[pve-devel] [PATCH docs 2/2] ssh: document PVE-specific setup

Esi Y esiy0676+proxmox at gmail.com
Fri Jan 12 13:33:05 CET 2024


On Thu, Jan 11, 2024 at 11:51:20AM +0100, Fabian Grünbichler wrote:
> such as adapted configs and managed files.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> Notes: actual version needs to be inserted!
> 
>  pvecm.adoc | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/pvecm.adoc b/pvecm.adoc
> index 5b5b27b..3a32cfb 100644
> --- a/pvecm.adoc
> +++ b/pvecm.adoc
> @@ -918,6 +918,24 @@ transfer memory and disk contents.
>  
>  * Storage replication
>  
> +SSH setup
> +~~~~~~~~~
> +
> +On {pve} systems, the following changes are made to the SSH configuration/setup:
> +
> +* the `root` user's SSH client config gets setup to prefer `AES` over `ChaCha20`
> +
> +* the `root` user's `authorized_keys` file gets linked to
> +  `/etc/pve/priv/authorized_keys`, merging all authorized keys within a cluster

Will you be opening a new fix # thread on this one or intending to keep it as-is (even as the known_hosts changes are rolled out)?

> +
> +* `sshd` is configured to allow logging in as root with a password
> +
> +NOTE: Older systems might also have `/etc/ssh/ssh_known_hosts` set up as symlink
> +pointing to `/etc/pve/priv/known_hosts`, containing a merged version of all
> +node host keys. This system was replaced with explicit host key pinning in
> +`pve-cluster <<INSERT VERSION>>`, the symlink can be deconfigured if still in
> +place by running `pvecm updatecerts --unmerge-known-hosts`.
> +
>  Pitfalls due to automatic execution of `.bashrc` and siblings
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  
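Review bot: the NOTE in this hunk still ships the literal `<<INSERT VERSION>>` placeholder after `pve-cluster`, and the cover note already flags that the real version has to go in; please fill it before this is applied, otherwise the rendered page tells admins to compare against a placeholder. The same NOTE is also a comma splice: "...host key pinning in `pve-cluster <<INSERT VERSION>>`, the symlink can be deconfigured..." reads better as two sentences ("... host key pinning in `pve-cluster <<INSERT VERSION>>`. If the symlink is still in place, it can be removed by running `pvecm updatecerts --unmerge-known-hosts`."). Two smaller wording points in the bullet list: "gets setup" should be "is set up" (twice), and since the third bullet documents that `sshd` allows root login with a password, it would help readers to state that this is deliberate on {pve} and to point at where an administrator who wants to restrict it after cluster setup should look, so the reduced protection of the root account is not simply listed as a fact without context.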
> -- 
> 2.39.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
