[pve-devel] [PATCH RFC 05/21] create a cluster wide SSH CA
Dietmar Maurer
dietmar at proxmox.com
Mon Nov 28 08:08:57 CET 2016
Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
data/PVE/Cluster.pm | 43 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index f84461b..4f26cc3 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -4,7 +4,7 @@ use strict;
use warnings;
use POSIX qw(EEXIST);
use File::stat qw();
-
+use File::Path;
use Socket;
use Storable qw(dclone);
use IO::File;
@@ -233,6 +233,44 @@ sub gen_pve_www_key {
die "unable to generate pve www key:\n$@" if $@;
}
+sub gen_pve_ssh_ca {
+
+ return 0 if -s $ssh_cluster_ca_priv && -s $ssh_cluster_ca_cert;
+
+ my $ssh_ca_changes = 0;
+
+ my $tmpdir = "/tmp/.pve-ssh-keygen-$$";
+ eval {
+
+ return if -s $ssh_cluster_ca_priv && -s $ssh_cluster_ca_cert;
+
+ $ssh_ca_changes = 1;
+
+ mkdir $tmpdir;
+
+ my $name = "pve-ssh-ca";
+
+ PVE::Tools::run_command(['ssh-keygen', '-q', '-t', 'rsa', '-b', 2048,
+ '-N', '', '-f', "$tmpdir/$name",
+ '-C', 'PVE-SSH-CA']);
+
+ my $cmd = "cp '$tmpdir/$name' '$ssh_cluster_ca_priv'";
+ system($cmd) == 0 ||
+ die "cannot copy ssh CA file '$ssh_cluster_ca_priv'\n";
+
+ $cmd = "cp '$tmpdir/$name.pub' '$ssh_cluster_ca_cert'";
+ system($cmd) == 0 ||
+ die "cannot copy ssh CA cert '$ssh_cluster_ca_cert'\n";
+ };
+ my $err = $@;
+
+ rmtree $tmpdir;
+
+ die $err if $err;
+
+ return $ssh_ca_changes;
+}
+
sub update_serial {
my ($serial) = @_;
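Review bot: `mkdir $tmpdir;` is unchecked and the directory name under /tmp is predictable from the pid alone, so if it already exists (stale, or pre-created by a less-privileged local user) ssh-keygen writes the cluster CA private key into a directory this code neither created nor owns. Check the result and restrict the mode (`mkdir $tmpdir, 0700 or die ...`), or use File::Temp's `tempdir` instead of a hand-built path; the two `system("cp '...'")` calls also build shell strings where the list form avoids the shell and its quoting. Because `cp` without `-p` creates a new destination with the umask-derived mode, the copied private key could end up more readable than ssh-keygen's 0600 original unless the destination directory's permissions are enforced by the filesystem — worth confirming for `$ssh_cluster_ca_priv`, which is defined outside this hunk. The import on the first hunk would also read better as `use File::Path qw(rmtree);`, matching the explicit import lists around it.
```perl
    mkdir $tmpdir, 0700
        or die "unable to create temporary directory '$tmpdir': $!\n";
    # … unchanged: $name and ssh-keygen invocation …
    system('cp', "$tmpdir/$name", $ssh_cluster_ca_priv) == 0
        or die "cannot copy ssh CA file '$ssh_cluster_ca_priv'\n";
    system('cp', "$tmpdir/$name.pub", $ssh_cluster_ca_cert) == 0
        or die "cannot copy ssh CA cert '$ssh_cluster_ca_cert'\n";
```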
@@ -337,6 +375,9 @@ sub gen_pve_node_files {
# for CSRFR prevention
gen_pve_www_key();
+ # make sure we have a cluster wide SSH CA
+ gen_pve_ssh_ca();
+
# make sure we have a (per node) private key
gen_pve_ssl_key($nodename);
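Review bot: `gen_pve_ssh_ca();` is called here with no cluster-wide lock visible, so if gen_pve_node_files runs on several nodes at once each can generate its own CA and the last copy wins, silently replacing a key other nodes may already have used. The second `-s` check inside the eval of gen_pve_ssh_ca only helps if the caller serializes the generation; if the other cluster-wide generators in this file take a cfs lock, this call should sit under the same lock. The returned `$ssh_ca_changes` flag is discarded here — fine if a later patch in the series consumes it, otherwise the return value is dead. gen_pve_node_files starts and ends outside this hunk.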
--
2.1.4