[pve-devel] [RFC cluster] pvecmn: add sshkeyscan

Thomas Lamprecht t.lamprecht at proxmox.com
Sun Nov 27 20:56:50 CET 2016



On 27.11.2016 11:17, Dietmar Maurer wrote:
> The problem is that ssh always uses the hostname/IP from
> the command line. I found a pending patch for ssh that
> would solve the problem here:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html
>
> But it seems it does not get applied (pending for more than one year).
>
> So what if we always use the same name on the command line, but change
> the DNS resolver instead?
>

A PVE::Tools::ssh_run_command() which uses the LD_PRELOAD hack to resolve
the nodename to the respective IP we currently need? Sounds good to me.

> Here is a small LD_PRELOAD hack:
>
> ---fakehost.c---------------------------------
> #define _GNU_SOURCE
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <dlfcn.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
>
> /* Interpose getaddrinfo(): when FAKEHOST="name:addr" is set and the caller
>  * asks for "name", resolve "addr" instead. ssh still sees "name" on its
>  * command line, so the known_hosts lookup happens under the stable node
>  * name while the connection goes to whatever address we need right now. */
> int getaddrinfo(const char *node, const char *service,
> 		const struct addrinfo *hints,
> 		struct addrinfo **res)
> {
> 	int (*orig_getaddrinfo)(const char *node, const char *service,
> 				const struct addrinfo *hints,
> 				struct addrinfo **res);
>
> 	orig_getaddrinfo = dlsym(RTLD_NEXT, "getaddrinfo");
>
> 	const char *fakehost_env = getenv("FAKEHOST");
>
> 	/* node may legitimately be NULL (wildcard/bind lookups): never strcmp() it */
> 	if (!fakehost_env || !node)
> 		goto org;
>
> 	char *fakehost = strdupa(fakehost_env);
>
> 	/* split on the first ':' only, so an IPv6 literal after it stays intact */
> 	char *new_node = strchr(fakehost, ':');
> 	if (!new_node)
> 		goto org;
> 	*new_node++ = '\0';
>
> 	if (!*new_node || strcmp(fakehost, node) != 0)
> 		goto org;
>
> 	return (*orig_getaddrinfo)(new_node, service, hints, res);
>
> org:
> 	return (*orig_getaddrinfo)(node, service, hints, res);
> }
> ------------------------------------
>
> You can compile and test that using:
>
> # gcc -Wall -fPIC -shared -o fakehost.so fakehost.c -ldl
> # LD_PRELOAD=./fakehost.so FAKEHOST="testname:1.2.3.4" ssh testname
>
> Do you think that would solve the problem?
>

Yes, this works for me here.
It's a valid solution which spares us from any setup or hassle in situations
where we connect over another network to another node.

>
>> On November 19, 2016 at 11:40 AM Thomas Lamprecht <t.lamprecht at proxmox.com>
>> wrote:
>>
>>
>> On 19.11.2016 09:53, Dietmar Maurer wrote:
>>> this looks extremely clumsy to me. Are there any alternatives?
>>>
>>
>> If we want to automate it I did not find any better way yet. Using
>> ssh-keyscan is nice as it's fast and accepts multiple hosts at once.
>> Using the unique sort is just a security measure against spamming the
>> known_hosts files with multiple duplicate entries.
>> And for gathering the IPs I misused the new pvecm mtunnel --get_migration_ip
>> command; this is not ideal from a naming perspective, but seemed too practical
>> to me to not use it as a hack :)
>>
>> We could just document how to use ssh-keyscan manually to simplify this
>> process for the user and omit this entirely.
>> But the process would be almost the same, apart from the automatic IP gathering;
>> the user already knows the IPs of his hosts.



