Hi,
I think I'm not the only one having problems with PVE & ECDSA SSH keys.
ECDSA is now the default key algorithm in SSH and Proxmox does not handle it yet.
I don't know exactly when this problem occurs, I have it on some clusters and not others...
So sometimes, you have errors like these during VM migrations:
Code:
Aug 25 16:19:52 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 16:19:52 Host key verification failed.
Aug 25 16:19:52 ERROR: migration aborted (duration 00:00:02): Can't connect to destination address using public key
TASK ERROR: migration aborted
OR
Code:
Aug 25 14:43:57 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Aug 25 14:43:57 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Aug 25 14:43:57 It is also possible that a host key has just been changed.
Aug 25 14:43:57 The fingerprint for the ECDSA key sent by the remote host is
Aug 25 14:43:57 xx:00:xx:a9:xx:40:xx:52:xx:56:xx:c6:xx:25:xx:21.
Aug 25 14:43:57 Please contact your system administrator.
Aug 25 14:43:57 Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Aug 25 14:43:57 Offending ECDSA key in /root/.ssh/known_hosts:4
Aug 25 14:43:57 ECDSA host key for [10.111.0.X]:22 has changed and you have requested strict checking.
Aug 25 14:43:57 Host key verification failed.
Aug 25 14:43:57 ERROR: migration aborted (duration 00:00:00): Can't connect to destination address using public key
TASK ERROR: migration aborted
To not care about ECDSA between your PVE nodes (be careful: this may be a security hole), you simply have to add a specific configuration for your network in /etc/ssh/ssh_config:
Code:
Host 10.111.0.*
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
Of course, 10.111.0.* is your PVE network. ECDSA will still be used for other networks.
Then remember to delete your /root/.ssh/known_hosts file.
I hope it will help some of you.
Florent
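
Added example (not from the original post or from Proxmox): this Python script reports, by line number, the known_hosts entries for the PVE network whose key type is outside the HostKeyAlgorithms list above, so they can be reviewed and removed one at a time with `ssh-keygen -R <host>` instead of deleting the whole file. The sample file, the `pve2` name, the salt and the function names are constructed for illustration.

```python
import base64, fnmatch, hashlib, hmac

# Key types left enabled by the HostKeyAlgorithms line in the post.
ALLOWED = {"ssh-rsa", "ssh-dss", "ssh-rsa-cert-v01@openssh.com",
           "ssh-dss-cert-v01@openssh.com", "ssh-rsa-cert-v00@openssh.com",
           "ssh-dss-cert-v00@openssh.com"}

def hashed_field(host, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, pattern, candidates):
    """True if a known_hosts host field names a host matching `pattern`."""
    if field.startswith("|1|"):  # hashed: can only be tested against candidate names
        salt = base64.b64decode(field.split("|")[2])
        return any(hmac.compare_digest(hashed_field(c, salt), field)
                   for c in candidates if fnmatch.fnmatchcase(c, pattern))
    for name in field.split(","):
        if name.startswith("[") and "]:" in name:  # [host]:port form
            name = name[1:name.index("]:")]
        if fnmatch.fnmatchcase(name, pattern):
            return True
    return False

def offending_entries(text, pattern, candidates=()):
    """Return (line_number, key_type) for matching hosts whose key type is not ALLOWED."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        # Skip blanks, comments, malformed lines and @cert-authority/@revoked markers.
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if parts[1] not in ALLOWED and host_matches(parts[0], pattern, candidates):
            hits.append((lineno, parts[1]))
    return hits

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed example",
    "10.111.0.11 ssh-rsa AAAAPLACEHOLDER",
    "pve2,10.111.0.12 ecdsa-sha2-nistp256 AAAAPLACEHOLDER",
    "[10.111.0.13]:2222 ecdsa-sha2-nistp256 AAAAPLACEHOLDER",
    hashed_field("10.111.0.14", b"constructed-salt-000") + " ecdsa-sha2-nistp256 AAAAPLACEHOLDER",
    "192.168.1.5 ecdsa-sha2-nistp256 AAAAPLACEHOLDER"])

if __name__ == "__main__":
    nodes = ["10.111.0.%d" % i for i in range(1, 255)]  # addresses to try for hashed entries
    for lineno, key_type in offending_entries(SAMPLE, "10.111.0.*", nodes):
        print("/root/.ssh/known_hosts:%d %s" % (lineno, key_type))
```

Hashed entries are only found when the node's address is in the candidate list, because the host name cannot be recovered from the hash.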