fix #1566: do not setup ssh config in updatecerts call

pvecm updatecerts gets called on each pve-cluster.service start,
thus at least on each node boot and on each pve-cluster update.

updatecerts contained a call to setup_sshd_config, which ensured that
the sshd_config parameter 'PermitRootLogin' gets set to yes, with the
intend that this is needed for a working cluster.
But, also the now more common and secure options 'prohibit-password'
and 'without-password' are OK for a cluster to work properly.

This change was added by 6c0e95b3, without clear indication why, our
installer enforces this setting already, as does a cluster create and
a join to a cluster.

To allow an user to use the more secure setting remove the call from
updatecerts again, thus he only needs to changes this after cluster
create/add operations, on one node only.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/data/PVE/CLI/pvecm.pm b/data/PVE/CLI/pvecm.pm
index 970711496ddf87cd8a06fb3684608d5007627902..a355ba5fbe3c4eba5c0e0fa6af2e0537e63da2dd 100755 (executable)
--- a/data/PVE/CLI/pvecm.pm
+++ b/data/PVE/CLI/pvecm.pm
@@ -768,7 +768,6 @@ __PACKAGE__->register_method ({
     code => sub {
        my ($param) = @_;
 
-       PVE::Cluster::setup_sshd_config(0);
        PVE::Cluster::setup_rootsshconfig();
 
        PVE::Cluster::gen_pve_vzdump_symlink();