Tested cluster creation with three new nodes on 8.1 and the patches.
Cluster creation and further SSH communication (e.g. migration) worked flawlessly.


Tested-by: Hannes Duerr <h.du...@proxmox.com>

On 1/11/24 11:51, Fabian Grünbichler wrote:
this series replaces the old mechanism that used a cluster-wide merged known
hosts file with distributing of each node's host key via pmxcfs, and pinning
the distributed key explicitly for internal SSH connections.

the main changes in pve-cluster somewhat break the old manager and
storage versions, but only when such a partial upgrade is mixed with a
host key rotation of some sort.

pve-storage uses a newly introduced helper, so needs a versioned
dependency accordingly.

the last pve-docs patch has a placeholder for the actual version shipping the
changes which needs to be replaced when applying.

there's still some potential for follow-ups:
- 'pvecm ssh' wrapper to debug and/or re-use the host key pinning (and other
   future changes)
- also add non-RSA host keys
- key (and thus authorized keys) and/or sshd disentangling (this
   potentially also affects external access, so might be done on a major
   release to give more heads up)

cluster:

Fabian Grünbichler (4):
   fix #4886: write node SSH hostkey to pmxcfs
   fix #4886: SSH: pin node's host key if available
   ssh: expose SSH options on their own
   pvecm: stop merging SSH known hosts by default

  src/PVE/CLI/pvecm.pm     | 10 ++++++++--
  src/PVE/Cluster/Setup.pm | 24 +++++++++++++++++++++---
  src/PVE/SSHInfo.pm       | 31 +++++++++++++++++++++++++++----
  3 files changed, 56 insertions(+), 9 deletions(-)

docs:

Fabian Grünbichler (2):
   ssh: make pitfalls a regular section instead of block
   ssh: document PVE-specific setup

  pvecm.adoc | 26 +++++++++++++++++++++-----
  1 file changed, 21 insertions(+), 5 deletions(-)

manager:

Fabian Grünbichler (2):
   vnc: use SSH command helper
   pvesh: use SSH command helper

  PVE/API2/Nodes.pm | 3 ++-
  PVE/CLI/pvesh.pm  | 4 ++--
  2 files changed, 4 insertions(+), 3 deletions(-)

storage:

Fabian Grünbichler (1):
   upload: use SSH helper to get ssh/scp options

  src/PVE/API2/Storage/Status.pm | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
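
The mechanism the cover letter describes (each node publishes its own host key, and internal SSH connections pin that key when it is available), as an added example that is not code from the patch series. `PIN_ROOT`, the per-node file name and the function names are assumptions, and the OpenSSH options shown are one way to pin a single key.

```shell
#!/bin/sh
# Added example, not Proxmox code. PIN_ROOT and the per-node file layout are
# placeholders: the page does not say where the keys live in pmxcfs.
PIN_ROOT="${PIN_ROOT:-/path/to/cluster-fs}"

# pin_path NODE: known_hosts-format file that holds only NODE's host key.
pin_path() {
    printf '%s/%s/ssh_known_hosts\n' "$PIN_ROOT" "$1"
}

# publish_host_key NODE PUBKEY_FILE: what each node does for its own key.
# Turns "ssh-rsa AAAA... comment" into the known_hosts line "NODE ssh-rsa AAAA...".
publish_host_key() {
    node="$1"; pub="$2"
    keytype=""; keydata=""
    # read fails on a missing trailing newline; accept the line if it parsed.
    read -r keytype keydata _comment < "$pub" || [ -n "$keytype" ]
    [ -n "$keytype" ] && [ -n "$keydata" ] || return 1
    mkdir -p "$(dirname "$(pin_path "$node")")"
    printf '%s %s %s\n' "$node" "$keytype" "$keydata" > "$(pin_path "$node")"
}

# node_ssh_opts NODE: options for an internal connection, one word per line.
node_ssh_opts() {
    node="$1"; pinned="$(pin_path "$node")"
    # Look the key up under the node name, whatever address is dialled.
    printf '%s\n' -o "HostKeyAlias=$node"
    if [ -s "$pinned" ]; then
        # Pinned: trust only this node's distributed key, ignore every other
        # known_hosts source, and never prompt for or learn a new key.
        printf '%s\n' -o "UserKnownHostsFile=$pinned" \
                      -o GlobalKnownHostsFile=none \
                      -o StrictHostKeyChecking=yes
    fi
    # Not pinned (key not distributed yet): ssh's configured known_hosts
    # files still apply, so a partially upgraded cluster keeps working.
}
```

Because only the target node's own key is consulted once it is published, a stale entry for that node in any other known_hosts file no longer affects the connection after a host key rotation.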
