Page Title: SSH Key Architecture (Forge + Mesh)
Summary: VaultMesh uses a strict per-node ed25519 SSH key model with IdentitiesOnly isolation, ControlMaster multiplexing, and mesh-wide access via Tailscale. nexus-0 serves as the primary forge node; brick, v1-nl-gate, gate-vm, and shield-vm are first-class SSH targets with dedicated keys.
Key Findings:
- One keypair per destination node (id_gamma, id_brick, id_v1-nl-gate, id_gate-vm, id_shield-vm, etc.).
- IdentitiesOnly enforces key isolation: each host is offered only its own IdentityFile, which prevents cross-host key probing.
- ControlMaster/ControlPath provide fast multiplexed SSH sessions.
- Tailscale hostnames (story-ule.ts.net) give stable addressing; LAN IPs are fallback.
- External service keys (GitHub/GitLab) are separate from infra keys.
Components:
- Per-node private keys (~/.ssh/id_{node}).
- Public keys (~/.ssh/id_{node}.pub).
- SSH config with host-specific IdentityFile blocks.
- Control sockets (~/.ssh/cm-%r@%h:%p).
Key Inventory (Infra Nodes):
| Key File | Target Node | Algorithm |
|---|---|---|
| id_gamma | gamma | ed25519 |
| id_beta | beta | ed25519 |
| id_brick | brick | ed25519 |
| id_w3 | w3 | ed25519 |
| id_v1-nl-gate | v1-nl-gate | ed25519 |
| id_gate-vm | gate-vm | ed25519 |
| id_debian-golden | debian-golden | ed25519 |
| id_shield-vm | shield-vm | ed25519 |
Forge + Mobile:
| Key File | Target | Algorithm |
|---|---|---|
| id_nexus-0 | nexus-0 | ed25519 |
| id_kali-forge | kali-forge | ed25519 |
| id_shield | shield | ed25519 |
| id_bank-mobile | bank-mobile | ed25519 |
External Service Keys:
| Key File | Service |
|---|---|
| id_ed25519_github | GitHub |
| id_ed25519_gitlab | GitLab |
SSH Config Structure:
```
Host *
  ServerAliveInterval 30
  ServerAliveCountMax 3
  TCPKeepAlive yes
  # One master connection per user@host:port; later sessions reuse its socket.
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m
  # Offer only the IdentityFile of the matching Host block, never every agent key.
  IdentitiesOnly yes
  HashKnownHosts no
  # Trust-on-first-use, but refuse to connect if a known host's key changes.
  StrictHostKeyChecking accept-new
  AddKeysToAgent yes
  # UseKeychain is macOS-only; IgnoreUnknown stops Linux/Android OpenSSH from rejecting the file.
  IgnoreUnknown UseKeychain
  UseKeychain yes
  Compression yes

Host nexus-0
  HostName 100.67.39.1
  User root
  IdentityFile ~/.ssh/id_nexus-0

Host brick
  HostName brick.story-ule.ts.net
  User sovereign
  IdentityFile ~/.ssh/id_brick

Host gate-vm
  HostName gate-vm.story-ule.ts.net
  User debian
  IdentityFile ~/.ssh/id_gate-vm

Host shield-vm
  HostName shield-vm.story-ule.ts.net
  User debian
  IdentityFile ~/.ssh/id_shield-vm
```
Security Notes:
- ed25519 keys provide strong security with small keys and signatures.
- IdentitiesOnly makes ssh offer only the IdentityFile configured for a host, never the agent's other keys, so a key is never presented to a host it was not issued for.
- StrictHostKeyChecking=accept-new trusts a host key on first use (TOFU) but still refuses to connect when a known host's key changes.
- No password authentication; all critical nodes are key-only.
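The invariants above (IdentitiesOnly set globally, every named Host pointing at its own ~/.ssh/id_{node}, keys being ed25519) are easy to break when a new node is added by hand. The following audit script is an added example, not VaultMesh's own tooling; it assumes one pattern per Host line and IdentityFile values written literally as ~/.ssh/id_<host>, exactly as in the config shown above.

```sh
#!/bin/sh
# Added audit for the per-node key model described above (not VaultMesh's
# own tooling). Assumes one pattern per "Host" line and IdentityFile written
# literally as ~/.ssh/id_<host>, as in the config on this page.

# audit_ssh_config CONFIG
# Prints one line per violation; returns 0 when clean, 1 otherwise.
#   - "Host *" must carry "IdentitiesOnly yes" so the agent's other keys
#     are never offered to a host they were not issued for.
#   - every named Host block must point IdentityFile at ~/.ssh/id_<host>.
audit_ssh_config() {
  out=$(awk '
    function flush() {
      if (host == "") return
      if (host == "*") {
        if (ionly != "yes") print "Host *: IdentitiesOnly must be yes"
      } else if (idf == "") {
        print "Host " host ": no IdentityFile (ssh would try its default keys)"
      } else if (idf != "~/.ssh/id_" host) {
        print "Host " host ": IdentityFile " idf " is not ~/.ssh/id_" host
      }
    }
    tolower($1) == "host"           { flush(); host = $2; idf = ""; ionly = ""; if (host == "*") seen_star = 1; next }
    tolower($1) == "identityfile"   { idf = $2 }
    tolower($1) == "identitiesonly" { ionly = tolower($2) }
    END { flush(); if (!seen_star) print "missing Host * block: IdentitiesOnly yes is not set globally" }
  ' "$1")
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# check_pubkey_algo PUBFILE
# Returns 0 only if the algorithm field of the .pub file is ssh-ed25519,
# i.e. the key matches the inventory tables above.
check_pubkey_algo() {
  algo=$(awk 'NR == 1 { print $1; exit }' "$1")
  [ "$algo" = "ssh-ed25519" ]
}

# Stand-alone use: sh audit_ssh.sh ~/.ssh/config
if [ "$#" -gt 0 ]; then
  audit_ssh_config "$1"
fi
```

Run it against ~/.ssh/config after every key rotation or node addition; a non-zero exit means a host can fall back to default keys or a key is mapped to the wrong node.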
Key Generation:
```sh
# One ed25519 keypair per destination node; the comment records which node the key is for.
ssh-keygen -t ed25519 -f ~/.ssh/id_{node} -C "aurion-to-{node}"
```
Key Deployment:
```sh
ssh-copy-id -i ~/.ssh/id_{node}.pub debian@{node}
# Or manually: create ~/.ssh with restrictive permissions on the target before appending,
# so the first deployment to a fresh node does not fail or leave a world-readable directory.
cat ~/.ssh/id_{node}.pub | ssh debian@{node} "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"
```
Dependencies:
- OpenSSH client (macOS/Linux/Android).
- ssh-agent and (on macOS) Keychain integration.
- Tailscale for stable hostnames and reachability.