* [pve-devel] [PATCH container v2 1/3] setup: remove deprecated dsa from ssh host key generation
@ 2025-07-04 18:23 Daniel Kral
From: Daniel Kral @ 2025-07-04 18:23 UTC (permalink / raw)
To: pve-devel
OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
is the base version that will be shipped for Debian 13 trixie. Since it
has been marked deprecated for some time and generating DSA signatures
with OpenSSH 10.0 will fail, remove it.
[0] https://www.openssh.com/txt/release-10.0
[1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
src/PVE/LXC/Setup/Base.pm | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 6bdfb8d..dbfc775 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
return {
rsa => 'ssh_host_rsa_key',
- dsa => 'ssh_host_dsa_key',
ecdsa => 'ssh_host_ecdsa_key',
ed25519 => 'ssh_host_ed25519_key',
};
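Review bot: the commit message lists a [1] reference (the Debian trixie release notes) that the text never cites; attach it to the sentence stating that OpenSSH 10.0 is the version shipped with Debian 13 trixie. Beyond that, dropping `dsa` from the hash only stops generating a new DSA key: an `ssh_host_dsa_key` already present in a template rootfs is no longer overwritten and would be shared by every container created from that template unless it is removed elsewhere, which is what the follow-up removal of existing host keys in this series is for; a sentence in the commit message pointing that out would help reviewers reading this patch on its own.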
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [RFC container v2 2/3] setup: base: remove existing ssh host keys
From: Daniel Kral @ 2025-07-04 18:23 UTC (permalink / raw)
To: pve-devel
Remove existing SSH host keys after container creation to prevent
multiple containers sharing the same SSH host keys, especially those
which are not overwritten/generated by rewrite_ssh_host_keys() later.
This is called in the Base's post_create_hook(...) to prevent unwanted
removal for certain types of containers, e.g., unmanaged containers.
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Because of the HA Rules stuff, I unfortunately didn't get the time to
properly test these with any container images, but wanted to send them
anyway.
src/PVE/LXC/Setup/Base.pm | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index dbfc775..ea6f598 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -466,6 +466,30 @@ sub set_user_password {
}
}
+sub remove_existing_ssh_host_keys {
+ my ($self) = @_;
+
+ my $ssh_rootdir = "$self->{rootdir}/etc/ssh";
+
+ return if !-d $ssh_rootdir;
+
+ PVE::Tools::dir_glob_foreach(
+ $ssh_rootdir,
+ qr/ssh_host_.*/,
+ sub {
+ my ($key_filename) = @_;
+
+ next if $self->ct_is_file_ignored($key_filename);
+
+ print "Remove existing ssh host key '$key_filename' ...\n";
+
+ $self->protected_call(sub {
+ $self->ct_unlink($key_filename);
+ });
+ },
+ );
+}
+
my $parse_home_dir = sub {
my ($self, $passwdfile, $user) = @_;
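Review bot: `next` inside the anonymous sub passed to `PVE::Tools::dir_glob_foreach` exits the sub via loop control, which Perl only permits with an "Exiting subroutine via next" warning and which depends on the caller's loop; use `return` to skip the file instead. The paths are also inconsistent: the glob uses the host-side `$self->{rootdir}/etc/ssh`, but the callback receives only the matched file name, which is then passed unchanged to `ct_is_file_ignored` and, under `protected_call`, to `ct_unlink`. Inside the chroot that host path does not exist, so `return if !-d $ssh_rootdir` would make the whole function a no-op, and outside it the bare name lacks the `/etc/ssh/` prefix, so the ignore check looks at the wrong file and the unlink targets `<rootdir>/ssh_host_*`. Pick one view and pass `"/etc/ssh/$key_filename"` to both helpers, matching the `"/etc/ssh/$basename"` form used for the same check in 3/3.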
@@ -687,6 +711,7 @@ sub post_create_hook {
&$randomize_crontab($self, $conf);
$self->set_user_password($conf, 'root', $root_password);
+ $self->remove_existing_ssh_host_keys();
$self->set_user_authorized_ssh_keys($conf, 'root', $ssh_keys) if $ssh_keys;
$self->setup_init($conf);
$self->setup_network($conf);
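Review bot: deleting every non-ignored `ssh_host_*` file here is only safe because `rewrite_ssh_host_keys()` runs afterwards, as the commit message says; if that later step is skipped or fails on some creation path, the container is left without host keys and sshd will not start. A short comment at the call site naming that dependency would help, and the commit message should state which container types do not reach Base's `post_create_hook` (e.g. unmanaged ones), since that placement is the only thing excluding them from the removal.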
--
2.39.5
* [pve-devel] [RFC container v2 3/3] setup: skip rewriting ignored ssh host keys
From: Daniel Kral @ 2025-07-04 18:23 UTC (permalink / raw)
To: pve-devel
Skip rewriting any SSH host keys that are actively marked as ignored by
the container template.
This is done for consistency with remove_existing_ssh_host_keys(), which
skips removing any ignored SSH host keys as well.
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Because of the HA Rules stuff, I unfortunately didn't get the time to
properly test these with any container images, but wanted to send them
anyway.
src/PVE/LXC/Setup.pm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 02aefc6..db5d181 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -276,12 +276,22 @@ sub rewrite_ssh_host_keys {
my $keyfiles = [];
for my $keytype (keys $keynames->%*) {
my $basename = $keynames->{$keytype};
+ my $private_basename = "/etc/ssh/$basename";
+ my $public_basename = "/etc/ssh/$basename.pub";
+
+ if (
+ $self->ct_is_file_ignored($private_basename)
+ || $self->ct_is_file_ignored($public_basename)
+ ) {
+ print "Skip generating SSH host key '$basename', because it is ignored.\n";
+ next;
+ }
+
print "Creating SSH host key '$basename' - this may take some time ...\n";
my ($id, $private, $public) = generate_ssh_key($keytype, "root\@$hostname");
print "done: $id\n";
- push $keyfiles->@*, ["/etc/ssh/$basename", $private, 0600],
- ["/etc/ssh/$basename.pub", $public, 0644];
+ push $keyfiles->@*, [$private_basename, $private, 0600], [$public_basename, $public, 0644];
}
$self->protected_call(sub { # write them now all to the CTs rootfs at once
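Review bot: this check treats the private and public key as one unit (skip if either half is ignored), whereas the removal added in 2/3 decides per file. If a template marks only one half as ignored, 2/3 removes the other half and this hunk then skips regenerating both, leaving a lone private or public key behind. Either make the removal in 2/3 skip the pair when either half is ignored, or only skip generation here when both files are ignored, so the two sides agree. Minor: the printed message says "Skip generating" while the subject says "skip rewriting"; use one term.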
--
2.39.5