vaultsovereign/test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
53b9d363b4e70709d562daf93bd94f8e14b12027
test/VaultMesh_Catalog_v1/pages/page4-ssh-architecture.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts 
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00

102 lines
3.4 KiB
Markdown
Raw Blame History

Page Title: SSH Key Architecture (Forge + Mesh)
Summary: VaultMesh uses a strict per-node ed25519 SSH key model with IdentitiesOnly isolation, ControlMaster multiplexing, and mesh-wide access via Tailscale. nexus-0 serves as the primary forge node; brick, v1-nl-gate, gate-vm, and shield-vm are first-class SSH targets with dedicated keys.
Key Findings:
- One keypair per destination node (id_gamma, id_brick, id_v1-nl-gate, id_gate-vm, id_shield-vm, etc.).
- IdentitiesOnly enforces key isolation and prevents cross-host key probing.
- ControlMaster/ControlPath provide fast multiplexed SSH sessions.
- Tailscale hostnames (story-ule.ts.net) give stable addressing; LAN IPs are fallback.
- External service keys (GitHub/GitLab) are separate from infra keys.
Components:
- Per-node private keys (`~/.ssh/id_{node}`).
- Public keys (`~/.ssh/id_{node}.pub`).
- SSH config with host-specific IdentityFile blocks.
- Control sockets (`~/.ssh/cm-%r@%h:%p`).
Key Inventory (Infra Nodes):
| Key File | Target Node | Algorithm |
|------------------|----------------|-----------|
| id_gamma | gamma | ed25519 |
| id_beta | beta | ed25519 |
| id_brick | brick | ed25519 |
| id_w3 | w3 | ed25519 |
| id_v1-nl-gate | v1-nl-gate | ed25519 |
| id_gate-vm | gate-vm | ed25519 |
| id_debian-golden | debian-golden | ed25519 |
| id_shield-vm | shield-vm | ed25519 |
Forge + Mobile:
| Key File | Target | Algorithm |
|------------------|--------------|-----------|
| id_nexus-0 | nexus-0 | ed25519 |
| id_kali-forge | kali-forge | ed25519 |
| id_shield | shield | ed25519 |
| id_bank-mobile | bank-mobile | ed25519 |
External Service Keys:
| Key File | Service |
|----------------------|------------|
| id_ed25519_github | GitHub |
| id_ed25519_gitlab | GitLab |
SSH Config Structure:
```sshconfig
Host *
ServerAliveInterval 30
ServerAliveCountMax 3
TCPKeepAlive yes
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 10m
IdentitiesOnly yes
HashKnownHosts no
StrictHostKeyChecking accept-new
AddKeysToAgent yes
UseKeychain yes
Compression yes
Host nexus-0
HostName 100.67.39.1
User root
IdentityFile ~/.ssh/id_nexus-0
Host brick
HostName brick.story-ule.ts.net
User sovereign
IdentityFile ~/.ssh/id_brick
Host gate-vm
HostName gate-vm.story-ule.ts.net
User debian
IdentityFile ~/.ssh/id_gate-vm
Host shield-vm
HostName shield-vm.story-ule.ts.net
User debian
IdentityFile ~/.ssh/id_shield-vm
```
Security Notes:
- ed25519 keys provide strong security with small keys/signatures.
- IdentitiesOnly ensures ssh never offers the wrong key to the wrong host.
- StrictHostKeyChecking=accept-new uses TOFU while still catching host key changes.
- No password authentication; all critical nodes are key-only.
Key Generation:
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_{node} -C "aurion-to-{node}"
```
Key Deployment:
```bash
ssh-copy-id -i ~/.ssh/id_{node}.pub debian@{node}
# Or manually
cat ~/.ssh/id_{node}.pub | ssh debian@{node} "cat >> ~/.ssh/authorized_keys"
```
Dependencies:
- OpenSSH client (macOS/Linux/Android).
- ssh-agent and (on macOS) Keychain integration.
- Tailscale for stable hostnames and reachability.
Reference in New Issue View Git Blame Copy Permalink