From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6D125C0BE6 for ; Fri, 12 Jan 2024 13:41:16 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4EB8831129 for ; Fri, 12 Jan 2024 13:40:46 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 12 Jan 2024 13:40:45 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 719084910F; Fri, 12 Jan 2024 13:40:45 +0100 (CET) Date: Fri, 12 Jan 2024 13:40:44 +0100 (CET) From: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= To: Proxmox VE development discussion Cc: Esi Y Message-ID: <1558621713.2884.1705063244732@webmail.proxmox.com> In-Reply-To: References: <20240111105123.370028-1-f.gruenbichler@proxmox.com> <20240111105123.370028-7-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.6-Rev57 X-Originating-Client: open-xchange-appsuite X-SPAM-LEVEL: Spam detection results: 0 AWL 0.065 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH docs 2/2] ssh: document PVE-specific setup X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2024 12:41:16 -0000 > Esi Y via pve-devel hat am 12.01.2024 13:33= CET geschrieben: > On Thu, Jan 11, 2024 at 11:51:20AM +0100, Fabian Gr=C3=BCnbichler wrote: > > such as adapted configs and managed files. > >=20 > > Signed-off-by: Fabian Gr=C3=BCnbichler > > --- > > Notes: actual version needs to be inserted! > >=20 > > pvecm.adoc | 18 ++++++++++++++++++ > > 1 file changed, 18 insertions(+) > >=20 > > diff --git a/pvecm.adoc b/pvecm.adoc > > index 5b5b27b..3a32cfb 100644 > > --- a/pvecm.adoc > > +++ b/pvecm.adoc > > @@ -918,6 +918,24 @@ transfer memory and disk contents. > > =20 > > * Storage replication > > =20 > > +SSH setup > > +~~~~~~~~~ > > + > > +On {pve} systems, the following changes are made to the SSH configurat= ion/setup: > > + > > +* the `root` user's SSH client config gets setup to prefer `AES` over = `ChaCha20` > > + > > +* the `root` user's `authorized_keys` file gets linked to > > + `/etc/pve/priv/authorized_keys`, merging all authorized keys within = a cluster >=20 > Will you be opening a new fix # thread on this one or intending to keep i= t as-is (even as the known_hosts changes are rolled out)? see the cover letter - if this series gets applied in its current form, the= n changing the (client) key setup (both the keys used, and the authorized k= eys handling) would be a potential (but not required) follow-up. the main i= ssue with that is that setups out there might rely on the current behaviour= (e.g., ssh-copy-id to one node registering the key automatically with all = nodes in the cluster), so it's likely only possible to switch by default on= the next major bump, if we decide to go down that route.