From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [RFC cluster 0/2] fix #4886: improve SSH handling
Date: Thu, 21 Dec 2023 10:53:11 +0100
Message-ID: <20231221095313.156390-1-f.gruenbichler@proxmox.com>
RFC since this would be a bigger change in how we approach intra-cluster
SSH access.
there are still a few parts that currently don't use SSHInfo, but
would need to be switched over if we want to pursue this approach:
- get_vnc_connection_info in PVE::API2::Nodes
- 'upload' API endpoint in PVE::API2::Storage::Status
- SSH proxy in pvesh
these changes would need to be coordinated with the patches from
this RFC series!
next steps afterwards:
- unmerge known hosts in `pvecm updatecerts`, instead of merging
-- to disentangle regular ssh from intra-cluster SSH
-- to allow `ssh-keygen -f .. -R ..` to work properly again
-- existing keys would still be preserved for not-yet-upgraded nodes, so this
should be doable without waiting for a major release.
- evaluate whether we want to split out
-- the client config (we currently force a cipher order there)
-- the client key (could live in /etc/pve/priv instead?)
-- or even the sshd instance altogether (would allow not touching the
regular sshd config at all)
Fabian Grünbichler (2):
fix #4886: write node SSH hostkey to pmxcfs
fix #4886: SSH: pin node's host key if available
src/PVE/Cluster/Setup.pm | 15 +++++++++++++++
src/PVE/SSHInfo.pm | 15 ++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
--
2.39.2