public key:  /home/user/.cpm/keys/backup-key.pub
# Fingerprint: SHA256:xyz789abc123def456ghi789jkl012mno345pqr678stu901
#
# Key registered in database (ID: 2)

Key Storage

Keys are stored in: ~/.cpm/keys/

~/.cpm/keys/
├── main-server (private key, 0600)
├── main-server.pub (public key, 0644)
├── backup-key (private key, 0600)
└── backup-key.pub (public key, 0644)

Common Errors

Error                Cause                              Solution
-------------------  ---------------------------------  -----------------------------------------
key already exists   Key with name exists               Choose different name or delete existing
invalid key name     Name contains / or invalid chars   Use alphanumeric, hyphens, underscores
permission denied    Can't write to keys directory      Check ~/.cpm/keys permissions

cpm ssh-key list

Description

List all managed SSH keys with their details including ID, name, path, fingerprint, and creation date.

Syntax

cpm ssh-key list [flags]

Flags

Flag              Type     Description
----------------  -------  ---------------------------------
--format <type>   string   Output format: table, json, yaml

Examples

cpm ssh-key list

# Output:
# SSH KEYS
#
# ID  Name          Private Key Path                      Created
# --  ------------  ------------------------------------  -------------------
# 1   main-server   /home/user/.cpm/keys/main-server     2024-01-15 10:30:00
# 2   backup-key    /home/user/.cpm/keys/backup-key      2024-01-15 11:00:00
# 3   prod-deploy   /home/user/.cpm/keys/prod-deploy     2024-01-16 09:00:00
#
# Total: 3 keys

cpm ssh-key list --format json

# Output:
# [
#   {
#     "id": 1,
#     "name": "main-server",
#     "private_key_path": "/home/user/.cpm/keys/main-server",
#     "public_key_path": "/home/user/.cpm/keys/main-server.pub",
#     "fingerprint": "SHA256:abc123...",
#     "created_at": "2024-01-15T10:30:00Z"
#   }
# ]

cpm ssh-key show

Description

Display the public key content for a given key name. Useful for copying keys or verifying key deployment.

Syntax

cpm ssh-key show <name>

Arguments

Argument   Required   Description
--------   --------   -------------------
name       Yes        Key name to display

Examples

cpm ssh-key show main-server

# Output:
# SSH PUBLIC KEY: main-server
#
# Path: /home/user/.cpm/keys/main-server.pub
# Type: ed25519
# Fingerprint: SHA256:abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
#
# Key Content:
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl main-server

# Copy to clipboard (Linux)
cpm ssh-key show main-server | grep "^ssh-" | xclip -selection clipboard

# Copy to clipboard (macOS)
cpm ssh-key show main-server | grep "^ssh-" | pbcopy

cpm ssh-key push

Description

Push (deploy) a public key to a remote server's authorized_keys file. Establishes authentication for future SSH connections.

Syntax

cpm ssh-key push <name> --to <server>

Arguments

Argument   Required   Description
--------   --------   --------------------
name       Yes        Name of key to push

Flags

Flag            Type     Required   Description
--------------  -------  --------   --------------------------------------------------
--to <server>   string   Yes        Target server (format: user@host or user@host:port)

Behavior

  1. Reads public key from local filesystem
  2. Connects to remote server via SSH (requires existing access)
  3. Creates ~/.ssh directory on remote if needed (permissions: 0700)
  4. Backs up existing authorized_keys file
  5. Adds key to ~/.ssh/authorized_keys
  6. Sets appropriate permissions (0600)
  7. Verifies key deployment
  8. Does not duplicate if key already exists
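What push does on the remote side (steps 3 through 8), as an added example that is not cpm's code: a POSIX sh function you can run locally against a scratch directory. The function name, its arguments and the sample key are assumptions, and the key material in SAMPLE_KEY is constructed, not a real key. Duplicates are detected on the base64 key material (field 2 of the line), so the same key pushed again with a different comment is still recognised as already present. The optional third argument prepends authorized_keys options, which is how the "Restrict key usage" item under Security below is applied in practice.

```shell
#!/bin/sh
# Added example (not cpm's code): the remote-side work that `cpm ssh-key push`
# performs, as a POSIX sh function that can be exercised against a scratch
# directory. Two authorized_keys entries are the same key when their base64
# key material matches, regardless of comment or options prefix.
#
# Usage: install_authorized_key "<pubkey line>" <authorized_keys path> [options]
# Prints "added" or "exists". The optional third argument is an authorized_keys
# options prefix such as 'restrict,from="10.0.0.0/8"'.

install_authorized_key() {
  pubkey="$1"; ak="$2"; opts="$3"
  ssh_dir="$(dirname "$ak")"

  # Field 2 of a public key line is the base64 blob; that is what we key on.
  blob="$(printf '%s\n' "$pubkey" | awk '{print $2}')"
  [ -n "$blob" ] || { echo "malformed public key" >&2; return 1; }

  # Step 3: the directory must be 0700, otherwise sshd (StrictModes) ignores the file.
  mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir"

  # Step 8: never add the same key material twice.
  if [ -f "$ak" ] && grep -qF -- "$blob" "$ak"; then
    echo exists
    return 0
  fi

  # Step 4: keep a timestamped backup before touching the file.
  [ -f "$ak" ] && cp -p "$ak" "$ak.bak.$(date +%Y%m%d%H%M%S)"

  # Steps 5-6: append (with options prefix, if any) and lock permissions down.
  if [ -n "$opts" ]; then
    printf '%s %s\n' "$opts" "$pubkey" >> "$ak"
  else
    printf '%s\n' "$pubkey" >> "$ak"
  fi
  chmod 0600 "$ak"

  # Step 7: verify the write landed before reporting success.
  grep -qF -- "$blob" "$ak" && echo added
}

# Constructed sample key line; the blob is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE main-server'

# Stand-alone demo against a scratch directory.
demo() {
  tmp="$(mktemp -d)"
  install_authorized_key "$SAMPLE_KEY" "$tmp/.ssh/authorized_keys"
  install_authorized_key "$SAMPLE_KEY" "$tmp/.ssh/authorized_keys"
  wc -l < "$tmp/.ssh/authorized_keys"   # 1: the second call did not duplicate
  rm -rf "$tmp"
}
demo
```

Keying the duplicate check on the blob rather than on the whole line is what makes the operation idempotent across comment edits; comparing full lines would let the same key accumulate under several comments.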

Examples

cpm ssh-key push main-server --to git@git.example.com

# Output:
# Pushing key 'main-server' to git@git.example.com...
# Connecting to server...
# Reading public key...
# Checking for existing key...
# Adding key to authorized_keys...
# Setting permissions...
#
# Key successfully deployed to git@git.example.com
# The key can now be used for authentication

cpm ssh-key push backup-key --to admin@192.168.1.100

# Output:
# Pushing key 'backup-key' to admin@192.168.1.100...
# Key already exists in authorized_keys
# No changes made

# Custom port
cpm ssh-key push prod-deploy --to deploy@prod.example.com:2222

# Output:
# Pushing key 'prod-deploy' to deploy@prod.example.com:2222...
# [deployment process...]
# Key successfully deployed

Common Errors

Error                   Cause                        Solution
----------------------  ---------------------------  ----------------------------------------------
key not found           Key doesn't exist locally    Generate key first
connection refused      Server unreachable           Check server address and network
permission denied       No SSH access to server      Need existing access to deploy keys
authentication failed   Can't authenticate           Use password or existing key for initial access

cpm ssh-key pull

Description

Retrieve and display the authorized_keys file from a remote server. Useful for auditing which keys have access to a server.

Syntax

cpm ssh-key pull --from <server>

Flags

Flag              Type     Required   Description
----------------  -------  --------   -----------------------------------
--from <server>   string   Yes        Source server (format: user@host)
--save <path>     string   No         Save to file instead of displaying

Examples

cpm ssh-key pull --from git@git.example.com

# Output:
# Retrieving authorized_keys from git@git.example.com...
# Connected successfully
#
# AUTHORIZED KEYS (3 keys found)
#
# 1. Type: ed25519
#    Fingerprint: SHA256:abc123...
#    Comment: main-server
#    Key: ssh-ed25519 AAAAC3Nz... main-server
#
# 2. Type: ed25519
#    Fingerprint: SHA256:def456...
#    Comment: backup-key
#    Key: ssh-ed25519 AAAAC3Nz... backup-key
#
# 3. Type: rsa
#    Fingerprint: SHA256:ghi789...
#    Comment: legacy-key
#    Key: ssh-rsa AAAAB3Nz... legacy-key

# Save to file
cpm ssh-key pull --from git@git.example.com --save server-keys.txt

# Output:
# Retrieving authorized_keys from git@git.example.com...
# Saved to: server-keys.txt

cpm ssh-key delete

Description

Delete an SSH key pair from the local system and the database. This is a destructive operation that requires confirmation.

Syntax

cpm ssh-key delete <name>

Arguments

Argument   Required   Description
--------   --------   ----------------------
name       Yes        Name of key to delete

Behavior

  1. Prompts for confirmation
  2. Removes key from database
  3. Deletes private key file
  4. Deletes public key file
  5. Cannot be undone
  6. Does not remove from remote servers' authorized_keys

Examples

cpm ssh-key delete old-key

# Prompt:
# WARNING: This will permanently delete SSH key 'old-key'
# - Private key will be deleted: /home/user/.cpm/keys/old-key
# - Public key will be deleted: /home/user/.cpm/keys/old-key.pub
# - Database record will be removed
# - This action cannot be undone
# - Keys will remain in any server authorized_keys files
#
# Type the key name to confirm: old-key

# Output:
# Deleting SSH key 'old-key'...
# Removed from database
# Deleted private key: /home/user/.cpm/keys/old-key
# Deleted public key: /home/user/.cpm/keys/old-key.pub
#
# SSH key 'old-key' successfully deleted
#
# Note: You may need to manually remove this key from server authorized_keys files

SSH Key Management Workflows

Initial Server Setup

# Generate key for server
cpm ssh-key generate main-server

# Deploy to server (requires password or existing key)
cpm ssh-key push main-server --to git@git.example.com

# Verify deployment
cpm ssh-key pull --from git@git.example.com

# Test SSH connection
ssh -i ~/.cpm/keys/main-server git@git.example.com

Multi-Server Deployment

# Generate one key for multiple servers
cpm ssh-key generate infrastructure

# Deploy to all servers
cpm ssh-key push infrastructure --to git@server1.com
cpm ssh-key push infrastructure --to git@server2.com
cpm ssh-key push infrastructure --to git@server3.com

# Verify on all servers
for server in server1.com server2.com server3.com; do
  echo "Checking $server..."
  cpm ssh-key pull --from git@$server
done

Key Rotation

# Generate new key
cpm ssh-key generate main-server-new

# Deploy new key to all servers
cpm ssh-key push main-server-new --to git@server1.com
cpm ssh-key push main-server-new --to git@server2.com

# Test new key works
ssh -i ~/.cpm/keys/main-server-new git@server1.com

# Remove old key (after verification)
cpm ssh-key delete main-server

# Manually remove old key from servers
ssh git@server1.com "sed -i '/main-server$/d' ~/.ssh/authorized_keys"

Key Audit

# List all local keys
cpm ssh-key list

# Check each server
cpm ssh-key pull --from git@server1.com --save server1-keys.txt
cpm ssh-key pull --from git@server2.com --save server2-keys.txt

# Compare deployed keys
diff server1-keys.txt server2-keys.txt
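Two helpers for the Key Audit workflow above and for the last step of Key Rotation, as an added example that is not cpm's code (the function names, file layout and sample keys are assumptions, and the key blobs are constructed). A plain diff of two `--save` files reports a difference whenever a key's comment or options differ between servers; normalising each line to "type blob" compares what actually grants access. Removing a retired key by its blob rather than by the trailing comment, which is what the sed one-liner in Key Rotation matches on, also works where the comment was edited or dropped on the server.

```shell
#!/bin/sh
# Added example (not cpm's code): audit and rotation helpers in POSIX sh + awk.
# `cpm ssh-key pull --save` gives one authorized_keys file per server; these
# functions compare such files by key material (ignoring comments and per-key
# options) and remove a retired key by its base64 blob.

# Print "type blob" for every key line. Comment lines and blanks are skipped,
# and an options prefix is skipped by locating the first field that is a key type.
normalize_keys() {
  awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
          print $i, $(i + 1)
          break
        }
    }' "$1" | sort -u
}

# Keys present in file A but absent from file B, one "type blob" per line.
keys_only_in() {
  tmp_a="$(mktemp)"; tmp_b="$(mktemp)"
  normalize_keys "$1" > "$tmp_a"
  normalize_keys "$2" > "$tmp_b"
  comm -23 "$tmp_a" "$tmp_b"
  rm -f "$tmp_a" "$tmp_b"
}

# Remove every line carrying the given blob, keeping a timestamped backup.
# Prints the number of lines removed.
remove_key_by_blob() {
  blob="$1"; ak="$2"
  before="$(wc -l < "$ak")"
  cp -p "$ak" "$ak.bak.$(date +%Y%m%d%H%M%S)"
  tmp="$(mktemp)"
  grep -vF -- "$blob" "$ak" > "$tmp" || true   # grep exits 1 when nothing remains
  cat "$tmp" > "$ak"                             # cat, not mv: keeps mode and ownership
  rm -f "$tmp"
  after="$(wc -l < "$ak")"
  echo $((before - after))
}

# Constructed stand-ins for server1-keys.txt / server2-keys.txt; blobs are not real keys.
write_samples() {
  cat > "$1" <<'EOF'
# server1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLOBAAAABLOBAAAABLOBAAAABLOBAAAABLOBAAAA main-server
restrict,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLOBBBBBBLOBBBBBBLOBBBBBBLOBBBBBBLOBBBBB backup-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLEGACYLEGACYLEGACYLEGACYLEGACYLEGACY legacy-key
EOF
  cat > "$2" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLOBAAAABLOBAAAABLOBAAAABLOBAAAABLOBAAAA renamed-on-server2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLOBBBBBBLOBBBBBBLOBBBBBBLOBBBBBBLOBBBBB backup-key
EOF
}

demo() {
  d="$(mktemp -d)"
  write_samples "$d/server1-keys.txt" "$d/server2-keys.txt"
  echo "Only on server1:"
  keys_only_in "$d/server1-keys.txt" "$d/server2-keys.txt"
  echo "Removed $(remove_key_by_blob AAAAB3NzaC1yc2EAAAADAQABAAABAQCLEGACYLEGACYLEGACYLEGACYLEGACYLEGACY "$d/server1-keys.txt") line(s)"
  rm -rf "$d"
}
demo
```

In the sample data the same ed25519 key appears with a different comment on server2 and with an options prefix on server1; `diff` would flag both, while the normalised comparison reports only the legacy RSA key that is genuinely present on one server and not the other.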

Best Practices

Key Generation

  • Use ed25519 keys (modern, secure, fast)
  • Generate unique keys for different purposes
  • Use descriptive names: prod-deploy, backup-server, dev-workstation
  • Store keys only in cpm keys directory
  • Never commit private keys to git

Key Deployment

  • Test deployment on non-critical server first
  • Keep backup of server's authorized_keys before changes
  • Verify key works before removing old keys
  • Document which keys are deployed where
  • Use comments in keys for identification

Key Rotation

  • Rotate keys every 6-12 months
  • Immediately rotate if key may be compromised
  • Maintain overlap period with both old and new keys
  • Remove old keys after verification
  • Update documentation after rotation

Security

  • Set proper permissions: private (0600), public (0644)
  • Never share private keys
  • Use passphrases for high-security keys
  • Restrict key usage with SSH authorized_keys options
  • Audit deployed keys regularly
  • Remove keys for departed team members

Key Organization

Development keys:
- dev-laptop
- dev-desktop

Production keys:
- prod-deploy
- prod-backup

Server-specific keys:
- git-server-1
- git-server-2
- backup-server

Integration with Other Commands

With Server Commands

# Add server with specific key
cpm servers add origin git.example.com --key ~/.cpm/keys/main-server

# Server configuration uses the key for all operations
cpm push myrepo --to origin  # Uses configured key

With User Commands

# Add user with SSH key
cpm user add alice --key-file ~/.cpm/keys/alice.pub

# User's key stored in database for access control