Technical Reports from the Front Lines of Software & Systems.

Sometimes I SSH into my VM just to leave.

No task. No deployment. No debugging session. I connect… admire it… and exit.

Because it’s smooth. Effortless. Frictionless in a way that only someone who has wrestled with infrastructure for hours can truly appreciate.

One command:

ssh starter-proxmox-vm.lan.reburn.us

And I’m in.

No username prompt.
No password.
No “Are you sure you want to continue connecting (yes/no)?”
No blind acceptance of a mystery fingerprint.

Just clean, deterministic trust.

If something’s wrong, I’ll know. Immediately. That’s how it should be.

The End of TOFU

Let’s be blunt: most people use SSH with what amounts to a security shrug.

The first time they connect to a host, they see the fingerprint warning. They type yes. They move on. That’s TOFU — Trust On First Use.

It’s convenient. It’s fast.

It also permanently bypasses a security layer designed to protect against man-in-the-middle attacks.

After that first “yes,” you’re assuming the host you connected to was legitimate. If it wasn’t? You’ve just memorialized an attacker’s key in your known_hosts.

That never sat well with me.

So I eliminated it.

The Golden Path

Now when I connect to any machine in my homelab, this happens:

  • The VM was created from a hardened golden template.
  • The host key was signed by Vault.
  • My client key was signed by Vault.
  • My machine verifies the host certificate automatically.
  • The server verifies my client certificate automatically.
  • An audit trail is recorded.

All before I ever see a shell prompt.

Nobody gets into my VM unless Vault signs off on it.

Some security purists will argue that SSH shouldn’t be exposed at all. In production? I agree. In a homelab built for experimentation and iteration? Secure, authenticated SSH with certificate-backed auditing is exactly the right tool.

This isn’t recklessness.

It’s deliberate.

Setting up the Trust

Here’s the magic that makes host verification seamless:

vault read -field=public_key ssh-host-signer/config/ca \
| sed 's/^/@cert-authority *.lan.reburn.us /' \
| tee -a ~/.ssh/known_hosts >/dev/null

Run once.

That command:

  1. Authenticates to Vault.
  2. Retrieves the SSH Host Certificate Authority public key.
  3. Formats it correctly for OpenSSH.
  4. Appends it to ~/.ssh/known_hosts.

From then on, any host under *.lan.reburn.us must present a host key signed by that CA.

If it isn’t signed by Vault? Connection denied.

No prompt. No negotiation. No human guesswork.

Vault does the heavy lifting. I get cryptographic certainty.
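To see which hosts that CA line actually covers, and which ones would still fall back to a fingerprint prompt, here is an added Python check (my example, not code from the post or from Vault) that parses a known_hosts file with OpenSSH's host-pattern rules and flags plain first-use keys that a CA entry now supersedes. The sample entries and key blobs are constructed placeholders.

```python
import fnmatch

# Constructed sample known_hosts (not the post's file); line 1 has the shape the
# post's vault | sed | tee pipeline appends, and the key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.lan.reburn.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCA vault-ca
starter-proxmox-vm.lan.reburn.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERHOST
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERGITHUB
"""

def host_matches(pattern_field: str, host: str) -> bool:
    """OpenSSH known_hosts matching: comma-separated patterns, '*'/'?' wildcards,
    case-insensitive; a matching '!' pattern excludes the host outright."""
    matched = False
    for pat in pattern_field.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if negate:
                return False
            matched = True
    return matched

def parse_known_hosts(text: str) -> list:
    """Return (marker, host_pattern, key_type) per entry; marker is None for a plain TOFU key."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):  # @cert-authority or @revoked, separated by a space
            marker, _, line = line.partition(" ")
        fields = line.split(None, 2)
        if len(fields) == 3:
            entries.append((marker, fields[0], fields[1]))
    return entries

def audit(text: str, hosts) -> dict:
    """Per host: covered by a CA pattern? plain TOFU key still kept? (hashed |1| entries skipped)"""
    entries = parse_known_hosts(text)
    ca = [p for m, p, _ in entries if m == "@cert-authority"]
    plain = [p for m, p, _ in entries if m is None and not p.startswith("|1|")]
    report = {}
    for host in hosts:
        covered = any(host_matches(p, host) for p in ca)
        tofu = any(host_matches(p, host) for p in plain)
        report[host] = ("ca-covered" if covered else "no CA entry") + (", plain TOFU key present" if tofu else "")
    return report
```

One caveat the report makes visible: the CA line only rejects a host that presents a certificate signed by someone else; a host that offers a plain, uncertified key with no matching entry still gets the ordinary first-use prompt unless StrictHostKeyChecking is set to yes.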

The Two Pillars: Host Signing and Client Signing

Before going deeper, it’s important to separate the two mechanisms at play.

1. Host Key Signing

This solves: “Am I connecting to the machine I think I am?”

Instead of trusting the first key I see, I trust a Certificate Authority. Vault signs each server’s SSH host key. My workstation trusts the CA.

This shifts trust from an ad-hoc, one-time fingerprint acceptance to a centrally managed, auditable authority model.

It’s the difference between:

  • “Yeah, that looks right.”
  • “This was cryptographically vouched for by an authority I control.”

2. Client Key Signing

This solves: “Should this user be allowed in?”

Instead of scattering static public keys across servers, Vault signs short-lived SSH certificates for users.

Servers trust the Vault CA.
Users authenticate to Vault.
Vault signs their key for a defined period.
Access is logged.

No permanent keys floating around.
No stale credentials forgotten on old machines.
No mystery access six months later.

Access becomes intentional and traceable.

Crawl Before You Walk

I spent hours massaging my mono-repo and restructuring my lab before moving forward.

Some would have jumped straight to orchestrating workloads.

Not me.

I wanted identity and trust correct first.

Because once the foundation is solid, everything else is acceleration.

And now?

Now I SSH in just to experience it.

Because when the command runs cleanly, when cryptography does its quiet work behind the scenes, when no prompts interrupt the flow — that’s when you know the plan came together.

And that’s beautiful.
