Solution: PVE, known_hosts & ECDSA

Florent

Member
Apr 3, 2012
Hi,

I think I'm not the only one having problems with PVE & ECDSA SSH keys.

ECDSA is now the default key algorithm in SSH and Proxmox does not handle it yet.

I don't know exactly when this problem occurs, I have it on some clusters and not others...

So sometimes you have errors like these during VM migrations:

Code:
Aug 25 16:19:52 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 16:19:52 Host key verification failed.
Aug 25 16:19:52 ERROR: migration aborted (duration 00:00:02): Can't connect to destination address using public key
TASK ERROR: migration aborted

OR

Code:
Aug 25 14:43:57 # /usr/bin/ssh -o 'BatchMode=yes' root@10.111.0.X /bin/true
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
Aug 25 14:43:57 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 25 14:43:57 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Aug 25 14:43:57 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Aug 25 14:43:57 It is also possible that a host key has just been changed.
Aug 25 14:43:57 The fingerprint for the ECDSA key sent by the remote host is
Aug 25 14:43:57 xx:00:xx:a9:xx:40:xx:52:xx:56:xx:c6:xx:25:xx:21.
Aug 25 14:43:57 Please contact your system administrator.
Aug 25 14:43:57 Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Aug 25 14:43:57 Offending ECDSA key in /root/.ssh/known_hosts:4
Aug 25 14:43:57 ECDSA host key for [10.111.0.X]:22 has changed and you have requested strict checking.
Aug 25 14:43:57 Host key verification failed.
Aug 25 14:43:57 ERROR: migration aborted (duration 00:00:00): Can't connect to destination address using public key
TASK ERROR: migration aborted

To not care about ECDSA between your PVE nodes (be careful: this could be a security hole), you simply have to add a specific configuration for your network in /etc/ssh/ssh_config:

Code:
Host 10.111.0.*
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss

Of course, 10.111.0.* is your PVE network. ECDSA will still be used for other networks.

Then remember to delete your /root/.ssh/known_hosts file.

I hope it will help some of you.

Florent
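An added worked example (my code, not Florent's and not part of Proxmox) that models the two OpenSSH mechanisms the fix above relies on: ssh_config `Host` pattern precedence and known_hosts line matching. Everything in it is constructed sample data: the ssh_config text reuses the `Host 10.111.0.*` block from the post, while the known_hosts lines, the key blobs, the host names and the fallback list `DEFAULT_HOST_KEY_ALGORITHMS` are assumptions. `host_key_status` shows why the Host block makes the ECDSA line irrelevant for the PVE network (a key type the client no longer offers can never trigger the "REMOTE HOST IDENTIFICATION HAS CHANGED" error), and `forget_host` drops only the lines for one node, the narrower equivalent of `ssh-keygen -R`, so the rest of known_hosts keeps its trust.

```python
"""Model of the ssh_config / known_hosts behaviour behind the Host-block fix.

Added example, not code from the forum post or from Proxmox. Reimplements just
enough of OpenSSH's rules: the FIRST matching Host block supplies an option;
patterns use '*' and '?' and a leading '!' negates; known_hosts lines are
"hostpatterns keytype base64key", with comma-separated, "[host]:port" or
hashed "|1|salt|hmac" host patterns. All data below is constructed.
"""
import base64
import hashlib
import hmac
import re

# Constructed ssh_config: the Host block from the post plus a catch-all default.
SSH_CONFIG = """\
Host 10.111.0.*
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
Host *
    HostKeyAlgorithms ecdsa-sha2-nistp256,ssh-rsa
"""

# Constructed known_hosts: node 10.111.0.5 has an old RSA line and an ECDSA line
# (the "[host]:22" spelling is the one the post's error message quotes). Blobs are fake.
KNOWN_HOSTS = """\
10.111.0.5 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-RSA-BLOB
[10.111.0.5]:22 ecdsa-sha2-nistp256 AAAAE2VjZHNh-CONSTRUCTED-ECDSA-BLOB
gitserver.example.com ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-RSA-BLOB-2
"""

# Assumed fallback used when no Host block sets HostKeyAlgorithms.
DEFAULT_HOST_KEY_ALGORITHMS = "ecdsa-sha2-nistp256,ssh-rsa,ssh-dss"


def glob_match(pattern, host):
    """OpenSSH-style wildcard: only '*' and '?' are special, '[' is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None


def pattern_list_match(patterns, host):
    """match_pattern_list semantics: a matching '!pattern' rejects the host outright."""
    matched = False
    for pat in patterns:
        if glob_match(pat.lstrip("!"), host):
            if pat.startswith("!"):
                return False
            matched = True
    return matched


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))  # Host patterns are whitespace-separated
        elif blocks:
            blocks[-1][1].setdefault(key, value.strip())
    return blocks


def effective_option(blocks, host, option, default):
    """The first matching Host block that sets the option wins, as in OpenSSH."""
    for patterns, options in blocks:
        if option in options and pattern_list_match(patterns, host):
            return options[option]
    return default


def hashed_pattern(host, salt):
    """Build a HashKnownHosts name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_known_hosts(text):
    """One dict per key line; @cert-authority / @revoked markers are kept."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line, skipped like OpenSSH does
        entries.append({"line": lineno, "marker": marker,
                        "patterns": parts[0].split(","), "keytype": parts[1]})
    return entries


def entry_matches(entry, host):
    """Does a known_hosts entry apply to host? Handles plain, wildcard and hashed names."""
    if pattern_list_match([p for p in entry["patterns"] if not p.startswith("|1|")], host):
        return True
    for pat in entry["patterns"]:
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(expected, base64.b64decode(mac_b64)):
                return True
    return False


def _lookup_names(host, port):
    # OpenSSH uses "[host]:port" for non-default ports; the post's error also shows
    # "[host]:22" lines, so both spellings are accepted for the default port.
    return [host, "[%s]:%d" % (host, port)] if port == 22 else ["[%s]:%d" % (host, port)]


def host_key_status(host, port=22, ssh_config=SSH_CONFIG, known_hosts=KNOWN_HOSTS):
    """Algorithms the client offers for host, plus which known_hosts lines it checks.
    'ignored' lines hold a key type that is not offered, so they cannot produce the
    'REMOTE HOST IDENTIFICATION HAS CHANGED' error (the effect of the post's fix)."""
    algos = effective_option(parse_ssh_config(ssh_config), host,
                             "hostkeyalgorithms", DEFAULT_HOST_KEY_ALGORITHMS).split(",")
    names = _lookup_names(host, port)
    consulted = [e for e in parse_known_hosts(known_hosts) if any(entry_matches(e, n) for n in names)]
    return {"algorithms": algos,
            "checked": [(e["line"], e["keytype"]) for e in consulted if e["keytype"] in algos],
            "ignored": [(e["line"], e["keytype"]) for e in consulted if e["keytype"] not in algos]}


def forget_host(known_hosts, host, port=22):
    """Drop only the lines for one host (the narrower equivalent of `ssh-keygen -R host`)
    instead of deleting the whole file and losing every other trusted host key."""
    names = _lookup_names(host, port)
    doomed = {e["line"] for e in parse_known_hosts(known_hosts) if any(entry_matches(e, n) for n in names)}
    kept = [l for i, l in enumerate(known_hosts.splitlines(), 1) if i not in doomed]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    print(host_key_status("10.111.0.5"))
    print(host_key_status("gitserver.example.com"))
    print(forget_host(KNOWN_HOSTS, "10.111.0.5"))
```

On a real node, `ssh -G root@10.111.0.X` (OpenSSH 6.8 and later) prints the effective `hostkeyalgorithms` value so you can confirm the Host block actually applies, and `ssh-keygen -F 10.111.0.X` lists the known_hosts lines that would be consulted, hashed ones included.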
On a cluster where I have the problem:

Code:
proxmox-ve-2.6.32: 3.2-132 (running kernel: 3.10.0-2-pve)
pve-manager: 3.2-4 (running version: 3.2-4/e24a91c1)
pve-kernel-3.10.0-2-pve: 3.10.0-10
pve-kernel-2.6.32-30-pve: 2.6.32-130
pve-kernel-2.6.32-29-pve: 2.6.32-126
pve-kernel-3.10.0-3-pve: 3.10.0-11
pve-kernel-2.6.32-31-pve: 2.6.32-132
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.5-1
pve-cluster: 3.0-12
qemu-server: 3.1-16
pve-firmware: 1.1-3
libpve-common-perl: 3.0-18
libpve-access-control: 3.0-11
libpve-storage-perl: 3.0-19
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-6
vzctl: 4.0-1pve5
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.7-8
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.2-1

On a cluster where I don't have the problem:

Code:
proxmox-ve-2.6.32: 3.2-132 (running kernel: 3.10.0-3-pve)
pve-manager: 3.2-4 (running version: 3.2-4/e24a91c1)
pve-kernel-3.10.0-3-pve: 3.10.0-11
pve-kernel-2.6.32-31-pve: 2.6.32-132
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.5-1
pve-cluster: 3.0-12
qemu-server: 3.1-16
pve-firmware: 1.1-3
libpve-common-perl: 3.0-18
libpve-access-control: 3.0-11
libpve-storage-perl: 3.0-19
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-6
vzctl: 4.0-1pve5
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.7-8
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.2-1

The second one is a recently created cluster.

The first one is old, but updated.
Both run an outdated 3.10 kernel.

Use the latest:

Code:
apt-get install pve-kernel-3.10.0-4-pve