From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 1704BBC11D for ; Thu, 21 Dec 2023 10:53:22 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id F22781726C for ; Thu, 21 Dec 2023 10:53:21 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 21 Dec 2023 10:53:21 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 3DF7248A54 for ; Thu, 21 Dec 2023 10:53:21 +0100 (CET)
From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Thu, 21 Dec 2023 10:53:12 +0100
Message-Id: <20231221095313.156390-2-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20231221095313.156390-1-f.gruenbichler@proxmox.com>
References: <20231221095313.156390-1-f.gruenbichler@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0 AWL 0.064 Adjusted score from AWL reputation of
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [RFC cluster 1/2] fix #4886: write node SSH hostkey to pmxcfs X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Dec 2023 09:53:22 -0000 so that we can explicitly pin just this key when doing intra-cluster SSH connections. this works similar to the certificate cache we use for API proxying, but without automatic invalidation, since node A doesn't have access to node B's host key.. Signed-off-by: Fabian Grünbichler --- Notes: we could store more than just the RSA one there, but that would have some potential for fallout.. src/PVE/Cluster/Setup.pm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index 4b12bb8..ca73765 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -220,6 +220,20 @@ sub ssh_unmerge_known_hosts { PVE::Tools::file_set_contents($ssh_system_known_hosts, $old); } +sub ssh_create_node_known_hosts { + my ($nodename) = @_; + + my $hostkey = PVE::Tools::file_get_contents($ssh_host_rsa_id); + # Note: file sometimes containe emty lines at start, so we use multiline match + die "can't parse $ssh_host_rsa_id" if $hostkey !~ m/^(ssh-rsa\s\S+)(\s.*)?$/m; + $hostkey = $1; + + my $raw = "$nodename $hostkey"; + PVE::Tools::file_set_contents("/etc/pve/nodes/$nodename/ssh_known_hosts", $raw); + + # TODO: also setup custom keypair and client config here to disentangle entirely from /root/.ssh? +} + sub ssh_merge_known_hosts { my ($nodename, $ip_address, $createLink) = @_; 
@@ -823,6 +837,7 @@ sub updatecerts_and_ssh { $p->("merge authorized SSH keys and known hosts"); ssh_merge_keys(); ssh_merge_known_hosts($nodename, $local_ip_address, 1); + ssh_create_node_known_hosts($nodename); gen_pve_vzdump_files(); } -- 2.39.2
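Review bot: In the ssh_create_node_known_hosts hunk, the pinned file holds only the node's ssh-rsa key under the bare `$nodename`, so whatever consumes `/etc/pve/nodes/$nodename/ssh_known_hosts` has to connect by that exact name (or set a matching HostKeyAlias) and restrict the negotiated host key algorithms to the RSA family; otherwise the server can offer a key type that is not in the file and the connection fails the pinned check even though the node is genuine. The Notes already mention storing more key types, which would remove that constraint; whichever way this goes, the client-side requirement should be stated in the function comment. Two smaller points: the comment line has typos ("file sometimes containe emty lines" should read "file sometimes contains empty lines"), and `$raw = "$nodename $hostkey"` is written without a trailing newline, which known_hosts tolerates but is unusual for a file that other code may later append to.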
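Review bot: In the updatecerts_and_ssh hunk, the new `ssh_create_node_known_hosts($nodename)` call can `die` (when the host key file does not match the regex), and it runs before `gen_pve_vzdump_files()`, so a malformed or missing `$ssh_host_rsa_id` would now abort the remaining steps of updatecerts_and_ssh rather than only skipping the pinned-key file. Consider wrapping the call in an eval and warning, or documenting that a parse failure here is meant to be fatal.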