ssh_known_hosts readability

John Ratliff

Apr 17, 2019
The ssh_known_hosts file in the proxmox cluster is stored in the /etc/pve/priv directory, which is not world readable. This means I can't use it with my normal users. Is there a reason why this couldn't be somewhere else in /etc/pve that would be world readable?

the proxmox cluster filesystem is a database driven fuse mount mounted on /etc/pve
As it not implements all POSIX features, you cannot set the permissions. Users of the group www-data can read most files, this might be an alternative? What exactly do you wish to achieve?
I want to login to a server as a non-root user, and be able to ssh into another server in the cluster without it asking whether the key is okay.
Well, as the per user ssh known_hosts are stored in the users home folder under .ssh/known_hosts this should work out of the box. You will have to accept the fingerprint only once on the first connection.
Yeah, I know I only have to accept the key once, but the /etc/ssh/ssh_known_hosts files should be globally readable so that all users can benefit. Without that, every user needs to verify the signature of every server individually, which is a difficult process. Just accepting the key is a security risk.

I would suggest proxmox change the shared location of the /etc/ssh/ssh_known_hosts link to maybe /etc/pve rather than /etc/pve/priv unless someone can point out some security problem I'm overlooking here.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!