How do you handle secure remote admin (while away from home)?
My infra is about 3 home servers and 2 cloud VMs running various services for family and myself.
Currently I strictly separate user from admin tasks. This means I am treating myself as a normal user. Almost all admin work can only be done from my Linux laptop in a separate admin browser profile or with the SSH keys on that laptop. I am also transitioning more and more admin tasks to Ansible, which also only lives on my laptop. (Of course the laptop has backups I can access in other ways.)
This means my phone/tablet (iOS) only has very limited user-level access to services. I am somewhat hesitant to trust closed-source systems and also the SaaS-based terminals for iOS.
This feels secure, but it has a major downside: when I am away with only phone + tablet and something breaks, I cannot really do any maintenance. Hence I carry my laptop whenever I am away for longer. I don't really like that as the laptop is heavy and bulky.
Options I am thinking about:
- Put admin SSH keys on my mobile devices: Maybe my distrust in phones is outdated. Phones are much more secure nowadays than PCs. I could just put Termius on there and access everything.
- Add a dedicated management box at home, reachable only via VPN, that can act as a bastion / Ansible runner. Basically a "management machine". I would secure it tightly (only does SSH, no other services, no password access, only via VPN). However, that would be a single point of failure then -- master key to everything. But maybe with enough security features, I shouldn't be that hesitant. I could combine options 1 and 2, access the management box through my phone.
- A more complex setup of only allowing certain commands via ssh for certain users (admin via phone ssh, but limited options). That was a recommendation I found, but I find it complicated and again a tradeoff.
- Stick to my system, just accept the limitation that only my Linux laptop can do things -- look for a smaller, lighter laptop.
Any other ideas? How do you handle this tradeoff between security and being able to fix things while away from your main workstation?
Thanks!
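One concrete shape for the "only certain commands via ssh" option, as an added example that is not part of the post above: a forced-command wrapper that sshd runs for a dedicated, limited key (say, the one kept on the phone), so that key can never get a shell, only an exact allowlisted command. The wrapper path, the `phone-admin` key comment and the four allowlisted commands are assumptions for illustration.

```shell
#!/bin/sh
# admin-wrapper: forced command for a restricted SSH key (example, not from the post).
#
# Install on the server as /usr/local/bin/admin-wrapper (assumed path) and reference it
# from the restricted key's line in ~/.ssh/authorized_keys:
#
#   restrict,command="/usr/local/bin/admin-wrapper" ssh-ed25519 AAAA... phone-admin
#
# "restrict" turns off pty, port/agent/X11 forwarding for that key; "command=" makes
# sshd run this script instead of whatever the client asked for, and places the
# client's requested command line in SSH_ORIGINAL_COMMAND for us to inspect.

# allowed_command REQUEST: return 0 if REQUEST is exactly one of the permitted
# fixed command strings, 1 otherwise. Matching whole strings (no argument
# parsing) means a request carrying extra arguments, ";", "&&" or "|" simply
# never matches, so nothing the client types reaches a shell.
allowed_command() {
    case "$1" in
        "systemctl status nginx")              return 0 ;;
        "systemctl restart nginx")             return 0 ;;
        "journalctl -u nginx -n 50 --no-pager") return 0 ;;
        "df -h")                               return 0 ;;
        *)                                     return 1 ;;
    esac
}

# run_restricted: audit the request, then exec it only if allowlisted.
run_restricted() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    # Every attempt, allowed or not, goes to syslog so denied ones are visible.
    logger -t admin-wrapper "from=${SSH_CONNECTION%% *} request='$req'" 2>/dev/null || :
    if allowed_command "$req"; then
        # Word-splitting is intended: $req is one of the fixed strings above.
        # shellcheck disable=SC2086
        exec $req
    fi
    echo "admin-wrapper: command not permitted" >&2
    exit 127
}

# Only act as the forced command when installed under that name; sourcing the
# file elsewhere (e.g. for tests) just defines the functions.
case "${0##*/}" in
    admin-wrapper) run_restricted ;;
esac
```

Each command the phone may run is then one explicit line on the server, and a different key (laptop, or the VPN-only management box) keeps full access.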