authorized_keys file has unknown keys

K

Killua_148

New Member
May 18, 2023
5
0
1
Hi, today I looked through /root/.ssh/authorized_keys and there were 3 keys:

1) ssh-rsa from root@pve
2) ssh-rsa from my desktop (from where I usually manage proxmox)
3) ssh-ed25519 from u0_a129@localhost

Now, I recognize the 2nd key, but what about the 1st and 3rd keys?
I read somewhere that proxmox use ssh to manage cluster with multiple nodes, but mine is a simple setup with just one node.

Can (should) I remove those keys?
 
The first one is probably the one created by PVE (in case your node is named "pve").
If you didn`t installed the 3rd one yourself (or some scripts/packages you installed) you shouldn't only remove that key but also check if your host got comprimized.
 
Dunuin said:
The first one is probably the one created by PVE (in case your node is named "pve").
If you didn`t installed the 3rd one yourself (or some scripts/packages you installed) you shouldn't only remove that key but also check if your host got comprimized.
Click to expand...
My node is not called pve (`hostname` gives a different output)

The third key, being called localhost, makes me think some package installed it, but I have really few manually installed bare metal. I need to check whether Tailscale could be the culprit.

I doubt my host has been compromised, mainly because it's not exposed directly to the internet (even though the VMs are), meaning no port 22 forwarding ecc, and it's just a personal server... But who knows. Are there any logs for ssh I can check?
 
From the logs I can see that the first ever accesses were for pve indeed, so I probably renamed the node some time ago and I forgot. That means the first key should be fine.

Also, no logs for the third key, but this doesn't matter much, since if the system really is compromised, then the attacker could have removed the log.

For the third key, I'll just remove it and hope something will stop working, so that I can figure out which packages (if any) put it there.

Tailscale docs clearly says that it doesn't edit authorized_keys file
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back