Proxmox 7.4 RSA Fingerprint Keeps Changing in cluster after upgrade

B

BeDazzler

Member
Jun 22, 2020
34
2
13
Hi All,

I have a cluster of 5x PVE 7.4 nodes which we recently upgraded onto new hardware.

We did this host by host and it all worked fine, however every time I try to remote console (NoVNC) I get "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! "

This is likely due to old host keys still being present in /etc/ssh/ssh_known_hosts.

I've removed them one by one and moved to each host to update certs, however I am still receiving the same message.

Is there something else I need to do ?

Many thanks.
 
It's quite likely that there are still leftovers of the key in /root/.ssh/known_hosts as well
 
shanreich said:
It's quite likely that there are still leftovers of the key in /root/.ssh/known_hosts as well
Click to expand...

Sure, I've looked in there and I do see entries for each host using it's IP and name.

Which ones do I remove ??

Can I just remove all and run updatecerts to refresh them all ?
 
BeDazzler said:
Sure, I've looked in there and I do see entries for each host using it's IP and name.
Click to expand...
Interesting, on my machine the entries are hashed which makes this a bit tricky usually.

In any case you should be able to remove the entries via the following command:
Code: 
ssh-keygen -f /root/.ssh/known_hosts -R <host>

You should remove the hostname as well as the IP(s) of all hosts.
 
shanreich said:
Interesting, on my machine the entries are hashed which makes this a bit tricky usually.

In any case you should be able to remove the entries via the following command:
Code: 
ssh-keygen -f /root/.ssh/known_hosts -R <host>

You should remove the hostname as well as the IP(s) of all hosts.
Click to expand...

I see, I was only removing the host name. I will try again and also remove the IPs. Thanks for your reply.
 
BeDazzler said:
Thank you. Yes I knew the symlink was broken/being overwritten with a local file. As a short term workaround I added 'StrictHostKeyChecking no' to each ssh config file since my PVEs are running on their own internal network. I will have a look at this patch.
Click to expand...
No worries! I actually encountered the same and found quite a few posts on the forum, so wondered if it was boiling down to one and the same. The symlink is actually not really much of a problem, after running ssh-keygen -R on the /etc located file, you may (have also in the past) run the pvecm udpatecerts (just like that, the -f really only applies to SSL certificates).

The patch is for the updatecerts so that it does not go on dropping out keys - which is why you were getting the MITM warnings. You get the warning when NONE of the keys in none of the known_hosts match. This means you had some old keys there, but the new were missing. Of course, after manually removing all of them (as some people did), you could just accept the prompt (when the StrictHostKeyChecking is the default ask) and happy days, but then surprisingly (also depending on which node it was done from) the updatecerts might have broken it yet again.

This applies to anyone whether they ever called a new node the same like dead (previously correctly removed one) or they had simply more keys under the same alias in the known_hosts - it's not like the alias has to be fqdn. Glad someone actually really experiencing this got help with this (or will, if you want to wait for them to okay it and backport), but it's really cosmetic.
 
Last edited:
  • Like
Reactions: BeDazzler
tempacc375924 said:
No worries! I actually encountered the same and found quite a few posts on the forum, so wondered if it was boiling down to one and the same. The symlink is actually not really much of a problem, after running ssh-keygen -R on the /etc located file, you may (have also in the past) run the pvecm udpatecerts (just like that, the -f really only applies to SSL certificates).

The patch is for the updatecerts so that it does not go on dropping out keys - which is why you were getting the MITM warnings. You get the warning when NONE of the keys in none of the known_hosts match. This means you had some old keys there, but the new were missing. Of course, after manually removing all of them (as some people did), you could just accept the prompt (when the StrickhostKeyChecking is the default ask) and happy days, but then surprisingly (also depending on which node it was done) the updatecerts might have broken it yet again.

This applies to anyone whether they ever called a new node the same like dead (previously correctly removed one) or they had simply more keys under the same alias in the known_hosts - it's not like the alias has to be fqdn. Glad someone actually really experiencing this got help with this (or will, if you want to wait for them to okay it and backport), but it's really cosmetic.
Click to expand...
Yes I just read through the bugfix correspondence, very interesting communications in there for sure.
Yes, I also found the issue whilst upgrading infrastructure and worked out that old keys were appearing despite removing and re-generating.
In the end it became annoying and such a waste of time (with no resolution) since the symlinked file is required for the correct information to be shared across PVE hosts, hence disabling checks was the easiest way forward and stopped the complaints from admins.
 
BeDazzler said:
Yes I just read through the bugfix correspondence, very interesting communications in there for sure.
Yes, I also found the issue whilst upgrading infrastructure and worked out that old keys were appearing despite removing and re-generating.
In the end it became annoying and such a waste of time (with no resolution) since the symlinked file is required for the correct information to be shared across PVE hosts, hence disabling checks was the easiest way forward and stopped the complaints from admins.
Click to expand...
I would totally consider deploying SSH certificates for the cluster (and another for VMs but that's out of scope here), which also scales well. It basically takes just a CA signing the host keys and then whatever is signed is accepted by the known_hosts (@ca *.fqdn.tld key ... etc entry, just one for each host and well - they are shared as of now, so one, but it's easy to drop in when joining the cluster.) CAs can have long-term keys and if you operate it on a secure network it's not high risk to have them very long-term). Because otherwise yeah, complaints make people do workarounds that are ... sub-optimal so to say. ;)

I am really glad it helped another person!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back