This series replaces the old mechanism that used a cluster-wide merged known hosts file with distributing each node's host key via pmxcfs, and pinning the distributed key explicitly for internal SSH connections.
The main changes in pve-cluster somewhat break the old manager and storage versions, but only when such a partial upgrade is mixed with a host key rotation of some sort. pve-storage uses a newly introduced helper, so needs a versioned dependency accordingly. The last pve-docs patch has a placeholder for the actual version shipping the changes which needs to be replaced when applying.

There's still some potential for follow-ups:
- 'pvecm ssh' wrapper to debug and/or re-use the host key pinning (and other future changes)
- also add non-RSA host keys
- key (and thus authorized keys) and/or sshd disentangling (this potentially also affects external access, so might be done on a major release to give more heads up)

cluster:

Fabian Grünbichler (4):
  fix #4886: write node SSH hostkey to pmxcfs
  fix #4886: SSH: pin node's host key if available
  ssh: expose SSH options on their own
  pvecm: stop merging SSH known hosts by default

 src/PVE/CLI/pvecm.pm     | 10 ++++++++--
 src/PVE/Cluster/Setup.pm | 24 +++++++++++++++++++++---
 src/PVE/SSHInfo.pm       | 31 +++++++++++++++++++++++++++----
 3 files changed, 56 insertions(+), 9 deletions(-)

docs:

Fabian Grünbichler (2):
  ssh: make pitfalls a regular section instead of block
  ssh: document PVE-specific setup

 pvecm.adoc | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

manager:

Fabian Grünbichler (2):
  vnc: use SSH command helper
  pvesh: use SSH command helper

 PVE/API2/Nodes.pm | 3 ++-
 PVE/CLI/pvesh.pm  | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

storage:

Fabian Grünbichler (1):
  upload: use SSH helper to get ssh/scp options

 src/PVE/API2/Storage/Status.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.39.2
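As an added illustration of the "distribute the node's host key, then pin it for internal connections" idea described above (example code, not from this series or from pve-cluster): the per-node file layout under the cluster filesystem, the sample host key and the exact ssh options chosen are assumptions.

```shell
#!/bin/sh
# Added example, not the pve-cluster implementation. Assumed layout: each node's
# public host key is published as <cfs_root>/nodes/<node>/ssh_known_hosts and
# internal ssh/scp invocations consult only that file.

# Constructed sample host key, as read from /etc/ssh/ssh_host_rsa_key.pub
SAMPLE_HOSTKEY='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYDATA= root@pve1'

# write_node_known_hosts <node> <pubkey-line> <cfs_root>
# Publish this node's key as a one-line known_hosts file: "<node> <type> <key>".
# The trailing comment of the .pub file is dropped; prints the file path.
write_node_known_hosts() {
    node="$1"; pubkey="$2"; cfs_root="$3"
    keytype=${pubkey%% *}          # first field: key type
    rest=${pubkey#* }
    keydata=${rest%% *}            # second field: base64 key blob
    mkdir -p "$cfs_root/nodes/$node"
    printf '%s %s %s\n' "$node" "$keytype" "$keydata" \
        > "$cfs_root/nodes/$node/ssh_known_hosts"
    echo "$cfs_root/nodes/$node/ssh_known_hosts"
}

# pinned_ssh_opts <node> <cfs_root>
# Option string that pins the distributed key: only the per-node file is
# consulted (global file disabled), the lookup key is the node name regardless
# of the address dialled, and any mismatch is a hard failure, not a prompt.
pinned_ssh_opts() {
    node="$1"; cfs_root="$2"
    kh="$cfs_root/nodes/$node/ssh_known_hosts"
    echo "-o UserKnownHostsFile=$kh -o GlobalKnownHostsFile=/dev/null -o HostKeyAlias=$node -o StrictHostKeyChecking=yes"
}

# Stand-alone run: publish the sample key and show the resulting options.
if [ "${1:-}" = "demo" ]; then
    demo_root=$(mktemp -d)
    write_node_known_hosts pve1 "$SAMPLE_HOSTKEY" "$demo_root"
    echo "ssh $(pinned_ssh_opts pve1 "$demo_root") root@pve1 true"
    rm -rf "$demo_root"
fi
```

The same option string is what a `scp` call would receive, which is why the series moves option construction into a shared helper.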