Solution: PVE, known_hosts & ECDSA

Florent

Member
Apr 3, 2012
Hi,

I think I'm not the only one having problems with PVE & ECDSA SSH keys.

ECDSA is now the default key algorithm in SSH and Proxmox does not handle it yet.

I don't know exactly when this problem occurs; I have it on some clusters and not others...

So sometimes you get errors like these during VM migrations:

Code:
Aug 25 16:19:52 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 16:19:52 Host key verification failed.
Aug 25 16:19:52 ERROR: migration aborted (duration 00:00:02): Can't connect to destination address using public key
TASK ERROR: migration aborted

OR

Code:
Aug 25 14:43:57 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Aug 25 14:43:57 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Aug 25 14:43:57 It is also possible that a host key has just been changed.
Aug 25 14:43:57 The fingerprint for the ECDSA key sent by the remote host is
Aug 25 14:43:57 xx:00:xx:a9:xx:40:xx:52:xx:56:xx:c6:xx:25:xx:21.
Aug 25 14:43:57 Please contact your system administrator.
Aug 25 14:43:57 Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Aug 25 14:43:57 Offending ECDSA key in /root/.ssh/known_hosts:4
Aug 25 14:43:57 ECDSA host key for [10.111.0.X]:22 has changed and you have requested strict checking.
Aug 25 14:43:57 Host key verification failed.
Aug 25 14:43:57 ERROR: migration aborted (duration 00:00:00): Can't connect to destination address using public key
TASK ERROR: migration aborted

To stop caring about ECDSA between your PVE nodes (be careful: this could be a security hole), you simply have to add a specific configuration for your network in /etc/ssh/ssh_config:

Code:
Host 10.111.0.*
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss

Of course, 10.111.0.* is your PVE network. ECDSA will still be used for other networks.

Then remember to delete your /root/.ssh/known_hosts file.

I hope it will help some of you.

Florent
 
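As an added example that is not part of Florent's post: rather than deleting the whole known_hosts file (which also drops the pinned keys of every other host), this script removes only the ECDSA entries for hosts in the PVE network, using a constructed sample file with placeholder keys and the 10.111.0.* pattern from the post.

```python
import fnmatch

# Constructed sample known_hosts modelled on the thread's setup. Hosts, key blobs
# and the hashed entry are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
10.111.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI=PLACEHOLDER1
10.111.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC=PLACEHOLDER2
[10.111.0.12]:22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI=PLACEHOLDER3
backup.example.net,192.0.2.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI=PLACEHOLDER4
|1|c2FsdA==|aGFzaA== ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI=PLACEHOLDER5
# comment lines are preserved as-is
"""


def host_names(field):
    """Split the known_hosts host field into bare names, dropping the [host]:port wrapper."""
    names = []
    for h in field.split(","):
        if h.startswith("[") and "]:" in h:
            h = h[1:h.index("]:")]
        names.append(h)
    return names


def prune_ecdsa_entries(text, net_pattern):
    """Return (kept_lines, removed_lines) for a known_hosts body.

    Only ECDSA entries whose host matches net_pattern are removed. Comment lines,
    hashed (|1|...) entries, which cannot be matched by pattern, non-ECDSA keys and
    entries for other hosts are all kept, so existing pins outside the PVE network survive.
    """
    kept, removed = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#") or line.startswith("|1|"):
            kept.append(line)
            continue
        hosts, keytype = parts[0], parts[1]
        in_net = any(fnmatch.fnmatch(h, net_pattern) for h in host_names(hosts))
        if keytype.startswith("ecdsa-sha2-") and in_net:
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


def prune_file(path, net_pattern):
    """Prune a known_hosts file in place, keeping a .bak copy; returns the removed entries."""
    with open(path) as f:
        text = f.read()
    kept, removed = prune_ecdsa_entries(text, net_pattern)
    with open(path + ".bak", "w") as f:
        f.write(text)
    with open(path, "w") as f:
        f.write("\n".join(kept) + ("\n" if kept else ""))
    return removed
```

Run `prune_file("/root/.ssh/known_hosts", "10.111.0.*")` on a node to apply it to the real file; the `.bak` copy lets you diff what was dropped.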
On a cluster where I have the problem:

Code:
proxmox-ve-2.6.32: 3.2-132 (running kernel: 3.10.0-2-pve)
pve-manager: 3.2-4 (running version: 3.2-4/e24a91c1)
pve-kernel-3.10.0-2-pve: 3.10.0-10
pve-kernel-2.6.32-30-pve: 2.6.32-130
pve-kernel-2.6.32-29-pve: 2.6.32-126
pve-kernel-3.10.0-3-pve: 3.10.0-11
pve-kernel-2.6.32-31-pve: 2.6.32-132
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.5-1
pve-cluster: 3.0-12
qemu-server: 3.1-16
pve-firmware: 1.1-3
libpve-common-perl: 3.0-18
libpve-access-control: 3.0-11
libpve-storage-perl: 3.0-19
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-6
vzctl: 4.0-1pve5
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.7-8
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.2-1

On a cluster where I don't have the problem:

Code:
proxmox-ve-2.6.32: 3.2-132 (running kernel: 3.10.0-3-pve)
pve-manager: 3.2-4 (running version: 3.2-4/e24a91c1)
pve-kernel-3.10.0-3-pve: 3.10.0-11
pve-kernel-2.6.32-31-pve: 2.6.32-132
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.5-1
pve-cluster: 3.0-12
qemu-server: 3.1-16
pve-firmware: 1.1-3
libpve-common-perl: 3.0-18
libpve-access-control: 3.0-11
libpve-storage-perl: 3.0-19
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-6
vzctl: 4.0-1pve5
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.7-8
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.2-1

The second one is a recently created cluster.

The first one is old, but updated.
 
Both run an outdated 3.10 kernel.

Use the latest:

Code:
apt-get install pve-kernel-3.10.0-4-pve
 
