Proxmox SSH root keys

slacker

New Member
Sep 5, 2017
I had a few questions about the usage of root ssh keys in Proxmox.

A few things I've noticed:

The .ssh directory for root is 755. This is non-standard.
The root ssh private key used is without a passphrase.

It would appear Proxmox leverages SSH keys for cluster communications.

Is there any way to configure these root SSH keys to use passphrases?
I've considered locking down sshd_config to only allow connections from the Proxmox hosts and 1 host used for configuration of the Proxmox systems. In an enterprise environment I'm hesitant to use a system that doesn't offer an option to encrypt the private keys for root.
There are many risks of using passwordless SSH private keys for root if someone were to acquire said keys.
 
I had a few questions about the usage of root ssh keys in Proxmox.

A few things I've noticed:

The .ssh directory for root is 755. This is non-standard.

true - but /root is 700 so this does not matter in practice as no-one except root can access it. furthermore, the private key is 600, and none of the files are writable anyhow ;)

The root ssh private key used is without a passphrase.

It would appear Proxmox leverages SSH keys for cluster communications.

Is there any way to configure these root SSH keys to use passphrases?

no, at least not without losing the functionality that needs non-interactive SSH access in a cluster.

I've considered locking down sshd_config to only allow connections from the Proxmox hosts and 1 host used for configuration of the Proxmox systems. In an enterprise environment I'm hesitant to use a system that doesn't offer an option to encrypt the private keys for root.

that is recommended in any case. you should not expose ports 22 and 8006 (or pretty much any other) of your hypervisor to the public internet at large (common protection mechanisms include only allowing access via VPN, jump hosts, specific IP ranges, ...).

There are many risks of using passwordless SSH private keys for root if someone were to acquire said keys.

the only way to access them is by already having root privilege. if someone has root access who you don't trust, you are already beyond the 'risk' territory IMHO.
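The permission argument above (700 on /root, 600 on the key, no passphrase) can be checked on a host rather than taken on trust. The following audit script is an added example, not code from the thread or from Proxmox; it assumes the key file is named id_rsa and builds a constructed, header-only key in a temporary directory so it runs anywhere (a real OpenSSH key carries more fields after the cipher name, which the parser does not need).

```python
import base64, os, stat, struct, tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(key_text: str) -> bool:
    """True if the private key is passphrase-protected (legacy PEM or OpenSSH format)."""
    if "Proc-Type: 4,ENCRYPTED" in key_text:          # legacy PEM marker
        return True
    lines = key_text.strip().splitlines()
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return False                                  # legacy PEM without the marker
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an OpenSSH private key")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])     # length-prefixed ciphername
    return blob[off + 4:off + 4 + n] != b"none"       # "none" means no passphrase

def audit_root_ssh(root_home: str, key_name: str = "id_rsa") -> dict:
    """Check the points raised in the thread for a given root home directory."""
    mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
    ssh_dir = os.path.join(root_home, ".ssh")
    key = os.path.join(ssh_dir, key_name)
    with open(key) as f:
        encrypted = key_is_encrypted(f.read())
    home_ok = mode(root_home) == 0o700
    return {
        "home_700": home_ok,
        "ssh_dir_mode": oct(mode(ssh_dir)),             # 0o755 is what the thread reports
        "key_600": mode(key) == 0o600,
        "key_encrypted": encrypted,
        # a 755 .ssh only matters if another user can traverse the parent directory
        "key_reachable_by_others": (not home_ok) and bool(mode(key) & 0o004),
    }

def fake_openssh_key(cipher: str) -> str:
    """Constructed header-only key for demonstration (assumption: not a usable key)."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def demo() -> dict:
    """Build the layout the thread describes (/root 700, .ssh 755, key 600, no passphrase)."""
    home = tempfile.mkdtemp()                         # mkdtemp creates it with mode 700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "w") as f:
        f.write(fake_openssh_key("none"))
    os.chmod(key, 0o600)
    return audit_root_ssh(home)
```

On a live node, call audit_root_ssh("/root") as root instead of demo(); key_encrypted will be False for the cluster key, which is exactly the trade-off the reply describes.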
 
Thank you for the reply.

Are there any plans to implement the ability to use passphrases on these SSH private keys?
From what I'm reading above, you have attempted to mitigate this risk with folder permissions.
Protecting the folders is all well and good, but when technology exists that allows you to encrypt private keys, it should be an option.

I would rather not implement a firewall so I get a happy feeling about using this product going forward.

I've seen non-passphrased SSH keys end up in places they should not be numerous times.
All it takes is one person to accidentally put these keys in a place they don't belong, and someone can own the entire environment.
 
Are there any plans to implement the ability to use passphrases on these SSH private keys?
as fabian stated, we would lose the ability to access other cluster members non-interactively

All it takes is one person to accidentally put these keys in a place they don't belong, and someone can own the entire environment.
this can also happen with encrypted keys; i can imagine that someone who is careless about private keys could also be too lazy to put in a passphrase every time and removes the passphrase on his workstation, so this is more a "people" problem than a technical one