INC-2026-04-07-001: Prevention

Prevention

Short-term (This Week)

  • Add SSH config block for reverse tunnel access — Evan

    Host razer-tunnel
        HostName localhost
        Port 2222
        User evanusmodestus
        IdentityFile ~/.ssh/id_ed25519_d000
  • Load keys into agent on login — add ssh-add ~/.ssh/id_ed25519_d000 to the shell profile, or set AddKeysToAgent yes in SSH config (caveat: AddKeysToAgent only adds a key after ssh has used it via IdentityFile or -i, so it supplements the config block above rather than replacing it) — Evan

  • Document reverse tunnel procedure in infrastructure runbook — Evan

Long-term (This Quarter)

  • Evaluate Tailscale as VLAN-agnostic SSH path — bypasses the VLAN firewall entirely, which means the access policy moves into Tailscale ACLs and has to be reviewed there rather than disappearing — Evan

  • Add VyOS rule for P16g→Razer SSH on management VLAN — assess whether VLAN 50→10 SSH should be permitted for admin hosts, scoped to the admin source addresses and TCP/22 rather than VLAN-wide — Evan

  • Create ~/.ssh/config block for each machine with explicit IdentityFile for direct and tunnel access, plus IdentitiesOnly yes so only the intended key is offered (with 16 keys in the agent, offering them all can exhaust the server's MaxAuthTries before the right one is reached) — Evan

Lessons Learned

What Went Well

  • Reverse SSH tunnel was identified and deployed within 5 minutes

  • StrictHostKeyChecking correctly prevented connection to mismatched host key — security control worked as designed (the remedy is a correct known_hosts entry or a HostKeyAlias for the tunnel host, not StrictHostKeyChecking no)

  • ssh -vvv debug output immediately revealed the empty agent and missing default keys

What Could Be Improved

  • No documented procedure for cross-VLAN SSH access when direct path is blocked

  • SSH agent not auto-loaded after reboot — 16 keys available but none offered

  • sudo ssh was attempted before diagnosing — wasted a step

Key Takeaways

  1. Reverse SSH tunnels bypass firewall restrictions by initiating from the permitted direction. The tunnel endpoint appears as localhost traffic, invisible to the network firewall: with sshd's default GatewayPorts no, the -R listener binds to loopback only, so the forwarded hop never creates a new cross-VLAN flow. That also makes it a policy bypass the firewall owner needs to know about, which is why the VyOS rule and Tailscale items exist.

  2. Custom key filenames require explicit -i or SSH config IdentityFile — without them SSH only tries a fixed list of default names (id_rsa, id_ecdsa, id_ecdsa_sk, id_ed25519, id_ed25519_sk, plus id_dsa in older releases). If all keys are suffixed, default lookup finds nothing, and an empty agent has nothing to offer either.

  3. ssh -vvv is the diagnostic — it shows exactly which keys are offered, which agent is consulted, and why auth fails. Run it before guessing.

  4. sudo ssh uses root's keys — never the right move for user auth. It runs the client as root, reading /root/.ssh (config, keys, known_hosts), and because sudo resets the environment by default the user's SSH_AUTH_SOCK is not visible, so the user's agent is never consulted. It authenticates as a different identity entirely.
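The helpers below pull the short-term actions (config block, key loading, tunnel procedure) and Key Takeaways 1 and 2 into one runbook script. This is an added example, not part of the incident record or Evan's own tooling. It assumes OpenSSH on both hosts and ss(8) on the P16g; P16G_HOST and P16G_USER are placeholders for the P16g as seen from the Razer, and the IdentitiesOnly, AddKeysToAgent and HostKeyAlias lines are additions to the report's config block, not something the report specifies.

```shell
#!/bin/sh
# Reverse-tunnel runbook helpers for INC-2026-04-07-001. Added example, not
# from the incident record. Assumes OpenSSH on both hosts and ss(8) on the P16g;
# P16G_HOST / P16G_USER are placeholders for the P16g as seen from the Razer.
set -e

# ---- Key discovery (Key Takeaway 2) -------------------------------------
# Filenames ssh(1) tries when neither -i nor IdentityFile is given
# (ssh_config(5) IdentityFile default; id_dsa only in older releases).
SSH_DEFAULT_IDENTITIES="id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa"

# identity_audit DIR: one line per private key in DIR, tagged AUTO if ssh would
# try it by default name, EXPLICIT if it is only used via IdentityFile or -i.
identity_audit() {
    for f in "$1"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY' "$f" || continue
        name=${f##*/}; tag=EXPLICIT
        for d in $SSH_DEFAULT_IDENTITIES; do
            [ "$name" = "$d" ] && tag=AUTO
        done
        printf '%s %s\n' "$tag" "$name"
    done
}

# auto_count DIR: how many keys default lookup would find (0 = the incident case).
auto_count() { identity_audit "$1" | grep -c '^AUTO ' || true; }

# ---- Client-side config on the P16g (Short-term action 1) ----------------
# write_tunnel_config FILE: the report's razer-tunnel stanza plus three assumed
# additions: IdentitiesOnly (offer only this key, not all 16 agent keys),
# AddKeysToAgent (load it on first use), HostKeyAlias (own known_hosts entry
# instead of [localhost]:2222, so a later tunnel on the same port cannot collide).
write_tunnel_config() {
    cat > "$1" <<'EOF'
Host razer-tunnel
    HostName localhost
    Port 2222
    User evanusmodestus
    IdentityFile ~/.ssh/id_ed25519_d000
    IdentitiesOnly yes
    AddKeysToAgent yes
    HostKeyAlias razer-tunnel
EOF
}

# resolved_option FILE OPTION: what ssh actually resolves for razer-tunnel,
# without connecting (ssh -G). Prints nothing if no ssh client is installed.
resolved_option() {
    command -v ssh >/dev/null || return 0
    ssh -G -F "$1" razer-tunnel | awk -v k="$2" '$1 == k { print $2 }'
}

# ---- Tunnel lifecycle (Short-term action 3, Key Takeaway 1) --------------
# Run on the Razer (VLAN 10), whose outbound SSH to the P16g is permitted:
# -R 2222:localhost:22 makes the P16g's localhost:2222 reach the Razer's sshd.
# The listener binds loopback only unless sshd sets GatewayPorts, so no new
# cross-VLAN flow exists for the firewall to see.
open_reverse_tunnel() {
    ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -R 2222:localhost:22 "${P16G_USER:?set P16G_USER}@${P16G_HOST:?set P16G_HOST}"
}

# Run on the P16g: confirm the listener is loopback-only before using it.
# Expected 127.0.0.1:2222 and/or [::1]:2222, never 0.0.0.0:2222.
tunnel_listener() { ss -Hltn 'sport = :2222' | awk '{ print $4 }'; }

main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    write_tunnel_config "$tmp/config"
    echo "razer-tunnel resolves to port: $(resolved_option "$tmp/config" port)"
    echo "keys default lookup finds in ~/.ssh: $(auto_count "$HOME/.ssh")"
    identity_audit "$HOME/.ssh"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh runbook.sh run` on the P16g: `auto_count` reporting 0 against ~/.ssh is exactly the state this incident was in, and `ssh -G` confirms the config stanza resolves to port 2222 and the suffixed key before anyone connects. `open_reverse_tunnel` is the Razer-side step and `tunnel_listener` the P16g-side check that the endpoint is loopback-only.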