viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/scripts/sshd-10-breakglass.conf
Viktor Barzin df332b59e6 break-glass SSH: drop port-knock for exposed key-only :52222; version host config 
Viktor got locked out of the break-glass path (forgot the port-knock setup) and
deleted the edge-router forwards, then asked to review and redesign it from
scratch.

Root cause of the lockout: the knock added no real security (key-only SSH is
already brute-force-proof) and its only benefit — hiding the port — came at the
cost of a circular dependency. The knock sequence lived only in in-cluster
Vault, which is unreachable in the exact away/cold scenario break-glass exists
for. So the unlock secret was unavailable precisely when needed.

New model (self-contained, nothing to remember): plain key-only SSH on the
Proxmox host's :52222, openly reachable. The edge router forwards WAN tcp/52222
-> 192.168.1.127:52222 (external port MUST equal internal on the TP-Link AX6000
- it rejects remaps; port 22 itself is reserved). The exposed port trusts only a
dedicated break-glass key via `Match LocalPort` (a leak of any other root key
does not grant internet access), rate-limited (iptables hashlimit) + fail2ban.

- Removed knockd (package + config) and the legacy Synology SSH forward
  (ext 3333 -> .13:22, a needless WAN exposure the original plan wanted gone).
- Fixed the fail2ban jail for Debian 13 (auth logs under sshd-session, not sshd
  - the stock journalmatch silently never banned).
- Versioned the host config in scripts/ (it was applied ad-hoc, never committed)
  and recorded the deliberate Wave-1 "no public-IP" exception in security.md +
  .claude/CLAUDE.md. Superseded the 2026-05-30 port-knock design docs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 18:23:39 +00:00

31 lines
1.4 KiB
Text
Raw Blame History

# Break-glass SSH drop-in (redesigned 2026-06-11). Source of truth.
# Deploy to the PVE host with:
# scp scripts/sshd-10-breakglass.conf root@192.168.1.127:/etc/ssh/sshd_config.d/10-breakglass.conf
# ssh root@192.168.1.127 'sshd -t && systemctl reload ssh'
#
# :22 = LAN admin, all of root's keys (default AuthorizedKeysFile).
# :52222 = WAN-exposed break-glass. The edge router forwards WAN tcp/52222 ->
# 192.168.1.127:52222 (external port MUST equal internal port on the
# TP-Link AX6000 — it rejects remaps; port 22 itself is reserved).
# The Match LocalPort block trusts ONLY the dedicated break-glass key
# (authorized_keys.breakglass), so a leak of any other root key does
# NOT grant internet access. Rate-limited by the BREAKGLASS iptables
# chain + fail2ban. No port-knock.
#
# NOTE: the trailing `Match all` is REQUIRED. /etc/ssh/sshd_config has
# `Include sshd_config.d/*.conf` near the top but a global `PermitRootLogin`
# further down; without `Match all` resetting context, that later global
# directive would be swallowed into the `Match LocalPort 52222` condition.
Port 22
Port 52222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 20
Match LocalPort 52222
AuthorizedKeysFile /root/.ssh/authorized_keys.breakglass
PermitRootLogin prohibit-password
Match all
Reference in a new issue View git blame Copy permalink