From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH cluster/manager/storage/docs 0/9] fix #4886: improve SSH handling
Date: Thu, 11 Jan 2024 11:51:14 +0100
Message-ID: <20240111105123.370028-1-f.gruenbichler@proxmox.com>

this series replaces the old mechanism that used a cluster-wide merged known
hosts file with distributing each node's host key via pmxcfs, and pinning
the distributed key explicitly for internal SSH connections.

the main changes in pve-cluster somewhat break the old manager and
storage versions, but only when such a partial upgrade is mixed with a
host key rotation of some sort.

pve-storage uses a newly introduced helper, so needs a versioned
dependency accordingly.

the last pve-docs patch has a placeholder for the actual version shipping the
changes which needs to be replaced when applying.

there's still some potential for follow-ups:
- 'pvecm ssh' wrapper to debug and/or re-use the host key pinning (and other
  future changes)
- also add non-RSA host keys
- key (and thus authorized keys) and/or sshd disentangling (this
  potentially also affects external access, so might be done on a major
  release to give more heads up)
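The cover letter describes the new mechanism only in outline: instead of trusting a merged, cluster-wide known_hosts file, each internal SSH connection is made to accept exactly one distributed host key for the target node. The following POSIX shell snippet is an added illustration of that pinning technique in terms of plain ssh(1) options; it is not code from the pve-cluster patches and does not claim to reproduce their option set. It assumes the node's public host key has already been obtained through a trusted channel (the series uses pmxcfs for this), uses a constructed placeholder key, and picks illustrative file paths of its own.

```shell
#!/bin/sh
# Added example, not part of the pve-cluster series: pin a single distributed
# host key for an internal SSH connection instead of relying on a merged,
# cluster-wide known_hosts file.
# Assumptions: the key line below was obtained over a trusted channel (the
# series distributes it via pmxcfs); the directory layout is illustrative.

# Constructed sample host key in known_hosts format (placeholder, not a real key).
SAMPLE_HOSTKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD'

# write_pinned_known_hosts NODE KEYLINE DIR
# Writes a one-entry known_hosts file keyed on the node name, so the lookup
# does not depend on which IP address or hostname was used to connect.
# Prints the path of the file it wrote.
write_pinned_known_hosts() {
    node=$1; keyline=$2; dir=$3
    mkdir -p "$dir"
    printf '%s %s\n' "$node" "$keyline" > "$dir/$node.known_hosts"
    chmod 0644 "$dir/$node.known_hosts"
    printf '%s\n' "$dir/$node.known_hosts"
}

# pinned_ssh_opts NODE KNOWN_HOSTS_FILE
# Prints ssh(1) options that make the connection accept only the pinned key:
#   UserKnownHostsFile   - the one-entry file written above
#   GlobalKnownHostsFile - /dev/null, so /etc/ssh/ssh_known_hosts is ignored
#   HostKeyAlias         - look the key up under the node name
#   StrictHostKeyChecking=yes - fail closed on an unknown or changed key
pinned_ssh_opts() {
    node=$1; kh=$2
    printf '%s' "-o UserKnownHostsFile=$kh -o GlobalKnownHostsFile=/dev/null -o HostKeyAlias=$node -o StrictHostKeyChecking=yes"
}

# verify_pinned NODE PRESENTED_KEYLINE KNOWN_HOSTS_FILE
# Mirrors the fail-closed decision ssh makes with the options above: succeed
# only if the key a peer presents equals the pinned key for that node.
verify_pinned() {
    node=$1; presented=$2; kh=$3
    expected=$(awk -v n="$node" '$1 == n { print $2, $3; exit }' "$kh")
    [ -n "$expected" ] && [ "$expected" = "$presented" ]
}

# Usage (not run here): kh=$(write_pinned_known_hosts node1 "$SAMPLE_HOSTKEY" /tmp/pinned)
#                       ssh $(pinned_ssh_opts node1 "$kh") root@node1 true
```

Because the global known_hosts file is disabled and strict checking is on, a rotated or spoofed host key produces a hard failure rather than a prompt or a silent fallback to some other entry; rotating a node's key then means redistributing the new key first, which is the partial-upgrade caveat the cover letter mentions.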
cluster:

Fabian Grünbichler (4):
  fix #4886: write node SSH hostkey to pmxcfs
  fix #4886: SSH: pin node's host key if available
  ssh: expose SSH options on their own
  pvecm: stop merging SSH known hosts by default

 src/PVE/CLI/pvecm.pm     | 10 ++++++++--
 src/PVE/Cluster/Setup.pm | 24 +++++++++++++++++++++---
 src/PVE/SSHInfo.pm       | 31 +++++++++++++++++++++++++++----
 3 files changed, 56 insertions(+), 9 deletions(-)

docs:

Fabian Grünbichler (2):
  ssh: make pitfalls a regular section instead of block
  ssh: document PVE-specific setup

 pvecm.adoc | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

manager:

Fabian Grünbichler (2):
  vnc: use SSH command helper
  pvesh: use SSH command helper

 PVE/API2/Nodes.pm | 3 ++-
 PVE/CLI/pvesh.pm  | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

storage:

Fabian Grünbichler (1):
  upload: use SSH helper to get ssh/scp options

 src/PVE/API2/Storage/Status.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.39.2

Thread overview (20+ messages):
2024-01-11 10:51 Fabian Grünbichler [this message]
2024-01-11 10:51 ` [pve-devel] [PATCH cluster 1/4] fix #4886: write node SSH hostkey to pmxcfs Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH cluster 2/4] fix #4886: SSH: pin node's host key if available Fabian Grünbichler
[not found] ` <mailman.431.1705316883.335.pve-devel@lists.proxmox.com>
2024-01-15 11:51 ` Fabian Grünbichler
[not found] ` <mailman.436.1705329114.335.pve-devel@lists.proxmox.com>
2024-01-16 9:00 ` Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH cluster 3/4] ssh: expose SSH options on their own Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH cluster 4/4] pvecm: stop merging SSH known hosts by default Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH docs 1/2] ssh: make pitfalls a regular section instead of block Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH docs 2/2] ssh: document PVE-specific setup Fabian Grünbichler
[not found] ` <mailman.409.1705062826.335.pve-devel@lists.proxmox.com>
2024-01-12 12:40 ` Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH manager 1/2] vnc: use SSH command helper Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH manager 2/2] pvesh: " Fabian Grünbichler
2024-01-11 10:51 ` [pve-devel] [PATCH storage 1/1] upload: use SSH helper to get ssh/scp options Fabian Grünbichler
2024-01-12 12:12 ` [pve-devel] [PATCH cluster/manager/storage/docs 0/9] fix #4886: improve SSH handling Fabian Grünbichler
2024-01-15 15:53 ` Hannes Dürr
2024-01-16 10:34 ` Thomas Lamprecht
2024-01-16 10:40 ` Fabian Grünbichler
2024-01-16 10:49 ` Thomas Lamprecht
2024-01-16 11:58 ` Hannes Dürr
2024-04-19 7:11 ` [pve-devel] applied-series: " Thomas Lamprecht