Oh, will you look at this. It's right here . . .
We must vet the guard at the outer wall, before we lower the drawbridge to the castle.
== Prelude
Camelot stands not only as a server, but as a secure entry point into broader systems. By configuring SSH keys for access, Camelot begins its role as a trusted node—a place from which administrative scripts and secure connections may reach deeper into the network, or even as far as distant servers abroad.
Today Camelot holds both the key and the gate, serving as the foundation for orchestrated management across the kingdom.
This document records the establishment of SSH key authentication to Camelot, securing access and preparing for its evolving role.
= SPEC-002: SSH Key Setup for Camelot
:sectnums:
:toc:
== Background
This document outlines the technical steps to configure SSH key-based authentication from Frodo (a laptop) to Camelot (a Proxmox server), replacing password-based SSH login with a more secure and streamlined method.
== Requirements
- Frodo: a laptop with a terminal and OpenSSH client
- Camelot: a Proxmox server accessible via SSH using password authentication
- Existing working SSH login from Frodo to Camelot as user allison
== Steps
=== 1. Generate SSH Key on Frodo
On Frodo, generate a new SSH key pair (if none exists):
ssh-keygen -t ed25519 -C "allison@frodo"
Press Enter to accept the default location (~/.ssh/id_ed25519) and optionally enter a passphrase.
=== 2. Copy Public Key to Camelot
To authorize Frodo's key on Camelot, copy the public key:
ssh-copy-id allison@10.42.0.18
Alternatively, copy manually:
scp ~/.ssh/id_ed25519.pub allison@10.42.0.18:/home/allison/
Then, on Camelot:
mkdir -p ~/.ssh
cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
rm ~/id_ed25519.pub
=== 3. Test SSH Login
From Frodo, test SSH login without a password:
ssh allison@10.42.0.18
If successful, SSH will connect without prompting for a password.
== Implementation Notes
SSH key files are stored at ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public) on Frodo.
Camelot authorizes the key via /home/allison/.ssh/authorized_keys.
No SSH daemon configuration changes are required, because PasswordAuthentication and PubkeyAuthentication are both enabled in the default OpenSSH configuration.
== Milestones
== Optional Enhancements
Disable SSH password authentication (and direct root login) in /etc/ssh/sshd_config on Camelot for improved security. Apply this only after the key login in step 3 has been confirmed, and keep an existing session open while the daemon restarts so a mistake can still be repaired:
PermitRootLogin no
PasswordAuthentication no
Restart SSH after making configuration changes:
systemctl restart ssh
== Verification
SSH key authentication is verified when ssh allison@10.42.0.18 connects without a password prompt and with expected access rights.
This document serves as an operational reference for enabling SSH key-based authentication from Frodo to Camelot.
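As an added example (not part of the spec above), two POSIX shell checks that cover the verification section and the Optional Enhancements: the first confirms the ~/.ssh and authorized_keys permissions from step 2, the second reads the effective value of each hardening directive from an sshd_config file. The function names are hypothetical; the script assumes GNU stat (as on Debian/Proxmox) and ignores Match blocks and Include files, so `sshd -T` remains the authority for the fully resolved configuration.

```shell
#!/bin/sh
# Added example, not code from the original spec. Hypothetical helper names.
# Both functions take an optional path so they can be exercised on test files.

# 0 when DIR is mode 700, DIR/authorized_keys is mode 600, both are owned by
# the caller, and authorized_keys holds at least one public-key line.
check_authorized_keys() {
    dir="${1:-$HOME/.ssh}"
    keys="$dir/authorized_keys"
    me="$(id -un)"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    dmode="$(stat -c '%a' "$dir")"    # GNU stat (assumption: Debian/Proxmox)
    kmode="$(stat -c '%a' "$keys")"
    [ "$dmode" = "700" ] || { echo "$dir mode $dmode, want 700"; return 1; }
    [ "$kmode" = "600" ] || { echo "$keys mode $kmode, want 600"; return 1; }
    [ "$(stat -c '%U' "$dir")" = "$me" ] || { echo "$dir not owned by $me"; return 1; }
    [ "$(stat -c '%U' "$keys")" = "$me" ] || { echo "$keys not owned by $me"; return 1; }
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) ' "$keys" \
        || { echo "no public key lines in $keys"; return 1; }
    return 0
}

# Print the last uncommented value of keyword $2 in config $1 (sshd uses the
# first match, but for a flat file the last write wins in practice; keywords
# are case-insensitive). Comment lines never match because $1 starts with '#'.
effective_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { if (v != "") print v }' "$1"
}

# 0 when every hardening directive from the Optional Enhancements section
# has the expected value; reports each mismatch and returns 1 otherwise.
check_sshd_hardening() {
    cfg="${1:-/etc/ssh/sshd_config}"
    ok=0
    for pair in "PasswordAuthentication no" "PermitRootLogin no" "PubkeyAuthentication yes"; do
        key="${pair% *}"; want="${pair#* }"
        got="$(effective_directive "$cfg" "$key")"
        # PubkeyAuthentication defaults to yes in OpenSSH when it is unset
        [ -z "$got" ] && [ "$key" = "PubkeyAuthentication" ] && got=yes
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', want '$want'"; ok=1
        fi
    done
    return $ok
}
```

Run check_authorized_keys on Camelot before flipping PasswordAuthentication to no, and check_sshd_hardening after editing the file but before the restart.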
A final note: with the key installed, it can truly be said that Frodo has received the Key to Camelot, and the gates now open in trust.
Frodo can fully prepare in just 2 commands:
Create key directory (optional, but organized):
mkdir -p ~/.ssh/camelot
Generate SSH key:
ssh-keygen -t ed25519 -f ~/.ssh/camelot/id_ed25519 -C "frodo@camelot"
- Generates private key → ~/.ssh/camelot/id_ed25519
- Generates public key → ~/.ssh/camelot/id_ed25519.pub
- Adds helpful comment in key for tracking
allison@frodo:~/.ssh/camelot$ ls -l
total 8
-rw------- 1 allison allison 399 May 4 12:23 id_ed25519
-rw-r--r-- 1 allison allison 95 May 4 12:23 id_ed25519.pub
Edit ~/.ssh/config
Host camelot
HostName <ip-or-hostname>
User camelot
IdentityFile ~/.ssh/camelot/id_ed25519
Copy the key
ssh-copy-id -i ~/.ssh/camelot/id_ed25519.pub camelot@<Camelot-IP>
allison@frodo:~/.ssh/camelot$ ssh-copy-id -i ~/.ssh/camelot/id_ed25519.pub camelot@10.42.0.18
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/allison/.ssh/camelot/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
camelot@10.42.0.18's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'camelot@10.42.0.18'"
and check to make sure that only the key(s) you wanted were added.
camelot@camelot:~$ chmod 700 ~/.ssh
camelot@camelot:~$ chmod 600 ~/.ssh/authorized_keys
camelot@camelot:~$ chown camelot:camelot ~/.ssh ~/.ssh/authorized_keys
On Frodo, edit ~/.ssh/config:
# SSH config for Camelot access
Host camelot
HostName 10.42.0.18
User camelot
IdentityFile ~/.ssh/camelot/id_ed25519
allison@frodo:~/.ssh/camelot$ ssh camelot
Linux camelot 6.8.12-4-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-4 (2024-11-06T15:04Z) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 4 23:34:31 2025 from 10.42.0.100
camelot@camelot:~$
🎉 YESSSS!!! 🏰✨
The key worked. Frodo passed through the gate without a password prompt.
✅ SSH key-based login succeeded
✅ No sudo edit needed yet (since default config + explicit key path worked)
✅ Frodo is inside Camelot as camelot user, authenticated by key
This right here:
👉 “The moment Frodo unlocked the gate to Camelot using the Key.”
== Pending Next Steps
“Jumpserver evaluation pending” — including verification of SSH access, DNS resolution for internal hostnames, confirmation of valid target hosts, and review of access policies.
Gatehouse8 (the prospective jumpserver) must be validated independently before granting it a role as entry point to Camelot or broader systems. Once proven secure and functional, it may be admitted as the trusted gate.