fixed ssh keys finding

2026-03-04 23:06:57 +01:00 · 2026-03-04 23:06:57 +01:00 · 899265faca
parent 955fad399e
commit 899265faca
1 changed files with 22 additions and 6 deletions
--- a/migrator.py
+++ b/migrator.py
@ -203,18 +203,34 @@ class Migrator:
                print(f"  [{node.name}] WARNUNG Key-Kopie: rc={rc} {err}")

            # Step 2: Ensure sshd checks ~/.ssh/authorized_keys
-            # Proxmox sshd_config may only list /etc/pve/priv/authorized_keys
+            # Proxmox sshd_config may only list /etc/pve/priv/authorized_keys,
+            # or use AuthorizedKeysCommand pointing to /etc/pve/priv/.
+            # We need to ensure .ssh/authorized_keys is checked as fallback.
            sshd_cmd = (
                "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration && "
+                "NEED_RELOAD=0 && "
+                # Handle AuthorizedKeysFile
                "if grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config; then "
-                "  if grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -q '.ssh/authorized_keys'; then "
-                "    echo sshd_already_ok; "
-                "  else "
+                "  if ! grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -q '.ssh/authorized_keys'; then "
                "    sed -i '/^AuthorizedKeysFile/s|$| .ssh/authorized_keys|' /etc/ssh/sshd_config && "
-                "    systemctl reload sshd && "
-                "    echo sshd_modified; "
+                "    NEED_RELOAD=1; "
                "  fi; "
                "else "
+                # No AuthorizedKeysFile line = uses default (.ssh/authorized_keys), which is fine.
+                # But if AuthorizedKeysCommand is active, it might override. Add explicit line.
+                "  if grep -q '^AuthorizedKeysCommand ' /etc/ssh/sshd_config; then "
+                "    echo 'AuthorizedKeysFile .ssh/authorized_keys' >> /etc/ssh/sshd_config && "
+                "    NEED_RELOAD=1; "
+                "  fi; "
+                "fi && "
+                # Temporarily disable AuthorizedKeysCommand if it points to /etc/pve
+                "if grep '^AuthorizedKeysCommand ' /etc/ssh/sshd_config | grep -q '/etc/pve'; then "
+                "  sed -i 's|^AuthorizedKeysCommand |#AuthorizedKeysCommand_DISABLED |' /etc/ssh/sshd_config && "
+                "  NEED_RELOAD=1; "
+                "fi && "
+                "if [ $NEED_RELOAD -eq 1 ]; then "
+                "  systemctl reload sshd && echo sshd_modified; "
+                "else "
                "  echo sshd_already_ok; "
                "fi"
            )