PMG cluster without root SSH connection

NathanD

Member
Nov 29, 2019
Hi,

I have two PMG servers and they are stand-alone. Now I would like to make a cluster of them, but the state keeps syncing.
So, I ran the pmgcm sync command to gather more information.

The issue is clear to me, but not the solution, such as a workaround:

syncing master configuration from 'xxx.xxx.xxx.xxx'
root@xxx.xxx.xxx.xxx: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
syncing master configuration from 'xxx.xxx.xxx.xxx' failed: rsync error: error in rsync protocol data stream (code 12) at io.c(231) [Receiver=3.2.7]

The message is correct because PermitRootLogin on all my servers is set to no, and an alternative user is used which has sudo rights to become root.
I couldn't imagine the Proxmox team hasn't a better solution than using root to sync for the cluster setup. When it was a one-time-only sync, I could temporarily change PermitRootLogin to yes, but because the configuration needs to stay in sync, that is not an option.

Any ideas?
 
I could temporarily change PermitRootLogin to yes
The usual way is to enable sshkey-only: "PermitRootLogin prohibit-password" - this way the root password can not get brute forced.

Works for me. (For other machines, mostly on Debian; PMG should be the same in this aspect.)

That said...: of course the recommendation in these sad times is to avoid open ports to the public at all. I use (handcrafted) Wireguard connections at external systems to allow dedicated access without that exposure. Your choice...
 
Thank you for the response! Could you provide a step-by-step guide on how to do it? I’d really appreciate it!
 
WARNING: do this only if you are brave enough (and have backups)! It is EASY to destroy the whole system (software-wise) with a single "wrong" command!

Quick-n-dirty, may be incomplete:
  • open a root shell on the server
  • use your favorite editor to edit /etc/ssh/sshd_config
  • search for #PermitRootLogin prohibit-password and remove the very first character "#"
  • exit the editor
  • restart ssh daemon by ~# systemctl restart ssh
The result is that you need to have an ssh-key. You'll find tutorials to create a new one "out there".

Add your new key to /root/.ssh/authorized_keys.

That key should have a password. If you do not want to type in that one every time, search for "ssh-agent".
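The two replies above describe the same change: keep the root password locked out of SSH by setting "PermitRootLogin prohibit-password" in /etc/ssh/sshd_config, restart the daemon, and put a key into /root/.ssh/authorized_keys. The script below is an added example and is not code from the thread or from Proxmox; it works on a config path you pass in, so it can be tried on a copy before touching the live file, and it never restarts anything itself. It assumes a Debian-style sshd_config where the only PermitRootLogin directive sits in the main file (it does not follow Include lines or Match blocks, which sshd evaluates too), and the key and config contents it writes when run stand-alone are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: manage PermitRootLogin in an sshd_config
# copy, audit the result, and add a key to an authorized_keys file.
set -eu

# Constructed sample modelled on a Debian sshd_config (not a real server's file).
# NathanD's servers have the explicit "no" line; Debian ships only the commented one.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
EOF
}

# Print the effective PermitRootLogin value. sshd takes the FIRST active
# directive it sees, and the compiled-in default (OpenSSH >= 7.0) is
# prohibit-password when the line is absent or commented out.
# Caveat: Include'd drop-ins and Match blocks are not followed here.
effective_permit_root_login() {
    val=$(awk 'tolower($1)=="permitrootlogin" {print $2; exit}' "$1")
    printf '%s\n' "${val:-prohibit-password}"
}

# Rewrite the file so exactly one active PermitRootLogin line remains, set to
# the requested value. A .bak copy is kept; writing with cat > keeps the
# original file's owner and mode, which mv over the file would not.
set_permit_root_login() {
    cfg="$1"; want="$2"
    cp "$cfg" "$cfg.bak"
    tmp=$(mktemp)
    # Drop every existing active or commented PermitRootLogin line ...
    grep -viE '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" > "$tmp" || true
    # ... and append the one we want.
    printf 'PermitRootLogin %s\n' "$want" >> "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Return 1 if root could still log in with a password. "no" and
# "prohibit-password" (older alias: without-password) both pass.
audit_permit_root_login() {
    case "$(effective_permit_root_login "$1")" in
        yes) echo "WARNING: $1 allows password login for root" >&2; return 1 ;;
        *)   return 0 ;;
    esac
}

# Append a public key to an authorized_keys file once, with the permissions
# sshd insists on (700 on the directory, 600 on the file).
add_authorized_key() {
    keyfile="$1"; pubkey="$2"
    mkdir -p "$(dirname "$keyfile")"
    chmod 700 "$(dirname "$keyfile")"
    touch "$keyfile"; chmod 600 "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# Stand-alone demo on temporary files; /etc/ssh is never touched.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
echo "before: $(effective_permit_root_login "$demo_cfg")"
set_permit_root_login "$demo_cfg" prohibit-password
echo "after:  $(effective_permit_root_login "$demo_cfg")"
audit_permit_root_login "$demo_cfg" && echo "audit: ok"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

To use it for real, point set_permit_root_login at /etc/ssh/sshd_config as root, run `sshd -t` to let the daemon parse the result, and only then `systemctl restart ssh` from a session you keep open until a second key-based login succeeds. The audit function is the check to rerun after every sync, since the whole point of the thread is that the config is rewritten on the nodes over time.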