[pve-devel] [PATCH cluster/manager/storage/docs 0/9] fix #4886: improve SSH handling
Esi Y
esiy0676+proxmox at gmail.com
Fri Jan 12 15:09:54 CET 2024
On Fri, Jan 12, 2024 at 01:12:50PM +0100, Fabian Grünbichler wrote:
> On January 11, 2024 11:51 am, Fabian Grünbichler wrote:
> > this series replaces the old mechanism that used a cluster-wide merged known
> > hosts file with distributing of each node's host key via pmxcfs, and pinning
> > the distributed key explicitly for internal SSH connections.
> >
> > the main changes in pve-cluster somewhat break the old manager and
> > storage versions, but only when such a partial upgrade is mixed with a
> > host key rotation of some sort.
> >
> > pve-storage uses a newly introduced helper, so needs a versioned
> > dependency accordingly.
> >
> > the last pve-docs patch has a placeholder for the actual version shipping the
> > changes which needs to be replaced when applying.
> >
> > there's still some potential for follow-ups:
> > - 'pvecm ssh' wrapper to debug and/or re-use the host key pinning (and other
> > future changes)
> > - also add non-RSA host keys
> > - key (and thus authorized keys) and/or sshd disentangling (this
> > potentially also affects external access, so might be done on a major
> > release to give more heads up)
>
> and one fixup that I just realized thanks to talking to Hannes D. - the
> cluster create API call will also merge the known hosts, that call
> should also be removed if we remove it from `pvecm updatecerts`.
Not sure where to add this here, but FWIW, from the perspective of an unsuspecting passerby, `pvecm updatecerts` will be doing something with certs, i.e. SSL certs. I would expect either an extra command for SSH keys or, if not, that it somehow behaves consistently, e.g. the current --force does nothing for SSH keys. In the docs, there's no mention of SSH even on this command.