Does Proxmox add authorized_keys on its own to root? Should I be worried?

Panoramic

Aug 9, 2024
Yesterday I installed Proxmox for the first time. I'm still learning how it works and watching tutorials.

I have a question though.

Today while adding my ssh key in authorized_keys, I found a new key, with the label root@<MyHostname>. I added my key, commented it out, rebooted, and the key came back. Is this proxmox? Or have I been compromised somehow?

I still barely did anything with Proxmox, no backups or clusters. I just created a VM and added the firewall. And all this is happening in my home network (no public access), which is also supposedly secure. I'm worried I messed something up. In what circumstances does Proxmox add authorized_keys to root? How can I track these keys?

Thank you.
 
See: https://pve.proxmox.com/wiki/Cluster_Manager#_role_of_ssh_in_proxmox_ve_clusters

SSH setup

On Proxmox VE systems, the following changes are made to the SSH configuration/setup:
  • the root user’s SSH client config gets setup to prefer AES over ChaCha20
  • the root user’s authorized_keys file gets linked to /etc/pve/priv/authorized_keys, merging all authorized keys within a cluster
  • sshd is configured to allow logging in as root with a password

Yeah, so keep it on the private network.

How can I track these keys?

PVE is not concerned about security, so - keep it separate.

https://bugzilla.proxmox.com/show_bug.cgi?id=5060
https://bugzilla.proxmox.com/show_bug.cgi?id=4670
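
For the question of how to track these keys, an added example (not part of the thread and not Proxmox code): a Python script that lists every key in an authorized_keys file, commented-out ones included, with the SHA256 fingerprint in the form `ssh-keygen -l` prints, and, when given a path, shows where the file really resolves to (per the documentation quoted above, root's file is linked to /etc/pve/priv/authorized_keys). The sample blobs and the names pve1 and admin@laptop are constructed.

```python
import base64
import hashlib
import os
import sys

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # start of the key-type field
# Constructed sample: placeholder blobs, not real keys; host "pve1" is made up.
_b = lambda s: base64.b64encode(s).decode()
SAMPLE = (
    f"ssh-rsa {_b(b'constructed-node-key')} root@pve1\n"
    f"# ssh-ed25519 {_b(b'constructed-old-key')} root@pve1\n"
    f'from="192.0.2.10" ssh-ed25519 {_b(b"constructed-admin-key")} admin@laptop\n'
    "# plain comment, not a key\n"
)

def parse_authorized_keys(text):
    """Return one dict per key line, including keys that are commented out."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        fields = line.lstrip("# ").split()
        # Skip a leading options field (from=..., command=...) by locating the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # blank line or ordinary comment
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # field after the key type is not a base64 key blob
        digest = hashlib.sha256(blob).digest()
        entries.append({
            "line": lineno,
            "active": not line.startswith("#"),
            "type": fields[idx],
            "options": " ".join(fields[:idx]),
            "comment": " ".join(fields[idx + 2:]),
            # Unpadded base64 of the SHA-256 digest of the decoded key blob.
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        })
    return entries

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:  # e.g. /root/.ssh/authorized_keys on the node
        print(f"{sys.argv[1]} -> {os.path.realpath(sys.argv[1])}")  # symlink target
        with open(sys.argv[1]) as fh:
            text = fh.read()
    for e in parse_authorized_keys(text):
        state = "active" if e["active"] else "commented"
        print(e["line"], state, e["type"], e["fingerprint"], e["comment"])
```

Saving the output and diffing it after a reboot or a cluster join shows exactly which key was added or restored; the comment field is free text, so match on the fingerprint rather than on the label.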
 
I am curious to know why sshd is configured to allow password logon in this scenario. I was recently trying to figure out how to disable root ssh with password and came across the same note in the documentation. So essentially, as I read this, there is some need to allow root password SSH (despite the presence of not only a root key, but a key for every other node in the cluster). I have my entire cluster behind an external firewall, but was looking to make root access via ssh a little more secure. I will need to become more familiar with the pve firewall settings for my cluster and nodes (something that I still find a little confusing), to try to restrict ssh login (if even possible in a cluster environment).

Any advice is much appreciated.
 
I am curious to know why sshd is configured to allow password logon in this scenario.

No good reason, really.

I was recently trying to figure out how to disable root ssh with password and came across the same note in the documentation. So essentially, as I read this, there is some need to allow root password SSH

Not really, you can set prohibit-password, it will continue to work. It is just unfortunate wording, same was once true for Q Device setup [1].

(despite the presence of not only a root key, but a key for every other node in the cluster).

There are, however, some pitfalls from the lack of planning [2]. This of course is best solved by your own AuthorizedKeysFile directive in the config.

I have my entire cluster behind an external firewall, but was looking to make root access via ssh a little more secure. I will need to become more familiar with the pve firewall settings

I would not bother [3].

for my cluster and nodes (something that I still find a little confusing),

The use of SSH for intra-cluster comms will remain confusing [4].

to try to restrict ssh login (if even possible in a cluster environment).

You cannot disable it completely, that's just how PVE was designed.

Any advice is much appreciated.

I can only suggest putting it completely on separate VLAN for management. Yes, this is not explicitly documented to this day [5].

Also, please add yourself (or anyone, really) to the BZ reports, if you care for any of these, otherwise I will keep receiving complaints about posting too much of them.

[1] https://bugzilla.proxmox.com/show_bug.cgi?id=5140
[2] https://forum.proxmox.com/threads/b...otlogin-prohibit-password.154806/#post-705080
[3] https://bugzilla.proxmox.com/show_bug.cgi?id=5759
[4] https://bugzilla.proxmox.com/show_bug.cgi?id=5170
[5] https://bugzilla.proxmox.com/show_bug.cgi?id=5816
 
I am curious to know why sshd is configured to allow password logon in this scenario.
You need(ed) ssh to add/join a node to a cluster with a password, the key is linked after joining the cluster. The cluster add/join code has been rewritten to do this via the API, yet the ssh way is still working. It was stated that removing ssh as the underlying technique is actively being worked on.
 
You need(ed) ssh to add/join a node to a cluster with a password, the key is linked after joining the cluster. The cluster add/join code has been rewritten to do this via the API, yet the ssh way is still working. It was stated that removing ssh as the underlying technique is actively being worked on.

So funnily, if you have your keys recognized by the existing cluster member (that you want to join) - this could be from injecting through installer or otherwise - you actually do NOT need to keep the cluster nodes exposed with PermitRootLogin other than prohibit-password.

You can join a cluster with pvecm add existing_member --use_ssh, as you would expect, it won't ask (other than confirm remote host fingerprint if you had not copied that).

This is one more reason to use SSH certificates for production infrastructure. Also, you really do not need the pvecm tooling for a node to join cluster, so even if they break the SSL API some more in the future, this does not matter all that much.
 
