
Inbound SSH to saltierpoop: humans and agents

Saltierpoop (192.168.6.243, user someone) is a Saltbox VM. Homelab Ansible manages the OS layer only; container operations use Saltbox (sb install, inventory).

Related: infra-services-inbound-ssh-humans-and-agents.md, ssh-keys-and-infra-services.md.


Three access paths

| Who | Command | Key | Notes |
|---|---|---|---|
| You (interactive) | ssh saltierpoop | ~/.ssh/id_rsa_saltedpoop (or 1Password) | May prompt for passphrase |
| Cursor / agents (direct) | ssh saltierpoop-cursor | ~/.ssh/cursor-infra | Same key as infra-services-cursor |
| C&C from infra-services | sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.243 | patch-controller (root-readable) | Restricted to from="192.168.6.17" on server |

Patch-controller and backup-fetch keys are installed by ansible-pull (site.yml + saltbox-host role). They only work from infra-services, not from your laptop.

Workstation SSH config

Add alongside infra-services-cursor:

Host saltierpoop-cursor
    HostName 192.168.6.243
    User someone
    IdentityFile ~/.ssh/cursor-infra
    IdentitiesOnly yes
    IdentityAgent none

Human alias (existing):

Host saltierpoop
    HostName 192.168.6.243
    User someone
    IdentityFile ~/.ssh/id_rsa_saltedpoop

Authorize the agent key (one-time)

The cursor-infra public key must be in /home/someone/.ssh/authorized_keys.

Option A — from infra-services (patch-controller already trusted):

REM On your workstation (Windows cmd.exe): pipe the pubkey through the C&C jump.
REM Kept on one line because cmd.exe does not treat a trailing backslash as a line continuation.
type %USERPROFILE%\.ssh\cursor-infra.pub | ssh infra-services-cursor "sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.243 'mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys'"

Option B — while logged in as you (ssh saltierpoop):

echo 'PASTE_cursor-infra.pub_ONE_LINE' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Do not commit the pubkey to git; it is operator-local (same pattern as infra-services).
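
Both options append blindly, so a second run duplicates the entry and a mis-paste (a private key, a wrapped line) lands in authorized_keys unchecked. The following is an added example, not part of the original page: an idempotent variant of Option B to run on the VM. The function name authorize_pubkey and its return codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes a plain public-key line
# (type, base64 blob, optional comment) such as the contents of cursor-infra.pub.
# authorize_pubkey KEY_LINE [AUTH_FILE]  (function name is hypothetical)
#   returns 0 = key added, 3 = key already present, 2 = input rejected
authorize_pubkey() {
    key_line=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}
    nl='
'
    # A pasted private key or a line-wrapped paste spans several lines.
    case $key_line in
        *"$nl"*) echo "rejected: more than one line" >&2; return 2 ;;
    esac
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unknown key type" >&2; return 2 ;;
    esac
    # Every OpenSSH public-key blob is base64 and starts with AAAA.
    case $key_blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; return 2 ;;
        AAAA?*) ;;
        *) echo "rejected: blob is not a public key" >&2; return 2 ;;
    esac
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Compare on the blob so a different comment or an options prefix
    # (for example from="...") on an existing entry still counts as present.
    if awk -v b="$key_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
                             END { exit !hit }' "$auth_file"; then
        return 3
    fi
    # If the file lacks a final newline, a bare append would corrupt the last entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

After sourcing the function on the VM, call it with the one-line contents of cursor-infra.pub as the first argument; a return code of 3 means the key was already authorized and nothing was written.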


Verification

| # | Where | Command | Expect |
|---|---|---|---|
| 1 | Cursor terminal | ssh -o BatchMode=yes saltierpoop-cursor 'echo ok' | ok |
| 2 | infra-services | sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.243 hostname | VM hostname |

Troubleshooting

Hangs from Windows with ssh saltierpoop

The personal key (id_rsa_saltedpoop) likely has a passphrase and Cursor cannot prompt. Use saltierpoop-cursor for agents, or IdentityAgent none on a dedicated Host stanza.

Permission denied from infra-services without sudo

The patch-controller private key is 0400 root:root under /etc/homelab/patch-controller/. Always use sudo ssh -i ….

Fallback: Proxmox guest agent

If SSH is broken but VM 100 is running on prox:

# From infra-services
sudo ssh -i /etc/homelab/patch-controller/id_ed25519 root@192.168.6.71 \
  qm guest exec 100 -- docker ps

Read-only emergency access only — prefer fixing SSH.


Agent convention

From Cursor, prefer:

ssh -o BatchMode=yes -o ConnectTimeout=10 saltierpoop-cursor "<command>"

For patching orchestration, infra-services uses patch-controller (already wired in coordinated-os-patching.md).