Date: Mon, 15 Jan 2024 12:51:48 +0100 (CET)
From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Esi Y <esiy0676+proxmox@gmail.com>
Message-ID: <1169764233.3317.1705319508414@webmail.proxmox.com>
In-Reply-To: <mailman.431.1705316883.335.pve-devel@lists.proxmox.com>
References: <20240111105123.370028-1-f.gruenbichler@proxmox.com>
 <20240111105123.370028-3-f.gruenbichler@proxmox.com>
 <mailman.431.1705316883.335.pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH cluster 2/4] fix #4886: SSH: pin node's host key if available

> On Thu, Jan 11, 2024 at 11:51:16AM +0100, Fabian Grünbichler wrote:
> > if the target node has already stored their SSH host key on pmxcfs, pin it and
> > ignore the global known hosts information.
> >
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> > ---
> >  src/PVE/SSHInfo.pm | 15 ++++++++++++++-
> >  1 file changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/PVE/SSHInfo.pm b/src/PVE/SSHInfo.pm
> > index c351148..fad23bf 100644
> > --- a/src/PVE/SSHInfo.pm
> > +++ b/src/PVE/SSHInfo.pm
> > @@ -49,11 +49,24 @@ sub get_ssh_info {
> >  
> >  sub ssh_info_to_command_base {
> >      my ($info, @extra_options) = @_;
> > +
> > +    my $nodename = $info->{name};
> > +
> > +    my $known_hosts_file = "/etc/pve/nodes/$nodename/ssh_known_hosts";
> > +    my $known_hosts_options = undef;
> > +    if (-f $known_hosts_file) {
> > +	$known_hosts_options = [
> > +	    '-o', "UserKnownHostsFile=$known_hosts_file",
> > +	    '-o', 'GlobalKnownHostsFile=none',
>
> why does Global need to be none, even as this only applies if the snippet exists?

because we want to only let SSH look at our pinned file, not the regular one, which might contain bogus information. since our pinned file contains an entry for our host key alias which must match, the global file can never improve the situation, but it can cause a verification failure.

> > +	];
> > +    } 
> > +
> >      return [
> >  	'/usr/bin/ssh',
> >  	'-e', 'none',
> >  	'-o', 'BatchMode=yes',
> > -	'-o', 'HostKeyAlias='.$info->{name},
> > +	'-o', 'HostKeyAlias='.$nodename,
> > +	defined($known_hosts_options) ? @$known_hosts_options : (),
> >  	@extra_options
> >      ];
> >  }
> > -- 
> > 2.39.2
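Review bot: the `-f $known_hosts_file` test in the `if` only establishes that the per-node file exists, not that it carries an entry for `HostKeyAlias=$nodename`; once `UserKnownHostsFile` points at it and `GlobalKnownHostsFile=none` is set, a pinned file that lacks the alias entry (or holds a stale key after the node was re-keyed) makes ssh fail outright under `BatchMode=yes`, with no fall-back to the global file. That is the intended pinning semantics, so a one-line comment above the `if` stating that the pinned file must always contain the alias entry would stop a later reader from "fixing" it. Also, the added `+    } ` line carries a trailing space; drop it.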
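A simplified model of the pinned-file lookup the reply describes, added here as an illustration and not code from the patch or from Proxmox: it parses a per-node `ssh_known_hosts` file (plain and hashed host fields), looks up the entries recorded for the `HostKeyAlias`, and reports whether a presented key is pinned, conflicts with the pin, or is simply absent. The file contents, node name and key strings are constructed; the three-way outcome mirrors ssh's own check only loosely and deliberately ignores the global file, as the patch does.

```python
import base64
import hashlib
import hmac

# Constructed sample of the per-node pinned file the patch reads from
# /etc/pve/nodes/<node>/ssh_known_hosts; the key material is fake.
PINNED = (
    "# pinned host key for node 'pve1' (constructed, not a real key)\n"
    "pve1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakePVE1\n"
)

def hash_host_entry(alias: str, salt: bytes) -> str:
    """Build the hashed host field '|1|<salt>|<hmac-sha1>' ssh writes for an alias."""
    digest = hmac.new(salt, alias.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def _host_matches(field: str, alias: str) -> bool:
    """Match a known_hosts host field (comma list or hashed form) against alias."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        recomputed = hash_host_entry(alias, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, field)
    return alias in field.split(",")  # wildcards are not modelled here

def pinned_keys(known_hosts_text: str, alias: str) -> list:
    """Return the (key_type, base64_key) pairs recorded for alias."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # skip blanks, comments and @revoked/@cert-authority marker lines
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if _host_matches(fields[0], alias):
            found.append((fields[1], fields[2]))
    return found

def verify_pinned(known_hosts_text: str, alias: str, key_type: str, key_b64: str) -> str:
    """Check a presented host key against the pinned file only.

    'ok'       -> an entry for the alias carries exactly this key
    'mismatch' -> the alias is pinned to a different key of the same type
    'unknown'  -> no entry of this type for the alias; with BatchMode=yes
                  ssh cannot prompt, so this is also a failure, not a fall-back
    """
    entries = pinned_keys(known_hosts_text, alias)
    if (key_type, key_b64) in entries:
        return "ok"
    if any(t == key_type for t, _ in entries):
        return "mismatch"
    return "unknown"
```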