Proxmox Host SSH keys: Difference between revisions

From RoseWiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
No edit summary
 
Line 1: Line 1:
== Intended method: ==
== Introduction ==
Delete old ssh host keys:  
Proxmox nodes in a cluster communicate with each other through the Secure Shell (SSH) protocol. The SSH protocol is configured to require authentication by encryption keys. The host stores these keys in /root/.ssh/id_rsa.pub and in /etc/ssh/ssh_host_rsa_key.pub. When removing or replacing a Proxmox node, manual cleanup must be done. You must remove the old key from /etc/pve/priv/authorized_keys, and if joining a new machine in its place, add the new one. 
 
== Removing keys from removed machine. ==
Delete old ssh host keys on the host you're troubleshooting or have removed with:  
   rm /etc/ssh/ssh_host_*
   rm /etc/ssh/ssh_host_*
Reconfigure OpenSSH Server:
After doing this, we need to make sure the fingerprint of the old key is no longer on the other machines. Navigate to ''/etc/pve/priv/known_hosts'' and remove the fingerprint with the hostname of the machine you're treating. Also remove the key itself from /etc/pve/priv/authorized_keys.
 
== Adding key ==
Then we can recreate the keys with OpenSSH.
   dpkg-reconfigure openssh-server
   dpkg-reconfigure openssh-server
Update all ssh client(s) at ~/.ssh/known_hosts
After doing this we must copy the new key from /etc/ssh/ssh_host_rsa_key.pub on the treated machine to /etc/pve/priv/authorized keys. You will most likely have to do this manually copying from the broken machine to a machine still in the cluster, as with the keys removed, corosync may not copy the files correctly. After this we want to make sure that the fingerprint has been updated. On the treated machine, run:
 
Then update certs and keys ''on each machine'':
   pvecm updatecerts -f
   pvecm updatecerts -f


== Manual method<ref>https://forum.proxmox.com/threads/pvecm-updatecert-f-not-working.135812/page-3#post-660500</ref>: ==
== Manual correction if the above fails<ref>https://forum.proxmox.com/threads/pvecm-updatecert-f-not-working.135812/page-3#post-660500</ref> ==
If this fails (which it might), log into each troublesome node through SSHd and copy the public key from  
If this fails (which it might), copy the public key of the troublesome node from ''/etc/ssh/ssh_host_rsa_key.pub'' to ''/etc/pve/nodes/<node>/ssh_known_hosts'' and prepend it with that machine's hostname. Assuming a hostname of pve1, this line should appear as  
  /etc/ssh/ssh_host_rsa_key.pub.
Copy this to  
  /etc/pve/nodes/<node>/ssh_known_hosts  
and prepend it with that machine's hostname. Assuming a hostname of pve1, this line should appear as
   pve1 ssh-rsa <key>
   pve1 ssh-rsa <key>
Then restart the SSH daemon:
Then restart the SSH daemon:
   systemctl restart sshd
   systemctl restart sshd

Latest revision as of 21:21, 28 May 2026

Introduction

Proxmox nodes in a cluster communicate with each other through the Secure Shell (SSH) protocol. The SSH protocol is configured to require authentication by encryption keys. The host stores these keys in /root/.ssh/id_rsa.pub and in /etc/ssh/ssh_host_rsa_key.pub. When removing or replacing a Proxmox node, manual cleanup must be done. You must remove the old key from /etc/pve/priv/authorized_keys, and if joining a new machine in its place, add the new one.

Removing keys from removed machine.

Delete old ssh host keys on the host you're troubleshooting or have removed with: 

 rm /etc/ssh/ssh_host_*

After doing this, we need to make sure the fingerprint of the old key is no longer on the other machines. Navigate to /etc/pve/priv/known_hosts and remove the fingerprint with the hostname of the machine you're treating. Also remove the key itself from /etc/pve/priv/authorized_keys.

Adding key

Then we can recreate the keys with OpenSSH. 

 dpkg-reconfigure openssh-server

After doing this we must copy the new key from /etc/ssh/ssh_host_rsa_key.pub on the treated machine to /etc/pve/priv/authorized keys. You will most likely have to do this manually copying from the broken machine to a machine still in the cluster, as with the keys removed, corosync may not copy the files correctly. After this we want to make sure that the fingerprint has been updated. On the treated machine, run: 

 pvecm updatecerts -f

Manual correction if the above fails[1]

If this fails (which it might), copy the public key of the troublesome node from /etc/ssh/ssh_host_rsa_key.pub to /etc/pve/nodes/<node>/ssh_known_hosts and prepend it with that machine's hostname. Assuming a hostname of pve1, this line should appear as 

 pve1 ssh-rsa <key>

Then restart the SSH daemon: 

 systemctl restart sshd
  1. https://forum.proxmox.com/threads/pvecm-updatecert-f-not-working.135812/page-3#post-660500
Retrieved from "https://www.rosemarknetworks.com/wiki/index.php?title=Proxmox_Host_SSH_keys&oldid=155"