Hi,
we use ssh certificates (aka signed host keys) in our server infrastructure. Thus we would like to set the permissions of /etc/ssh/ssh_known_hosts (which is a symlink to /etc/pve/priv/known_hosts, which is located on proxmox cluster file system) to world readable: "chmod 644 /etc/pve/priv/known_hosts".
Is pmcfs permission aware? If so, how can the permissions be changed?
Is it safe/supported to remove the symlink and use /etc/ssh/ssh_known_hosts directly? Are there any serious side-effects foreseeable regarding proxmox?
Note:
Using ssh certificates there is no need to synchronize /etc/ssh/ssh_known_hosts anymore: Using ssh certificates /etc/ssh/ssh_known_hosts' content becomes constant throughout the infrastructure (restricted to a cluster, a vlan, or all vlans/subdomain is up to you). Getting rid of each user's need to manage ~/.ssh/known_hosts is another huge advantage when deploying ssh certificates. Our /etc/ssh/ssh_known_hosts (on regular Debian systems) contains only one line that looks similar to this on _every_ host:
Code:
@cert-authority *.subdomainX.example.net,*subdomainY.example.net,subdom... ssh-ed25519 <SSH-CA-PUBKEY_SIGNATURE> <SSH-CA-Key-Comment>
But currently, as long as this line isn't world readable, this setup is of very limited use: only root-logins profit, a non-root (for example an ansible user account) can't access /etc/ssh/ssh_known_hosts, thus the host key authentication fails!
Conclusion:
Independent of the use of ssh certificates I suggest setting /etc/ssh/ssh_known_hosts world readable by default. And no, world readability doesn't harm, neither in regard of security, nor in regard of privacy - at least as long as the hostkeys are stored along hashed hostnames (which is the default in current Debian/Proxmox releases).
What do you think?
Best regards,
proxmix
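
An added example, not part of the original post: a small audit for the setup described above. It resolves the symlink, reports which path component denies the "other" permission class, and checks whether a `@cert-authority` line covers a given hostname. The function names, the `base` parameter and the sample line are assumptions made for illustration; only plain mode bits are inspected (no ACLs, no filesystem-specific enforcement).

```python
import os
import re
import stat

def blocking_component(path, base=os.sep):
    """Follow symlinks, then return the first path component below `base`
    that the "other" permission class cannot use (x on directories, r on
    the file), or None when a non-root account can read the file."""
    real, current = os.path.realpath(path), os.path.realpath(base)
    parts = os.path.relpath(real, current).split(os.sep)
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        needed = stat.S_IROTH if i == len(parts) - 1 else stat.S_IXOTH
        if not os.stat(current).st_mode & needed:
            return current
    return None

def ca_covers(line, hostname):
    """True if `line` is a @cert-authority entry whose host pattern list
    matches `hostname` ('*', '?' wildcards and '!' negation only; a
    simplified model of OpenSSH matching, hashed names not handled)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "@cert-authority":
        return False
    matched = False
    for pattern in fields[1].split(","):
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        rx = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, hostname, re.IGNORECASE):
            if negated:
                return False
            matched = True
    return matched

# Constructed sample line; key and comment are placeholders.
SAMPLE = ("@cert-authority *.subdomainX.example.net,*subdomainY.example.net "
          "ssh-ed25519 PLACEHOLDER_CA_PUBKEY example-ca")

if __name__ == "__main__":
    target = "/etc/ssh/ssh_known_hosts"
    if os.path.exists(target):
        print("blocked at:", blocking_component(target))
    print(ca_covers(SAMPLE, "node1.subdomainX.example.net"))
```

A pattern written without a dot after `*` also matches any hostname that merely ends in that string, so each entry in the CA's pattern list is worth checking against names that should not be trusted.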