ssh_known_hosts readability

John Ratliff

New Member
Apr 17, 2019
7
0
1
38
The ssh_known_hosts file in the proxmox cluster is stored in the /etc/pve/priv directory, which is not world readable. This means I can't use it with my normal users. Is there a reason why this couldn't be somewhere else in /etc/pve that would be world readable?

Thanks.
 

Chris

Proxmox Staff Member
Staff member
Jan 2, 2019
376
38
28
Hi,
the proxmox cluster filesystem is a database driven fuse mount mounted on /etc/pve https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pmxcfs
As it not implements all POSIX features, you cannot set the permissions. Users of the group www-data can read most files, this might be an alternative? What exactly do you wish to achieve?
 

John Ratliff

New Member
Apr 17, 2019
7
0
1
38
I want to login to a server as a non-root user, and be able to ssh into another server in the cluster without it asking whether the key is okay.
 

Chris

Proxmox Staff Member
Staff member
Jan 2, 2019
376
38
28
Well, as the per user ssh known_hosts are stored in the users home folder under .ssh/known_hosts this should work out of the box. You will have to accept the fingerprint only once on the first connection.
 

John Ratliff

New Member
Apr 17, 2019
7
0
1
38
Yeah, I know I only have to accept the key once, but the /etc/ssh/ssh_known_hosts files should be globally readable so that all users can benefit. Without that, every user needs to verify the signature of every server individually, which is a difficult process. Just accepting the key is a security risk.

I would suggest proxmox change the shared location of the /etc/ssh/ssh_known_hosts link to maybe /etc/pve rather than /etc/pve/priv unless someone can point out some security problem I'm overlooking here.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!