cal/claude-home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7edb4a3a9c
claude-home/patterns/networking/ssh-key-management.md
Cal Corum 704bad1547 CLAUDE: Add comprehensive SSH key management documentation 
- Add SSH key management patterns with dual-key strategy and NAS backup architecture
- Add complete SSH home lab setup implementation with scripts and configurations
- Add SSH troubleshooting reference with common issues and emergency procedures
- Update CLAUDE.md with SSH keyword triggers for automatic context loading
- Add .gitignore to exclude temporary files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-08 21:02:46 -05:00

3.2 KiB
Raw Blame History

SSH Key Management for Home Labs

Overview

This document outlines best practices for managing SSH keys in home lab environments, focusing on security, reliability, and maintainability.

Core Principles

Dual-Key Strategy

  • Primary keys: Daily use authentication
  • Emergency keys: Backup access when primary keys fail
  • Separate key pairs: Home network vs cloud servers
  • Multiple authorized keys: Each server accepts both primary and emergency

Key Lifecycle Management

  • Generation: 4096-bit RSA keys with descriptive comments
  • Distribution: Automated deployment with ssh-copy-id
  • Backup: Centralized storage on NAS with recovery documentation
  • Rotation: Annual for primary keys, bi-annual for emergency keys
  • Monitoring: Monthly health checks and access verification

Architecture Patterns

Network Segmentation

Home Network (10.10.0.0/24)
├── Primary: ~/.ssh/homelab_rsa
├── Emergency: ~/.ssh/emergency_homelab_rsa
└── Wildcard config for easy access

Cloud Servers (Public IPs)
├── Primary: ~/.ssh/cloud_servers_rsa
├── Emergency: ~/.ssh/emergency_cloud_rsa
└── Individual host configurations

Backup Strategy

NAS Storage: /mnt/NV2/ssh-keys/
├── backup-YYYYMMDD-HHMMSS/
│   ├── All key pairs (*.rsa, *.rsa.pub)
│   ├── SSH config
│   └── RECOVERY_INSTRUCTIONS.md
└── maintenance-YYYYMMDD-HHMMSS/
    ├── Current state backup
    ├── Key health report
    └── MAINTENANCE_REPORT.md

Security Considerations

Authentication Methods

  • Eliminate password authentication after key deployment
  • Use key-based authentication exclusively
  • Deploy multiple keys per server for redundancy
  • Maintain console access as ultimate fallback

Access Control

  • User-specific keys (avoid root when possible)
  • Service-specific aliases for organized access
  • Strict host key checking for unknown servers
  • Accept-new policy for trusted home network

Key Protection

  • Proper file permissions (600 for private keys)
  • No passphrase for automation (home lab context)
  • Regular backup verification
  • Secure storage location on NAS

Maintenance Practices

Automated Monitoring

  • Monthly maintenance script via cron
  • Key health verification
  • Connection testing
  • Backup rotation (keep 10 most recent)
  • Age-based rotation alerts

Recovery Procedures

  • Emergency key deployment for immediate access
  • NAS backup restoration for complete recovery
  • Console access documentation for worst-case scenarios
  • Provider web console access for cloud servers

Implementation Guidelines

  1. Start with key generation using standardized naming
  2. Deploy primary keys first and test thoroughly
  3. Add emergency keys to all servers
  4. Configure SSH client with aliases and settings
  5. Implement backup strategy with NAS storage
  6. Schedule maintenance automation
  7. Document recovery procedures
  8. Test emergency access regularly

Related Documentation

  • Implementation: examples/networking/ssh-homelab-setup.md
  • Troubleshooting: reference/networking/ssh-troubleshooting.md
  • Security patterns: patterns/networking/security.md