Cluster fingerprint, join information and SSH keys

jimpd

New Member
Nov 20, 2019
Hi all
Where exactly is the "cluster fingerprint" generated from? As far as I can see it is not something from the SSH public key.
Also the join information code, from what is it? Is it just some random string? Where is it stored?

How would I get both pieces of information via the CLI?

Which SSH key is used after the initial connection with the root password? The generated one, ~/.ssh/id_rsa? Or /etc/pve/priv/authkey.key?
 
  • "Cluster fingerprint" is the SHA-256 fingerprint of the SSL (HTTPS) certificate (necessary since the cluster join happens via the HTTP API)
  • Join Information is just some JSON data encoded as base64. Try the following: echo "<join info string>" | base64 -d
    • You do not need these for joining a node via CLI, you can just do pvecm add <cluster-node-ip> and manually verify the key shown in the terminal
  • '~/.ssh/id_rsa' is used when you type 'ssh' yourself; for cluster commands '/etc/pve/priv/authkey.key' is used. Both are authorized: if you run ls -l ~/.ssh you will see that 'authorized_keys' points to '/etc/pve/priv/authorized_keys', which contains the public keys for all of the above.
Hope that helps!
 
No, certain commands still use SSH instead of the HTTP API internally. These will fail if public key authentication via the standard 'ssh' command doesn't work. Why bother deleting it at all though?
 
/etc/pve/priv/authkey.key is not used for SSH at all; it's used by the ticket authentication mechanism.
 
Can you elaborate this a bit more?
It hopefully does not mean Proxmox staff members can access the server if I were to write a ticket?
 

Sure. PVE uses a ticket mechanism for login sessions. Whenever a user logs in via the API/GUI, they get a ticket (a signed blob containing a timestamp of the login and the userid). This ticket is valid for at most 2 hours. Within that timeframe, the user can request another ticket using the one they already have, to extend their login session. If they don't, their session automatically expires and they need to re-login using username+password (+ optionally, a second factor). The ticket needs to be transmitted as an HTTP cookie on all authenticated API requests (which are basically all of them, except those needed to get the information for logging in).

The authkey is the RSA key used to sign those tickets (and other, special tickets for VNC and Spice). It gets rotated automatically once a day. This ticketing mechanism has nothing to do with enterprise support tickets, and of course, Proxmox staff does not have access to any data or keys stored on your system unless you explicitly provide such access to them.
 