[SOLVED] Can't connect to destination address using public key TASK ERROR: migration aborted

Mikepop

I've seen other posts related to this issue but I cannot see any clear solution.
root@int102:~# /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=int103' root@10.10.10.103 /bin/true
Host key verification failed.
root@int102:~# ssh 10.10.10.103
Linux int103 4.13.13-6-pve #1 SMP PVE 4.13.13-42 (Fri, 9 Mar 2018 11:55:18 +0100) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 22 14:08:43 2018

I have quorum and everything works except migration. I'm confused about the relations between /root/.ssh/known_hosts, /etc/pve/priv/known_hosts and /etc/ssh/ssh_known_hosts and how to sync them.

Regards
 

t.lamprecht

Proxmox Staff Member
Hi,

Are you on latest package versions?

If so, could you please run:
Code:
pvecm updatecerts
on both nodes?

If that does not help, could you additionally manually connect between the two nodes:
Code:
ssh -o "HostKeyAlias=NODENAME" root@NODEIP
Replace NODENAME/IP with the respective target node.

I'm confused about the relations between /root/.ssh/known_hosts, /etc/pve/priv/known_hosts and /etc/ssh/ssh_known_hosts and how to sync them.
We track the known cluster nodes over our shared cluster filesystem.

So we link a few seemingly local configuration files into the cluster file system:
Code:
/etc/ssh/ssh_known_hosts -> /etc/pve/priv/known_hosts
/root/.ssh/authorized_keys -> /etc/pve/priv/authorized_keys
The first above is for tracking if we connect to a legitimate node, i.e. no MITM or other tampering; we normally ensure that our own correct key gets synced there on cluster join and cluster filesystem start (i.e. every boot or cluster update). The latter is to know who is allowed to access us via public key authorization.
It looks like in your case the first step somehow failed, and thus the nodes do not trust ("know") each other on an SSH level; pvecm updatecerts should fix this.
(Sorry if over-explained, but maybe someone else finds this helpful too someday.)

Edit:
Oh, and we now use HostKeyAlias (node name, not its IP), as you see in my proposed command above, to avoid running into problems if the node's IP changes, or if a new network is added.
 

Mikepop

Thanks for the detailed answer Thomas, but pvecm updatecerts did not solve the issue, on all nodes:

root@int102:~# pvecm updatecerts
root@int102:~# /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=int103' root@10.10.10.103 /bin/true
Host key verification failed.

root@int102:~# ssh -o "HostKeyAlias=103" root@10.10.10.103
The authenticity of host '103 (10.10.10.103)' can't be established.
ECDSA key fingerprint is SHA256:OuSwK1+NwPw1XrL9la0MswUuvEvQGGAPmOFP0k/B1Vs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '103' (ECDSA) to the list of known hosts.
Linux int103 4.13.13-6-pve #1 SMP PVE 4.13.13-42 (Fri, 9 Mar 2018 11:55:18 +0100) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 23 08:30:06 2018


root@int102:~# /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=int103' root@10.10.10.103 /bin/true
Host key verification failed.

Regards
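
Added example, not part of the thread and not Proxmox's own code: a small check of which names a known_hosts file stores keys under, since with HostKeyAlias ssh looks the key up under the alias rather than the IP, plus a check that a file is the symlink the staff reply describes. The sample file and key blobs are constructed, and `known_host_has`, `alias_status`, `linked_to` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Exact-name matching on unhashed
# known_hosts entries only; for hashed "|1|..." entries use: ssh-keygen -F NAME -f FILE

# known_host_has FILE NAME: succeed if FILE holds a host key stored under NAME.
known_host_has() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $1 ~ /^@/ { next }              # @revoked / @cert-authority markers are not plain host keys
        {
            n = split($1, names, ",")   # first field: comma-separated host names
            for (i = 1; i <= n; i++)
                if (names[i] == want) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# alias_status FILE ALIAS IP: print how a "-o HostKeyAlias=ALIAS" lookup would fare.
# With HostKeyAlias set, ssh looks the key up under ALIAS, not under the IP.
alias_status() {
    if known_host_has "$1" "$2"; then
        echo "ok"
    elif known_host_has "$1" "$3"; then
        echo "ip-only"      # key is known, but stored under the IP, so the alias lookup fails
    else
        echo "missing"
    fi
}

# linked_to LINK TARGET: succeed if LINK is a symlink pointing at TARGET.
linked_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Constructed sample: keys stored under the IP and under "103", none under "int103".
make_sample() {
    cat > "$1" <<'EOF'
# constructed known_hosts sample, key blobs are placeholders
10.10.10.103 ecdsa-sha2-nistp256 CONSTRUCTED_KEY_A
103 ecdsa-sha2-nistp256 CONSTRUCTED_KEY_A
int102,10.10.10.102 ssh-rsa CONSTRUCTED_KEY_B
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); make_sample "$f"
    alias_status "$f" int103 10.10.10.103   # ip-only
    alias_status "$f" int102 10.10.10.102   # ok
    rm -f "$f"
fi
```

On a cluster node, `linked_to /etc/ssh/ssh_known_hosts /etc/pve/priv/known_hosts` checks the first link named in the staff reply, and `alias_status /etc/pve/priv/known_hosts NODENAME NODEIP` shows whether the alias lookup can succeed.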
 
