[pve-devel] [RFC container v2 2/3] setup: base: remove existing ssh host keys
Daniel Kral
d.kral at proxmox.com
Fri Jul 4 20:23:35 CEST 2025
Remove existing SSH host keys after container creation to prevent
multiple containers sharing the same SSH host keys, especially those
which are not overwritten/generated by rewrite_ssh_host_keys() later.
This is called in the Base's post_create_hook(...) to prevent unwanted
removal for certain types of containers, e.g., unmanaged containers.
Signed-off-by: Daniel Kral <d.kral at proxmox.com>
---
Because of the HA Rules stuff, I unfortunately didn't get the time to
properly test these with any container images, but wanted to send them
anyway.
src/PVE/LXC/Setup/Base.pm | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index dbfc775..ea6f598 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -466,6 +466,30 @@ sub set_user_password {
}
}
+sub remove_existing_ssh_host_keys {
+ my ($self) = @_;
+
+ my $ssh_rootdir = "$self->{rootdir}/etc/ssh";
+
+ return if !-d $ssh_rootdir;
+
+ PVE::Tools::dir_glob_foreach(
+ $ssh_rootdir,
+ qr/ssh_host_.*/,
+ sub {
+ my ($key_filename) = @_;
+
+ next if $self->ct_is_file_ignored($key_filename);
+
+ print "Remove existing ssh host key '$key_filename' ...\n";
+
+ $self->protected_call(sub {
+ $self->ct_unlink($key_filename);
+ });
+ },
+ );
+}
+
my $parse_home_dir = sub {
my ($self, $passwdfile, $user) = @_;
@@ -687,6 +711,7 @@ sub post_create_hook {
&$randomize_crontab($self, $conf);
$self->set_user_password($conf, 'root', $root_password);
+ $self->remove_existing_ssh_host_keys();
$self->set_user_authorized_ssh_keys($conf, 'root', $ssh_keys) if $ssh_keys;
$self->setup_init($conf);
$self->setup_network($conf);
--
2.39.5
More information about the pve-devel
mailing list