SSH Key Deployment

Overview

This page documents which hosts have YubiKey SSH keys configured for authentication.

SSH Key Types

| Key File | Type | Purpose |
|---|---|---|
| id_ed25519_sk_rk_d000 | YubiKey resident (sk) | Primary personal domain key |
| id_ed25519_sk_rk_d000_secondary | YubiKey resident (sk) | Secondary/backup YubiKey |
| id_ed25519_d000 | Standard Ed25519 | Fallback (non-hardware) |
| id_ed25519_sk_rk_d001 | YubiKey resident (sk) | Work domain primary |
| id_ed25519_sk_rk_d001_secondary | YubiKey resident (sk) | Work domain backup |

Host Deployment Inventory

Infrastructure Hosts

| Host | IP | User | Keys Configured |
|---|---|---|---|
| alienware | 10.50.10.138 | evanusmodestus | d000-yubikey, d000-secondary, d000 |
| thinkpad-x1 | 10.50.10.155 | evanusmodestus | d000-yubikey, d000-secondary, d000 |
| razer | 10.50.10.111 | evanusmodestus | d000-yubikey, d000-secondary, d000 |
| nas-01 (synology) | 10.50.1.70 | adminerosado | d000-yubikey, d000-secondary, d000 |
| pfsense | 10.50.1.1 | admin | d000-yubikey, d000-secondary, d000 |
| certmgr-01 | 10.50.1.60 | ansible | d000-yubikey, d000-secondary, d000 |
| ipsk-manager | 10.50.1.30 | evanusmodestus | d000-yubikey, d000-secondary, d000, certmgr-01-deploy |
| kvm-host | 10.50.1.99 | evanusmodestus | d000-yubikey, d000-secondary, d000, certmgr-01-deploy |

Git Services

| Host | Key File | Purpose |
|---|---|---|
| github.com | id_ed25519_github | GitHub SSH |
| gitlab.com | id_ed25519_gitlab | GitLab SSH |
| codeberg.org | id_ed25519_codeberg | Codeberg SSH |
| bitbucket.org | id_ed25519_bitbucket | Bitbucket SSH |
| gitea (10.50.1.70:2222) | id_ed25519_gitea | Self-hosted Gitea |

Ansible Deploy Key

The certificate manager (certmgr-01) uses a dedicated deploy key for automated deployments:

| Property | Value |
|---|---|
| Key Location | ~/.secrets/.ssh/id_ed25519_deploy |
| Public Key | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0Zo2xvn4UfMNX2/OrGhTNGUBs1a438jtnNdKQHIeaV certmgr-01-deploy |
| Fingerprint | SHA256:BOQRz5nWyqro+tYZmvjmNjcNsSaFl2xzOp/Dcc0INCg |
| Deployed To | nas-01, gitea-01, kvm-01, pfsense-01, ipsk-mgr-01 |

Adding Keys to a New Host

Step 1: Copy Public Keys

# Display keys to copy
cat ~/.ssh/id_ed25519_sk_rk_d000.pub
cat ~/.ssh/id_ed25519_sk_rk_d000_secondary.pub
cat ~/.ssh/id_ed25519_d000.pub

Step 2: Add to Remote Host

# On the remote host
mkdir -p ~/.ssh && chmod 700 ~/.ssh

# Add public keys to authorized_keys
cat >> ~/.ssh/authorized_keys << 'EOF'
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFHfsGSAFAkqwYj6EGS9sA2MROjs28zM6LJds3gagsCkAAAACHNzaDpkMDAw evanusmodestus@d000-yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEBZ+kus4aTHzQt1zNnEnGxJs+Lf56vrCdcyvqLhpp9hAAAACHNzaDpkMDAw evanusmodestus@d000-secondary
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3vaIABqHOwy88p/5GcX3ZNU044GAz/3T5dH8GIU7DS evanusmodestus@d000
EOF

chmod 600 ~/.ssh/authorized_keys

Step 3: Test Connection

# Test with YubiKey (will prompt for touch)
ssh hostname "hostname"

# Expected output:
# Enter passphrase for key '/home/evanusmodestus/.ssh/id_ed25519_sk_rk_d000':
# Confirm user presence for key ED25519-SK SHA256:...
# User presence confirmed
# hostname
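Steps 1 to 3 as one re-runnable script, added here as an example and not taken from the original page: it installs a key file into a target account, applies the same permissions Step 2 sets (700 on ~/.ssh, 600 on authorized_keys), skips keys that are already present so a second run never duplicates entries, and checks the resulting permissions. The function names (install_authorized_keys, count_authorized_keys, check_ssh_perms, demo_install) are this example's own; the demo feeds it the three d000 public keys shown in Step 2.

```shell
#!/bin/sh
# Added example, not part of the original page: idempotently install a set of
# public keys into a target account's ~/.ssh/authorized_keys with the same
# permissions Step 2 sets (700 on ~/.ssh, 600 on authorized_keys). Function
# names are this example's own.
#
# Usage: install_authorized_keys TARGET_HOME KEYFILE
#   TARGET_HOME  home directory that should receive the keys
#   KEYFILE      one public key per line, as printed by Step 1
# Prints the number of keys newly added; keys already present are skipped.
install_authorized_keys() {
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"
    added=0

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank and comment lines in the key file.
        case $line in ''|'#'*) continue ;; esac
        # Match on key type + base64 blob only, so an edited comment field
        # does not cause the same key to be installed a second time.
        blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
        if ! grep -qF -- "$blob" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$2"

    echo "$added"
}

# Count the keys currently authorized for TARGET_HOME (non-blank, non-comment).
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Return 0 when ~/.ssh is exactly 700 and authorized_keys exactly 600. sshd's
# default StrictModes ignores the file if it or ~/.ssh is writable by others.
check_ssh_perms() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Demo: install the three d000 public keys from Step 2 into a scratch home
# directory twice. Prints "3 0 3 ok": three added, none on the re-run, three
# present, permissions correct.
demo_install() {
    scratch=$(mktemp -d)
    cat > "$scratch/keys.txt" <<'EOF'
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFHfsGSAFAkqwYj6EGS9sA2MROjs28zM6LJds3gagsCkAAAACHNzaDpkMDAw evanusmodestus@d000-yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEBZ+kus4aTHzQt1zNnEnGxJs+Lf56vrCdcyvqLhpp9hAAAACHNzaDpkMDAw evanusmodestus@d000-secondary
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3vaIABqHOwy88p/5GcX3ZNU044GAz/3T5dH8GIU7DS evanusmodestus@d000
EOF
    first=$(install_authorized_keys "$scratch/home" "$scratch/keys.txt")
    second=$(install_authorized_keys "$scratch/home" "$scratch/keys.txt")
    total=$(count_authorized_keys "$scratch/home")
    if check_ssh_perms "$scratch/home"; then perms=ok; else perms=bad; fi
    rm -rf "$scratch"
    echo "$first $second $total $perms"
}

demo_install
```

To use it on a real host, copy the script and the key file over and run `install_authorized_keys "$HOME" keys.txt` there; matching on type plus blob rather than the whole line is what keeps the inventory above free of duplicate entries when a key's comment is later renamed.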

SSH Config Entry Template

Add new hosts to ~/.ssh/config:

Host newhost
    HostName 10.50.x.x
    User username
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000
    PasswordAuthentication yes
    PreferredAuthentications publickey,password

Verification Commands

# List all configured hosts
grep -E "^Host " ~/.ssh/config | grep -v "*"

# Test connection to host
ssh -v hostname "echo OK"

# Check which keys were offered and which one the server accepted
ssh -v hostname true 2>&1 | grep -E "Offering public key|Server accepts key"

# View key fingerprints
ssh-keygen -lf ~/.ssh/id_ed25519_sk_rk_d000.pub
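An audit over ~/.ssh/config that extends the `grep -E "^Host "` check above, added here as an example and not taken from the original page: for every non-wildcard Host block it reports how many IdentityFile lines it carries and whether that block sets PasswordAuthentication yes, so entries that still accept a password next to the YubiKey keys stand out. The function names (audit_ssh_config, hosts_with_password_fallback, demo_audit) and the hardened certmgr-01 entry in the sample config are this example's own; the newhost entry is the template above.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an ssh_config-style file
# for the two properties the config template controls. For every non-wildcard
# Host block it prints
#     host<TAB>identity_files<TAB>password_fallback
# where identity_files is the number of IdentityFile lines and
# password_fallback is "yes" when that block sets PasswordAuthentication yes.
# Function names and the sample config are this example's own.
#
# Limitation: a setting inherited from a "Host *" block is not attributed to
# the individual hosts; only per-host blocks are reported.
audit_ssh_config() {
    awk '
        function flush() {
            if (host != "" && host !~ /\*/)
                printf "%s\t%d\t%s\n", host, idfiles, pw
        }
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "host" {
            flush()
            host = ""
            for (i = 2; i <= NF; i++) host = host (i > 2 ? " " : "") $i
            idfiles = 0; pw = "no"
            next
        }
        tolower($1) == "identityfile" { idfiles++ }
        tolower($1) == "passwordauthentication" && tolower($2) == "yes" { pw = "yes" }
        END { flush() }
    ' "$1"
}

# Hosts whose own block still allows password fallback next to the key files.
hosts_with_password_fallback() {
    audit_ssh_config "$1" | awk -F '\t' '$3 == "yes" { print $1 }'
}

# Demo over a constructed config: the page's newhost template (three identity
# files, password fallback on) beside a hardened entry for certmgr-01
# (hardware key only, password fallback off). Prints:
#     newhost 3 yes
#     certmgr-01 1 no
#     fallback: newhost
demo_audit() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Host *
    ServerAliveInterval 60

Host newhost
    HostName 10.50.x.x
    User username
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000
    PasswordAuthentication yes
    PreferredAuthentications publickey,password

# Constructed hardened entry: YubiKey key only, no password fallback
Host certmgr-01
    HostName 10.50.1.60
    User ansible
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    PasswordAuthentication no
EOF
    audit_ssh_config "$cfg" | tr '\t' ' '
    printf 'fallback: %s\n' "$(hosts_with_password_fallback "$cfg")"
    rm -f "$cfg"
}

demo_audit
```

Run `hosts_with_password_fallback ~/.ssh/config` after adding an entry from the template; once a host has been verified with the YubiKey in Step 3, its block can drop the password fallback and disappear from that list.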