diff --git a/migrator.py b/migrator.py index 80b8090..7031f41 100644 --- a/migrator.py +++ b/migrator.py @@ -203,18 +203,34 @@ class Migrator: print(f" [{node.name}] WARNUNG Key-Kopie: rc={rc} {err}") # Step 2: Ensure sshd checks ~/.ssh/authorized_keys - # Proxmox sshd_config may only list /etc/pve/priv/authorized_keys + # Proxmox sshd_config may only list /etc/pve/priv/authorized_keys, + # or use AuthorizedKeysCommand pointing to /etc/pve/priv/. + # We need to ensure .ssh/authorized_keys is checked as fallback. sshd_cmd = ( "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration && " + "NEED_RELOAD=0 && " + # Handle AuthorizedKeysFile "if grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config; then " - " if grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -q '.ssh/authorized_keys'; then " - " echo sshd_already_ok; " - " else " + " if ! grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -q '.ssh/authorized_keys'; then " " sed -i '/^AuthorizedKeysFile/s|$| .ssh/authorized_keys|' /etc/ssh/sshd_config && " - " systemctl reload sshd && " - " echo sshd_modified; " + " NEED_RELOAD=1; " " fi; " "else " + # No AuthorizedKeysFile line = uses default (.ssh/authorized_keys), which is fine. + # But if AuthorizedKeysCommand is active, it might override. Add explicit line. + " if grep -q '^AuthorizedKeysCommand ' /etc/ssh/sshd_config; then " + " echo 'AuthorizedKeysFile .ssh/authorized_keys' >> /etc/ssh/sshd_config && " + " NEED_RELOAD=1; " + " fi; " + "fi && " + # Temporarily disable AuthorizedKeysCommand if it points to /etc/pve + "if grep '^AuthorizedKeysCommand ' /etc/ssh/sshd_config | grep -q '/etc/pve'; then " + " sed -i 's|^AuthorizedKeysCommand |#AuthorizedKeysCommand_DISABLED |' /etc/ssh/sshd_config && " + " NEED_RELOAD=1; " + "fi && " + "if [ $NEED_RELOAD -eq 1 ]; then " + " systemctl reload sshd && echo sshd_modified; " + "else " " echo sshd_already_ok; " "fi" )
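Review bot: The step commented `# Temporarily disable AuthorizedKeysCommand` rewrites the directive to `#AuthorizedKeysCommand_DISABLED`, but nothing in this hunk re-enables it, and the unconditional `cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration` at the top of `sshd_cmd` replaces the pristine backup with the already-edited file on a second run, so the node's original key-lookup policy may become unrecoverable. Take the backup only once, e.g. `"[ -e /etc/ssh/sshd_config.pre_migration ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration && "`, and confirm that the restore path (not visible here) runs on failure as well as on success. Per sshd_config(5), public-key authentication continues with the AuthorizedKeysFile files when AuthorizedKeysCommand does not authorize the key, so the disabling `sed` is probably unnecessary once `.ssh/authorized_keys` is listed, and dropping it keeps the change to authentication policy smaller. The reload should also be gated on a syntax check, `" sshd -t && systemctl reload sshd && echo sshd_modified; "`, because the `>>` append lands inside a trailing `Match` block if the file ends with one. The enclosing method starts and ends outside the hunk.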