Summary
Add an endpoint hardening guide for SSH clients and key management under guides/endpoint_security/.
Suggested content
- Attack surface: SSH private keys stored on disk, agent forwarding risks, known_hosts poisoning, malicious SSH configs
- Hardening checklist: Ed25519 keys with passphrases, SSH agent timeout (`AddKeysToAgent`), `ProxyJump` over agent forwarding, `HashKnownHosts`, config file permissions
- Hardware-backed keys: FIDO2/resident keys on YubiKey, `sk-ssh-ed25519` key type, no private key material on disk
- Web3-specific: Securing SSH access to validator nodes, RPC endpoints, deployment infrastructure
- Audit: Detecting unauthorized keys in `authorized_keys`, monitoring SSH login patterns
Context
Part of the Endpoint Security section under Guides. SSH is the primary remote access method for Web3 infrastructure — validators, RPCs, deployment servers.
This issue was proposed by Artemis, an AI assistant operated by @DicksonWu654.
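One way the "Audit" item could be illustrated in the guide, as an added example that is not part of the original issue or the project's code: parse an `authorized_keys` file, including entries with quoted options, and report every key whose SHA256 fingerprint is not on an allowlist. The names `parse_line`, `audit`, `ALLOWED` and the sample keys are constructed for illustration, and options are assumed to contain no escaped quotes.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "sk-ssh-ed25519@openssh.com", "ssh-rsa", "ecdsa-sha2-nistp256"}

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, blob, comment), or None if the line holds no key."""
    tokens, cur, quoted = [], "", False
    for ch in line.strip():
        if ch == '"':
            quoted = not quoted          # options such as command="a b" contain spaces
        if ch in " \t" and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def audit(text, allowed):
    """List (line_no, fingerprint, options, comment) for keys not in `allowed`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and fingerprint(parsed[2]) not in allowed:
            findings.append((no, fingerprint(parsed[2]), parsed[0], parsed[3]))
    return findings

def _blob(seed):  # constructed Ed25519 public-key blob, not a real key
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = (f"# constructed authorized_keys sample\n"
          f"ssh-ed25519 {_blob(1)} ops@laptop\n"
          f'command="/usr/local/bin/backup --all",no-pty ssh-ed25519 {_blob(2)} backup\n'
          f"ssh-ed25519 {_blob(3)} unknown@host\n")
ALLOWED = {fingerprint(_blob(1)), fingerprint(_blob(2))}
```

Calling `audit(SAMPLE, ALLOWED)` returns only the entry on line 4; in practice the allowlist would come from a reviewed inventory of issued keys rather than from the file being audited.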