X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pvecm.adoc;h=2fe532e9998f34af3e1104fe4695fd0ed5c2953a;hp=48d86bcae095d4db7dfae9787d2d25731ae28e9b;hb=HEAD;hpb=0554c751fdc4e27b8a98d2d6de447907dd9da1d2 diff --git a/pvecm.adoc b/pvecm.adoc index 48d86bc..5117eaa 100644 --- a/pvecm.adoc +++ b/pvecm.adoc @@ -922,9 +922,27 @@ transfer memory and disk contents. * Storage replication -.Pitfalls due to automatic execution of `.bashrc` and siblings -[IMPORTANT] -==== +SSH setup +~~~~~~~~~ + +On {pve} systems, the following changes are made to the SSH configuration/setup: + +* the `root` user's SSH client config gets setup to prefer `AES` over `ChaCha20` + +* the `root` user's `authorized_keys` file gets linked to + `/etc/pve/priv/authorized_keys`, merging all authorized keys within a cluster + +* `sshd` is configured to allow logging in as root with a password + +NOTE: Older systems might also have `/etc/ssh/ssh_known_hosts` set up as symlink +pointing to `/etc/pve/priv/known_hosts`, containing a merged version of all +node host keys. This system was replaced with explicit host key pinning in +`pve-cluster <>`, the symlink can be deconfigured if still in +place by running `pvecm updatecerts --unmerge-known-hosts`. + +Pitfalls due to automatic execution of `.bashrc` and siblings +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In case you have a custom `.bashrc`, or similar files that get executed on login by the configured shell, `ssh` will automatically run it once the session is established successfully. This can cause some unexpected behavior, as those @@ -944,8 +962,6 @@ case $- in *) return;; esac ---- -==== - Corosync External Vote Support ------------------------------ @@ -1056,13 +1072,13 @@ pve# pvecm qdevice setup The SSH key from the cluster will be automatically copied to the QDevice. -NOTE: Make sure that the SSH configuration on your external server allows root -login via password, if you are asked for a password during this step. +NOTE: Make sure to setup key-based access for the root user on your external +server, or temporarily allow root login with password during the setup phase. If you receive an error such as 'Host key verification failed.' at this stage, running `pvecm updatecerts` could fix the issue. -After you enter the password and all the steps have successfully completed, you -will see "Done". You can verify that the QDevice has been set up with: +After all the steps have successfully completed, you will see "Done". You can +verify that the QDevice has been set up with: ---- pve# pvecm status @@ -1104,6 +1120,10 @@ columns: https://manpages.debian.org/bookworm/libvotequorum-dev/votequorum_qdevice_master_wins.3.en.html]. * `NR`: QDevice is not registered. +NOTE: If your QDevice is listed as `Not Alive` (`NA` in the output above), +ensure that port `5403` (the default port of the qnetd server) of your external +server is reachable via TCP/IP! + Frequently Asked Questions ~~~~~~~~~~~~~~~~~~~~~~~~~~