[pve-devel] [PATCH cluster 2/4] fix #4886: SSH: pin node's host key if available
Esi Y
esiy0676+proxmox at gmail.com
Mon Jan 15 12:07:21 CET 2024
On Thu, Jan 11, 2024 at 11:51:16AM +0100, Fabian Grünbichler wrote:
> if the target node has already stored their SSH host key on pmxcfs, pin it and
> ignore the global known hosts information.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> src/PVE/SSHInfo.pm | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/SSHInfo.pm b/src/PVE/SSHInfo.pm
> index c351148..fad23bf 100644
> --- a/src/PVE/SSHInfo.pm
> +++ b/src/PVE/SSHInfo.pm
> @@ -49,11 +49,24 @@ sub get_ssh_info {
>
> sub ssh_info_to_command_base {
> my ($info, @extra_options) = @_;
> +
> + my $nodename = $info->{name};
> +
> + my $known_hosts_file = "/etc/pve/nodes/$nodename/ssh_known_hosts";
> + my $known_hosts_options = undef;
> + if (-f $known_hosts_file) {
> + $known_hosts_options = [
> + '-o', "UserKnownHostsFile=$known_hosts_file",
> + '-o', 'GlobalKnownHostsFile=none',
why does Global need to be none, even as this only applies if the snippet exists?
> + ];
> + }
> +
> return [
> '/usr/bin/ssh',
> '-e', 'none',
> '-o', 'BatchMode=yes',
> - '-o', 'HostKeyAlias='.$info->{name},
> + '-o', 'HostKeyAlias='.$nodename,
> + defined($known_hosts_options) ? @$known_hosts_options : (),
> @extra_options
> ];
> }
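Review bot: the `-f $known_hosts_file` test in `ssh_info_to_command_base` only establishes that the file exists, yet from that point the pinned file becomes the sole trust source because `GlobalKnownHostsFile=none` is added alongside it. If the snippet is empty or has no entry matching the `HostKeyAlias`, ssh has nothing to verify against and cannot prompt under `BatchMode=yes`. Consider testing for a non-empty file (`-s`) or for an entry for `$nodename` before switching over. A short comment above the `$known_hosts_options` block would also help, stating that the global file is disabled on purpose so only the node's own key is accepted, and that these options are placed ahead of `@extra_options` so that a caller-supplied `UserKnownHostsFile` does not take precedence (ssh uses the first value it obtains for an option).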
> --
> 2.39.2