From 780b06de56000cb6c558679d07a27e8e0ca821c5 Mon Sep 17 00:00:00 2001
From: 123kupola
Date: Sat, 27 Jun 2026 23:22:23 +0200
Subject: [PATCH] =?UTF-8?q?docs(hive-routing):=20fleet=20SSH=20reliability?=
 =?UTF-8?q?=20=E2=80=94=20password=20off,=20agent=20keys,=20PF=20limits?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Covers the three root causes discovered during osa→debby SSH setup:

1. PasswordAuthentication no — removes fail2ban's reason to exist
2. AddKeysToAgent yes — prevents ksshaskpass popups on reconnect
3. FreeBSD PF rate limiting — defense in depth for osa Sam & Hermes
---
 docs/wiki/hive-routing.md | 48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/docs/wiki/hive-routing.md b/docs/wiki/hive-routing.md
index b9eee71..5d3d60a 100644
--- a/docs/wiki/hive-routing.md
+++ b/docs/wiki/hive-routing.md
@@ -398,3 +398,51 @@ T2.x Eval Harness πŸ“‹ Task success measurement ``` The key insight: local LLM is the **ultimate cache-hit token**. Every token generated on a beefy node's GPU is $0.0000. The routing engine's job is to maximize the use of $0 tokens without compromising task success rates. + +## Fleet SSH reliability + +Two one-liner configs that prevent SSH interruptions and ksshaskpass popups +on fleet nodes: + +### 1. Disable password auth β€” no brute-force surface + +When a fleet node connects and the key doesn't match on first attempt, sshd +falls back to password authentication. Fail2ban counts those as failures and +bans the source IP after `maxretry` attempts. With password auth off, there +is nothing to brute-force: + +```sh +# /etc/ssh/sshd_config +PasswordAuthentication no +``` + +Caveat: nodes with password auth disabled need physical/console access if +they lose their private key. + +### 2. Auto-add keys to agent β€” no ksshaskpass popups + +When `ssh-agent` has no identities, Kitty SSH triggers ksshaskpass on +reconnect. `AddKeysToAgent yes` auto-loads keys on first use: + +``` +# ~/.ssh/config +Host * + AddKeysToAgent yes +``` + +### 3. FreeBSD: PF rate limiting + +On FreeBSD nodes, `max-src-conn-rate 5/60` with `` table +provides the same protection independently of fail2ban: + +```sh +# /etc/pf.conf +table persist +pass in proto tcp to port 22 \ + max-src-conn-rate 5/60 overload flush global +``` + +--- + +β†’ [fail2ban-tailscale skill](../../.agent/skills/fail2ban-tailscale/SKILL.md) +β†’ [freebsd-admin skill](../../.agent/skills/freebsd-admin/SKILL.md) -- 2.45.3
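Review bot: the `/etc/pf.conf` snippet in section 3 will not load as written and, even once it parses, would never block anyone. The table name has been lost from both `table persist` and `overload flush global` (pf needs a named table, e.g. a placeholder like `<bruteforce>`), `max-src-conn-rate` and `overload` are state-tracking options that must sit in parentheses after `keep state` rather than as bare rule keywords, and nothing in the snippet denies traffic from the overloaded table, so sources get added to it and keep connecting. Suggested shape: `table <bruteforce> persist`, then `block in quick from <bruteforce>`, then `pass in proto tcp to port 22 flags S/SA keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)`. Two smaller points in the same hunk: section 1's claim that `PasswordAuthentication no` leaves "nothing to brute-force" only holds if keyboard-interactive auth is also disabled (`KbdInteractiveAuthentication no`, or `ChallengeResponseAuthentication no` on older OpenSSH), because PAM can still prompt for a password through that method; and the `~/.ssh/config` block's fence carries no language tag while the `sshd_config` and `pf.conf` blocks use ```sh, so the three should be consistent.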