PMG cluster without root SSH connection

NathanD

Member
Nov 29, 2019
Hi,

I've two PMG servers and they are stand-alone. Now I would like to make a cluster of them, but the state keeps syncing.
So I ran the pmgcm sync command to gather more information.

The issue is clear to me, but not the solution or a workaround:

syncing master configuration from 'xxx.xxx.xxx.xxx'
root@xxx.xxx.xxx.xxx: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
syncing master configuration from 'xxx.xxx.xxx.xxx' failed: rsync error: error in rsync protocol data stream (code 12) at io.c(231) [Receiver=3.2.7]

The message is correct because PermitRootLogin on all my servers is set to no, and an alternative user is used which has sudo rights to become root.
I can't imagine the Proxmox team doesn't have a better solution than using root to sync for the cluster setup. If it were a one-time-only sync, I could temporarily change PermitRootLogin to yes, but because the configuration needs to stay in sync, that is not an option.

Any ideas?
 
I could temporarily change PermitRootLogin to yes
The usual way is to enable SSH-key-only: "PermitRootLogin prohibit-password" - this way the root password cannot get brute-forced.

Works for me. (For other machines, mostly on Debian; PMG should be the same in this aspect.)

That said: of course the recommendation in these sad times is to avoid ports open to the public at all. I use (handcrafted) WireGuard connections on external systems to allow dedicated access without that exposure. Your choice...
 
WARNING: do this only if you are brave enough (and have backups)! It is EASY to destroy the whole system (software-wise) with a single "wrong" command!

Quick-n-dirty, may be incomplete:
  • open a root shell on the server
  • use your favorite editor to edit /etc/ssh/sshd_config
  • search for #PermitRootLogin prohibit-password and remove the very first character "#"
  • exit the editor
  • restart the ssh daemon with ~# systemctl restart ssh
The result is that you need to have an SSH key. You'll find tutorials to create a new one "out there".

Add your new key to /root/.ssh/authorized_keys.

That key should have a password. If you do not want to type it in every time, search for "ssh-agent".
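As an added example that is not part of any post in this thread: a small POSIX shell script that carries out the steps above in a repeatable way. It sets PermitRootLogin to prohibit-password (replacing the commented default or appending the directive if it is missing), installs the public key used for the cluster sync without duplicating it, and refuses to restart sshd unless the edited config passes `sshd -t`. It assumes the Debian paths /etc/ssh/sshd_config and /root/.ssh/authorized_keys and the `ssh` service name from the list above; the key line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not the original poster's or Proxmox's code.
# Goal: let root log in with a key only (what pmgcm sync needs for its rsync
# over ssh) while keeping password logins for root impossible.
set -eu

# set_permit_root_login <sshd_config> <value>
# Replaces every PermitRootLogin line (commented or not) with the given value,
# or appends one when the file has none. Running it twice changes nothing.
# Caveat: a PermitRootLogin inside a "Match" block would be rewritten as well;
# check the file by hand if you use Match blocks.
set_permit_root_login() {
    cfg="$1"; value="$2"; tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin ${value}/" "$cfg" > "$tmp"
        cat "$tmp" > "$cfg"      # cat, not mv: keeps the file's owner and mode
    else
        cat "$cfg" > "$tmp"
        printf 'PermitRootLogin %s\n' "$value" >> "$tmp"
        cat "$tmp" > "$cfg"
    fi
    rm -f "$tmp"
}

# effective_permit_root_login <sshd_config>
# Prints the first active PermitRootLogin value (sshd uses the first match),
# or a marker if the file leaves the directive unset.
effective_permit_root_login() {
    awk 'tolower($1)=="permitrootlogin" {print $2; found=1; exit}
         END {if (!found) print "(unset: sshd default)"}' "$1"
}

# add_authorized_key <authorized_keys> <public key line>
# Appends the key once, creating the file with mode 0600 so sshd accepts it.
add_authorized_key() {
    keyfile="$1"; pubkey="$2"
    mkdir -p "$(dirname "$keyfile")"
    touch "$keyfile"
    chmod 600 "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# apply_on_host: the real run, only when invoked as "script.sh --apply".
# Validates the config before restarting so a typo cannot lock you out.
apply_on_host() {
    cfg=/etc/ssh/sshd_config
    # Constructed placeholder: put the real public key of the sync peer here.
    sync_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREALxxxxxxxxxxxx pmg-sync'
    set_permit_root_login "$cfg" prohibit-password
    add_authorized_key /root/.ssh/authorized_keys "$sync_key"
    sshd -t -f "$cfg"                  # syntax check; exits non-zero on error
    systemctl restart ssh
    # Show what sshd actually enforces, including sshd_config.d/*.conf overrides.
    sshd -T | grep -i '^permitrootlogin'
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

Run it as root with `--apply`; without the flag it only defines the functions. On current Debian the main sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd takes the first PermitRootLogin it sees, so a drop-in file there wins over the edit made here. That is why the last line checks `sshd -T` instead of trusting the file.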