pvecm updatecerts gets called on each pve-cluster.service start,
thus at least on each node boot and on each pve-cluster update.
updatecerts contained a call to setup_sshd_config, which ensured that
the sshd_config parameter 'PermitRootLogin' gets set to yes, with the
intent that this is needed for a working cluster.
But, also the now more common and secure options 'prohibit-password'
and 'without-password' are OK for a cluster to work properly.
This change was added by 6c0e95b3, without clear indication why; our
installer enforces this setting already, as does a cluster create and
a join to a cluster.
To allow a user to use the more secure setting, remove the call from
updatecerts again, thus he only needs to change this after cluster
create/add operations, on one node only.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
code => sub {
my ($param) = @_;
- PVE::Cluster::setup_sshd_config(0);
PVE::Cluster::setup_rootsshconfig();
PVE::Cluster::gen_pve_vzdump_symlink();
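Review bot: The removed `PVE::Cluster::setup_sshd_config(0);` line in the updatecerts `code` sub needs a check that setup_sshd_config does nothing besides the 'PermitRootLogin' handling that updatecerts relied on at each pve-cluster.service start, because this was its only call in this sub. The commit message also says cluster create and join still enforce the setting, so a user's 'prohibit-password' value will be overwritten by those operations; please document that next to this change (or in the pvecm docs) so the hardened value is re-applied afterwards. Nodes that already had 'PermitRootLogin yes' written by earlier updatecerts runs keep it, which is worth stating in the changelog as well.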