ssh_known_hosts readability

Discussion in 'Proxmox VE: Installation and configuration' started by John Ratliff, Apr 17, 2019.

  1. John Ratliff

    John Ratliff New Member

    Joined:
    Apr 17, 2019
    Messages:
    7
    Likes Received:
    0
    The ssh_known_hosts file in the proxmox cluster is stored in the /etc/pve/priv directory, which is not world readable. This means I can't use it with my normal users. Is there a reason why this couldn't be somewhere else in /etc/pve that would be world readable?

    Thanks.
     
  2. Chris

    Chris Proxmox Staff Member
    Staff Member

    Joined:
    Jan 2, 2019
    Messages:
    210
    Likes Received:
    22
    Hi,
    the proxmox cluster filesystem is a database driven fuse mount mounted on /etc/pve: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pmxcfs
    As it does not implement all POSIX features, you cannot set the permissions. Users of the group www-data can read most files, this might be an alternative? What exactly do you wish to achieve?
     
  3. John Ratliff

    John Ratliff New Member

    Joined:
    Apr 17, 2019
    Messages:
    7
    Likes Received:
    0
    I want to log in to a server as a non-root user, and be able to ssh into another server in the cluster without it asking whether the key is okay.
     
  4. Chris

    Chris Proxmox Staff Member
    Staff Member

    Joined:
    Jan 2, 2019
    Messages:
    210
    Likes Received:
    22
    Well, as the per-user ssh known_hosts are stored in the user's home folder under .ssh/known_hosts this should work out of the box. You will have to accept the fingerprint only once on the first connection.
     
  5. John Ratliff

    John Ratliff New Member

    Joined:
    Apr 17, 2019
    Messages:
    7
    Likes Received:
    0
    Yeah, I know I only have to accept the key once, but the /etc/ssh/ssh_known_hosts file should be globally readable so that all users can benefit. Without that, every user needs to verify the signature of every server individually, which is a difficult process. Just accepting the key is a security risk.

    I would suggest proxmox change the shared location of the /etc/ssh/ssh_known_hosts link to maybe /etc/pve rather than /etc/pve/priv unless someone can point out some security problem I'm overlooking here.
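An added example, not from this thread or from Proxmox itself, of the workaround an admin has while the shared file is not readable: parse a copy of the ssh_known_hosts file and compute the SHA256 fingerprint OpenSSH prints at the "Are you sure you want to continue connecting" prompt (base64 of the SHA-256 of the raw key blob, padding stripped), so the per-host fingerprint table can be published to users and compared instead of blindly accepted. Node names pve1/pve2, the 192.0.2.x addresses and the key blobs are all constructed here; the blobs have a valid ssh-ed25519 wire layout but are not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return len(data).to_bytes(4, "big") + data


def _fake_ed25519_blob(seed: int) -> str:
    """Build a structurally valid ssh-ed25519 public-key blob from a constructed
    32-byte value. NOT a real key; it only exercises the parser and fingerprinting."""
    raw = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes((seed + i) % 256 for i in range(32)))
    return base64.b64encode(raw).decode("ascii")


# Constructed sample in /etc/ssh/ssh_known_hosts format (hypothetical node names/IPs).
SAMPLE_KNOWN_HOSTS = (
    "# hypothetical cluster nodes\n"
    f"pve1,192.0.2.11 ssh-ed25519 {_fake_ed25519_blob(1)}\n"
    f"pve2,192.0.2.12 ssh-ed25519 {_fake_ed25519_blob(2)}\n"
    f"@cert-authority *.cluster.example ssh-ed25519 {_fake_ed25519_blob(3)}\n"
)


@dataclass(frozen=True)
class KnownHost:
    marker: Optional[str]       # e.g. "@cert-authority"/"@revoked", None for a plain host key
    hosts: Tuple[str, ...]      # comma-separated names/addresses from the first field
    key_type: str
    fingerprint: str            # "SHA256:..." as shown by ssh-keygen -lf and the ssh prompt


def openssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw key blob)) with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> List[KnownHost]:
    """Parse known_hosts lines of the form: [@marker] host[,host...] keytype base64 [comment]."""
    entries: List[KnownHost] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        entries.append(KnownHost(marker, tuple(hosts.split(",")), key_type, openssh_fingerprint(blob)))
    return entries


def fingerprint_table(text: str) -> Dict[str, str]:
    """Map every host name/address to its fingerprint. An admin who can read the
    shared file publishes this table out of band; users compare it to the prompt."""
    table: Dict[str, str] = {}
    for entry in parse_known_hosts(text):
        for host in entry.hosts:
            table[host] = entry.fingerprint
    return table


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set: the property the thread asks for."""
    return bool(mode & 0o004)


if __name__ == "__main__":
    import os

    for host, fp in fingerprint_table(SAMPLE_KNOWN_HOSTS).items():
        print(f"{host:20} {fp}")
    # On a real node, report whether the link target is readable by everyone.
    path = "/etc/ssh/ssh_known_hosts"
    if os.path.exists(path):
        print(path, "world-readable:", is_world_readable(os.stat(path).st_mode))
```

Run as root on a node (the only user that can read the file in the setup described above) and hand the printed table to users; a user whose prompt shows a different fingerprint for pve1 than the table lists should refuse the connection rather than accept it.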
     