Pulse/docs/security/TEMPERATURE_MONITORING.md
2026-07-03 10:43:28 +01:00

1.4 KiB

Temperature Monitoring Security

Pulse supports two temperature collection paths: the unified agent (recommended) and SSH-based collection from the Pulse server. This page summarizes the security tradeoffs.

The unified agent (pulse-agent --enable-proxmox) runs locally on each Proxmox host and reports temperature metrics directly to Pulse. No SSH keys are stored on the server, and access is scoped to the agent token.

Benefits:

  • Local sensor access only
  • No inbound SSH requirement
  • Standard agent auth and transport

See docs/TEMPERATURE_MONITORING.md for setup.

SSH-Based Collection

SSH-based temperature monitoring uses a restricted key entry that only allows the Pulse sensor wrapper to run. This limits the blast radius if a key leaks.

Recommended restrictions:

command="/usr/local/sbin/pulse-sensors",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <public-key> # pulse-sensors

Additional notes:

  • Use a dedicated key for temperature collection only.
  • Avoid running Pulse in a container for SSH-based collection. If you must for dev/test, set PULSE_DEV_ALLOW_CONTAINER_SSH=true and keep access tightly scoped.

See docs/TEMPERATURE_MONITORING.md for the full setup flow.