claude-home/networking/examples/ssh-key-management.md
Cal Corum 4b7eca8a46
docs: add YAML frontmatter to all 151 markdown files
Adds title, description, type, domain, and tags frontmatter to every
doc for improved KB semantic search. The description field is prepended
to every search chunk, and domain/type/tags enable filtered queries.

Type values: context, guide, runbook, reference, troubleshooting
Domain values match directory structure (networking, docker, etc.)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 09:00:44 -05:00


---
title: "SSH Key Management Patterns"
description: "Best practices for SSH key management in homelab environments including dual-key strategy, lifecycle management, network segmentation, backup, and recovery procedures."
type: guide
domain: networking
tags: [ssh, keys, security, backup, recovery, best-practices]
---
# SSH Key Management for Home Labs
## Overview
This document outlines best practices for managing SSH keys in home lab environments, focusing on security, reliability, and maintainability.
## Core Principles
### Dual-Key Strategy
- **Primary keys**: Daily use authentication
- **Emergency keys**: Backup access when primary keys fail
- **Separate key pairs**: Home network vs cloud servers
- **Multiple authorized keys**: Each server accepts both primary and emergency
### Key Lifecycle Management
- **Generation**: 4096-bit RSA keys with descriptive comments
- **Distribution**: Automated deployment with `ssh-copy-id`
- **Backup**: Centralized storage on NAS with recovery documentation
- **Rotation**: Annual for primary keys, bi-annual for emergency keys
- **Monitoring**: Monthly health checks and access verification
## Architecture Patterns
### Network Segmentation
```
Home Network (10.10.0.0/24)
├── Primary: ~/.ssh/homelab_rsa
├── Emergency: ~/.ssh/emergency_homelab_rsa
└── Wildcard config for easy access

Cloud Servers (Public IPs)
├── Primary: ~/.ssh/cloud_servers_rsa
├── Emergency: ~/.ssh/emergency_cloud_rsa
└── Individual host configurations
```
### Backup Strategy
```
NAS Storage: /mnt/NV2/ssh-keys/
├── backup-YYYYMMDD-HHMMSS/
│   ├── All key pairs (*.rsa, *.rsa.pub)
│   ├── SSH config
│   └── RECOVERY_INSTRUCTIONS.md
└── maintenance-YYYYMMDD-HHMMSS/
    ├── Current state backup
    ├── Key health report
    └── MAINTENANCE_REPORT.md
```
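The backup layout above, as a runnable script. This is an added example, not the knowledge base's own backup tooling: it assumes keys live in `$SSH_DIR` and follow the page's `*_rsa` / `*_rsa.pub` naming, defaults `$BACKUP_ROOT` to the NAS path shown on the page, and also implements the "keep the 10 most recent" backup rotation listed under Maintenance Practices. The `run` argument and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example of the NAS backup step, not the knowledge base's own script.
# Assumptions: keys live in $SSH_DIR and follow the page's *_rsa / *_rsa.pub naming;
# $BACKUP_ROOT defaults to the NAS path used on the page. Override all three via environment.
set -eu

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
BACKUP_ROOT="${BACKUP_ROOT:-/mnt/NV2/ssh-keys}"
KEEP="${KEEP:-10}"      # backup rotation: keep the 10 most recent

# Write RECOVERY_INSTRUCTIONS.md into a backup directory, listing the private keys it holds.
write_recovery_instructions() {
    dir="$1"
    {
        echo "# Recovery instructions (generated $(date +%Y-%m-%d))"
        echo
        echo "1. Copy the needed key pair back to ~/.ssh/, then: chmod 700 ~/.ssh; chmod 600 ~/.ssh/*_rsa"
        echo "2. Try the emergency key first: ssh -i ~/.ssh/emergency_homelab_rsa -o IdentitiesOnly=yes user@host"
        echo "3. If no key works, fall back to console access for the host (or the cloud provider's web console)."
        echo
        echo "Private keys in this backup:"
        for k in "$dir"/*_rsa; do
            if [ -f "$k" ]; then echo "- $(basename "$k")"; fi
        done
    } > "$dir/RECOVERY_INSTRUCTIONS.md"
}

# Create backup-YYYYMMDD-HHMMSS under $BACKUP_ROOT with every key pair and the SSH config.
# Prints the path of the new backup directory.
backup_keys() {
    dest="$BACKUP_ROOT/backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    chmod 700 "$dest"                              # private keys inside: owner-only directory
    for f in "$SSH_DIR"/*_rsa "$SSH_DIR"/*_rsa.pub "$SSH_DIR"/config; do
        if [ -f "$f" ]; then cp -p "$f" "$dest"/; fi   # -p keeps mode and mtime (mtime drives age checks)
    done
    chmod 600 "$dest"/*_rsa 2>/dev/null || true    # never leave a private key readable by others
    write_recovery_instructions "$dest"
    echo "$dest"
}

# Delete all but the $KEEP newest backup-* directories; the timestamp in the name sorts chronologically.
prune_backups() {
    total=$(ls -d "$BACKUP_ROOT"/backup-* 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - KEEP))
    [ "$excess" -gt 0 ] || return 0
    ls -d "$BACKUP_ROOT"/backup-* | sort | head -n "$excess" | while read -r old; do
        rm -rf "$old"
    done
}

# Usage (assumed script name): BACKUP_ROOT=/mnt/NV2/ssh-keys ./backup-ssh-keys.sh run
if [ "${1:-}" = "run" ]; then
    backup_keys
    prune_backups
fi
```

Because the backup directory name carries the timestamp, plain lexical `sort` is also chronological order, which is what makes the pruning step a one-liner; `cp -p` is deliberate so that a restored key keeps its original mtime and the age-based rotation alert still fires at the right time.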
## Security Considerations
### Authentication Methods
- **Eliminate password authentication** after key deployment
- **Use key-based authentication** exclusively
- **Deploy multiple keys** per server for redundancy
- **Maintain console access** as ultimate fallback
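The server-side counterpart of "eliminate password authentication after key deployment", as an added example that is not from the knowledge base. It is written as a drop-in file, which assumes an OpenSSH 8.2 or newer `sshd_config` that includes `/etc/ssh/sshd_config.d/*.conf`; the file name is an assumption. The commented "before" lines are the permissive values this file overrides.

```sshconfig
# /etc/ssh/sshd_config.d/10-keys-only.conf   (added example; file name assumed)
# Apply only after BOTH the primary and the emergency key have been deployed and
# tested, and keep an existing session open while reloading sshd.

# Before: passwords accepted (the permissive values this file replaces)
#PasswordAuthentication yes
#KbdInteractiveAuthentication yes
#PermitRootLogin yes

# After: key-based authentication exclusively
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no     # named ChallengeResponseAuthentication before OpenSSH 8.7
PermitRootLogin prohibit-password   # root only with a key, never with a password
AuthorizedKeysFile .ssh/authorized_keys
```

Run `sshd -t` to check the syntax before reloading the service, and confirm from a second terminal that both keys still log in before closing the session you kept open; the console access listed above is the fallback if that test fails.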
### Access Control
- **User-specific keys** (avoid root when possible)
- **Service-specific aliases** for organized access
- **Strict host key checking** for unknown servers
- **Accept-new policy** for trusted home network
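The network segmentation under Architecture Patterns and the two host-key policies in this list, expressed as one `~/.ssh/config`. This is an added example rather than the config file from the knowledge base; the user names, the `cloud-web` alias and its documentation-range address are placeholders, and `accept-new` needs OpenSSH 7.6 or newer.

```sshconfig
# ~/.ssh/config (added example; user names, alias and address are placeholders)

# Home network (10.10.0.0/24): one wildcard block covers every host.
# Both keys are offered in order; IdentitiesOnly stops the client from also
# trying every key loaded in the agent, which can exhaust MaxAuthTries.
Host 10.10.0.*
    User homelab
    IdentityFile ~/.ssh/homelab_rsa
    IdentityFile ~/.ssh/emergency_homelab_rsa
    IdentitiesOnly yes
    # Trusted LAN: record new host keys automatically, still refuse changed ones
    StrictHostKeyChecking accept-new

# Cloud servers (public IPs): one block per host, stricter host-key policy.
Host cloud-web
    HostName 203.0.113.10          # placeholder from the documentation range
    User deploy
    IdentityFile ~/.ssh/cloud_servers_rsa
    IdentityFile ~/.ssh/emergency_cloud_rsa
    IdentitiesOnly yes
    # Unknown or changed host key is a hard failure: add the key by hand first
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts

# Client-side "keys only": never fall back to a password prompt.
Host *
    PreferredAuthentications publickey
    PasswordAuthentication no
```

ssh takes the first value it finds for each option, so the catch-all `Host *` block has to stay last. The wildcard block matches what is typed on the command line, so `ssh 10.10.0.5` picks up the home-network keys while `ssh cloud-web` uses the per-host block and its `HostName`.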
### Key Protection
- **Proper file permissions** (600 for private keys)
- **No passphrase** for automation (home lab context)
- **Regular backup verification**
- **Secure storage location** on NAS
## Maintenance Practices
### Automated Monitoring
- **Monthly maintenance script** via cron
- **Key health verification**
- **Connection testing**
- **Backup rotation** (keep 10 most recent)
- **Age-based rotation alerts**
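A monthly health check covering the permission, age and pair checks in this list, as an added example rather than the knowledge base's own maintenance script. It assumes the page's key naming (emergency keys start with `emergency_`), reads "annual" as 365 days, and treats "bi-annual" as every two years (730 days, an assumption; set `EMERGENCY_MAX_DAYS=182` if the policy means twice a year). Key age is taken from the private key's mtime; the `stat` call tries the GNU form first and falls back to the BSD form.

```shell
#!/bin/sh
# Added example of the monthly health check, not the knowledge base's own maintenance script.
# Assumptions: keys live in $SSH_DIR with the page's naming (homelab_rsa, emergency_*_rsa, ...);
# the two thresholds below are this script's reading of the page's rotation policy.
set -eu

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
PRIMARY_MAX_DAYS="${PRIMARY_MAX_DAYS:-365}"      # "annual" rotation for primary keys
EMERGENCY_MAX_DAYS="${EMERGENCY_MAX_DAYS:-730}"  # assumption: "bi-annual" read as every two years

# Private keys must be owner read/write only. find prints the path when the mode is NOT 0600.
check_key_perms() {
    if [ -n "$(find "$1" ! -perm 600)" ]; then
        echo "PERMS    $1: mode is not 600 (fix: chmod 600 $1)"
        return 1
    fi
}

# Age in whole days from the private key's mtime (GNU stat first, BSD stat as fallback).
key_age_days() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( ( $(date +%s) - mtime ) / 86400 ))
}

# Age-based rotation alert: non-zero when the key is older than its policy allows.
check_key_age() {
    age=$(key_age_days "$1")
    if [ "$age" -gt "$2" ]; then
        echo "ROTATE   $1: $age days old (limit $2 days)"
        return 1
    fi
}

# Private/public pair consistency; skipped when ssh-keygen is not installed.
check_key_pair() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    if [ ! -f "$1.pub" ]; then echo "MISSING  $1.pub"; return 1; fi
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1" "$2}')
    stored=$(awk '{print $1" "$2}' "$1.pub")
    if [ "$derived" != "$stored" ]; then
        echo "MISMATCH $1: .pub does not belong to this private key"
        return 1
    fi
}

# Rotation threshold for a key: emergency keys are on the longer schedule.
max_days_for() {
    case "$(basename "$1")" in
        emergency_*) echo "$EMERGENCY_MAX_DAYS" ;;
        *)           echo "$PRIMARY_MAX_DAYS" ;;
    esac
}

# Run every check on every private key; prints findings, returns the number of problems.
health_report() {
    problems=0
    for key in "$SSH_DIR"/*_rsa; do
        [ -f "$key" ] || continue
        check_key_perms "$key" || problems=$((problems + 1))
        check_key_age "$key" "$(max_days_for "$key")" || problems=$((problems + 1))
        check_key_pair "$key" || problems=$((problems + 1))
    done
    echo "$problems problem(s) found in $SSH_DIR"
    return "$problems"   # non-zero makes cron mail the report; 0 means healthy
}

# Connection test for one ssh config alias: BatchMode fails fast instead of prompting.
test_connection() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}

# Usage from cron (assumed): ./ssh-key-health.sh run
if [ "${1:-}" = "run" ]; then
    health_report || true
fi
```

The checks are separate functions so a cron job can run the whole report while an operator can call `check_key_age ~/.ssh/homelab_rsa 365` by hand; `test_connection` is kept out of the report because it needs the network and is better run against each alias from the implementation notes.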
### Recovery Procedures
- **Emergency key deployment** for immediate access
- **NAS backup restoration** for complete recovery
- **Console access documentation** for worst-case scenarios
- **Provider web console** access for cloud servers
## Implementation Guidelines
1. **Start with key generation** using standardized naming
2. **Deploy primary keys first** and test thoroughly
3. **Add emergency keys** to all servers
4. **Configure SSH client** with aliases and settings
5. **Implement backup strategy** with NAS storage
6. **Schedule maintenance automation**
7. **Document recovery procedures**
8. **Test emergency access regularly**
## Related Documentation
- Implementation: `examples/networking/ssh-homelab-setup.md`
- Troubleshooting: `reference/networking/ssh-troubleshooting.md`
- Security patterns: `patterns/networking/security.md`