> On Thu, Jan 11, 2024 at 11:51:16AM +0100, Fabian Grünbichler wrote:
> > if the target node has already stored their SSH host key on pmxcfs, pin it
> > and
> > ignore the global known hosts information.
> >
> > Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> > ---
> >  src/PVE/SSHInfo.pm | 15 ++++++++++++++-
> >  1 file changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/PVE/SSHInfo.pm b/src/PVE/SSHInfo.pm
> > index c351148..fad23bf 100644
> > --- a/src/PVE/SSHInfo.pm
> > +++ b/src/PVE/SSHInfo.pm
> > @@ -49,11 +49,24 @@ sub get_ssh_info {
> >  
> >  sub ssh_info_to_command_base {
> >      my ($info, @extra_options) = @_;
> > +
> > +    my $nodename = $info->{name};
> > +
> > +    my $known_hosts_file = "/etc/pve/nodes/$nodename/ssh_known_hosts";
> > +    my $known_hosts_options = undef;
> > +    if (-f $known_hosts_file) {
> > +        $known_hosts_options = [
> > +            '-o', "UserKnownHostsFile=$known_hosts_file",
> > +            '-o', 'GlobalKnownHostsFile=none',
>
> why does Global need to be none, even as this only applies if the snippet
> exists?

because we want to only let SSH look at our pinned file, not the regular one,
which might contain bogus information. since our pinned file contains an entry
for our host key alias which must match, the global file can never improve the
situation, but it can cause a verification failure.

> > +        ];
> > +    }
> > +
> >      return [
> >          '/usr/bin/ssh',
> >          '-e', 'none',
> >          '-o', 'BatchMode=yes',
> > -        '-o', 'HostKeyAlias='.$info->{name},
> > +        '-o', 'HostKeyAlias='.$nodename,
> > +        defined($known_hosts_options) ? @$known_hosts_options : (),
> >          @extra_options
> >      ];
> >  }
> > --
> > 2.39.2
> >
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
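Review bot: the rationale for `GlobalKnownHostsFile=none` given in this reply is missing from the code itself and belongs as a comment above the `if (-f $known_hosts_file)` block in the hunk: the pinned per-node file is the only place an entry for the `HostKeyAlias` (the node name) is expected, so an entry for that alias in the global file can only conflict with the pinned key and fail verification, never help. Documenting that next to the two `-o` options would have pre-empted the question and makes clear that the pinned file must carry its entry under the node-name alias rather than the hostname or address.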